Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• 1 in 3 Employees Don’t Understand Why Cyber Security Is Important

According to a new Tessian report, 30% of employees do not think they personally play a role in maintaining their company’s cyber security posture.

What’s more, only 39% of employees say they’re very likely to report a security incident, making investigation and remediation even more challenging and time-consuming for security teams. When asked why, 42% of employees said they wouldn’t know if they had caused an incident in the first place, and 25% say they just don’t care enough about cyber security to mention it.

Virtually all IT and security leaders agreed that a strong security culture is important in maintaining a strong security posture. Yet, despite rating their organisation’s security 8 out 10, on average, three-quarters of organisations experienced a security incident in the last 12 months.

The report suggests this could stem from a reliance on traditional training programs: 48% of security leaders say training is one of the most important influences on building a positive security posture. But the reality is that employees aren’t engaged; just 28% of UK and US workers say security awareness training is engaging and only 36% say they’re paying full attention. Of those who are, only half say it’s helpful, while another 50% have had a negative experience with a phishing simulation. With recent headlines depicting how phishing simulations can go awry, negative experiences like these further alienate employees and decrease engagement.

https://www.helpnetsecurity.com/2022/07/28/employees-dont-understand-why-cybersecurity-is-important/

• As Companies Calculate Cyber Risk, the Right Data Makes a Big Difference

The proposed US Securities and Exchange Commission’s stronger rules for reporting cyber attacks will have ramifications beyond increased disclosure of attacks to the public. By requiring not just quick reporting of incidents, but also disclosure of cyber policies and risk management, such regulation will ultimately bring more accountability for cyber security to the highest levels of corporate leadership. Other jurisdictions will very likely follow the US in requiring more stringent cyber controls and governance.

This means that boards and executives everywhere will need to increase their understanding of cyber security, not only from a tech point of view, but from a risk and business exposure point of view. The CFO, CMO and the rest of the C-suite and board will want and need to know what financial exposure the business faces from a data breach, and how likely it is that breaches will happen. This is the only way they will be able to develop cyber policies and plans and react properly to the proposed regulations.

Companies will therefore need to be able to calculate and put a dollar value on their exposure to cyber risk. This is the starting point for the ability to make cyber security decisions not in a vacuum, but as part of overall business decisions. To accurately quantify cyber security exposure, companies need to understand what the threats are and which data and business assets are at risk, and they then need to multiply the cost of a breach by the probability that such an event will take place in order to put a dollar figure on their exposure.

While there are many automated tools, including those that use artificial intelligence (AI), that can help with this, the key to doing this well is to make sure calculations are rooted in real and relevant data – which is different for each company or organisation.

https://venturebeat.com/2022/07/22/as-companies-calculate-cyber-risk-the-right-data-makes-a-big-difference/

• Only 25% Of Organisations Consider Their Biggest Threat to Be from Inside the Business

A worrying 73.5% of organisations feel they have wasted the majority of their cyber security budget on failing to remediate threats, despite having an over-abundance of security tools at their disposal, according to Gurucul.

Only 25% of organisations consider their biggest threat to be from inside the business, despite insider threats increasing by 47% over the past two years. With only a quarter of businesses seeing their biggest threat emanating from inside their organisation, it seems over 70% saw the biggest cyber security challenges emanating from external threats such as ransomware. In fact, although external threats account for many security incidents, we must never forget to look beyond those external malicious and bad actors to insider threats to effectively secure corporate data and IP.

The survey also found 33% of respondents said they are able to detect threats within hours, while 27.07% even claimed they can detect threats in real-time. However, challenges persist with 33% of respondents stating that it still takes their organisation days and weeks to detect threats, with 6% not being able to detect them at all.

https://www.helpnetsecurity.com/2022/07/28/biggest-threat-inside-the-business/

• The Global Average Cost of a Data Breach Reaches an All-Time High of $4.35 Million

IBM Security released the 2022 Cost of a Data Breach Report, revealing costlier and higher-impact data breaches than ever before, with the global average cost of a data breach reaching an all-time high of $4.35 million for studied organisations.

With breach costs increasing nearly 13% over the last two years of the report, the findings suggest these incidents may also be contributing to rising costs of goods and services. In fact, 60% of studied organisations raised their product or services prices due to the breach, when the cost of goods is already soaring worldwide amid inflation and supply chain issues.

The perpetuality of cyber attacks is also shedding light on the “haunting effect” data breaches are having on businesses, with the IBM report finding 83% of studied organisations have experienced more than one data breach in their lifetime. Another factor rising over time is the after-effects of breaches on these organisations, which linger long after they occur, as nearly 50% of breach costs are incurred more than a year after the breach.

The 2022 Cost of a Data Breach Report is based on in-depth analysis of real-world data breaches experienced by 550 organisations globally between March 2021 and March 2022. The research, which was sponsored and analysed by IBM Security, was conducted by the Ponemon Institute.

https://www.helpnetsecurity.com/2022/07/27/2022-cost-of-a-data-breach-report/

• Race Against Time: Hackers Start Hunting for Victims Just 15 Minutes After a Bug Is Disclosed

Attackers are becoming faster at exploiting previously undisclosed zero-day flaws, according to Palo Alto Networks.  This means that the amount of time that system admins have to patch systems before exploitation happens is shrinking fast..

The company warns in its 2022 report covering 600 incident response (IR) cases that attackers typically start scanning for vulnerabilities within 15 minutes of one being announced.

Among this group are 2021's most significant flaws, including the Exchange Server ProxyShell and ProxyLogon sets of flaws, the persistent Apache Log4j flaws aka Log4Shell, the SonicWall zero-day flaws, and Zoho ManageEngine ADSelfService Plus.

While phishing remains the biggest method for initial access, accounting for 37% of IR cases, software vulnerabilities accounted of 31%. Brute-force credential attacks (like password spraying) accounted for 9%, while smaller categories included previously compromised credentials (6%), insider threat (5%), social engineering (5%), and abuse of trusted relationships/tools (4%).    

Over 87% of the flaws identified as the source of initial access fell into one of six vulnerability categories.

https://www.zdnet.com/article/race-against-time-hackers-start-hunting-for-victims-just-15-minutes-after-a-bug-is-disclosed/

• Ransomware-as-a-Service Groups Forced to Change Tack as Payments Decline

Ransomware-as-a-service (RaaS) operators are evolving their tactics yet again in response to more aggressive law enforcement efforts, in a move that is reducing their profits but also making affiliates harder to track, according to Coveware.

The security vendor’s Q2 2022 ransomware report revealed that concerted efforts to crack down on groups like Conti and DarkSide have forced threat actors to adapt yet again.

It identified three characteristics of RaaS operations that used to be beneficial, but are increasingly seen as a hinderance.

The first is RaaS branding, which has helped to cement the reputation of some groups and improve the chances of victims paying, according to Coveware. However, branding also makes attribution easier and can draw the unwanted attention of law enforcement, it said.

“RaaS groups are keeping a lower profile and vetting affiliates and their victims more thoroughly,” Coveware explained.

“More RaaS groups have formed, resulting in less concentration among the top few variants. Affiliates are frequently shifting between RaaS variants on different attacks, making attribution beyond the variant more challenging.”

In some cases, affiliates are also using “unbranded” malware to make attribution more difficult, it added.

The second evolution in RaaS involves back-end infrastructure, which used to enable scale and increase profitability. However, it also means a larger attack surface and a digital footprint that’s more expensive and challenging to maintain.

As a result, RaaS developers are being forced to invest more in obfuscation and redundancy, which is hitting profits and reducing the amount of resources available for expansion, Coveware claimed.

Finally, RaaS shared services used to help affiliates with initial access, stolen data storage, negotiation management and leak site support.

https://www.infosecurity-magazine.com/news/raas-groups-forced-change-payments/

• Phishers Targeted Financial Services Most During H1 2022

Banks received the lion’s share of phishing attacks during the first half of 2022, according to figures published by cyber security company Vade.

The analysis also found that attackers were most likely to send their phishing emails on weekdays, with most arriving between Monday and Wednesday. Attacks tapered off towards the end of the week, Vade said.

While financial services scored highest on a per-sector basis, Microsoft was the most impersonated brand overall. The company’s Microsoft 365 cloud productivity services are a huge draw for cyber-criminals hoping to access accounts using phishing attacks.

Phishing attacks on Microsoft customers have become more creative, according to Vade, which identified several phone-based attacks. It highlighted a campaign impersonating Microsoft’s Defender anti-malware product, fraudulently warning that the company had debited a subscription fee. It encouraged victims to fix the problem by phone.

Facebook came a close second, followed by financial services company Crédit Agricole, WhatsApp and Orange.

https://www.infosecurity-magazine.com/news/phishers-financial-services-h1-2022/

• HR Emails Dupe Employees the Most – KnowBe4 research reveals

In phishing tests conducted on business emails, more than half of the subject lines clicked imitated Human Resources communications.

New research has revealed the top email subjects clicked on in phishing tests were those related to or from Human Resources, according to the latest ‘most clicked phishing tests‘ conducted by KnowBe4. In fact, half of those that were clicked on had subject lines related to Human Resources, including vacation policy updates, dress code changes, and upcoming performance reviews. The second most clicked category were those send from IT, which include requests or actions of password verifications that were needed immediately.

KnowBe4’s CEO commented “More than 80% of company data breaches globally come from human error, so security awareness training for your staff is one of the least costly and most effective methods to thwart social engineering attacks. Training gives employees the ability to rapidly recognise a suspicious email, even if it appears to come from an internal source, causing them to pause before clicking. That moment where they stop and question the email is a critical and often overlooked element of security culture that could significantly reduce your risk surface.”

This research comes hot off the heels of the recent KnowBe4 industry benchmarking report which found one in three untrained employees will click on a phishing link. The worst performing industries were Energy & Utilities, Insurance and Consulting, with all labelled the most at risk for social engineering in the large enterprise category.

https://www.itsecurityguru.org/2022/07/27/hr-emails-dupe-employees-the-most-knowbe4-research-reveals/

• 84% Of Organisations Experienced an Identity-Related Breach in the Past 18 Months

60% of IT security decision makers believe their overall security strategy does not keep pace with the threat landscape, and that they are either lagging behind (20%), treading water (13%), or merely running to keep up (27%), according to a survey by Sapio Research.

The report also highlights differences between the perceived and actual effectiveness of security strategies. While 40% of respondents believe they have the right strategy in place, 84% of organisations reported that they have experienced an identity-related breach or an attack using stolen credentials during the previous year and a half.

Promisingly, many organisations are hungry to make a change, particularly when it comes to protecting identities. In fact, 90% of respondents state that their organisations fully recognise the importance of identity security in enabling them to achieve their business goals, and 87% say that it is one of the most important security priorities for the next 12 months.

However, 75% of IT and security professionals also believe that they’ll fall short of protecting privileged identities because they won’t get the support they need. This is largely due to a lack of budget and executive alignment, with 63% of respondents saying that their company’s board still doesn’t fully understand identity security and the role it plays in enabling better business operations.

While the importance of identity security is acknowledged by business leaders, most security teams will not receive the backing and budget they need to put vital security controls and solutions in place to reduce major risks. This means that the majority of organisations will continue to fall short of protecting privileges, leaving them vulnerable to cyber criminals looking to discover privileged accounts and abuse them.

https://www.helpnetsecurity.com/2022/07/28/identity-related-breach/

• Economic Downturn Raises Risk of Insiders Going Rogue

Declining economic conditions could make insiders more susceptible to recruitment offers from threat actors looking for allies to assist them in carrying out various attacks.

Enterprise security teams need to be aware of the heightened risk and strengthen measures for protecting against, detecting, and responding to insider threats, researchers from Palo Alto Network's Unit 42 threat intelligence team recommended in a report this week.

The security vendor's report highlighted several other important takeaways for security operations teams, including the fact that ransomware and business email compromise attacks continue to dominate incident response cases and vulnerability exploits — accounting for nearly one-third of all breaches.

Unit 42 researchers analysed data from a sampling of over 600 incident response engagements between April 2021 and May 2022 and determined that difficult economic times could lure more actors to cyber crime. This could include both people with technical skills looking to make a fast buck, as well as financially stressed insiders with legitimate access to valuable enterprise data and IT assets. The prevalence of remote and hybrid work models has created an environment where it's easier for workers to steal intellectual property or carry out other malicious activity, the researchers found.

https://www.darkreading.com/risk/economic-downturn-raises-the-risk-of-insiders-going-rogue

• 5 Trends Making Cyber Security Threats Riskier and More Expensive

Since the pandemic the cyber world has become a far riskier place. According to the Hiscox Cyber Readiness Report 2022, almost half (48%) of organisations across the US and Europe experienced a cyber attack in the past 12 months. Even more alarming is that these attacks are happening despite businesses doubling down on their cyber security spend.

Cyber security is at a critical inflection point where five megatrends are making the threat landscape riskier, more complicated, and costlier to manage than previously reported. To better understand the evolution of this threat landscape, let’s examine these trends in more detail.

1. Everything becomes digital

2. Organisations become ecosystems

3. Physical and digital worlds collide

4. New technologies bring new risks

5. Regulations become more complex

Organisations can follow these best practices to elevate cyber security performance:

• Identify, prioritise, and implement controls around risks.

• Adopt a framework such as ISO 27001 or NIST Cyber Security Framework.

• Develop human-layered cyber security.

• Fortify your supply chain.

• Avoid using too many tools.

• Prioritise protection of critical assets.

• Automate where you can.

• Monitor security metrics regularly to help business leaders get insight into security effectiveness, regulatory compliance, and levels of security awareness in the organisation.

Cyber security will always be a work in progress. The key to effective risk management is having proactive visibility and context across the entire attack surface. This helps to understand which vulnerabilities, if exploited, can cause the greatest harm to the business. Not all risks can be mitigated; some risks will have to be accepted and trade-offs will have to be negotiated.

https://www.csoonline.com/article/3667442/5-trends-making-cybersecurity-threats-riskier-and-more-expensive.html#tk.rss_news

• Ransomware: Publicly Reported Incidents Are Only the Tip of the Iceberg

The threat landscape report on ransomware attacks published this week by the European Union Agency for Cybersecurity (ENISA) uncovers the shortcomings of the current reporting mechanisms across the EU.

As one of the most devastating types of cyber security attacks over the last decade, ransomware, has grown to impact organisations of all sizes across the globe.

This threat landscape report analysed a total of 623 ransomware incidents across the EU, the United Kingdom and the United States for a reporting period from May 2021 to June 2022. The data was gathered from governments' and security companies' reports, from the press, verified blogs and in some cases using related sources from the dark web.

Between May 2021 and June 2022 about 10 terabytes of data were stolen each month by ransomware threat actors. 58.2% of the data stolen included employees' personal data.

At least 47 unique ransomware threat actors were found.

For 94.2% of incidents, we do not know whether the company paid the ransom or not. However, when the negotiation fails, the attackers usually expose and make the data available on their webpages. This is what happens in general and is a reality for 37.88% of incidents.

We can therefore conclude that the remaining 62.12% of companies either came to an agreement with the attackers or found another solution.

The study also shows that companies of every size and from all sectors are affected.

The figures in the report can however only portray a part of the overall picture. In reality, the study reveals that the total number of ransomware attacks is much larger. At present this total is impossible to capture since too many organisations still do not make their incidents public or do not report on them to the relevant authorities.

https://www.enisa.europa.eu/news/ransomware-publicly-reported-incidents-are-only-the-tip-of-the-iceberg

Threats

Ransomware

• LockBit 3.0: Significantly Improved Ransomware Helps the Gang Stay on Top (darkreading.com)

• Ransomware looms large over the cyber insurance industry - Help Net Security

• 800,000 businesses fall victim to ransomware each year (komando.com)

• Business services top target of ransomware attacks (securitybrief.co.nz)

• How Crypto is Driving the Ransomware Epidemic | Cryptoland Roundtable - YouTube

• On security researcher's newsletter, exposing cyber criminals behind ransomware - CyberScoop

• LockBit ransomware abuses Windows Defender to load Cobalt Strike (bleepingcomputer.com)

• Mailing List Provider WordFly Scrambling to Recover Following Ransomware Attack | SecurityWeek.Com

• No More Ransom helps millions of ransomware victims in 6 years (bleepingcomputer.com)

• Lockbit ransomware gang claims to have breached the Italian Revenue Agency - Security Affairs

• Lockbit Ramps Up Attacks on Public Sector - Infosecurity Magazine (infosecurity-magazine.com)

• A ‘Top Tier’ Hacking Gang Is Likely To Be Behind Entrust Ransomware (informationsecuritybuzz.com)

• No More Ransom Helped More Than 1.5 Million People Decrypt Their Devices (darkreading.com)

• Ransomware caused American Dental Association outage, led to stolen data (scmagazine.com)

• The road to ransomware recovery starts before an attack • The Register

• LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities (trendmicro.com)

BEC – Business Email Compromise

• Crackdown on BEC Schemes: 100 Arrested in Europe, Man Charged in US | SecurityWeek.Com

• European Police Arrest 100 Suspects in BEC Crackdown - Infosecurity Magazine (infosecurity-magazine.com)

Phishing & Email Based Attacks

• Phishing Attacks Skyrocket with Microsoft and Facebook as Most Abused Brands | Threatpost

• Three of the world's most expensive phishing attacks and how they could have been prevented (betanews.com)

• Threat Actors Respond To Microsoft Blocking Macros with New Email Tactics (informationsecuritybuzz.com)

• Phishing scam targeting Bank of America, Citi and Wells Fargo customers (komando.com)

• APT-Like Phishing Threat Mirrors Landing Pages (darkreading.com)

• New Callback Malware Campaign Impersonates Legitimate Cyber Security Providers - MSSP Alert

• Microsoft Tops Brands Phishers Prefer (darkreading.com)

• Phishing Attacks: Microsoft Leads Top 25 of Impersonated Brands - MSSP Alert

• Researchers Warns of Increase in Phishing Attacks Using Decentralized IPFS Network (thehackernews.com)

• 1,000s of Phishing Attacks Blast Off From InterPlanetary File System (darkreading.com)

• New ‘Robin Banks’ phishing service targets BofA, Citi, and Wells Fargo (bleepingcomputer.com)

Other Social Engineering; SMishing, Vishing, etc

• US govt warns Americans of escalating SMS phishing attacks (bleepingcomputer.com)

Malware

• Cisco Incident Response Report: Commodity Malware Top Threat in Q2 - MSSP Alert

• Discovery of new UEFI rootkit exposes an ugly truth: The attacks are invisible to us | Ars Technica

• As Microsoft blocks Office macros, hackers find new attack vectors (bleepingcomputer.com)

• Microsoft Links Raspberry Robin USB Worm to Russian Evil Corp Hackers (thehackernews.com)

• Microsoft links Raspberry Robin malware to Evil Corp attacks (bleepingcomputer.com)

• Malware-laced npm packages used to target Discord users - Security Affairs

• CosmicStrand UEFI malware found in Gigabyte, ASUS motherboards (bleepingcomputer.com)

• Sophisticated UEFI rootkit of Chinese origin shows up again in the wild after 3 years | CSO Online

• Attackers are slowly abandoning malicious macros - Help Net Security

• One of the most beloved Windows tools could actually be a huge security risk | TechRadar

• QBot phishing uses Windows Calculator DLL hijacking to infect devices (bleepingcomputer.com)

• Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike (trendmicro.com)

• Microsoft: Austrian company DSIRF selling Subzero malware (techtarget.com)

• Threat actors leverages DLL-SideLoading to spread Qakbot - Security Affairs

• Rare 'CosmicStrand' UEFI Rootkit Swings into Cyber crime Orbit (darkreading.com)

Mobile

• Here are the top phone security threats in 2022 and how to avoid them | ZDNet

• New Android malware apps installed 10 million times from Google Play (bleepingcomputer.com)

• Roaming Mantis Financial Hackers Targeting Android and iPhone Users in France (thehackernews.com)

• Facebook ads push Android adware with 7 million installs on Google Play (bleepingcomputer.com)

• Millions of Android devices infected with wallet-draining malware | TechRadar

• Over a Dozen Android Apps on Google Play Store Caught Dropping Banking Malware (thehackernews.com)

• These 28+ Android Apps with 10 Million Downloads from the Play Store Contain Malware (thehackernews.com)

Internet of Things – IoT

• IoT Botnets Fuels DDoS Attacks – Are You Prepared? | Threatpost

• Dahua IP Camera Vulnerability Could Let Attackers Take Full Control Over Devices (thehackernews.com)

Data Breaches/Leaks

• US court system suffered ‘incredibly significant attack’ • The Register

• Congress Warns of US Court Records System Breach - Infosecurity Magazine (infosecurity-magazine.com)

• Uber admits covering up massive 2016 data breach in settlement with US prosecutors - The Verge

• T-Mobile to pay $500M for one of the largest data breaches in US history [Updated] | Ars Technica

• Data Stolen in Breach at Security Company Entrust | SecurityWeek.Com

• Fallout from massive Shanghai Police data breach reverberates on dark web - CyberScoop

• Big Questions Remain Around Massive Shanghai Police Data Breach (darkreading.com)

Organised Crime & Criminal Actors

• Cyber-mercenaries represent shifting criminal business model • The Register

• Messaging Apps Tapped as Platform for Cyber Criminal Activity | Threatpost

• Teenager Jailed for Snapchat Blackmail Cyber Crimes- IT Security Guru

• DUCKTAIL operation targets Facebook’s Business and Ad accounts - Security Affairs

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Crypto fraud on the rise as consumers fall for fake celebrity endorsements | Cybernews

• Hackers Increasingly Using WebAssembly Coded Cryptominers to Evade Detection (thehackernews.com)

• NFT Hacking Group Attacks On The Rise, Report Finds- IT Security Guru

• Hackers steal $6 million from blockchain music platform Audius (bleepingcomputer.com)

 Fraud, Scams & Financial Crime

• Major shifts and the growing risk of identity fraud - Help Net Security

• Uber's former head of security faces fraud charges after allegedly covering up data breach (bitdefender.com)

• JPMorgan, UBS accused of shoddy identity theft protection • The Register

• Euro Police Bust €3m Internet Fraud Gang - Infosecurity Magazine (infosecurity-magazine.com)

• Romance scammers jailed after tricking Irish OAP out of €250k (bitdefender.com)

• Get a family safeword to make sure you don’t fall for the Mum and Dad scam | Money | The Sunday Times (thetimes.co.uk)

• What the Titanic Can Teach Us About Fraud? | SecurityWeek.Com

AML/CFT/Sanctions

• Russia declares Guernsey an 'unfriendly state' - BBC News

• Crypto exchange Kraken reportedly probed over Iran sanctions • The Register

Insurance

• Ransomware looms large over the cyber insurance industry - Help Net Security

Dark Web

• Cyber crime goods and services are cheap and plentiful - Help Net Security

• Hackers Selling Malware on Dark Web Underground Market (cybersecuritynews.com)

Supply Chain and Third Parties

• Experts warn of hacker claiming access to 50 US companies through breached MSP - The Record by Recorded Future

• Crook calls for help extorting service provider's clients • The Register

• Getting Ahead of Supply Chain Attacks (darkreading.com)

Software Supply Chain

• 8 top SBOM tools to consider | CSO Online

Denial of Service DoS/DDoS

• Akamai blocked the largest DDoS attack ever on its European customers - Security Affairs

• DDoS Attack Trends in 2022: Ultrashort, Powerful, Multivector Attacks (bleepingcomputer.com)

Cloud/SaaS

• Kansas MSP shuts down cloud services to fend off cyber attack (bleepingcomputer.com)

• Organisations are struggling with SaaS security. Why? - Help Net Security

Attack Surface Management

• 4 Steps the Financial Industry Can Take to Cope With Their Growing Attack Surface (thehackernews.com)

Identity and Access Management

• Why firms need to harness identity management before it spirals into an identity crisis - Help Net Security

• Benefits of modern PAM: Efficiency, security, compliance - Help Net Security

Encryption

• Transport Layer Security (TLS): Issues & Protocol (trendmicro.com)

• SSH2 vs. SSH1 and why SSH versions still matter (techtarget.com)

Passwords, Credential Stuffing & Brute Force Attacks

• Inadequate password and authentication requirements found in popular business web apps - Help Net Security

• Using Account Lockout policies to block Windows Brute Force Attacks (bleepingcomputer.com)

• Stop Putting Your Accounts At Risk, and Start Using a Password Manager (thehackernews.com)

Social Media

• Facebook security cracked by Malware made in Vietnam • The Register

• Cyber-Criminal Offers 5.4m Twitter Users’ Data - Infosecurity Magazine (infosecurity-magazine.com)

• Social Media Accounts Hijacked to Post Indecent Images - Infosecurity Magazine (infosecurity-magazine.com)

Training, Education and Awareness

• Poor Training and Communications Hindering Cyber security Efforts - Infosecurity Magazine (infosecurity-magazine.com)

Privacy

• US, UK law enforcement to implement data sharing law, troubling privacy advocates - CyberScoop

Law Enforcement Action and Take Downs

• UK Seizes Nearly $27m in Crypto-Assets - Infosecurity Magazine (infosecurity-magazine.com)

• European Cops Helped 1.5 Million People Decrypt Their Ransomwared Computers (vice.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• World entering 'dangerous new age' of threats, says UK's top national security adviser | World News | Sky News

• Cyberspies use Google Chrome extension to steal emails undetected (bleepingcomputer.com)

• Microsoft says it caught an Austrian spyware group using Windows 0-day exploits - The Verge

• Pegasus spyware: Just 'tip of the iceberg' seen so far • The Register

• Cyber attacks by Iran and Israel now target critical infrastructure. - The Washington Post

• Ukraine Cyber War Fall-out and Ransomware Trends Areas of Focus in New CyberCube Research | Business Wire

• US and Ukraine Sign Agreement to Deepen Cyber security Operational Collaboration - MSSP Alert

• CISA, Ukrainian cyber agency deepen partnership to combat Russian threat - CyberScoop

• How is Anonymous attacking Russia? The top six ways ranked (cnbc.com)

• European Lawmaker Targeted With Cytrox Predator Surveillance Spyware | SecurityWeek.Com

Nation State Actors

Nation State Actors – Russia

• Russia is quietly ramping up its Internet censorship machine | Ars Technica

• Apple network traffic takes mysterious detour through Russia • The Register

• 'Crippling' Western sanctions are hitting Russia much harder than Putin is letting on, say Yale economists (inews.co.uk)

Nation State Actors – China

• Chinese APTs: Interlinked networks and side hustles – Intrusion Truth (wordpress.com)

• OneWeb sale risks giving China a stake in ‘Five Eyes’ spying tech (telegraph.co.uk)

Nation State Actors – North Korea

• North Korean Hackers Using Malicious Browser Extension to Spy on Email Accounts (thehackernews.com)

• North Korean hackers attack EU targets with Konni RAT malware (bleepingcomputer.com)

• US puts $10 million bounty on North Korean threat groups • The Register

• Is APT28 behind the STIFF#BIZON attacks attributed to North Korea-linked APT37? Security Affairs

Nation State Actors – Iran

• Cyber attacks by Iran and Israel now target critical infrastructure. - The Washington Post

Vulnerability Management

• Hackers scan for vulnerabilities within 15 minutes of disclosure (bleepingcomputer.com)

• Attackers Have 'Favourite' Vulnerabilities to Exploit (darkreading.com)

• Taking the Risk-Based Approach to Vulnerability Patching (thehackernews.com)

• Organisations struggle to manage devices and stay ahead of vulnerabilities - Help Net Security

• 2022 Unit 42 Incident Response Report: How Attackers Exploit Zero-Days (paloaltonetworks.com)

• Security Teams Overwhelmed With Bugs, Bitten by Patch Prioritization (darkreading.com)

• Time between vuln disclosures, exploits is getting smaller • The Register

Vulnerabilities

• Critical Samba bug could let anyone become Domain Admin – patch now! – Naked Security (sophos.com)

• Multiple Windows, Adobe Zero-Days Anchor Knotweed Commercial Spyware (darkreading.com)

• How to Fix CVE-2022-30190 vulnerability using Microsoft Intune - CloudInfra

• CISA releases IOCs for attacks exploiting Log4Shell in VMware Horizon and UAG | CSO Online

• Critical FileWave MDM Flaws Open Organisation-Managed Devices to Remote Hackers (thehackernews.com)

• Hackers are abusing IIS extensions to establish covert backdoors - Security Affairs

• FileWave fixes bugs that left 1,000+ orgs open to ransomware • The Register

• Google Chrome Zero-day Vulnerability Discovered By Avast (informationsecuritybuzz.com)

• LibreOffice fixed 3 flaws, including a code execution issue - Security Affairs

• Critical security vulnerability in Grails could lead to remote code execution | The Daily Swig (portswigger.net)

• Drupal developers fixed a code execution flaw in the popular CMS - Security Affairs

• LibreOffice Releases Software Update to Patch 3 New Vulnerabilities (thehackernews.com)

• Hackers Exploit PrestaShop Zero-Day to Steal Payment Data from Online Stores (thehackernews.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

Reports Published in the Last Week

• Hiscox Cyber Readiness Report 2022

• ENISA Threat Landscape for Ransomware Attacks — ENISA (europa.eu)

Other News

• A Retrospective on the 2015 Ashley Madison Breach – Krebs on Security

• The Great BizApp Hack: Cyber-Risks in Your Everyday Business Applications (darkreading.com)

• Threat Actors Pivot Around Microsoft’s Macro-Blocking in Office | Threatpost

• Strong Authentication - Robust Identity and Access Management Is a Strategic Choice - Security Affairs

• You Pay More When Companies Get Hacked | WIRED

• Microsoft again reverses course, will block macros by default (scmagazine.com)

• Is Your Home or Small Business Built on Secure Foundations? Think Again… (darkreading.com)

• Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits - Microsoft Security Blog

• Infosec pros want more industry cooperation and support for open standards - Help Net Security

• We pass cyber attack costs onto customers, businesses admit • The Register

• How to Combat the Biggest Security Risks Posed by Machine Identities (thehackernews.com)

• Discord, Telegram Services Hijacked to Launch Array of Cyber Attacks (darkreading.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Insurer Refuses to Pay Out After Victim Misrepresented Their Cyber Controls

In what may be one of the first court filings of its kind, insurer Travelers is asking a district court for a ruling to rescind a policy because the insured allegedly misrepresented its use of multifactor authentication (MFA) – a condition to get cyber coverage.

According to a July filing, Travelers said it would not have issued a cyber insurance policy in April to electronics manufacturing services company International Control Services (ICS) if the insurer knew the company was not using MFA as it said. Additionally, Travelers wants no part of any losses, costs, or claims from ICS – including from a May ransomware attack ICS suffered.

Travelers alleged ICS submitted a cyber policy application signed by its CEO and “a person responsible for the applicant’s network and information security” that the company used MFA for administrative or privileged access. However, following the May ransomware event, Travelers first learned during an investigation that the insured was not using the security control to protect its server and “only used MFA to protect its firewall, and did not use MFA to protect any other digital assets.”

Therefore, statements ICS made in the application were “misrepresentations, omissions, concealment of facts, and incorrect statements” – all of which “materially affected the acceptance of the risk and/or the hazard assumed by Travelers,” the insurer alleged in the filing.

ICS also was the victim of a ransomware attack in December 2020 when hackers gained access using the username and password of an ICS administrator, Travelers said. ICS told the insurer of the attack during the application process and said it improved the company’s cyber security.

Travelers said it wants the court to declare the insurance contract null and void, rescind the policy, and declare it has no duty to indemnify or defend ICS for any claim.

https://www.insurancejournal.com/news/national/2022/07/12/675516.htm#

• 5 Cyber Security Questions CFOs Should Ask CISOs

Armed with the answers, chief financial officers can play an essential role in reducing cyber risk.

Even in a shrinking economy, organisations are likely to maintain their level of cyber security spend. But that doesn’t mean in the current economic climate of burgeoning costs and a possible recession they won’t take a magnifying glass to how they are spending the money budgeted to defend systems and data. Indeed, at many companies, cyber security spending isn’t targeting the most significant dangers, according to experts — as evidenced by the large number of successful ransomware attacks and data breaches.

Without a comprehensive understanding of the security landscape and what the organisation needs to do to protect itself, how can CFOs make the right decisions when it comes to investments in cyber security technology and other resources? They can’t.

So, CFOs need to ensure they have a timely grasp of the security issues their organisation faces. That requires turning to the most knowledgeable people in the organisation: chief information security officers (CISOs) and other security leaders on the IT front lines.

Here are five questions CFOs should be asking their CISOs about the security of their companies.

1. How secure are we as an organisation?

2. What are the main security threats or risks in our industry?

3. How do we ensure that the cyber security team and the CISO are involved in business development?

4. What are the risks and potential costs of not implementing a cyber control?

5. Do employees understand information security and are they implementing security protocols successfully?

https://www.cfo.com/technology/cyber-security-technology/2022/07/cybersecurity-spending-protocols-ciso-security-threats-business-development-cyber-control/

• The Biggest Cyber Attacks in 2022 So Far — and it’s Just the Tip of the Iceberg

For those in the cyber resilience realm, it’s no surprise that there’s a continued uptick in cyber attacks. Hackers are hacking, thieves are thieving and ransomers are — you guessed it — ransoming. In other words, cyber crime is absolutely a growth industry.

As we cross into the second half of this year, let’s look at some of the most significant attacks so far:

• Blockchain schmockchain. Cryptocurrency exchange Crypto.com’s two-factor-identification (2FA) system was compromised as thieves made off with approximately $30 million.

• Still the one they run to. Microsoft’s ubiquity makes it a constant target. Earlier this year, the hacking collective Lapsus$ compromised Cortana and Bing, among other Microsoft products, posting source code online.

• Not necessarily the news. News Corp. journalist emails and documents were accessed at properties including the Wall Street Journal, Dow Jones and the New York Post in a hack tied to China.

• Uncharitable ways. The Red Cross was the target of an attack earlier this year, with more than half a million “highly vulnerable” records of Red Cross assistance recipients compromised.

• Victim of success. North Korea’s Lazarus Group made off with $600 million in cryptocurrencies after blockchain gaming platform Ronin relaxed some of its security protocols so its servers could better handle its growing popularity.

• We can hear you now. State-sponsored hackers in China have breached global telecom powerhouses worldwide this year, according to the U.S. Cybersecurity & Infrastructure Security Agency.

• Politics, the art of the possible. Christian crowdfunding site GiveSendGo was breached twice this year as hacktivists exposed the records of donors to Canada’s Freedom Convoy.

• Disgruntled revenge. Businesspeople everywhere were reminded of the risks associated with departing personnel when fintech powerhouse Block announced that a former employee accessed sensitive customer information, impacting eight million customers.

• Unhealthy habits. Two million sensitive customer records were exposed when hackers breached Shields Health Care’s network.

• They even stole the rewards points. General Motors revealed that hackers used a credentials stuffing attack to access personal information on an undisclosed number of car owners. They even stole gift-card-redeemable customer reward points.

For every breach or attack that generates headlines, millions of others that we never hear about put businesses at risk regularly. The Anti-Phishing Working Group just released data for the first quarter of this year, and the trend isn’t good. Recorded phishing attacks are at an all-time high (more than a million in just the first quarter) and were accelerating as the quarter closed, with March 2022 setting a new record for single-month attacks.

https://www.msspalert.com/cybersecurity-guests/the-biggest-cyberattacks-in-2022-so-far-and-its-just-the-tip-of-the-iceberg/

• Malware-as-a-Service Creating New Cyber Crime Ecosystem

This week HP released their report The Evolution of Cybercrime: Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back, exploring how cyber-criminals are increasingly operating in a quasi-professional manner, with malware and ransomware attacks being offered on a ‘software-as-a-service’ basis.

The report’s findings showed how cyber crime is being supercharged through “plug and play” malware kits that are easier than ever to launch attacks. Additionally, cyber syndicates are now collaborating with amateur attackers to target businesses, putting the online world and its users at risk.

The report’s methodology saw HP’s Wolf Security threat team work in tandem with dark-web investigation firm Forensic Pathways to scrape and analyse over 35 million cyber criminal marketplaces and forum posts between February and March 2022, with the investigation helping to gain a deeper understanding of how cyber criminals operate, gain trust, and build reputation. Its key findings include:

Malware is cheap and readily available: Over three-quarters (76%) of malware advertisements listed, and 91% of exploits (i.e. code that gives attackers control over systems by taking advantage of software bugs), retail for under $10.

Trust and reputation are ironically essential parts of cyber-criminal commerce: Over three-quarters (77%) of cyber criminal marketplaces analysed require a vendor bond – a license to sell – which can cost up to $3000.  Of these, 92% have a third-party dispute resolution service.

Popular software is giving cyber criminals a foot in the door: Kits that exploit vulnerabilities in niche systems command the highest prices (typically ranging from $1,000-$4,000), while zero day vulnerabilities are retailing at 10s of thousands of pounds on dark web markets.

https://www.infosecurity-magazine.com/news/malware-service-cybercrime/

• The Rise and Continuing Popularity of LinkedIn-Themed Phishing

Phishing emails impersonating LinkedIn continue to make the bulk of all brand phishing attempts. According to Check Point, 45% of all email phishing attempts in Q2 2022 imitated the style of communication of the professional social media platform, with the goal of directing targets to a spoofed LinkedIn login page and collecting their account credentials.

The phishers are generally trying to pique the targets’ interest with fake messages claiming that they “have appeared in X searches this week”, that a new message is waiting for them, or that another user would like to do business with them, and are obviously taking advantage of the fact that a record number of individuals are switching or are considering quitting their job and are looking for a new one.

To compare: In Q4 2021, LinkedIn-themed phishing attempts were just 8 percent of the total brand phishing attacks flagged by Check Point. Also, according to Vade Secure, in 2021 the number of LinkedIn-themed phishing pages linked from unique phishing emails was considerably lower than those impersonating other social networks (Facebook, WhatsApp).

Other brands that phishers loved to impersonate during Q2 2022 are (unsurprisingly) Microsoft (13%), DHL (12%) and Amazon (9%).

https://www.helpnetsecurity.com/2022/07/21/linkedin-phishing/

• Microsoft Teams Default Settings Leave Organisations Open to Cyber Attacks

Relying on default settings on Microsoft Teams leaves organisations and users open to threats from external domains, and misconfigurations can prove perilous to high-value targets.

Microsoft Teams has over 270 million active monthly users, with government institutions using the software in the US, UK, Netherlands, Germany, Lithuania, and other countries at varying levels.

Cyber security researchers have discovered that relying on default MS Teams settings can leave firms and high-value users vulnerable to social engineering attacks. Attackers could create group chats, masquerade as seniors within the target organisation and observe whether users are online.

Attackers could, rather convincingly, impersonate high-ranking officials and possibly strike up conversations, fooling victims into believing they’re discussing sensitive topics with a superior. Skilled attackers could do a lot of harm with this capability.

https://cybernews.com/security/microsoft-teams-settings-leave-govt-officials-open-to-cyberattacks/

• Top 10 Cyber Security Attacks of Last Decade Show What is to Come

Past is prologue, wrote William Shakespeare in his play “The Tempest,” meaning that the present can often be determined by what has come before. So it is with cyber security, serving as the basis of which is Trustwave’s “Decade Retrospective: The State of Vulnerabilities” over the last 10 years.

Threat actors frequently revisit well-known and previously patched vulnerabilities to take advantage of continuing poor cyber security hygiene. “If one does not know what has recently taken place it leaves you vulnerable to another attack,” Trustwave said in its report that identifies and examines the “watershed moments” that shaped cyber security between 2011 and 2021.

With a backdrop of the number of security incidents and vulnerabilities increasing in volume and sophistication, here are Trustwave’s top 10 network vulnerabilities in no particular order that defined the decade and “won’t be forgotten.”

• SolarWinds hack and FireEye breach, Detected: December 8, 2020 (FireEye)

• EternalBlue Exploit, Detected: April 14, 2017

• Heartbleed, Detected: March 21, 2014

• Shellshock, Remote Code Execution in BASH, Detected: September 12, 2014

• Apache Struts Remote Command Injection & Equifax Breach, Detected: March 6, 2017

• Chipocalypse, Speculative Execution Vulnerabilities Meltdown & Spectre

• BlueKeep, Remote Desktop as an Access Vector, Detected: January, 2018

• Drupalgeddon Series, CMS Vulnerabilities, Detected: January, 2018

• Microsoft Windows OLE Vulnerability, Sandworm Exploit, Detected: September 3, 2014

• Ripple20 Vulnerabilities, Growing IoT landscape, Detected: June 16, 2020

https://www.msspalert.com/cybersecurity-news/top-10-cybersecurity-attacks-of-last-decade-show-what-is-to-come-report/

• Software Supply Chain Concerns Reach C-Suite

Major supply chain attacks have had a significant impact on software security awareness and decision-making, with more investment planned for monitoring attack surfaces.

Organisations are waking up to the need to establish better software supply chain risk management policies and are taking action to address the escalating threats and vulnerabilities targeting this expanding attack surface.

These were among the findings of a CyberRisk Alliance-conducted survey of 300 respondents from both software-buying and software-producing companies.

Most survey respondents (52%) said they are "very" or "extremely" concerned about software supply chain risks, and 84% of respondents said their organisation is likely to allocate at least 5% of their AppSec budgets to manage software supply chain risk.

Software buyers are planning to invest in procurement program metrics and reporting, application pen-testing, and software build of materials (SBOM) design and implementation, according to the findings.

Meanwhile, software developers said they plan to invest in secure code review as well as SBOM design and implementation.

https://www.darkreading.com/application-security/software-supply-chain-concerns-reach-c-suite

• EU Warns of Russian Cyber Attack Spillover, Escalation Risks

The Council of the European Union (EU) said that Russian hackers and hacker groups increasingly attacking "essential" organisations worldwide could lead to spillover risks and potential escalation.

"This increase in malicious cyber activities, in the context of the war against Ukraine, creates unacceptable risks of spillover effects, misinterpretation and possible escalation," the High Representative on behalf of the EU said.

"The latest distributed denial-of-service (DDoS) attacks against several EU Member States and partners claimed by pro-Russian hacker groups are yet another example of the heightened and tense cyber threat landscape that EU and its Member States have observed."

In this context, the EU reminded Russia that all United Nations member states must adhere to the UN's Framework of responsible state behaviour in cyberspace to ensure international security and peace.

The EU urged all states to take any actions required to stop malicious cyber activities conducted from their territory.

The EU's statement follows a February joint warning from CISA and the FBI that wiper malware attacks targeting Ukraine could spill over to targets from other countries.

Google's Threat Analysis Group (TAG) said in late March that it observed phishing attacks orchestrated by the Russian COLDRIVER hacking group against NATO and European military entities.

In May, the US, UK, and EU accused Russia of coordinating a massive cyber attack that hit the KA-SAT consumer-oriented satellite broadband service in Ukraine on February 24 with AcidRain data destroying malware, approximately one hour before Russia invaded Ukraine.

A Microsoft report from June also confirms the EU's observation of an increase in Russian malicious cyber activities. The company's president said that threat groups linked to Russian intelligence agencies (including the GRU, SVR, and FSB) stepped up cyber attacks against government entities in countries allied with Ukraine after Russia's invasion.

In related news, in July 2021, President Joe Biden warned that cyber attacks leading to severe security breaches could lead to a "real shooting war," a statement issued a month after NATO said that cyber attacks could be compared to "armed attacks" in some circumstances.

https://www.bleepingcomputer.com/news/security/eu-warns-of-russian-cyberattack-spillover-escalation-risks/

• Critical Flaws in GPS Tracker Enable “Disastrous” and “Life-Threatening” Hacks

A security firm and the US government are advising the public to immediately stop using a popular GPS tracking device or to at least minimise exposure to it, citing a host of vulnerabilities that make it possible for hackers to remotely disable cars while they’re moving, track location histories, disarm alarms, and cut off fuel.

An assessment from security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that sells for about $20 and is widely available. The researchers who performed the assessment believe the same critical vulnerabilities are present in other Micodus tracker models. The China-based manufacturer says 1.5 million of its tracking devices are deployed across 420,000 customers. BitSight found the device in use in 169 countries, with customers including governments, militaries, law enforcement agencies, and aerospace, shipping, and manufacturing companies.

BitSight discovered what it said were six “severe” vulnerabilities in the device that allow for a host of possible attacks. One flaw is the use of unencrypted HTTP communications that makes it possible for remote hackers to conduct adversary-in-the-middle attacks that intercept or change requests sent between the mobile application and supporting servers. Other vulnerabilities include a flawed authentication mechanism in the mobile app that can allow attackers to access the hardcoded key for locking down the trackers and the ability to use a custom IP address that makes it possible for hackers to monitor and control all communications to and from the device.

https://arstechnica.com/information-technology/2022/07/critical-flaws-in-gps-tracker-enable-disastrous-and-life-threatening-hacks/

• Russian Hackers Behind Solarwinds Breach Continue to Scour US And European Organisations for Intel, Researchers Say

The Russian hackers behind a sweeping 2020 breach of US government networks have in recent months continued to hack US organisations to collect intelligence while also targeting an unnamed European government that is a NATO member.

The new findings show how relentless the hacking group — which US officials have linked with Russia's foreign intelligence service — is in its pursuit of intelligence held by the US and its allies, and how adept the hackers are at targeting widely used cloud-computing technologies.

The hacking efforts come as Russia's invasion of Ukraine continues to fray US-Russia relations and drive intelligence collection efforts from both governments.

In recent months, the hacking group has compromised the networks of US-based organisations that have data of interest to the Russian government.

In separate activity revealed Tuesday, US cyber security firm Palo Alto Networks said that the Russian hacking group had been using popular services like Dropbox and Google Drive to try to deliver malicious software to the embassies of an unnamed European government in Portugal and Brazil in May and June.

https://edition.cnn.com/2022/07/19/politics/russia-solarwinds-hackers/index.html

• The Next Big Security Threat Is Staring Us in The Face. Tackling It Is Going to Be Tough

If the ongoing fight against ransomware wasn't keeping security teams busy, along with the challenges of securing the ever-expanding galaxy of Internet of Things devices, or cloud computing, then there's a new challenge on the horizon – protecting against the coming wave of digital imposters or deepfakes.

A deepfake video uses artificial intelligence and deep-learning techniques to produce fake images of people or events.

One recent example is when the mayor of Berlin thought he was having an online meeting with former boxing champion and current mayor of Kyiv, Vitali Klitschko. But the mayor of Berlin grew suspicious when 'Klitschko' started saying some very out of character things relating to the invasion of Ukraine, and when the call was interrupted the mayor's office contacted the Ukrainian ambassador to Berlin – to discover that, whoever they were talking to, it wasn't the real Klitschko.

It's a sign that deepfakes are getting more advanced and quickly. Previous instances of deepfake videos that have gone viral often have tell-tale signs that something isn't real, such as unconvincing edits or odd movements, but the developments in deepfake technology mean it isn't difficult to imagine it being exploited by cyber criminals, particularly when it comes to stealing money.

While ransomware might generate more headlines, business email compromise (BEC) is the costliest form of cyber crime today. The FBI estimates that it costs businesses billions of dollars every year. The most common form of BEC attack involves cyber criminals exploiting emails, hacking into accounts belonging to bosses – or cleverly spoofing their email accounts – and asking staff to authorise large financial transactions, which can often amount to hundreds of thousands of dollars.

The emails claim that the money needs to be sent urgently, maybe as part of a secret business deal that can't be disclosed to anyone. It's a classic social-engineering trick designed to force the victim into transferring money quickly and without asking for confirmation from anyone else who could reveal it's a fake request. By the time anyone might be suspicious, the cyber criminals have taken the money, likely closed the bank account they used for the transfer – and run.

BEC attacks are successful, but many people might remain suspicious of an email from their boss that comes out the blue and they could avoid falling victim by speaking to someone to confirm that it's not real. But if cyber criminals could use a deepfake to make the request, it could be much more difficult for victims to deny the request, because they believe they're actually speaking to their boss on camera.

Many companies publicly list their board of directors and senior management on their website. Often, these high-level business executives will have spoken at events or in the media, so it's possible to find footage of them speaking. By using AI-powered deep-learning techniques, cyber criminals could exploit this public information to create a deepfake of a senior-level executive, exploit email vulnerabilities to request a video call with an employee, and then ask them to make the transaction. If the victim believes they're speaking to their CEO or boss, they're unlikely to deny the request.

https://www.zdnet.com/article/the-next-big-security-threat-is-staring-us-in-the-face-tackling-it-is-going-to-be-tough/

Threats

Ransomware

• Post-Breakup, Conti Ransomware Members Remain Dangerous (darkreading.com)

• The Kronos Ransomware Attack: What You Need to Know So Your Business Isn't Next (darkreading.com)

• New Luna ransomware encrypts Windows, Linux, and ESXi systems (bleepingcomputer.com)

• Digital security giant Entrust breached by ransomware gang (bleepingcomputer.com)

• Protecting Against Kubernetes-Borne Ransomware (darkreading.com)

• Knauf cyber attack: Black Basta ransomware gang claims responsibility (techmonitor.ai)

• New Redeemer ransomware version promoted on hacker forums (bleepingcomputer.com)

• Kaspersky report on Luna and Black Basta ransomware | Securelist

• Snowballing Ransomware Variants Highlight Growing Threat to VMware ESXi Environments (darkreading.com)

• New Cross-Platform 'Luna' Ransomware Only Offered to Russian Affiliates | SecurityWeek.Com

• Conti’s Reign of Chaos: Costa Rica in the Crosshairs | Threatpost

• Researchers uncover potential ransomware network with U.S. connections - CyberScoop

• How Conti ransomware hacked and encrypted the Costa Rican government (bleepingcomputer.com)

• A small Canadian town is being extorted by a global ransomware gang - The Verge

BEC – Business Email Compromise

• The biggest cyber-crime threat is also the one that nobody wants to talk about | ZDNet

Phishing & Email Based Attacks

• Phishing Bonanza: Social-Engineering Savvy Skyrockets as Malicious Actors Cash In (darkreading.com)

• Outlook users report suspicious activity from Microsoft IPs • The Register

• PayPal Used to Send Malicious “Double Spear” Invoices - Infosecurity Magazine

• LinkedIn remains the most impersonated brand in phishing attacks (bleepingcomputer.com)

• Google Calendar provides new way to block invitation phishing (bleepingcomputer.com)

Other Social Engineering

• Ongoing 'Roaming Mantis' Smishing Campaign Hits Over 70,000 Users in France | SecurityWeek.Com

Malware

• Hacking group '8220' grows cloud botnet to more than 30,000 hosts (bleepingcomputer.com)

• Buy ‘plug-n-play’ malware for the price of a pint of beer (computerweekly.com)

• The Market Is Teeming: Bargains on Dark Web Give Novice Cyber Criminals a Quick Start (darkreading.com)

• New ‘Lightning Framework’ Linux malware installs rootkits, backdoors (bleepingcomputer.com)

Mobile

• Google pulls malware-infected apps, 3 million users at risk • The Register

• Several New Play Store Apps Spotted Distributing Joker, Facestealer and Coper Malware (thehackernews.com)

• Roaming Mantis hits Android and iOS users in malware, phishing attacks (bleepingcomputer.com)

BYOD

• The New Weak Link in SaaS Security: Devices (thehackernews.com)

Data Breaches/Leaks

• Neopets data breach exposes personal data of 69 million members (bleepingcomputer.com)

• Verified Twitter Vulnerability Exposes Data from 5.4 Million Accounts | RestorePrivacy

• Mixed Messages as Neopets Scrambles to Respond to Mega Breach - Infosecurity Magazine

Organised Crime & Criminal Actors

• Cyber crime escalates as barriers to entry crumble | CSO Online

• Understanding the Evolution of Cyber Crime to Predict its Future | SecurityWeek.Com

• The growth in targeted, sophisticated cyber attacks troubles top FBI cyber official - CyberScoop

• 'AIG' Threat Group Launches with Unique Business Model (darkreading.com)

• US DOJ report warns of escalating cyber crime, 'blended' threats (techtarget.com)

• Chaotic LAPSUS$ Group Goes Quiet, but Threat Likely Persists (darkreading.com)

• Last member of Gozi malware troika arrives in US for criminal trial – Naked Security (sophos.com)

• Romanian hacker faces US trial over virus-for-hire service - The Verge

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• This Cloud Botnet Has Hijacked 30,000 Systems to Mine Cryptocurrencies (thehackernews.com)

• Hackers Use Evilnum Malware to Target Cryptocurrency and Commodities Platforms (thehackernews.com)

• Singapore distances itself from local crypto companies • The Register

• FBI Warns Fake Crypto Apps are Bilking Investors of Millions | Threatpost

• Ex-Coinbase manager charged in crypto insider trading case • The Register

• FBI Warns of Fake Cryptocurrency Apps Stealing Millions from Investors (thehackernews.com)

• My Big Coin founder guilty of $6m crypto-fraud • The Register

Insider Risk and Insider Threats

• Three Charged in First Crypto Insider-Trading Case- IT Security Guru

Fraud, Scams & Financial Crime

• How to identify and combat online fraud - Help Net Security

AML/CFT/Sanctions

• UK Regulator Issues Record Fines as Financial Crime Surges - Infosecurity Magazine

• Broker Fined £2m for Financial Crime Control Failings - Infosecurity Magazine

Insurance

• Graff paid a $7.5M ransom and sued its insurance firm for refusing to cover this payment - Security Affairs

• 82% of global insurers expect the rise in cyber insurance premiums to continue - Help Net Security

• Will Your Cyber Insurance Premiums Protect You in Times of War? (darkreading.com)

Dark Web

• Stolen Credentials Selling on the Dark Web for Price of a Gallon of Gas – Security Review Magazine

• The Market Is Teeming: Bargains on Dark Web Give Novice Cyber criminals a Quick Start (darkreading.com)

Supply Chain and Third Parties

• Supply chain security breaches jumped in 2021 | CSO Online

Software Supply Chain

• Improving Software Supply Chain Cyber Security (trendmicro.com)

• Why SBOMs aren't the silver bullet they're portrayed as - Help Net Security

• Breaking down CIS's new software supply chain security guidance | CSO Online

Cloud/SaaS

• 60% of IT leaders are not confident about their secure cloud access - Help Net Security

• Public Cloud Customers Admit Security Challenges - Infosecurity Magazine

• The New Weak Link in SaaS Security: Devices (thehackernews.com)

Identity and Access Management

• Authentication weakness responsible for 80% of financial breaches (scmagazine.com)

Encryption

• British recycle old arguments for bypassing E2E encryption • The Register

Open Source

• Open source security needs automation as usage climbs amongst organisations | ZDNet

• New ‘Lightning Framework’ Linux malware installs rootkits, backdoors (bleepingcomputer.com)

• The US military wants to understand the most important software on earth | MIT Technology Review

Passwords, Credential Stuffing & Brute Force Attacks

• The importance of secure passwords can't be emphasized enough - Help Net Security

• 3rd Party Services Are Falling Short on Password Security (bleepingcomputer.com)

• Okta Exposes Passwords in Clear Text for Possible Theft (darkreading.com)

• Enforcing Password History in Your Windows AD to Curb Password Reuse (bleepingcomputer.com)

Social Media

• LinkedIn remains the most impersonated brand in phishing attacks (bleepingcomputer.com)

• Hacker selling Twitter account data of 5.4 million users for $30k (bleepingcomputer.com)

• TikTok Engaging in Excessive Data Collection - Infosecurity Magazine

Privacy

• New Deanonymization Attack Works on Major Browsers, Websites | SecurityWeek.Com

Parental Controls and Child Safety

• UK cyber security chiefs back plan to scan phones for child abuse images | GCHQ | The Guardian

Regulations, Fines and Legislation

• UK Regulator Issues Record Fines as Financial Crime Surges - Infosecurity Magazine

• Legal Experts Concerned Over New UK Digital Reform Bill - Infosecurity Magazine

• Understanding Proposed SEC Rules Through an ESG Lens (darkreading.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• What NATO's virtual rapid response cyber capability means for the fight against cyber warfare - Help Net Security

• EU warns of risks of spillover effects associated with ongoing war - Security Affairs

• Continued cyber activity in Eastern Europe observed by Google’s Threat Analysis Group (TAG) (blog.google)

• US Cyber Command IDs new malware strains targeting Ukraine • The Register

• Russian hackers use fake DDoS app to infect pro-Ukrainian activists (bleepingcomputer.com)

• Experts Uncover New CloudMensis Spyware Targeting Apple macOS Users (thehackernews.com)

• Hackers attempt to infiltrate Ukrainian tech company with backdoor malware, Talos says - CyberScoop

• Will Your Cyber-Insurance Premiums Protect You in Times of War? (darkreading.com)

• Hackers Target Ukrainian Software Company Using GoMet Backdoor (thehackernews.com)

• Copycat DoS App Created by Russian Hackers to Target Ukraine - IT Security Guru

• Inside Ukraine’s Decentralized Cyber Army (vice.com)

• Albanian government websites go dark after cyber attack • The Register

• China Accuses Indian APT Group of Cyber Warfare Against Pakistan; 2nd Major Accusation After 'Evil Flower' (eurasiantimes.com)

• Mysterious, Cloud-Enabled macOS Spyware Blows Onto the Scene (darkreading.com)

• Belgium claims China-linked APT groups hit its ministries - Security Affairs

• Hacked Ukrainian Radio Stations Broadcast Fake News About President Zelensky’s Health - Infosecurity Magazine

Nation State Actors

Nation State Actors – Russia

• Google, EU Warn of Malicious Russian Cyber Activity | SecurityWeek.Com

• Russian cyber spies targeting NATO countries in new hacking campaign | Science & Tech News | Sky News

• Google warns Kremlin-backed goons pose as pro-Ukraine app • The Register

• Russia Released a Ukrainian App for Hacking Russia That Was Actually Malware (vice.com)

• Cloaked Ursa (APT29) Hackers Use Trusted Online Storage Services (paloaltonetworks.com)

• Russian SVR hackers use Google Drive, Dropbox to evade detection (bleepingcomputer.com)

• Russia, Iran discuss broad tech collaboration • The Register

• Half of Russian spies in Europe expelled since Ukraine invasion, says MI6 chief | MI6 | The Guardian

Nation State Actors – China

• Belgium says Chinese APT gangs attacked its government • The Register

• A massive cyber attack hit Albania - Security Affairs

• Government blocks Chinese tech deal on national security grounds | Business News | Sky News

Nation State Actors – North Korea

• US seizes stolen funds from suspected North Korean hackers - BBC News

Nation State Actors – Iran

• Russia, Iran discuss broad tech collaboration • The Register

Nation State Actors – Misc APT

• Unit 42 Threat Group Naming Update (paloaltonetworks.com)

Vulnerability Management

• Mind the Gap – How to Ensure Your Vulnerability Detection Methods are up to Scratch (thehackernews.com)

• Zero-day attacks climb as hackers get more sophisticated (securitybrief.com.au)

Vulnerabilities

• Chrome 103 Update Patches High-Severity Vulnerabilities | SecurityWeek.Com

• Critical Bugs Threaten to Crack Atlassian Confluence Workspaces Wide Open (darkreading.com)

• WordPress Page Builder Plug-in Under Attack, Can't Be Patched (darkreading.com)

• Apple Releases Security Patches for all Devices Fixing Dozens of New Vulnerabilities (thehackernews.com)

• SonicWall: Patch critical SQL injection bug immediately (bleepingcomputer.com)

• Cisco fixes bug that lets attackers execute commands as root (bleepingcomputer.com)

• Atlassian reveals critical flaws across its product line • The Register

• Netwrix Auditor Vulnerability Can Facilitate Attacks on Enterprises | SecurityWeek.Com

• Azure's Security Vulnerabilities Are Out of Control - Last Week in AWS Blog

• Oracle Releases 349 New Security Patches With July 2022 CPU | SecurityWeek.Com

• 0-day used to infect Chrome users could pose threat to Edge and Safari users, too | Ars Technica

• Juniper Networks Patches Over 200 Third-Party Component Vulnerabilities | SecurityWeek.Com

• Experts Notice Sudden Surge in Exploitation of WordPress Page Builder Plugin Vulnerability (thehackernews.com)

• Google Chrome Zero-Day Weaponized to Spy on Journalists (darkreading.com)

• Apple Ships Urgent Security Patches for macOS, iOS | SecurityWeek.Com

• Cisco Releases Patches for Critical Flaws Impacting Nexus Dashboard for Data Centers (thehackernews.com)

• Juniper Releases Patches for Critical Flaws in Junos OS and Contrail Networking (thehackernews.com)

• Code Execution and Other Vulnerabilities Patched in Drupal | SecurityWeek.Com

• Atlassian Rolls Out Security Patch for Critical Confluence Vulnerability (thehackernews.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

Reports Published in the Last Week

• The Evolution of Cyber Crime:  Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back - HP

• Decade Retrospective: The State of Vulnerabilities | Trustwave

Other News

• Hackers for Hire: Adversaries Employ 'Cyber Mercenaries' | Threatpost

• Companies around the globe still not implementing MFA - Help Net Security

• Global Firms Fear the Worst Over Risk Management Failures - Infosecurity Magazine

• Humans are becoming the primary security risk for organisations around the world - Help Net Security

• What threats and challenges are CISOs and CROs most focused on? - Help Net Security

• What InfoSec Pros Can Teach the Organisation About ESG (darkreading.com)

• SATAn Turns Hard Drive Cable Into Antenna To Defeat Air-Gapped Security | Hackaday

• Cyber security hiring remains red-hot—the industry to surpass $400 billion market size by 2027 | Fortune

• Lack of staff and resources drives smaller teams to outsource security - Help Net Security

• Office macro security: on-again-off-again feature now BACK ON AGAIN! – Naked Security (sophos.com)

• New Study Finds Most Enterprise Vendors Failing to Mitigate Speculative Execution Attacks (thehackernews.com)

• Analysing Penetration-Testing Tools That Threat Actors Use to Breach Systems and Steal Data (trendmicro.com)

• Removing the blind spots that allow lateral movement - Help Net Security

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive Summary

Ransomware attacks are becoming more prevalent and the costs for insurers are increasing. Traditionally, ransomware groups have encrypted an organisation’s data and demanded a ransom for the decryption key. However, in the last year, there has been a growing shift by the ransomware community towards exfiltration and then a threat to release the stolen data to extort money from their victims.. These factors have increased the financial pressure that cyber insurance companies are currently experiencing, which in turn has caused them to reconsider their obligations for settling claims. There are currently two significant court cases relating to ransomware insurance claims involving the Travelers insurance company.

The first case relates to Graff, a UK-based jeweller who paid a ransom of $7.5M to prevent the Russian-based ransomware gang Conti from releasing 69,000 confidential documents it had stolen. Graff published the following public statement regarding the dispute with their insurer: “We are extremely frustrated and disappointed by Travelers’ attempt to avoid settlement of this insured risk. They have left us with no option but to bring these recovery proceedings at the High Court.”

The second involves a filing with the US District court requesting  a declaration that Travellers insurance contract with International Control Services (ICS) is invalid due to misrepresentation of Multi-Factor Authentication (MFA) controls on the company’s  application for its cyber insurance policy. The application stated that MFA was used for administrative or privileged access. Subsequently, ICS were victim to a ransomware attack that resulted in a claim against their cyber insurance policy. As the insurer, Travelers conducted an investigation which revealed that ICS “only used MFA to protect its firewall, and did not use MFA to protect any other digital assets.”

What’s the risk to me or my business?

With the evolving threat of ransomware being ever prominent, it is critical that an organisation considers appropriate cyber controls across people, operations and technology to manage and effectively reduce its risk. Organisations often rely on cyber insurance to provide cover when these controls  fail, however insurers are now demanding more evidence of robust cyber controls as they begin to better manage their own exposure to the increasing risks.

What can I do?

Ensure that leadership have an understanding of key cyber controls and what is covered within a cyber insurance policy. When considering ransomware payments, it should be clear what the policy will cover. Any declaration of cyber security controls should be informed by an appropriate cyber security expert with knowledge of what controls the organisation has in place, to ensure that the facts are correctly represented and are less likely to be used in a misrepresentation defence.

Further information on the above cases can be found here:

• Diamonds.net - Graff Paid $7.5M to Cyber Hackers: Lawsuit

• Travelers vs. ICS: What You Need to Know About Misrepresentation and Your Cyber Insurance (itsasap.com)

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

Microsoft has released information on a new phishing campaign involving “adversary-in-the-middle” AiTM techniques, which has affected more than 10,000 organisations since September 2021. What is unique about this particular attack method is that it has the potential to bypass Multi-Factor Authentication (MFA). It is important to note that this attack does not make use of a vulnerability within MFA, and that MFA is still a key control in preventing credential compromise.

What’s the risk to me or my business?

As more organisations implement security controls such as MFA, malicious actors will be looking into possibilities of targeting these controls. This particular attack technique involves a proxy server being deployed in between the recipient and a valid targeted website. In short, a targeted user would receive a phishing email, the link to the phishing email would resolve in a valid website, with the traffic being re-directed through the server of a malicious actor. This allows the malicious actor to steal “authenticated session cookies”, after the user has logged into the valid website. The malicious actor can then use the authenticated session cookies to access the valid website with the targeted users credentials, which can then lead to further attacks such as Business Email Compromise as shown in the diagram below.

Figure 1: Overview of AiTM phishing campaign and follow-on BEC (Microsoft 365 Defender Research Team, 2022)

What can I do?

Microsoft recommends implementing conditional access policies, which can limit user access in different scenarios, such as only allowing access to trusted locations, compliant devices or trusted IP addresses. This would prevent a stolen session cookie from granting access to an account outside of these conditions. Anti-Phishing solutions can also be used to block phishing emails from arriving in end-users inboxes, however it is worth noting that these solutions may not be able to block every threat. Where possible, security monitoring should be in place to detect suspicious sign-in attempts, and unusual mailbox activities including external forwarding, rule creation and access from untrusted IP addresses or devices.

It is also critically important that technical controls such as MFA are supplemented with end-user training, including Phishing simulations as it is the primary ingress point for this type of attack.

Technical Summary

Microsoft has published a full breakdown of sample attacks that they have monitored. So far they have followed the following process:

1.       An attacker sends emails containing an HTML file attachment, stating that a voicemail has been received on their Microsoft account. This email follows the same template which is received when a user receives a voicemail via Microsoft Teams.

2.       The user clicks on the HTML attachment, which takes them to a website displaying the mp3 file being downloaded. No actual download takes place, but a progress bar is updated.

3.       The user is then re-directed to a gatekeeper, which confirms that the user has clicked on the html attachment.

4.       The user arrives at a proxied version of the Microsoft Azure Active Directory login page. It is important to note that if an organisation has customised this landing page with their corporate logo then this will also be displayed, making the website seem even more legitimate.

5.       The user enters their credentials which are then authenticated by Microsoft. If MFA is enabled, the user would be prompted for MFA at this stage.

6.       The user is re-directed to the official Microsoft 365 website, while the authenticated session cookies are captured by the attacker, also allowing them into the official Microsoft 365 website.

7.       Microsoft’s research has then shown that the stolen session is used for Business Email Compromise (BEC) attacks, targeting finance related emails within the targeted users inbox to request fraud payments. At this stage however a malicious attacker also has potential to access any 365 service which the targeted user has access to.

Appropriate conditional access controls could prevent an attacker at step 6 from using the stolen cookies to access the targeted users Microsoft 365 account.

A full breakdown of this particular phishing campaign is available here: From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud - Microsoft Security Blog

Need help understanding your gaps, or just want some advice? Get in touch with us.

References

Microsoft 365 Defender Research Team. (2022, 07 19). From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud. Retrieved from Microsoft 365 Defender Research Team Security Blog: https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/

Executive Summary

Netwrix Auditor is an application that allows an organisation to monitor their IT infrastructure. A newly discovered vulnerability could allow malicious actors to execute arbitrary code on affected servers which are running the application. This vulnerability can also allow for privilege escalation on the server as the malicious code can be executed with “System” level permissions. This software is currently in use by more than 11,000 organisations across the globe.

What’s the risk to me or my business?

Managed service providers and IT Teams use software to assist in monitoring various elements of IT Infrastructure, including Active Directory. If Netwrix Auditor is currently being used by your organisation, then this vulnerability could potentially be exploited to execute code remotely, allowing them to run malicious software to further compromise affected devices.

What can I do?

An update, version 10.5, has been released by Netwrix Auditor to address the issue, this should be applied to all current deployments of the software tool. This specific vulnerability is accessed using an exposed network port, appropriately configured external perimeter controls could be used to mitigate the risk, however the vulnerability could still be used if an attacker manages to gain access to the organisations network.

Technical Summary

This specific vulnerability relates to an unsecured .NET remoting service which can be accessed via TCP port 9004 on the server which Netwrix Auditor is installed. While this vulnerability is yet to be given an official CVE, Bishop Fox, the firm which published details on the vulnerability has rated this as Critical, since it can be executed remotely and can lead to escalation of privileges and code execution.

Further information on this particular vulnerability is available here: Netwrix Auditor Bug Threatens Active Directory Domain - Blumira

Need help understanding your gaps, or just want some advice? Get in touch with us.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• 10,000 Organisations Targeted by Phishing Attack That Bypasses Multi-Factor Authentication

Microsoft has shared details of a widespread phishing campaign that not only attempted to steal the passwords of targeted organisations, but was also capable of circumventing multi-factor authentication (MFA) defences.

The attackers used AiTM (Attacker-in-The-Middle) reverse-proxy sites to pose as Office 365 login pages which requested MFA codes, and then use them to log into the genuine site.

According to Microsoft’s detailed report on the campaign, once hackers had broken into email inboxes via the use of stolen passwords and session cookies, they would exploit their access to launch Business Email Compromise (BEC) attacks on other targets.

By creating rules on victims’ email accounts, the attackers are able to then ensure that they maintain access to incoming email even if a victim later changes their password.

The global pandemic, and the resulting increase in staff working from home, has helped fuel a rise in the adoption of multi-factor authentication.

Cyber criminals, however, haven’t thrown in the towel when faced with MFA-protected accounts. Accounts with MFA are certainly less trivial to break into than accounts which haven’t hardened their security, but that doesn’t mean that it’s impossible.

Reverse-proxy phishing kits like Modlishka, for instance, impersonate a login page, and ask unsuspecting users to enter their login credentials and MFA code. That collected data is then passed to the genuine website – granting the cyber criminal access to the site.

As more and more people recognise the benefits of MFA, we can expect a rise in the number of cyber criminals investing effort into bypassing MFA.

Microsoft’s advice is that organisations should complement MFA with additional technology and best practices.

https://www.tripwire.com/state-of-security/featured/10000-organisations-targeted-by-phishing-attack-that-bypasses-multi-factor-authentication/

• Businesses Are Adding More Endpoints, But Can’t Manage Them All

Most enterprises struggle to maintain visibility and control of their endpoint devices, leading to increased security breaches and impaired ability to ward off outside attacks, according to a survey conducted by Ponemon Institute.

Findings show that the average enterprise now manages approximately 135,000 endpoint devices. Despite $4,252,500 of annual budget spent on endpoint protection, an average of 48 percent of devices – or 64,800 per enterprise – are at risk because they are no longer detected by the organisation’s IT department or the endpoints’ operating systems have become outdated.

Additionally, 63 percent of respondents find that the lack of visibility into their endpoints is the most significant barrier to achieving a strong security posture.

IT organisations are facing unprecedented rates of distribution point sprawl, which has grown rapidly since the onset of the COVID-19 pandemic. 61 percent of respondents say distribution points have increased in the last two years, and the average endpoint has as many as 7 agents installed for remote management, further adding to management complexity.

https://www.helpnetsecurity.com/2022/07/14/businesses-are-adding-more-endpoints/

• Ransomware Activity Resurges in Q2

Ransomware activity rose by a fifth in the last quarter, according to a report from security firm Digital Shadows.

The company, which monitors almost 90 data leak sites on the dark web, observed ransomware groups name 705 victims in Q2 2022, representing a 21% increase over last quarter’s 582. This was a resurgence in activity following a 25.3% decline quarter-on-quarter during Q1.

The LockBit ransomware group overtook Conti in victim numbers as Conti ceased operations following the leak of internal chat logs. Conti had reached almost 900 victims during its operations, but LockBit is now closing in on 1,000 after a 13% growth in activity during the quarter.

LockBit also continued to innovate, releasing version 3 of its ransomware with new features, including support for payments using the Zcash cryptocurrency. It also launched a reward program for any information on high-value targets, along with a data leak site that allows anyone to purchase victim data.

At around 230, Lockbit’s quarterly victim numbers far exceeded any other group in Q2. It was accountable for almost a third of all postings to leak sites in Q2. Conti, which had limped along for several weeks after its own data leak, managed just over 50. In third place was Alphv, which grew 118% during the quarter. Basta came in fourth.

Some other smaller groups are also growing rapidly, according to the report. Vice Society, in fifth place this quarter, doubled its activity.

https://www.infosecurity-magazine.com/news/ransomware-activity-resurges-q2/

• One-Third of Users Without Security Awareness Training Click on Phishing URLs

Phishing attacks just won't die, and new data underscores their effectiveness among users who have not been provided security awareness training.

According to data pulled from security awareness training provider KnowBe4's clients, 32.4% of users will fall for a phish — clicking on a link or following a phony request — if those users have not had any official training. The disconnect is worse in some industry sectors, including consulting, energy and utilities, and healthcare and pharmaceuticals, where half of all untrained users fall for phishing attacks.

The data was pulled from 23.4 million simulated phishing tests conducted at more than 30,000 organisations, encompassing some 9.5 million users. According to KnowBe4, 90 days after monthly or more training, the number of phishing test fails dropped to around 17.6%, and to 5% after one year of regular awareness training.

https://www.darkreading.com/remote-workforce/one-third-of-users-click-on-phishing

• Ransomware Scourge Drives Price Hikes in Cyber Insurance

Cyber security insurance costs are rising, and insurers are likely to demand more direct access to organisational metrics and measures to make more accurate risk assessments.

The rising cost of ransomware attacks is helping push significant premium increases in cyber insurance policies in the UK and US, new data shows.

With the average payouts across the past two years averaging more than $3.5 million in the US, a growing number of cyber security insurers want direct access to customer security metrics and measures. This would help prove the status of security controls, according to a Panaseer report on the state of the cyber insurance industry.

However, insurance firms are struggling to accurately understand a customer's security posture, which is in turn affecting price increases.

Panaseer notes that 82% of insurers surveyed said they expect the rise in premiums to continue. The increasing cost of ransomware is putting premiums up, and the increase in the number of attacks, as well as the number of successful attacks, means insurance is getting harder to get and is getting more expensive.

Meanwhile, 87% of insurers surveyed say they want a more consistent approach to analysing cyber-risk. Fundamentally, insurers need better information in order to price the risk — questionnaires aren't going to cut it. Having real live data coming from a customer about their security posture is what's going to be required for them to accurately price risk, in the same way that telematics did for car insurance.

https://www.darkreading.com/attacks-breaches/ransomware-scourge-drives-price-hikes-in-cyber-insurance

• Conventional Cyber Security Approaches Are Falling Short

Traditional security approaches that rely on reactive, detect-and-respond measures and tedious manual processes can’t keep pace with the volume, variety, and velocity of current threats, according to Skybox Security. As a result, 27% of all executives and 40% of CSOs say their organisations are not well prepared for today’s rapidly shifting threat landscape.

On average, organisations experienced 15% more cyber security incidents in 2021 than in 2020. In addition, “material breaches”— defined as “those generating a large loss, compromising many records, or having a significant impact on business operations” — jumped 24.5%.

The top four causes of the most significant breaches reported by the affected organisations were:

• Human error

• Misconfigurations

• Poor maintenance/lack of cyber hygiene

• Unknown assets.

https://www.helpnetsecurity.com/2022/07/14/conventional-cybersecurity-approaches/

• Virtual CISOs Are the Best Defence Against Accelerating Cyber-Risks

The cyber security challenges that companies are facing today are vast, multidimensional, and rapidly changing. Exacerbating the issue is the relentless evolution of threat actors and their ability to outmanoeuvre security controls effortlessly.

As technology races forward, companies without a full-time CISO (Chief Information Security Officer) are struggling to keep pace. For many, finding, attracting, retaining, and affording the level of skills and experience needed is out of reach or simply unrealistic. Enter the virtual CISO (vCISO). These on-demand experts provide security insights to companies on an ongoing basis and help ensure that security teams have the resources they need to be successful.

Typically, an engagement with a vCISO is long lasting, but in a fractional delivery model. This is very different from a project-oriented approach that requires a massive investment and results in a stack of deliverables for the internal team to implement and maintain. A vCISO not only helps to form the approach, define the action plan, and set the road map but, importantly, stays engaged throughout the implementation and well into the ongoing management phases.

The best vCISO engagements are long-term contracts. Typically, there's an upfront effort where the vCISO is more engaged in the first few months to establish an understanding, develop a road map, and create a rhythm with the team. Then, their support drops into a regular pace which can range from two to three days per week or five to ten days per month.

https://www.darkreading.com/careers-and-people/virtual-cisos-are-the-best-defense-against-accelerating-cyber-risks

• Firms Not Planning for Supply Chain Threats

Enterprises are failing to plan properly for supply chain risks and cyber security threats from the wider digital ecosystem, a leading technology consultancy has warned.

According to Tata Consultancy Services (TCS), firms put the risks posed by ecosystem partners at the bottom of a list of 10 key threats. CISOs and chief risk officers believed that financial systems, customer databases and R&D were the systems most likely to be targeted. Supply chain and distribution was placed in ninth.

The report, based on a survey of larger firms with annual revenues of $1bn or more, found that only 16% of chief risk officers believed the digital ecosystem was a concern when it comes to cyber risks, and only 14% said those ecosystems were a priority for board level discussions.

The research also found that a small number of enterprises fail to focus on cyber risk, with one in six boards discussing it only “occasionally, as necessary or never.” TCS found, though, that organisations with above-average profit and revenue growth were more likely to put cyber security on the agenda at board meetings.

TCS also found that enterprises view the cloud as a more secure environment than conventional data centres and on-premises systems. Additionally, the research highlighted ongoing concerns about skills and the need to attract and retain talented security staff. Firms where senior leaders focus on cyber security are more likely to be able to close the skills gap, according to the study.

https://www.infosecurity-magazine.com/news/planning-supply-chain-threats/

• Data Breach Lawsuit: Will IT Service Provider Capgemini Owe Damages?

IT service provider and consulting firm Capgemini is facing a lawsuit related to a June 2020 data breach. The plaintiff — gaming company Razer — is seeking $7 million in damages. A trial in Singapore’s High Court regarding the dispute is underway, according to Vulcan Post.

Razer claims it has suffered approximately $6.85 million in profit losses from its online website due to the data breach. Razer is pursuing damages for an unquantified sum for profit losses from the rejection of its digital bank license application.

The Razer data breach occurred due to an issue with an IT system. It may have exposed the personal information of about 100,000 Razer customers.

The Razer data breach may have occurred due to a misconfigured Elasticsearch cluster. It also was exposed to the public and indexed by public search engines and took more than three weeks to fix.

Experts from Razer and Capgemini agreed that the data breach was caused by a security misconfiguration. However, Razer now claims that a Capgemini employee recommended the IT system that led to the breach and is therefore responsible for the incident.

https://www.msspalert.com/cybersecurity-breaches-and-attacks/data-breach-lawsuit-gaming-company-razer-sues-capgemini-for-7-million/

• Security Culture: Fear of Cyber Warfare Driving Initiatives

KnowBe4, the provider of security awareness training and simulated phishing platform, has conducted a survey during Infosecurity Europe, which evaluated the opinions of nearly 200 security professionals towards security culture, or more specifically: the ideas, customs and social behaviours of an organisation that influence their security practices.

The research found the threat of cyber warfare (30%) or experiencing a data breach or cyber attack (30%) were the two biggest reasons why security professionals wanted to improve security culture at their organisations. Given the current invasion of Ukraine by Russia and the resulting cyber security warnings announced by many of the world’s leading governments, improving current cyber security efforts has continued to be a top priority for many.

The study also revealed just over two thirds (67%) answered that a strong security culture would very likely reduce the risk of security incidents, with the majority (85%) directing their efforts into both improving security awareness training and communicating values expected from employees regarding security.

However, there are many obstacles when attempting to create a strong security culture, with the main issue being a lack of budget (26%) which was followed security professionals facing indifference from fellow employees (24%) and a lack of senior management support (16%).

Interestingly, just under three quarters (73%) admitted to putting an increased effort into measuring employees understanding of security – this still leaves a considerable gap of 27% that do not, something many security professionals will want to consider closing. Thankfully, 38% agree this aspect of security culture would be an area they want to improve in their organisation. When witnessing a colleague display poor security practises, 67% of UK security experts would prefer to tell the individual discreetly, while just under a third (31%) would send the member of staff training material to review. Only 18% would report the individual to the security team.

https://www.itsecurityguru.org/2022/07/11/security-culture-fear-of-cyber-warfare-driving-initiatives/

• Cryptocurrency 'Mixers' See Record Transactions from Sanctioned Actors

Use of so-called cryptocurrency “mixers,” which combine various types of assets to mask their origin, peaked at a 30-day average of nearly $52 million worth of digital currency in April, representing an unprecedented volume of funds moving through those services, researchers at cryptocurrency research firm Chainalysis found.

A near two-fold increase in funds sent from illicit addresses has accelerated the increase, indicating that the technology that can obfuscate the currency continues to be highly attractive to cyber criminals.

Cryptocurrency mixers work by taking an individual’s cryptocurrency and combining it with a larger pool before returning units equivalent to the original amount minus a service fee to the original account. As a result, it makes it harder for law enforcement and cryptocurrency analysts to trace the currency.

Mixers aren’t solely used by criminals, but they are extremely popular with them. 10% of all funds from illicit wallets are sent to mixers, while mixers received less than 0.5% of the share of other sources of funds tracked by the firm, including decentralised finance projects.

The bulk of illicit funds transferred to mixers came from sanctioned actors, primarily Russian dark net market Hydra and more recently the Lazarus Group, a group of North Korean state-backed hackers. International law enforcement took out Hydra, which had been responsible for 80% of dark web transactions involving cryptocurrency, in May. The US Treasury’s Office of Foreign Assets Control followed with sanctions on more than 100 of its cryptocurrency addresses.

The use of mixers by North Korea state-backed hackers, and a popular mixer they employed to launder funds, made up the rest of the transfers.

https://www.cyberscoop.com/cryptocurrency-mixers-see-record-transactions-from-sanctioned-actors/

• Online Payment Fraud Expected to Cost $343B Over Next 5 Years

Despite ratcheted-up efforts to prevent account takeover, fraudsters are cashing in on a range of online payment fraud schemes, which researchers predict will cost retail organisations more than $343 billion over the next five years.

Physical good purchases are loss leaders, making up 49% of online payment fraud, driven in large part by developing markets with little address verification, according to a new Juniper Research report.

Fundamentally, no two online transactions are the same, so the way transactions are secured cannot follow a one-size-fits-all solution. Payment fraud detection and prevention vendors must build a multitude of verification capabilities, and intelligently orchestrate different solutions depending on circumstances, in order to correctly protect both merchants and users.

https://www.darkreading.com/application-security/online-payment-fraud-expected-to-cost-343b-over-5-years

Threats

Ransomware

• Largest ransom pay-outs by cyber-insurers averaged £3.2 million in the past two years – Intelligent CISO

• Risk & Repeat: Ransomware in 2022 so far (techtarget.com)

• Paying ransomware crooks won’t reduce your legal risk, warns regulator – Naked Security (sophos.com)

• Ransomware Attacks Reign Supreme in 2022 - MSSP Alert

• BlackCat (aka ALPHV) ransomware is increasing stakes up to $2.5 million in demands - Help Net Security

• New Lilith ransomware emerges with extortion site, lists first victim (bleepingcomputer.com)

• Experts warn of the new 0mega ransomware operation - Security Affairs

• Organisations Warned of New Lilith, RedAlert, 0mega Ransomware | SecurityWeek.Com

• Microsoft links H0ly Gh0st ransomware operation to North Korean hackers (bleepingcomputer.com)

• Feds Issue Warning for North Korean-backed Ransomware Hijackers - MSSP Alert

• Ransomware gang now lets you search their stolen data (bleepingcomputer.com)

• Rise in ransomware drives IT leaders to implement data encryption - Help Net Security

• BlackCat Ransomware Group Deploys Brute Ratel Pen Testing Kit - Infosecurity Magazine (infosecurity-magazine.com)

• Bandai Namco confirms hack after ALPHV ransomware data leak threat (bleepingcomputer.com)

• 1.9m patients' medical data exposed in PFC ransomware attack • The Register

Phishing & Email Based Attacks

• Email scams are getting more personal – they even fool cyber security experts (theconversation.com)

• New Phishing Attacks Shame, Scare Victims into Surrendering Twitter, Discord Credentials (darkreading.com)

• Hackers impersonate cyber security firms in callback phishing attacks (bleepingcomputer.com)

• $8 million stolen in large-scale Uniswap airdrop phishing attack (bleepingcomputer.com)

• Almost a third of untrained users will click a phishing link - KnowBe4 research - IT Security Guru

• PayPal phishing kit added to hacked WordPress sites for full ID theft (bleepingcomputer.com)

Other Social Engineering

• Rise In Smishing Scams, Why And How To Protect? (informationsecuritybuzz.com)

• How Hackers Create Fake Personas for Social Engineering (darkreading.com)

• How attackers abuse Quickbooks to send phone scam emails - Help Net Security

Malware

• Criminals are now posing as security companies to trick you into installing malware | TechRadar

Mobile

• New Android malware on Google Play installed 3 million times (bleepingcomputer.com)

• The weaponizing of smartphone location data on the battlefield - Help Net Security

Internet of Things – IoT

• Honda Admits Hackers Could Unlock Car Doors, Start Engines | SecurityWeek.Com

• Watch This $80,000 Tesla Model Y Get Hacked With $20 Hardware - autoevolution

Data Breaches/Leaks

• Fewer Individuals Fall Victim to Data Breaches as Attackers Switch to Business in 2022 - Infosecurity Magazine (infosecurity-magazine.com)

Organised Crime & Criminal Actors

• A look inside Russian cyber crime syndicate TrickBot reveals an organised, potent adversary - CyberScoop

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Crypto Scams Soar Despite Crash (informationsecuritybuzz.com)

• Cryptocurrency flowing into “mixers” hits an all-time high. Wanna guess why? | Ars Technica

• Falling Cryptocurrency Market Stalling Cyber Crime Activity - Infosecurity Magazine (infosecurity-magazine.com)

• Hackers stole $620 million from Axie Infinity via fake job interviews (bleepingcomputer.com)

Insider Risk and Insider Threats

• Joshua Schulte Convicted of Leaking CIA 'Vault 7' to Wikileaks (gizmodo.com)

Fraud, Scams & Financial Crime

• New Phishing Kit Hijacks WordPress Sites for PayPal Scam (darkreading.com)

Insurance

• Cyber Insurers Looking for New Risk Assessment Models - Infosecurity Magazine (infosecurity-magazine.com)

• How War Impacts Cyber Insurance | Threatpost4

• The cyber insurance market has a critical infrastructure problem - CyberScoop

Supply Chain and Third Parties

• 3 Golden Rules of Modern Third-Party Risk Management (darkreading.com)

Denial of Service DoS/DDoS

• Mantis, the tiny shrimp that launched 3,000 DDoS attacks • The Register

Identity and Access Management

• Report: Financial Institutions Overly Complacent About Current Authentication Methods (darkreading.com)

• Access Permissions: Manual Reviews Less Effective than Automation, Netwrix Study Finds - MSSP Alert

Encryption

• What to do now about tomorrow’s code-cracking computers | The Economist

Social Media

• Facebook 2FA scammers return – this time in just 21 minutes – Naked Security (sophos.com)

• Disneyland Social Media Hacked - IT Security Guru

Training, Education and Awareness

• Accessible Cyber security Awareness Training Reduces Your Risk of Cyber Attack (darkreading.com)

Privacy

• New Cache Side Channel Attack Can De-Anonymize Targeted Online Users (thehackernews.com)

• Amazon handed Ring video to police without warrant, consent • The Register

• TikTok Chief Security Officer Steps Down Amid Concerns About Privacy (businessinsider.com)

Regulations, Fines and Legislation

• Proposed SEC Rules Require More Transparency About Cyber-Risk (darkreading.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Ukraine's Cyber Agency Reports Q2 Cyber-Attack Surge - Infosecurity Magazine (infosecurity-magazine.com)

• Cyber espionage groups increasingly target journalists and media organisations | CSO Online

• Sandworm APT Trolls Researchers on Its Trail as It Targets Ukraine (darkreading.com)

• The Man at the Centre of the New Cyber World War - POLITICO

• How War Impacts Cyber Insurance | Threatpost

• Lithuanian Energy Firm Disrupted by DDOS Attack - Infosecurity Magazine (infosecurity-magazine.com)

• Security vendor splits to address Russia’s war in Ukraine • The Register

• Apple previews Lockdown Mode, a new extreme security feature | ZDNet

Nation State Actors

Nation State Actors – North Korea

• ‘Nobody is holding them back’ — North Korean cyber-attack threat rises (cointelegraph.com)

• North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware - Microsoft Security Blog

Nation State Actors – Misc APT

• APT groups target journalists and media organisations since 2021 - Security Affairs

Vulnerability Management

• Rethinking Vulnerability Management in a Heightened Threat Landscape | Threatpost

• Using shields up to secure credentials and mitigate vulnerabilities (scmagazine.com)

• The enemy of vulnerability management? Unrealistic expectations - Help Net Security

Vulnerabilities

• DHS warns: Expect Log4j risks for 'a decade or longer' • The Register

• Microsoft's Patch Tuesday fixes one bug under active exploit • The Register

• Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution (cisecurity.org)

• CISA orders agencies to patch new Windows zero-day used in attacks (bleepingcomputer.com)

• Flaw in Netwrix Auditor application allows arbitrary code execution - Security Affairs

• Elastix VoIP systems hacked in massive campaign to install PHP web shells (bleepingcomputer.com)

• Hackers Targeting VoIP Servers by Exploiting Digium Phone Software (thehackernews.com)

• Microsoft Teams security vulnerability left users open to XSS via flawed stickers feature | The Daily Swig (portswigger.net)

• Anvil Mobile Hit By New Exploit - DNS Hijacking. (informationsecuritybuzz.com)

• Microsoft Issues Fixes for 84 Vulnerabilities: Here's What to Patch Now (darkreading.com)

• Patch these Juniper Networks bugs, CISA says • The Register

• Buggy WordPress plugin allows complete site takeover • The Register

• VMware patches vCenter Server flaw disclosed in November (bleepingcomputer.com)

• Vulnerabilities that could allow undetectable infections affect 70 Lenovo laptop models | Ars Technica

• AMD, Intel chips vulnerable to 'Retbleed' Spectre variant • The Register

• Microsoft fixes dozens of Azure Site Recovery privilege escalation bugs (bleepingcomputer.com)

• Microsoft releases PoC exploit for macOS sandbox escape vulnerability (bleepingcomputer.com)

• AWS squashes authentication bugs in Kubernetes service • The Register

• Lenovo fixes trio of UEFI vulnerabilities • The Register

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in. 

• Automotive

• Construction

• Critical National Infrastructure (CNI)

• Defence & Space

• Education & Academia

• Energy & Utilities

• Estate Agencies

• Financial Services

• FinTech

• Food & Agriculture

• Gaming & Gambling

• Government & Public Sector (including Law Enforcement)

• Health/Medical/Pharma

• Hotels & Hospitality

• Insurance

• Legal

• Manufacturing

• Maritime

• Oil, Gas & Mining

• OT, ICS, IIoT, SCADA & Cyber-Physical Systems

• Retail & eCommerce

• Small and Medium Sized Businesses (SMBs)

• Startups

• Telecoms

• Third Sector & Charities

• Transport & Aviation

• Web3

Reports Published in the Last Week

State of Authentication in the Finance Industry 2022 | HYPR

Online Payment Fraud Market Report 2022-27: Size, Share, Trends (juniperresearch.com)

Other News

5 key considerations for your 2023 cyber security budget planning | CSO Online

What Are the Risks of Employees Going on a 'Hybrid Holiday'? (darkreading.com)

New ‘Luna Moth’ hackers breach orgs via fake subscription renewals (bleepingcomputer.com)

Experian accounts could still be at risk from hackers | TechRadar

Cyber security skills surpass cloud skills as this year's training priority, if professionals can find the time | ZDNet

Average American Accesses Suspicious Sites 6.5 Times a Day - Infosecurity Magazine (infosecurity-magazine.com)

Mergers and acquisitions are a strong zero-trust use case • The Register

Recruitment agency Morgan Hunt confirms 'cyber incident' • The Register

New Exploit Attacks UK Routers and Runs Up Mobile Data Bills - ISPreview UK

How Attackers Could Dupe Developers into Downloading Malicious Code From GitHub (darkreading.com)

CEO of Dozens of Companies Charged in Scheme to Traffic An Estimated $1bn in Fake Cisco Devices - Infosecurity Magazine (infosecurity-magazine.com)

Data breaches explained: Types, examples, and impact | CSO Online

President of European Central Bank Christine Lagarde targeted by hackers - Security Affairs

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive Summary

Microsoft’s July Patch Tuesday provides updates to address security issues across its product range, including several critical patches. The standout patch in this release is for a Zero-Day flaw, affecting both client and server version of Windows, that is being actively exploited in the wild, and allows an attacker to escalate privileges within a specific Windows component to gain SYSTEM level permissions.

Security updates have also been released for other Microsoft products to tackle different issues, including the Microsoft Edge browser, which also has a Zero-Day patch, Microsoft Office, and all supported versions of Microsoft Windows.

What’s the risk to me or my business?

Security updates are available for all supported versions of Windows. As some of these updates address vulnerabilities that are known to be actively exploited, the updates should be applied as soon as possible, particularly as this release contains a patch for an actively exploited Zero-day.

What can I do?

Apply the available updates from Microsoft as soon as possible, while taking into consideration any potential downtime that these updates may cause.

Technical Summary

The aforementioned Zero-Day exploit, CVE-2022-22047, allows attackers to use privileged escalation within the Windows Client Server Runtime Subsystem (CSRSS) to gain SYSTEM permissions, effectively providing them with unlimited privileged access on a local system, allowing them to disable Endpoint Security Solutions, and allow for further privilege escalation through the installation of malicious software, allowing access to the wider organisational network. Further information on this particular vulnerability is available here: CVE-2022-22047 - Security Update Guide - Microsoft - Windows CSRSS Elevation of Privilege Vulnerability

Several vulnerabilities within the Edge browser have also been addressed, which also includes a Zero-Day flaw that Google had previously disclosed as been actively exploited in the wild earlier this month. This Zero-Day flaw has been marked as CVE-2022-2294, and further information is available here: Chrome Releases: Stable Channel Update for Desktop (googleblog.com)

Further details on other specific updates within this Patch Tuesday can be found here: Microsoft Windows Security Updates July 2022 overview - gHacks Tech News

Need help understanding your gaps, or just want some advice? Get in touch with us.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Businesses Urged Not to Give In To Ransomware Cyber Criminals As Authorities See Increase In Payouts

While there have been arguments made for criminalising the payment of ransoms, it poses a number of additional risks such as providing the criminals with an additional factor they could use to extort their victims.

Businesses are being urged not to pay cyber extortionists as authorities say they are seeing evidence of a rise in ransomware payments.

In a joint letter to the Law Society, the National Cyber Security Centre (NCSC) and the Information Commissioner's Office are warning solicitors who may have been advising their clients to pay.

It follows warnings earlier this year by cyber security experts from the UK, US, and Australia of a "growing wave of increasingly sophisticated ransomware attacks" which could have "devastating consequences".

The joint letter states that while ransomware payments are "not unusually unlawful" those who pay them "should be mindful of how relevant sanctions regimes (particularly those related to Russia)" when considering making the payment.

The US sanctioned in December 2019 any financial dealings with a Russian cyber crime group that was accused of working with Russian intelligence to steal classified government documents.

Despite the spillover from the Russian war in Ukraine - in one case knocking 5,800 wind turbines in Germany offline - the NCSC says it has not detected any increase in hostile activity targeting Britain during the conflict.

Businesses however had been warned that there is a heightened threat level when it comes to cyber attacks due to the conflict which is likely to be here "for the long-haul".

https://news.sky.com/story/businesses-urged-not-to-give-in-to-ransomware-cyber-criminals-as-authorities-see-increase-in-payouts-12648253

• People Are the Primary Attack Vector Around the World

With an unprecedented number of employees now working in hybrid or fully remote environments, compounded by an increase in cyber threats and a more overwhelmed, COVID-19 information fatigued workforce, there has never been a more critical time to effectively create and maintain a cyber secure workforce and an engaged security culture.

People have become the primary attack vector for cyber-attackers around the world. Humans, rather than technology, represent the greatest risk to organisations and the professionals who oversee security awareness programs are the key to effectively managing that risk.

Awareness programs enable security teams to effectively manage their human risk by changing how people think about cyber security and help them exhibit secure behaviours, from the Board of Directors on down.

Effective and mature security awareness programs not only change their workforce’s behaviour and culture but also measure and demonstrate their value to leadership via a metrics framework. Organisations can no longer justify an annual training to tick the compliance box, and it remains critical for organisations to dedicate enough personnel, resources, and tools to manage their human risk effectively.

https://www.helpnetsecurity.com/2022/07/05/people-primary-attack-vector/

• Early Detection Crucial in Stopping Business Email Compromise (BEC) Scams

Cofense Intelligence studied hundreds of business email compromise attacks and found that most scams attempt to establish trust with targeted employees over multiple emails.

Avoiding a costly social engineering attack often requires employees to spot suspicious emails before threat actors request sensitive information or access.

Cofense Intelligence published new research Thursday that showed most business email compromise (BEC) scams can be thwarted in their initial stages when the attackers are not asking for money or a transfer of funds. The cyber security vendor analysed hundreds of BEC emails sent to customers during March and April, and engaged with the threat actors in approximately half the cases.

The company found that only 36% of attackers looking to conduct fraud attacks opened with a cordial greeting and request for cash, gift cards or confidential payment information. Most BEC scams, Cofense found, attempt to slowly build up trust over the course of multiple email exchanges with the target and ingratiate them with common phrases like "sorry to bother you."

Once they realise they can get money out of you, they will do everything they can to drain you dry. For many of the scammers, this becomes a literal hustle, where they will quickly pivot to other cash-out methods. Just because something starts as a wire transfer doesn't mean they won't ask you to send cryptocurrency, gift cards, a cheque, or use your personal Venmo or PayPal to wire them money.

https://www.techtarget.com/searchsecurity/news/252522493/Early-detection-crucial-in-stopping-BEC-scams

• 54% of SMBs Do Not Implement Multi-Factor Authentication (MFA)

SMB owners across the globe are still relying only on usernames and passwords to secure critical employee, customer, and partner data, according to the Global Small Business Multi-Factor Authentication (MFA) Study released by the Cyber Readiness Institute (CRI).

Services that enforce MFA require users to present more than one piece of evidence whenever they log in to a business account (e.g., company email, payroll, human resources, etc.).

MFA has been in use for decades and is widely recommended by cyber security experts, yet 55% of SMBs surveyed are not “very aware” of MFA and its security benefits, and 54% do not use it for their business. Of the businesses that have not implemented MFA, 47% noted they either didn’t understand MFA or didn’t see its value. In addition, nearly 60% of small business and medium-sized owners have not discussed MFA with their employees.

Nearly all account compromise attacks can be stopped outright, just by using MFA. It’s a proven, effective way to thwart bad actors.

Of the companies that have implemented some form of MFA, many still seem to have done so haphazardly. Only 39% of those who offer MFA have a process for prioritising critical hardware, software, and data, with 49% merely “encouraging the use of MFA when it is available.”

https://www.helpnetsecurity.com/2022/07/08/smb-implement-mfa/

• New Cyber Threat Emerges from the Inside, Research Report Finds

In its 2022 Insider Risk Intelligence & Research Report, DTEX Systems, a workforce cyber intelligence and security company, identifies a new cyber threat: the “Super Malicious Insider.”

Just what is a Super Malicious Insider and where does it come from? Well, it comes from inside your own organisation or someone who recently worked for you — a threat actor who may be truly of your own making.

“It was the year (2021) we all came to realise the Work-from-Anywhere (WFA) movement was here to stay,” DTEX reports. “For security and risk professionals, this hastened the end of corporate perimeter-centric security, and a requirement to protect hundreds of thousands of ‘remote offices’ outside of traditional corporate controls. To make matters worse, a measurable increase in employee attrition toward the end of 2021 created the perfect storm for insider threats.”

So, if your organisation didn’t observe a proportional increase in attempted or actual data loss, then you were likely not looking, DTEX asserts.

Critically your insiders know your vulnerabilities and can exploit them, for example, when an employee quits to join a competitor, it is often tempting to take proprietary information with them. This can include customer lists, product plans, financial data and other intellectual property.

The Super Malicious Insider is better able to hide their activities, obfuscate data and exfiltrate sensitive information without detection. Importantly, in numerous insider incidents reviewed in 2021, the Super Malicious Insider had made significant efforts to appear normal by not straying outside of their day-to-day routine, DTEX reports.

Here are some key statistics from the report:

• Industrial espionage is at an all-time high. In 2021, 72% of respondents saw an increase in actionable insider threat incidents. IP or data theft led the list at 42% of incidents, followed by unauthorised or accidental disclosure (23%), sabotage (19%), fraud (%) and other (7%). In fact, 42% of all DTEX i3 investigations involved theft of IP or customer data.

• The technology industry (38%), followed by pharma/life sciences (21%), accounted for the most IP theft incidents. In addition, technology (33%) had the most super malicious incidents, followed by critical infrastructure (24%) and government (11%).

• Investigations that led to criminal prosecution occurred within someone’s home 75% of the time. More telling, 32% of malicious incident incidents included sophisticated insider techniques.

https://www.msspalert.com/cybersecurity-research/new-cyberthreat-emerges-from-the-inside-research-report-finds/

• Ransomware: Why It's Still A Big Threat, And Where The Gangs Are Going Next

Ransomware attacks are still lucrative for cyber criminals because victims pay ransoms - and the threat is still evolving.

Ransomware has been a cyber security issue for a long time, but last year it went mainstream. Security threats like malware, ransomware and hacking gangs are always evolving.

Major ransomware attacks like those on Colonial Pipeline, the Irish Healthcare Executive and many others demonstrated how significant the problem had become as cyber attacks disrupted people's lives.

What was once a small cyber-criminal industry based around encrypting files on personal computers and demanding a ransom of a few hundred dollars for a decryption key had evolved into a massive ecosystem designed around holding critical services and infrastructure to ransom - and making extortion demands of millions of dollars.

No wonder Lindy Cameron, head of the UK's National Cyber Security Centre (NCSC), has described ransomware as "the biggest global cyber threat".

Ransomware is continually evolving, with new variants appearing, new ransomware groups emerging, and new techniques and tactics designed to make the most money from attacks.

And as the recent Conti ransomware leaks showed, the most successful ransomware gangs are organised as if they were any other group of software developers.

They are really acting like a business. Aside from the fact they're not legitimately registered, they really are. They're functioning like a real business and sometimes the number of people within these organisations is bigger than some startups. They have shown a lot of resilience and a lot of agility in adapting to what's new.

https://www.zdnet.com/article/ransomware-why-its-still-a-big-threat-and-where-the-gangs-are-going-next/

• NCSC: Prepare for Protracted Period of Heightened Cyber Risk

The UK’s leading cyber security agency has urged organisations to follow best practices and take care of their infosecurity staff in order to weather an extended period of elevated cyber risk due to the ongoing war in Ukraine.

The National Cyber Security Centre (NCSC) guide, Maintaining A Sustainable Strengthened Cyber Security Posture, comes on the back of warnings that organisations must “prepare for the long haul” as the conflict enters its fifth month.

Alongside basic hygiene controls, the strengthening of cyber-resilience and revisiting of risk-based decisions made in the earlier acute phase of the war, organisations should pay special attention to their security staff, the NCSC said.

“Increased workloads for cyber security staff over an extended period can harm their wellbeing and lead to lower productivity, with a potential rise in unsafe behaviours or errors,” it said.

With this in mind, the guide highlighted several steps IT security managers should consider:

• Empower staff to make decisions in order to improve agility and free-up leaders to focus on medium-term priorities

• Spread workloads evenly across a wider pool of staff to reduce the risk of burnout and enable less experienced employees to benefit from development opportunities

• Provide opportunities for staff to recharge through more frequent breaks and time away from the office, as well as work on less pressured tasks

• Look after each other by watching for signs that colleagues are struggling and ensuring they always have the right resources to hand

• Engage the entire workforce with the right internal communications processes, and support so that all staff are able to identify and report suspicious behaviour

https://www.infosecurity-magazine.com/news/ncsc-prepare-cyber-risk/

• 69% Of Employees Need to Deal with More Security Measures In A Hybrid Work Environment

Security firm Ivanti worked with global digital transformation experts and surveyed 10,000 office workers, IT professionals, and the C-Suite to evaluate the level of prioritisation and adoption of digital employee experience in organisations and how it shapes the daily working experiences for employees. The report revealed that 49% of employees are frustrated by the tech and tools their organisation provides and 64% believe that the way they interact with technology directly impacts morale.

One of the biggest challenges facing IT leaders today is the need to enable a seamless end user experience while maintaining robust security. The challenge becomes more complex when there is pressure from the top to bypass security measures, with 49% of C-level executives reporting they have requested to bypass one or more security measures in the last year.

Maintaining a secure environment and focusing on the digital employee experience are two inseparable elements of any digital transformation. In the war for talent a key differentiator for organisations is providing an exceptional and secure digital experience. Ivanti, a cyber security software provider, says “We believe that organisations not prioritising how their employees experience technology is a contributing factor for the Great Resignation”.

https://www.helpnetsecurity.com/2022/07/04/security-measures-hybrid-work-environment/

• FBI and MI5 Leaders Give Unprecedented Joint Warning on Chinese Spying

The head of the FBI and the leader of Britain’s domestic intelligence agency have delivered an unprecedented joint address, raising fresh alarm about the Chinese government, warning business leaders that Beijing is determined to steal their technology for competitive gain.

In a speech at MI5’s London headquarters intended as a show of western solidarity, Christopher Wray, the FBI director, stood alongside the MI5 director general, Ken McCallum. Wray reaffirmed longstanding concerns about economic espionage and hacking operations by China, as well as the Chinese government’s efforts to stifle dissent abroad.

“We consistently see that it’s the Chinese government that poses the biggest long-term threat to our economic and national security, and by ‘our’, I mean both of our nations, along with our allies in Europe and elsewhere,” Wray said.

He told the audience the Chinese government was “set on stealing your technology, whatever it is that makes your industry tick, and using it to undercut your business and dominate your market”.

Ken McCallum said MI5 was running seven times as many investigations into China as it had been four years ago and planned to “grow as much again” to tackle the widespread attempts at inference which pervade “so many aspects of our national life”.

https://www.theguardian.com/world/2022/jul/06/fbi-mi5-china-spying-cyberattacks-business-economy

• As Cyber Criminals Recycle Ransomware, They're Getting Faster

Like history, ransomware repeats itself. Researchers recently encountered a new variant of a ransomware campaign and observed that it has been improving itself by reusing code from publicly available sources.

Nokoyawa is a new ransomware for Windows that first appeared at the beginning of this year. The first samples found by researchers were gathered in February 2022 and contain significant coding similarities with other older ransomware strains, some going back to 2019.

These new variants had been improving themselves by reusing code from publicly available sources. The April 2022 samples include three new features that increase the number of files that Nokoyawa can encrypt. These features already existed in recent ransomware families, and their addition just indicates that Nokoyawa developers are trying to match pace with other operators in terms of technological capability.

https://www.securityweek.com/cybercriminals-recycle-ransomware-theyre-getting-faster

• UK Military Investigates Hacks on Army Social Media Accounts

British military authorities are trying to find out who hacked the army’s social media accounts over the weekend, flooding them with cryptocurrency videos and posts related to collectible electronic art.

The investigation was launched after authorised content on the army’s YouTube account was replaced with a video feed promoting cryptocurrencies that included images of billionaire Elon Musk. The Army’s Twitter account retweeted a number of posts about non-fungible tokens, unique digital images that can be bought and sold but have no physical counterpart.

“Apologies for the temporary interruption to our feed,” the Army said in a tweet posted after the Twitter account was restored on Sunday. “We will conduct a full investigation and learn from this incident. Thanks for following us, and normal service will now resume.”

The Ministry of Defence said late Sunday that both breaches had been “resolved.”

While internet users were unable to access the Army’s YouTube site on Monday, a spokesperson said the site was down for standard maintenance. The Twitter feed was operating normally.

Although U.K. officials have previously raised concerns about state-sponsored Russian hacking, the military did not speculate on who was responsible for Sunday’s breaches.

“The Army takes information security extremely seriously, and until their investigation is complete it would be inappropriate to comment further,” the Ministry of Defence said.

https://www.securityweek.com/uk-military-investigates-hacks-army-social-media-accounts

Campaign Targeting SOHO Routers Highlights Risks to Remote Workers

A targeted attack campaign has been compromising small office/home office (SOHO) routers since late 2020, with the goal of hijacking network communications and infecting local computers with stealthy and sophisticated backdoors. Attacks against home routers are not new, but the implants used by attackers in this case were designed for local network reconnaissance and lateral movement instead of just abusing the router itself.

"The rapid shift to remote work in spring of 2020 presented a fresh opportunity for threat actors to subvert traditional defence-in-depth protections by targeting the weakest points of the new network perimeter - devices that are routinely purchased by consumers but rarely monitored or patched - small office/home office (SOHO) routers," researchers from Black Lotus Labs, the threat intelligence arm of telecommunications company Lumen Technologies said in a recent report.

https://www.csoonline.com/article/3665912/apt-campaign-targeting-soho-routers-highlights-risks-to-remote-workers.html#tk.rss_news

Threats

Ransomware

• Lawyers Urged to Stop Advising Clients to Pay Ransomware Demands - Infosecurity Magazine

• Ransomware in 2022: Evolving threats, slow progress (techtarget.com)

• AstraLocker ransomware closes doors to pursue cryptojacking • The Register

• Ransomware gangs are feeling the crypto winter's impact | TechSpot

• LockBit explained: How it has become the most popular ransomware | CSO Online

• Hive ransomware gang turns to Rust, more complex encryption • The Register

• New RedAlert Ransomware targets Windows, Linux VMware ESXi servers (bleepingcomputer.com)

• Ransomware, hacking groups move from Cobalt Strike to Brute Ratel (bleepingcomputer.com)

• North Korean ransomware dubbed Maui active since May 2021 • The Register

• Hive Ransomware Upgrades to Rust for More Sophisticated Encryption Method (thehackernews.com)

• Ransomware, hacking groups move from Cobalt Strike to Brute Ratel (bleepingcomputer.com)

• New 'HavanaCrypt' Ransomware Distributed as Fake Google Software Update | SecurityWeek.Com

• As New Clues Emerges, Experts Wonder: Is REvil Back? (thehackernews.com)

• Researchers Detail Techniques LockBit Ransomware Using to Infect its Targets (thehackernews.com)

• New 0mega ransomware targets businesses in double-extortion attacks (bleepingcomputer.com)

• Feds wave red flag over Maui ransomware | CSO Online

• Evolution of the LockBit Ransomware operation relies on new techniques - Security Affairs

• AstraLocker ransomware shuts down and releases decryptors (bleepingcomputer.com)

• QNAP warns of new Checkmate ransomware targeting NAS devices (bleepingcomputer.com)

• Quantum ransomware attack affects 657 healthcare orgs (bleepingcomputer.com)

• How Conti ransomware group crippled Costa Rica — then fell apart | Financial Times (ft.com)

• Researchers Detail Techniques LockBit Ransomware Using to Infect its Targets (thehackernews.com)

• EternalBlue 5 years after WannaCry and NotPetya - SANS Internet Storm Center

Phishing & Email Based Attacks

• Fake copyright complaints push IcedID malware using Yandex Forms (bleepingcomputer.com)

• Spear Phishing Fake Job Offer Likely Behind Axie Infinity's Lazarus $600m Hack - Infosecurity Magazine (infosecurity-magazine.com)

Malware

• Hackers Exploiting Follina Bug to Deploy Rozena Backdoor (thehackernews.com)

• Dangerous new malware dances past more than 50 antivirus services | TechRadar

• Raspberry Robin campaign leverages compromised QNAP devicesSecurity Affairs

• Malware knocks IT services vendor SHI offline • The Register

• Near-undetectable malware linked to Russia's Cozy Bear • The Register

• New stealthy OrBit malware steals data from Linux devices (bleepingcomputer.com)

• Hackers are using YouTube videos to trick people into installing malware | TechRadar

Mobile

• This WhatsApp scam promises big, but just sends you into a spiral | ZDNet

• Android malware subscribes you to premium services without you knowing - GSMArena.com news

• Free smartphone stalkerware detection tool gets dedicated hub (bleepingcomputer.com)

• Four more apps that infected thousands of Android devices with malware removed from Google Play store | ZDNet

• Apple Debuts Spyware Protection for State-Sponsored Cyber Attacks (darkreading.com)

Internet of Things – IoT

• Vulnerability allows hackers to unlock and start Honda cars remotely | TechSpot

Data Breaches/Leaks

• Marriott Data Breach Exposes PII, Credit Cards (darkreading.com)

• Aon Hack Exposed Sensitive Information of 146,000 Customers - Infosecurity Magazine

• Hackers Claim to Have Stolen Police Data in China’s Largest Cyber Security Breach - Bloomberg

• Human Error Blamed for Leak of 1 Billion Records of Chinese Citizens | Threatpost

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Ransomware gangs are feeling the crypto winter's impact | TechSpot

• AstraLocker ransomware closes doors to pursue cryptojacking • The Register

• Hackers are using YouTube videos to trick people into installing malware | TechRadar

• PennyWise crypto-stealing malware spreads through YouTube (cointelegraph.com)

• US urges Japan to step up pressure on crypto miners with links to Russia | Financial Times (ft.com)

• Large-scale cryptomining campaign is targeting the NPM repositorySecurity Affairs

• ECB to warn eurozone countries over crypto regulation | Financial Times (ft.com)

• Microsoft Issue Updated Warning Against Known Cloud Threat Actor Group - IT Security Guru

Insider Risk and Insider Threats

• Human Error Blamed for Leak of 1 Billion Records of Chinese Citizens | Threatpost

• HackerOne incident raises concerns for insider threats (techtarget.com)

Fraud, Scams & Financial Crime

• Ukrainian police takes down phishing gang behind payments scam | ZDNet

Supply Chain and Third Parties

• Applying Shift Left principles to third party risk management - Help Net Security

Software Supply Chain

• NPM supply-chain attack impacts hundreds of websites and apps (bleepingcomputer.com)

Cloud/SaaS

• Microsoft Issue Updated Warning Against Known Cloud Threat Actor Group - IT Security Guru

• Cloud Misconfig Exposes 3TB of Sensitive Airport Data in Amazon S3 Bucket: 'Lives at Stake' (darkreading.com)

• What Do All of Those Cloud Cyber Security Acronyms Mean? (darkreading.com)

Identity and Access Management

• 6 signs your IAM strategy is failing, and how to fix it | CSO Online

Asset Management

• How a cyber asset management strategy can help enterprises detect threats - Help Net Security

Encryption

• Encryption is high up on corporate priority lists - Help Net Security

• Quantum-resistant encryption recommended for standardization • The Register

• The threat of quantum computing to sensitive data - Help Net Security

• Inside NIST's 4 Crypto Algorithms for a Post-Quantum World (darkreading.com)

• End-to-end encryption’s central role in modern self-defence | Ars Technica

API

• Why your API gateway is not enough for API security? - Help Net Security

Open Source

• Researchers Warn of New OrBit Linux Malware That Hijacks Execution Flow (thehackernews.com)

Social Media

• British Army Cyber Attack Reminds Businesses That Social Media Accounts Are Prime Targets (informationsecuritybuzz.com)

• Limp Facebook Policies – Do They Ignore Suffering And Crime! (informationsecuritybuzz.com)

Digital Transformation

• Cyber security is driving digital transformation in alternative investment institutions - Help Net Security

Travel

• Marriott suffered a new data breach, attackers stole 20GB of data - Security Affairs

Cyber Bullying and Cyber Stalking

• Free smartphone stalkerware detection tool gets dedicated hub (bleepingcomputer.com)

Regulations, Fines and Legislation

• ICO Set to Scale Back Public Sector Fines - Infosecurity Magazine

• ECB to warn eurozone countries over crypto regulation | Financial Times (ft.com)

• Wegmans hit with $400,000 data-breach penalty (democratandchronicle.com)

Models, Frameworks and Standards

• PCI DSS 4.0 released, addresses emerging threats and technologies - Help Net Security

Law Enforcement Action and Take Downs

• Ukrainian police takes down phishing gang behind payments scam | ZDNet

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Apple's New "Lockdown Mode" Protects iPhone, iPad, and Mac Against Spyware (thehackernews.com)

• Pro-Kremlin hackers Killnet hit Latvia with biggest cyber attack in its history | World | The Times

• TrickBot Gang Shifted its Focus on "Systematically" Targeting Ukraine (thehackernews.com)

• UK to combat Russia’s ‘hostile online warfare’ by forcing internet firms to remove disinformation | TechCrunch

• NATO Announce Plans to Develop Cyber Rapid Response Capabilities - IT Security Guru

• FBI and MI5 bosses: China cheats and steals at massive scale • The Register

• Hackers linked to the Chinese government increasingly target Russia, analysis suggests - CyberScoop

• In Switch, Trickbot Group Now Attacking Ukrainian Targets (darkreading.com)

• Apple Debuts Spyware Protection for State-Sponsored Cyber Attacks (darkreading.com)

Nation State Actors

Nation State Actors – Russia

• Russian Info Ops Ramp Up Effort to Divide West on Ukraine - Infosecurity Magazine

• Near-undetectable malware linked to Russia's Cozy Bear • The Register

Nation State Actors – China

• US and UK intelligence chiefs call for vigilance on China’s industrial spies | Financial Times (ft.com)

• China Censors What Could Be Biggest Data Hack in History (gizmodo.com)

• Hackers linked to the Chinese government increasingly target Russia, analysis suggests - CyberScoop

• China’s Cabinet Stresses Cyber Security After Data Leak - Bloomberg

• Security warning after sale of stolen Chinese data - BBC News

• Five accused of trying to silence China critics in US • The Register

• 50 Chinese students leave UK in three years after spy chiefs’ warning | Espionage | The Guardian

• More UK calls for ban of CCTV makers Hikvision, Dahua • The Register

Nation State Actors – North Korea

• Russian information operations focus on dividing Western coalition supporting Ukraine - CyberScoop

• North Korean ransomware dubbed Maui active since May 2021 • The Register

• Feds wave red flag over Maui ransomware | CSO Online

• Spear Phishing Fake Job Offer Likely Behind Axie Infinity's Lazarus $600m Hack - Infosecurity Magazine (infosecurity-magazine.com)

Nation State Actors – Iran

• Hacktivists claiming attack on Iranian steel facilities dump tranche of 'top secret documents' - CyberScoop

• Latest Cyber Attack Against Iran Part of Ongoing Campaign | Threatpost

Vulnerability Management

• Google: Half of zero-day exploits linked to poor software fixes | ZDNet

• Why Browser Vulnerabilities Are a Serious Threat — and How to Minimize Your Risk (darkreading.com)

Vulnerabilities

• Cisco and Fortinet Release Security Patches for Multiple Products (thehackernews.com)

• Google Patches Actively Exploited Chrome Bug | Threatpost

• OpenSSL version 3.0.5 fixes a flaw that could potentially lead to RCE - Security Affairs

• Apache “Commons Configuration” patches Log4Shell-style bug – what you need to know – Naked Security (sophos.com)

• Cisco fixed a critical arbitrary File Overwrite flaw in Enterprise Communication solutions - Security Affairs

• Cisco Releases 10 Security Patches For Expressway Series and TelePresence VCS Products - Infosecurity Magazine

• Django fixes SQL Injection vulnerability in new releases (bleepingcomputer.com)

• Google fixes the fourth Chrome zero-day in 2022 - Security Affairs - Security Affairs

• Tens of Jenkins plugins are affected by zero-day vulnerabilities - Security Affairs

• OpenSSL fixes two “one-liner” crypto bugs – what you need to know – Naked Security (sophos.com)

• Fortinet addressed multiple vulnerabilities in several products - Security Affairs

• There’s a Nasty Security Hole in the Apache Webserver – The New Stack

Sector Specific

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

We currently provide tailored threat intelligence based on the following sectors, additional sectors by arrangement:

• Automotive

• Construction

• Critical National Infrastructure (CNI)

• Defence & Space

• Education & Academia

• Energy & Utilities

• Estate Agencies

• Financial Services

• FinTech

• Food & Agriculture

• Gaming & Gambling

• Government & Public Sector (including Law Enforcement)

• Health/Medical/Pharma

• Hotels & Hospitality

• Insurance

• Legal

• Manufacturing

• Maritime

• Oil, Gas & Mining

• OT, ICS, IIoT, SCADA & Cyber-Physical Systems

• Retail & eCommerce

• Small and Medium Sized Businesses (SMBs)

• Startups

• Telecoms

• Third Sector & Charities

• Transport & Aviation

• Web3

Other News

• These are the cyber security threats of tomorrow that you should be thinking about today | ZDNet

• Rising threats spark scramble for cyber workers | The Hill

• Why Browser Vulnerabilities Are a Serious Threat — and How to Minimize Your Risk (darkreading.com)

• Microsoft rolls back plan to block macros by default • Graham Cluley

• Attacker groups adopt new penetration testing tool Brute Ratel | CSO Online

• Security tester says he broke into datacenter via toilets • The Register

• SQL injection, XSS vulnerabilities continue to plague organisations | CSO Online

• Endless cyber-threat pressure could leave security staff burnt out. Here's what you need to change | ZDNet

• Top 7 types of data security technology (techtarget.com)

• Imagination is key to effective data loss prevention - Help Net Security

• The Age of Collaborative Security: What Tens of Thousands of Machines Witness (thehackernews.com)

• Maintaining a sustainable strengthened cyber security posture - NCSC.GOV.UK

• Hacking the Crypto-Monetized Web (trendmicro.com)

• Reflections Of A Former Hacker: How Leaders Can Protect Their Business From Cyber Threats (forbes.com)

• Zero Trust Bolsters Our National Defence Against Rising Cyber Threats (darkreading.com)

• Security advisory accidentally exposes vulnerable systems (bleepingcomputer.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Ransomware Is the Biggest Global Cyber Threat. And The Attacks Are Still Evolving

Ransomware is the biggest cyber security threat facing the world today, with the potential to significantly affect whole societies and economies – and the attacks are unrelenting, the head of the National Cyber Security Centre (NCSC) has warned.

"Even with a war raging in Ukraine – the biggest global cyber threat we still face is ransomware. That tells you something of the scale of the problem. Ransomware attacks strike hard and fast. They are evolving rapidly, they are all-pervasive, they're increasingly offered by gangs as a service, lowering the bar for entry into cyber crime," said Lindy Cameron, CEO of the NCSC in a speech at Tel Aviv Cyber Week.

She added that the NCSC has dealt with "nationally significant incidents" along with hundreds of general cyber incidents that "affect the UK more widely every year".

While she didn't detail any specific instances of responding to ransomware incidents, Cameron warned that "these complex attacks have the potential to affect our societies and economies significantly", and implied that if it weren't for the work of NCSC incident responders, alongside their counterparts in the industry and international counterparts, the attacks could have had a major impact.

https://www.zdnet.com/article/ransomware-attacks-are-the-biggest-global-cyber-threat-and-still-evolving-warns-cybersecurity-chief/

• Study Reveals Traditional Data Security Tools Have a 60% Failure Rate Against Ransomware and Extortion

Titaniam, Inc., the data security platform, announced the ‘State of Data Exfiltration & Extortion Report.’ The survey revealed that while over 70% of organisations have an existing set of prevention, detection, and backup solutions, nearly 40% of organisations have been hit with ransomware attacks in the last year, and more than 70% have experienced one in the previous five years, proving existing solutions to be woefully inadequate in managing the risks and impacts from these attacks.

Data exfiltration during ransomware attacks is up 106% relative to where it was five years ago. We are seeing the emergence of a new trend where cyber criminals are no longer limiting themselves to just encrypting entire systems—they are making sure to steal data ahead of the encryption so that they can have additional leverage on the victim. The survey found that 65% of those who have experienced a ransomware attack have also experienced data theft or exfiltration due to the incident. Of those victims, 60% say the hackers used the data theft to extort them further, known as double extortion. Most of them, i.e., 59% of victims, paid the hackers, implying that they were not helped by their backup or data security tools to prevent this fate.

Data is being exposed for theft and extortion in other ways too. Nearly half (47%) uncovered publicly exposed data in their systems in the last 24 months. It was found that respondents have a mix of data security & protection (78%), prevention & detection (75%), and backup and recovery (73%) in their cyber security stacks. Still, exposure and extortion numbers imply a missing puzzle piece regarding attacks.

https://www.darkreading.com/attacks-breaches/study-reveals-traditional-data-security-tools-have-a-60-failure-rate-against-ransomware-and-extortion

• Patchable and Preventable Security Issues Lead Causes of Q1 Attacks

Attacks against companies spiked in Q1 2022 with patchable and preventable external vulnerabilities responsible for the bulk of attacks.

Eighty-two percent of attacks on organisations in Q1 2022 were caused by the external exposure of known vulnerabilities in the victim’s external-facing perimeter or attack surface. Those unpatched bugs overshadowed breach-related financial losses tied to human error, which accounted for 18 percent.

The numbers come from Tetra Defense and its quarterly report that sheds light on a notable uptick in cyber attacks against United States organisations between January and March 2022.

The report did not let employee security hygiene, or a lack thereof, off the hook. Tetra revealed that a lack of multi-factor authentication (MFA) mechanisms adopted by firms and compromised credentials are still major factors in attacks against organisations.

https://threatpost.com/lead-causes-of-q1-attacks/180096/

• Three in Four Vulnerability Management Programs Ineffective

How at risk are organisations to unsecured vulnerabilities in their networks? NopSec, a threat and exposure management provider, gives us the answers in a new study of some 430 cyber security professionals.

Are security teams finding successful approaches to their vulnerability management, or are “open doors around their attack surface” leaving them susceptible to disaster in their organisation? The answer, as it turns out, is that some organisations are better at detection, response and remediation of their vulnerabilities.

Perhaps more importantly, others are not as locked down as they believe, according to the report. Keeping track of known vulnerabilities and responding quickly is one thing, but locating flaws they did not previously know existed is quite another.

Seventy percent of respondent say their vulnerability management program (VMP) is only somewhat effective or worse, blind spots and shadow IT remain top challenges, and vulnerabilities take too long to patch.

https://www.msspalert.com/cybersecurity-research/three-in-four-vulnerability-management-programs-ineffective-study-finds/

• EMEA Continues to Be a Hotspot for Malware Threats

Ransomware detections in the first quarter of this year doubled the total volume reported for 2021, according to the latest quarterly Internet Security Report from the WatchGuard Threat Lab. Researchers also found that the Emotet botnet came back in a big way, the infamous Log4Shell vulnerability tripled its attack efforts and malicious cryptomining activity increased.

Although findings from the Threat Lab’s Q4 2021 report showed ransomware attacks trending down year over year, that all changed in Q1 2022 with a massive explosion in ransomware detections. While Q4 2021 saw the downfall of the infamous REvil cybergang, WatchGuard analysis suggests that this opened the door for the LAPSUS$ extortion group to emerge, which along with many new ransomware variants such as BlackCat – the first known ransomware written in the Rust programming language – could be contributing factors to an ever-increasing ransomware and cyber-extortion threat landscape.

The report also shows that EMEA continues to be a hotspot for malware threats. Overall regional detections of basic and evasive malware show WatchGuard Fireboxes in EMEA were hit harder than those in North, Central and South America (AMER) at 57% and 22%, respectively, followed by Asia-Pacific (APAC) at 21%.

https://www.helpnetsecurity.com/2022/06/30/emea-malware-threats/

• A New, Remarkably Sophisticated Malware Is Attacking Home and Small Office Routers

An unusually advanced hacking group has spent almost two years infecting a wide range of routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS, and Linux, researchers reported on June 28.

So far, researchers from Lumen Technologies' Black Lotus Labs say they've identified at least 80 targets infected by the stealthy malware, including routers made by Cisco, Netgear, Asus, and DrayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.

The discovery of custom-built malware written for the MIPS architecture and compiled for small-office and home-office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router and collect the DNS lookups and network traffic they send and receive, and remain undetected, is the hallmark of a highly sophisticated threat actor.

"While compromising small office/home office (SOHO) routers as a vector to gain access to an adjacent LAN is not a novel technique, it has seldom been reported," Black Lotus Labs researchers wrote. "Similarly, reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are even rarer and a mark of a complex and targeted operation. The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organisation."

The campaign comprises at least four pieces of malware, three of them written from scratch by the threat actor. The first piece is the MIPS-based ZuoRAT, which closely resembles the Mirai internet-of-things malware that achieved record-breaking distributed denial-of-service attacks that crippled some Internet services for days. ZuoRAT often gets installed by exploiting unpatched vulnerabilities in SOHO devices.

https://www.wired.com/story/zuorat-trojan-malware-hacking-routers/

• What Are Shadow IDs, and How Are They Crucial in 2022?

Just before last Christmas, in a first-of-a-kind case, JPMorgan was fined $200M for employees using non-sanctioned applications for communicating about financial strategy. No mention of insider trading, naked shorting, or any malevolence. Just employees circumventing regulation using, well, Shadow IT. Not because they tried to obfuscate or hide anything, simply because it was a convenient tool that they preferred over any other sanctioned products (which JPMorgan certainly has quite a few of.)

Visibility into unknown and unsanctioned applications has been required by regulators and also recommended by the Center for Internet Security community for a long time. Yet it seems that new and better approaches are still in demand. Gartner has identified External Attack Surface Management, Digital Supply Chain Risk, and Identity Threat Detection as the top three trends to focus on in 2022, all of which are closely intertwined with Shadow IT.

"Shadow IDs," or in other words, unmanaged employee identities and accounts in third-party services, are often created using a simple email-and-password-based registration. Cloud access security broker (CASB) and corporate single-sign-on (SSO) solutions are limited to a few sanctioned applications, and are not widely adopted on most websites and services either. This means, that a large part of an organisation's external surface - as well as its user identities - may be completely invisible.

https://thehackernews.com/2022/06/what-are-shadow-ids-and-how-are-they.html

• Zero-Days Aren't Going Away Anytime Soon, and What Leaders Need to Know

Few security exploits are the source of more sleepless nights for security professionals than zero-day attacks. Just recently, researchers discovered a new vulnerability enabling hackers to achieve remote code execution within Microsoft Office. Dubbing the evolving threat the Follina exploit, researchers say all versions of Office are at risk. And because the internal security teams have no time to prepare or patch their systems to defend against these software vulnerabilities, crafty threat actors can take advantage, taking their time after they've accessed an organisation's environment to observe and exfiltrate data while remaining completely unseen.

And though sophisticated threat actors and nations have exploited zero-days for nearly two decades, last year saw a historic rise in the number of vulnerabilities detected. Both Google and Mandiant tracked a record number of zero-days last year, with the caveat that more zero-days are being discovered because security companies are getting better at finding them — not necessarily because hackers are coming up with new vulnerabilities. Not all zero-days are created equal, though. Some require sophisticated and novel techniques, like the attack on SolarWinds, and others exploit simple vulnerabilities in commonly used programs like Windows. Thankfully, there's some basic cyber hygiene strategies that can keep your organisation sufficiently prepared to mitigate zero-day exploits.

https://www.darkreading.com/attacks-breaches/zero-days-aren-t-going-away-anytime-soon-and-what-leaders-need-to-know

• Half of 2022's Zero-Days Are Variants of Previous Vulnerabilities

Google Project Zero has observed a total of 18 exploited zero-day vulnerabilities in the first half of 2022, at least half of which exist because previous bugs were not properly addressed.

According to Google Project Zero researcher Maddie Stone, nine of the in-the-wild zero-days seen so far this year could have been prevented had organisations applied more comprehensive patching.

“On top of that, four of the 2022 zero-days are variants of 2021 in-the-wild zero-days. Just 12 months from the original in-the-wild zero-day being patched, attackers came back with a variant of the original bug,” Stone says.

The most recent of these issues is the Follina vulnerability in the Windows platform. Tracked as CVE-2022-30190, it is a variant of an MSHTML zero-day tracked as CVE-2021-40444.

CVE-2022-21882 is another Windows vulnerability that is a variant of an in-the-wild zero-day that was improperly resolved last year, namely CVE-2021-1732.

An iOS IOMobileFrameBuffer bug (CVE-2022-22587) and a type confusion flaw in Chrome’s V8 engine (CVE-2022-1096) are two other zero-days that are variants of exploited security flaws found last year – CVE-2021-30983 and CVE-2021-30551, respectively.

Other 2022 zero-days that are variants of improperly addressed security defects are CVE-2022-1364 (Chrome), CVE-2022-22620 (WebKit), CVE-2021-39793 (Google Pixel), CVE-2022-26134 (Atlassian Confluence), and CVE-2022-26925 (Windows flaw called PetitPotam).

https://www.securityweek.com/google-half-2022s-zero-days-are-variants-previous-vulnerabilities

• Human Error Remains the Top Security Issue

Human error remains the most effective vector for conducting network infiltrations and data breaches.

The SANS Institute security centre issued its annual security awareness report Wednesday, which was based on data from 1,000 infosec professionals and found that employees and their lack of security training remain common points of failure for data breaches and network attacks. The report also tracked the maturity level of respondents' security awareness programs and their effectiveness in reducing human risk.

"This year's report once again identifies what we have seen over the past three years: that the most mature security awareness programs are those that have the most people dedicated to managing and supporting it," the cyber security training and education organisation said.

"These larger teams are more effective at working with the security team to identify, track, and prioritise their top human risks, and at engaging, motivating, and training their workforce to manage those risks."

The SANS Institute study ranked maturity by five levels, from lowest to highest: nonexistent, compliance-focused, promoting awareness and behaviour change, long-term sustainment and culture change, and metrics framework. The report found that while approximately 400 respondents said their programs promote awareness and behaviour change - the highest such response for any maturity level - the number represented a 10% decrease from the previous year's report.

https://www.techtarget.com/searchsecurity/news/252522226/SANS-Institute-Human-error-remains-the-top-security-issue

• Carnival Cruises Torpedoed by US States, Agrees to Pay $6m After Wave of Cyber Attacks

Carnival Cruise Lines will cough up more than $6 million to end two separate lawsuits filed by 46 states in the US after sensitive, personal information on customers and employees was accessed in a string of cyber attacks.

A couple of years ago, as the coronavirus pandemic was taking hold, the Miami-based business revealed intruders had not only encrypted some of its data but also downloaded a collection of names and addresses; Social Security info, driver's license, and passport numbers; and health and payment information of thousands of people in almost every American state.

It all started to go wrong more than a year prior, as the cruise line became aware of suspicious activity in May 2019. This apparently wasn't disclosed until 10 months later, in March 2020.

Back in 2019, the security operations team spotted an internal email account sending spam to other addresses. It turned out miscreants had hijacked 124 employee Microsoft Office 365 email accounts, and were using them to send phishing emails to harvest more credentials. This, we're told, gave the intruders access to personal data on 180,000 Carnival employees and customers. It's likely the miscreants first broke in using phishing mails or brute-forcing passwords; either way, there was no multi-factor authentication.

Then in August 2020, the company said it was hit with the aforementioned ransomware, and copies of its files were siphoned. In January 2021, it was infected again with malware, and again sensitive information – specifically, customer passport numbers and dates of birth, and employee credit card numbers – were downloaded. And in March that year, a staffer's work email account was compromised again to send out a phishing email; more sensitive information was exposed.

https://www.theregister.com/2022/06/28/carnival-cybersecurity-fines/

• Uber Ex-Security Chief Accused of Hacking Coverup Must Face Fraud Charges, Judge Rules

A federal judge on Tuesday said a former Uber Technologies Inc. security chief must face wire fraud charges over his alleged role in trying to cover up a 2016 hacking that exposed personal information of 57 million passengers and drivers.

The US Department of Justice had in December added the three charges against Joseph Sullivan to an earlier indictment, saying he arranged to pay money to two hackers in exchange for their silence, while trying to conceal the hacking from passengers, drivers and the US Federal Trade Commission.

https://www.reuters.com/business/uber-ex-security-chief-accused-hacking-coverup-must-face-fraud-charges-judge-2022-06-28/

Threats

Ransomware

• Ransomware market evolution results in fewer variants, but rise in off-the-shelf cyber crime kits continues | The Daily Swig (portswigger.net)

• Record-Breaking Year for Ransomware Attacks, WatchGuard Research Predicts - MSSP Alert

• Cyber Security Experts Warn of Emerging Threat of "Black Basta" Ransomware (thehackernews.com)

• 5 years after NotPetya: Lessons learned | CSO Online

• AstraLocker 2.0 infects users directly from Word attachments (bleepingcomputer.com)

• Mitel VoIP Bug Exploited in Ransomware Attacks | Threatpost

• Black Basta Ransomware Gang Attacks 50 Companies, Cybereason Reports - MSSP Alert

• How Dangerous Is BlackBasta Ransomware? (informationsecuritybuzz.com)

• LockBit 3.0 Debuts With Ransomware Bug Bounty Program (darkreading.com)

• Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit (trendmicro.com)

• Son of Conti: Ransomware tries its hand at politics - The Record by Recorded Future

• Kaseya Ransomware - Cyber Leader’s Thoughts & Learnings One Year Later (informationsecuritybuzz.com)

• Are Protection Payments the Future of Ransomware? (tripwire.com)

• Conti vs. LockBit: A Comparative Analysis of Ransomware Groups (trendmicro.com)

• This new malware is at the heart of the ransomware ecosystem | ZDNet

• Macmillan Publishing shuts down systems after likely ransomware attack (bleepingcomputer.com)

• Walmart denies being hit by Yanluowang ransomware attack (bleepingcomputer.com)

• Fake copyright infringement emails install LockBit ransomware (bleepingcomputer.com)

• Cisco Talos techniques uncover ransomware sites on dark web (techtarget.com)

• RansomHouse gang claims to have some stolen AMD data • The Register

• 'Prolific' NetWalker extortionist pleads guilty • The Register

Phishing & Email Based Attacks

• Google Warns About Hacker-for-Hire Services Trying to Phish Users (pcmag.com)

• Clever phishing method bypasses MFA using Microsoft WebView2 apps (bleepingcomputer.com)

• Cyber Attacks via Unpatched Systems Cost Orgs More Than Phishing (darkreading.com)

• How phishing attacks are becoming more sophisticated - Help Net Security

• How Evilnum Cyber Attacks Target Microsoft Office Files - MSSP Alert

• New Matanbuchus Campaign drops Cobalt Strike beacons - Security Affairs

• Kaspersky Reveals Phishing Emails That Employees Find Most Confusing (darkreading.com)

• Ukraine arrests cyber crime gang operating over 400 phishing sites (bleepingcomputer.com)

Malware

• Microsoft finds Raspberry Robin worm in hundreds of Windows networks (bleepingcomputer.com)

• Microsoft Exchange servers worldwide backdoored with new malware (bleepingcomputer.com)

• Microsoft warning: This malware that targets Linux just got a big update | ZDNet

• ZuoRAT Hijacks SOHO Routers From Cisco, Netgear (darkreading.com)

• XFiles info-stealing malware adds support for Follina delivery (bleepingcomputer.com)

• Raccoon Stealer is back with a new version to steal your passwords (bleepingcomputer.com)

• Minors Use Discord Servers To Earn Extra Pocket Money Through Spreading Malware (informationsecuritybuzz.com)

• PyPi python packages caught sending stolen AWS keys to unsecured sites (bleepingcomputer.com)

Mobile

• Android Spyware 'Revive' Upgraded to Banking Trojan - Infosecurity Magazine

• Google warns Hermit spyware is infecting phones. What is it and how do you protect yourself from it? | Mashable

• Phone Hackers: 9 Ways To Tell If You Have Fallen Victim (informationsecuritybuzz.com)

• Apple revokes certificates for Hermit spyware app - 9to5Mac

• Google Warns of New Spyware Targeting iOS and Android Users - IT Security Guru

Internet of Things – IoT

• Swarm of malfunctioning driverless taxis brings traffic to a halt for hours (telegraph.co.uk)

Data Breaches/Leaks

• Millions of free VPN user records leaked | TechRadar

• Leaky Access Tokens Exposed Amazon Photos of Users | Threatpost

• California gun dashboards expose 10 years of personal data • The Register

Organised Crime & Criminal Actors

• The strange business of cyber crime | CSO Online

• Russia-China cyber criminal collaboration could “destabilize” international order | CSO Online

• Canadian admits to hacking spree with Russian cyber-gang - BBC News

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Pentagon finds concerning vulnerabilities on blockchain | TechRepublic

• Threat actors sell access to tens of vulnerable networks compromised by exploiting Atlassian 0daySecurity Affairs

• Hackers steal $100m from another breached crypto bridge | TechRadar

• Santander Warns of 87% Surge in UK Crypto Scams - Infosecurity Magazine

• Dozens of cryptography libraries vulnerable to private key theft | The Daily Swig (portswigger.net)

• Missing Cryptoqueen: FBI adds Ruja Ignatova to top ten most wanted - BBC News

• Singapore warns of ‘brutal, unrelentingly hard’ crypto regs • The Register

Insider Risk and Insider Threats

• Rogue HackerOne employee steals bug reports to sell on the side (bleepingcomputer.com)

• Japanese worker loses city's personal data in USB fail • The Register

• How you handle independent contractors may determine your insider threat risk | CSO Online

Fraud, Scams & Financial Crime

• Threat actors increasingly use third parties to run their scams - Help Net Security

• Santander Warns of 87% Surge in UK Crypto Scams - Infosecurity Magazine

• Evolving online habits have paved the way for fraud. What can we do about it? - Help Net Security

Insurance

• Cyber Insurance: The Good, the Bad, and the Ugly - IT Security Guru

Software Supply Chain

• It's a Race to Secure the Software Supply Chain — Have You Already Stumbled? (darkreading.com)

• Over a Decade in Software Security: What Have We learned? - IT Security Guru

Denial of Service DoS/DDoS

• Russian hacktivists take down Norway govt sites in DDoS attacks (bleepingcomputer.com)

Attack Surface Management

• Digital Shadows Weaken Your Attack Surface (securityintelligence.com)

Shadow IT

• Shadow IT Spurs 1 in 3 Cyber Attacks (darkreading.com)

• What is Shadow IT and why is it so risky? (thehackernews.com)

Open Source

• CISA Warns of Active Exploitation of 'PwnKit' Linux Vulnerability in the Wild (thehackernews.com)

Passwords, Credential Stuffing & Brute Force Attacks

• RansomHouse Hackers Claim to Breach AMD With Bad Passwords (gizmodo.com)

• Breaking Down the Zola Hack and Why Password Reuse is so Dangerous (bleepingcomputer.com)

• Raccoon Stealer is back with a new version to steal your passwords (bleepingcomputer.com)

Social Media

• Verified Twitter accounts hacked to send fake suspension notices (bleepingcomputer.com)

• Facebook Business Pages Targeted via Chatbot in Data-Harvesting Campaign (darkreading.com)

• New YTStealer malware steals accounts from YouTube Creators (bleepingcomputer.com)

• Facebook 2FA phish arrives just 28 minutes after scam domain created – Naked Security (sophos.com)

Training, Education and Awareness

• Time Constraints Hamper Security Awareness Programs (darkreading.com)

Privacy

• ‘Supercookies’ Have Privacy Experts Sounding the Alarm | WIRED

• UK should immediately ban use of live facial recognition, warns report | Financial Times (ft.com)

• Snoopers’ Charter Ruled Partially Unlawful - Infosecurity Magazine

• We must stop sleepwalking towards a surveillance state | Financial Times (ft.com)

Parental Controls and Child Safety

• How parents can talk about online safety and personal info protection with their kids - Help Net Security

Regulations, Fines and Legislation

• Manx government department fined over data breach - BBC News

• Clearview fine: The unacceptable face of modern surveillance - Help Net Security

• UK security services must seek approval to access telecoms data, judges rule | UK security and counter-terrorism | The Guardian

Law Enforcement Action and Take Downs

• Global Police Crack Down on Online Sexual Exploitation - Infosecurity Magazine

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Lethal drinking water, runs on banks and panic buying: What a real Undeclared War cyber attack could mean (inews.co.uk)

• Microsoft's Defending Ukraine report offers fresh details on digital conflict and disinformation | CSO Online

• Clear Rules Needed to Prevent Conflict and Struggle in Cyber Space, Says NCSC Chief - Infosecurity Magazine

• NATO to create cyber rapid response force, increase cyber defence aid to Ukraine - CyberScoop

• Could the Russian cyber attack on Lithuania draw a military response from NATO? | World News | Sky News

• Evilnum hackers return in new operation targeting migration orgs (bleepingcomputer.com)

• Commercial cyber products must be used responsibly, says NCSC CEO (computerweekly.com)

• G7 to tackle cyber threats and disinformation from Russia: communique | Reuters

• Google Warns of New Spyware Targeting iOS and Android Users - IT Security Guru

• Apple revokes certificates for Hermit spyware app - 9to5Mac

• China lured graduate jobseekers into digital espionage | Ars Technica

• FCC commissioner calls TikTok Chinese spyware and wants it pulled from mobile app stores (androidpolice.com)

• Google warns Hermit spyware is infecting phones. What is it and how do you protect yourself from it? | Mashable

Nation State Actors

Nation State Actors – Russia

• Ukraine targeted by almost 800 cyber attacks since the war started (bleepingcomputer.com)

• Russia-linked actors may be behind an explosion at a liquefied natural gas plant in Texas - Security Affairs

• Russian Hacker Group Says Cyber Attacks Continue On Lithuania (informationsecuritybuzz.com)

• Russian hacktivists take down Norway govt sites in DDoS attacks (bleepingcomputer.com)

• Russia's Killnet hacker group says it attacked Lithuania | Reuters

Nation State Actors – China

• Chinese Threat Actor Targets Rare Earth Mining Companies in North America, Australia | SecurityWeek.Com

• Chinese Hackers Target Building Management Systems | SecurityWeek.Com

• China lured graduate jobseekers into digital espionage | Ars Technica

Nation State Actors – North Korea

• Experts blame North Korea-linked Lazarus APT for Harmony hack - Security Affairs

Vulnerability Management

• 18 Zero-Days Exploited So Far in 2022 (darkreading.com)

• Why more zero-day vulnerabilities are being found in the wild | CSO Online

• Cyber Attacks via Unpatched Systems Cost Orgs More Than Phishing (darkreading.com)

• Solving the indirect vulnerability enigma - fixing indirect vulnerabilities without breaking your dependency tree (thehackernews.com)

• Microsoft's quiet mishandling of vulnerabilities is becoming a public mess - OnMSFT.com

Vulnerabilities

• MITRE shares this year's list of most dangerous software bugs (bleepingcomputer.com)

• Critical ManageEngine ADAudit Plus Vulnerability Allows Network Takeover, Mass Data Exfiltration (darkreading.com)

• How and why threat actors target Microsoft Active Directory | CSO Online

• Atlassian Confluence Exploits Peak at 100K Daily (darkreading.com)

• Patch Now: Linux Container-Escape Flaw in Azure Service Fabric (darkreading.com)

• Zoho ManageEngine ADAudit Plus bug gets public RCE exploit (bleepingcomputer.com)

• OpenSSL 3.0.5 awaits release to fix potential security flaw • The Register

• CISA: Adopt Modern Auth now for Exchange Online • The Register

• CISA Warns of Active Exploitation of 'PwnKit' Linux Vulnerability in the Wild (thehackernews.com)

• CISA orders agencies to patch Windows LSA bug exploited in the wild (bleepingcomputer.com)

• Mitel VoIP Bug Exploited in Ransomware Attacks | Threatpost

• Log4Shell Vulnerability in VMware Leads to Data Exfiltration and Ransomware (trendmicro.com)

• Jenkins discloses dozens of zero-day bugs in multiple plugins (bleepingcomputer.com)

• New UnRAR Vulnerability Could Let Attackers Hack Zimbra Webmail Servers (thehackernews.com)

Sector Specific

Critical National Infrastructure (CNI)

• Stress and Burnout Could Lead to Exodus of CNI Cyber Security Leaders - Infosecurity Magazine

Financial Services Sector

• Android Spyware 'Revive' Upgraded to Banking Trojan - Infosecurity Magazine

FinTech

• A Fintech Horror Story: How One Company Prioritizes Cyber Security (darkreading.com)

• Security and compliance concerns limit ‘open finance’ expansion, say executives (scmagazine.com)

Telecoms

• Why the next-gen telecom ecosystem needs better regulations (techtarget.com)

OT, ICS, IIoT, SCADA and Cyber-Physical Systems

• APT Hackers Targeting Industrial Control Systems with ShadowPad Backdoor (thehackernews.com)

• Cyber-Physical Security: Benchmarking to Advance Your Journey | SecurityWeek.Com

• Critical Security Flaws Identified in CODESYS ICS Automation Software (thehackernews.com)

• Microsoft Exchange bug abused to hack building automation systems (bleepingcomputer.com)

• 5 Cyber Security Tips for Smart Buildings - IT Security Guru

• Chinese Hackers Target Building Management Systems | SecurityWeek.Com

• OT security: Helping under-resourced critical infrastructure organisations - Help Net Security

Energy & Utilities

Oil, Gas and Mining

Chinese Threat Actor Targets Rare Earth Mining Companies in North America, Australia | SecurityWeek.Com

Food and Agriculture

• Wiltshire Farm Foods Cyberattack (informationsecuritybuzz.com)

Education and Academia

• Threat Actor Claims Responsibility For IBM and Stanford University Hack - Infosecurity Magazine (infosecurity-magazine.com)

Web3

• Securing the Metaverse and Web3 | SecurityWeek.Com

• Cyber security and the metaverse: Identifying the weak spots | VentureBeat

Reports Published in the Last Week

• State of Email Security | Mimecast

• Q1 2022 Incident Response Insights from Tetra Defense | Arctic Wolf

• State of Data Exfiltration and Extortion 2022 - Titaniam

• SANS 2022 Security Awareness Report: Human Risk Remains the Biggest Threat to Your Organisation’s Cyber Security | SANS Institute

• Defending Ukraine: Early Lessons from the Cyber War - Microsoft On the Issues

Other News

• Cyber Attacks Gain Steam in Early '22: Tetra Defense Report - MSSP Alert

• FBI warns crooks are using deepfake videos in job interviews • The Register

• Destructive firmware attacks pose a significant threat to businesses - Help Net Security

• 48% of security practitioners seeing 3x increase in alerts per day - Help Net Security

• Adversarial machine learning explained: How attackers disrupt AI and ML systems | CSO Online

• Companies are desperate for cyber security workers—more than 700K positions need to be filled | Fortune

• 82% Cyber Breaches In Verizon’s Report Preventable, Says MyCena (informationsecuritybuzz.com)

• SolarWinds hack explained: Everything you need to know (techtarget.com)

• Properly securing APIs is becoming increasingly urgent - Help Net Security

• 97% Of UK Business Leaders Expect Quantum Computing to Disrupt Their Sectors - Infosecurity Magazine

• LGBTQ+ folks warned of dating app extortion scams • The Register

• What is Zero Trust and why would you want it? • The Register

• Tencent admits to poisoned QR code attack on QQ accounts • The Register

• Exploring the insecurity of readily available Wi-Fi networks - Help Net Security

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive Summary

An analysis of incident response provided by Tetra defence revealed that the majority (82%) of incidents were initially caused by an external exposure of a known vulnerability on the victim’s network, which highlights the importance of conducting vulnerability scanning to identify systems in use which are vulnerable, and then patching the systems in a timely manner.

What’s the risk to me or my business?

Vulnerability management is a key component to Cyber Security in order to protect the confidentiality, integrity and availability of systems. Unpatched exposed systems can allow an attacker access to a network, allowing for lateral intrusion, bypassing organisational and people controls.

What can I do?

It is important to have appropriate policies and technologies in place to identify and patch known vulnerabilities, in accordance with the usage, exposure and criticality of a vulnerability. The focus, driven by the organisations risk management posture, should be on patching exposed vulnerabilities which are present on an organisations’ systems, instead of just focusing on critical vulnerabilities based on the CVS rating which are not exposed, or from which exploitation is prevented by other security controls within the organisation.

Further details can be found here: Patchable and Preventable Security Issues Lead Causes of Q1 Attacks | Threatpost

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

Microsoft is permanently disabling ‘Basic Authentication’ for Exchange Online (M365) in October 2022, which will prevent any users from accessing email on the service if they are using a ‘Basic Authentication’ method. ‘Basic authentication’ allows for legacy applications that do not support ‘Modern Authentication’ to access email on Exchange Online, but comes with several security risks including no full support for multi-factor authentication.

What’s the risk to me or my business?

If any users are currently using ‘Basic Authentication’ to access emails, using protocols such as POP, IMAP and Active Sync, then they will be unable to access email after Microsoft disables this features on October 01 2022. Due to security concerns with ‘Basic Authentication’, organisations should be making every effort to move to ‘Modern Authentication’ for Exchange Online.

What can I do?

Work with your MSP to firstly check which users are still currently using ‘Basic Authentication’, and complete migration work to applications which support ‘Modern Authentication’. Once it has been confirmed that no users are using ‘Basic Authentication’, then this method should be disabled.

Technical Summary

Microsoft has already rolled out updates for many applications including Outlook for Desktop and the various Outlook mobile applications, meaning users may have already moved onto ‘Modern Authentication’. The guidance provided by CISA contains details on how to check for current usage of ‘Basic Authentication’, and putting in an authentication policy, or a conditional access policy to prevent Basic Authentication from being used going forward.

Further details can be found here: Action Recommended: Switch to Modern Authentication in Exchange Online Before Basic Authentication Deprecation (cisa.gov)

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

Raspberry Robin is the name given to a worm that is being used to infect Windows devices through removable USB drives. The worm disguises itself as a legitimate folder within the drive, when in fact it contains a malicious shortcut (LNK) file. When opened, it launches privileged processes, bypassing user account control to install itself on the device, and connect to a command and control server. This could then allow for lateral movement on the device or network.

What’s the risk to me or my business?

The worm appears to look legitimate and can bypasses some basic security controls on a device. This could cause an unaware user to infect a system, believing that the file is legitimate. This worm is now being seen more prominently in the wild across multiple organisations.

What can I do?

Work with your MSP to ensure that endpoint protection is enabled on user devices, and that it is scanning removable drives on insertion. Policies should be put into place to prevent software launching from a removable drive. Training should be supplied to users to ensure that they do not plug untrusted USB drives into corporate computers.

Technical Summary

Red Canary originally identified and named the worm, which makes use of legitimate processes built into Windows in order to establish persistence on the end user device and make contact with command and control (C2) infrastructure. These processes include CMD and msiexec.exe (Windows Installer). Additional malware is then downloaded via msiexc.exe, of which include regsvr32.exe, rundll32.exe and dllhost.exe to repeatedly attempt to connect to command and control, often via TOR nodes.

Further details can be found here: Raspberry Robin gets the worm early (redcanary.com)

Need help understanding your gaps, or just want some advice? Get in touch with us.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• The NCSC Sets Out the UK’s Cyber Threat Landscape

The current state of the UK’s cyber threat landscape was outlined by the National Cyber Security Centre (NCSC), during a keynote address on the final day of Infosecurity Europe 2022.

They described the cyber threats posed by nation-states, particularly Russia and China. Russia remains “one of the world’s most prolific cyber actors and dedicates significant resources to conducting cyber operations across the globe.”  The NCSC and international partner organisations have attributed a number of high-profile attacks related to the conflict to Russian state actors, including the Viasat incident on the eve of the invasion of Ukraine on February 24. Therefore, the NCSC recommends that organisations prepare for a dynamic situation that is liable to change rapidly.

The NCSC emphasised that a more significant long-term threat comes from China, citing GCHQ director Jeremy Fleming’s assertion that “Russia is affecting the weather, but China is shaping the climate.” She described the nation’s “highly sophisticated” activities in cyberspace, born out of its “increasing ambitions to project its influence beyond its borders.” This includes a keen interest in the UK’s commercial secrets.

In addition to nation-state attacks, the NCSC noted that cyber crime is continuing to rise, with ransomware a continuing concern. Attacks are expected to grow in scale, with threat actors likely to increasingly target managed service providers (MSPs) to gain access to a wider range of targets. More generally, cyber capabilities will become more commoditised over the next few years, meaning they are increasingly available to a larger group of would-be attackers who are willing to pay.

https://www.infosecurity-magazine.com/news/ncsc-uk-cyber-threat-landscape/

• We're Now Truly in The Era of Ransomware as Pure Extortion Without the Encryption

Increasingly cyber crime rings tracked as ransomware operators are turning toward primarily data theft and extortion – and skipping the encryption step altogether. Rather than scramble files and demand payment for the decryption keys, and all the faff in between in facilitating that, simply exfiltrating the data and demanding a fee to not leak it all is just as effective. This shift has been ongoing for many months, and is now virtually unavoidable.

The FBI and CISA this month warned about a lesser-known extortion gang called Karakurt, which demands ransoms as high as $13 million. Karakurt doesn't target any specific sectors or industries, and the gang's victims haven't had any of their documents encrypted and held to ransom. Instead, the crooks claim to have stolen data, with screenshots or copies of exfiltrated files as proof, and they threaten to sell it or leak it publicly if they don't receive a payment.

Some of these thieves offer discounted ransoms to corporations to encourage them to pay sooner, with the demanded payment getting larger the longer it takes to cough up the cash (or Bitcoin, as the case may be).

Additionally, some crime groups offer sliding-scale payment systems. So you pay for what you get, and depending on the amount of ransom paid you get a control panel, you get customer support, you get all of the tools you need."

https://www.theregister.com/2022/06/25/ransomware_gangs_extortion_feature/

• 5 Social Engineering Assumptions That Are Wrong

Social engineering is involved in the vast majority of cyber attacks, but a new report from Proofpoint has revealed five common social engineering assumptions that are not only wrong but are repeatedly subverted by malicious actors in their attacks.

1. Threat actors don’t have conversations with targets.

2. Legitimate services are safe from social engineering abuse.

3. Attackers only use computers, not telephones.

4. Replying to existing email conversations is safe.

5. Fraudsters only use business-related content as lures.

Commenting on the report’s findings, Sherrod DeGrippo, Proofpoint’s Vice-President Threat Research and Detection, stated that the vendor has attempted to debunk faulty assumptions made by organisations and security teams so they can better protect employees against cyber crime. “Despite defenders’ best efforts, cyber criminals continue to defraud, extort and ransom companies for billions of dollars annually. Security-focused decision makers have prioritised bolstering defences around physical and cloud-based infrastructure, which has led to human beings becoming the most relied upon entry point for compromise. As a result, a wide array of content and techniques continue to be developed to exploit human behaviours and interests.”

Indeed, cyber criminals will go to creative and occasionally unusual lengths to carry out social engineering campaigns, making it more difficult for users to avoid falling victim to them.

https://www.csoonline.com/article/3664932/5-social-engineering-assumptions-that-are-wrong.html#tk.rss_news

• Gartner: Regulation, Human Costs Will Create Stormy Cyber Security Weather Ahead

Security teams should prepare for what researchers say will be a challenging environment through 2023, with increased pressure from government regulators, partners, and threat actors.

Gartner kicked off its Security & Risk Management Summit with the release of its analysts' assessments of the work ahead, which Richard Addiscott, the company's senior director analyst, discussed during his opening keynote address.

“We can’t fall into old habits and try to treat everything the same as we did in the past,” Addiscott said. “Most security and risk leaders now recognise that major disruption is only one crisis away. We can’t control it, but we can evolve our thinking, our philosophy, our program, and our architecture.”

Topping Gartner's list of eight predictions is a rise in the government regulation of consumer privacy rights and ransomware response, a widespread shift by enterprises to unify security platforms, more zero trust, and, troublingly, the prediction that by 2025 threat actors will likely have figured out how to "weaponise operational technology environments successfully to cause human casualties”, the cyber security report said.

https://www.darkreading.com/attacks-breaches/gartner-regulation-human-cost-stormy-cybersecurity-weather

• Ransomware Attacks - This Is the Data That Cyber Criminals Really Want to Steal

There are certain types of data that criminals target the most, according to an analysis of attacks.

Data theft and extortion has become a common – and unfortunately effective – part of ransomware attacks, where in addition to encrypting data and demanding a ransom payment for the decryption key, gangs steal information and threaten to publish it if a payment isn't received.

These so-called double extortion attacks have become an effective tool in the arsenal of ransomware gangs, who leverage them to force victims to pay up, even in cases where data could be restored from offline backups, because the threat of sensitive information being published is too great.

Any stolen data is potentially useful to ransomware gangs, but according to analysis by researchers at cyber security company Rapid7, of 161 disclosed ransomware incidents where data was published, some data is seen as more valuable than others.

According to the report, financial services is the sector that is most likely to have customer data exposed, with 82% of incidents involving ransomware gangs accessing and making threats to release this data. Stealing and publishing sensitive customer information would undermine consumer trust in financial services organisations: while being hacked in the first place would be damaging enough, some business leaders might view paying a ransom to avoid further damage caused by data leaks to be worth it.

The second most-leaked type of file in ransomware attacks against financial services firms, featuring in 59% of disclosures from victims, is employee personally identifiable information (PII) and data related to human resources. 

https://www.zdnet.com/article/ransomware-attacks-this-is-the-data-that-cyber-criminals-really-want-to-steal/

• Cloud Email Threats Soar 101% in a Year

The number of email-borne cyber-threats blocked by Trend Micro surged by triple digits last year, highlighting the continued risk from conventional attack vectors.

The vendor stopped over 33.6 million such threats reaching customers via cloud-based email in 2021, a 101% increase. This included 16.5 million phishing emails, a 138% year-on-year increase, of which 6.5 million were credential phishing attempts.

Trend Micro also blocked 3.3 million malicious files in cloud-based emails, including a 134% increase in known threats and a 221% increase in unknown malware.

The news comes as Proofpoint warned in a new report of the continued dangers posed by social engineering, and the mistaken assumptions many users make. 

Many users don’t realise that threat actors may spend considerable time and effort building a rapport over email with their victims, especially if they’re trying to conduct a business email compromise (BEC) attack, it said.

https://www.infosecurity-magazine.com/news/cloud-email-threats-soar-101-in-a/

• 80% of Firms Suffered Identity-Related Breaches in Last 12 Months

Rapidly growing employee identities, third-party partners, and machine nodes have companies scrambling to secure credential information, software secrets, and cloud identities, according to researchers.

In a survey of IT and identity professionals from Dimensional Research, almost every organisation — 98% — experienced rapid growth in the number of identities that have to be managed, with that growth driven by expanding cloud usage, more third-party partners, and machine identities. Furthermore, businesses are also seeing an increase in breaches because of this, with 84% of firms suffering an identity-related breach in the past 12 months, compared with 79% in a previous study covering two years.

The number and complexity of identities organisations are having to manage and secure is increasing. Whenever there is an increase in identities, there is a corresponding heightened risk of identity-related breaches due to them not being properly managed and secured, and with the attack surfaces also growing exponentially, these breaches can occur on multiple fronts.

For the most part, organisations focus on employee identities, which 70% consider to be the most likely to be breached and 58% believe to have the greatest impact, according to the 2022 "Trends in Securing Digital Identities" report based on the survey. Yet third-party partners and business customers are significant sources of risk as well, with 35% and 25% of respondents considering those to be a major source of breaches, respectively.

https://www.darkreading.com/operations/identity-related-breaches-last-12-months

• After Being Breached Once, Many Companies Are Likely to Be Hit Again

Cymulate announced the results of a survey, revealing that two-thirds of companies who have been hit by cyber crime in the past year have been hit more than once, with almost 10% experiencing 10 or so more attacks a year.

Research taken from 858 security professionals surveyed across North America, EMEA, APAC and LATAM across a wide range of industries including technology, banking, finance and government, also highlighted larger companies hit by cyber crime are experiencing shorter disruption time and damage to business with 40% reported low damage compared with medium-size businesses (less than 2,500 employees) which had longer recovery times and more business affecting damage.

Other highlights

• 40% of respondents admitted to being breached over the past 12 months.

• After being breached once, statistics showed they were more likely to be hit again than not (66%).

• Malware (55%), and more specifically ransomware (40%) and DDoS (32%) were the main forms of cyber attacks experienced by those surveyed.

• Attacks primarily occurred via end-user phishing (56%), via third parties connected to the enterprise (37%) or direct attacks on enterprise networks (34%).

• 22% of companies publicly disclosed cyber attacks in the worst-case breaches, with 35% needing to hire security consultants, 12% dismissing their current security professionals and 12% hiring public relations consultants to deal with the repercussions to their reputations. Top three best practices for cyber attack prevention, mitigation and remediation include multi-factor authentication (67%), proactive corporate phishing and awareness campaigns (53%), and well-planned and practiced incident response plans (44%). Least privilege also ranked highly, at 43%.

• 29% of attacks come from insider threats – intentionally or unintentionally.

• Leadership and cyber security teams who meet regularly to discuss risk reduction are more cyber security-ready – those who met 15 times a year incurred zero breaches whereas those who suffered six or more breaches met under nine times on average.

https://www.helpnetsecurity.com/2022/06/21/companies-hit-by-cybercrime/

• Do You Have Ransomware Insurance? Look at the Fine Print

Insurance exists to protect the insured party against catastrophe, but the insurer needs protection so that its policies are not abused – and that's where the fine print comes in. However, in the case of ransomware insurance, the fine print is becoming contentious and arguably undermining the usefulness of ransomware insurance.

In recent years, ransomware insurance has grown as a product field because organisations are trying to buy protection against the catastrophic effects of a successful ransomware attack. Why try to buy insurance? Well, a single, successful attack can just about wipe out a large organisation, or lead to crippling costs – NotPetya alone led to a total of $10bn in damages.

Ransomware attacks are notoriously difficult to protect against completely. Like any other potentially catastrophic event, insurers stepped in to offer an insurance product. In exchange for a premium, insurers promise to cover many of the damages resulting from a ransomware attack.

Depending on the policy, a ransomware policy could cover loss of income if the attack disrupts operations, or loss of valuable data, if data is erased due to the ransomware event. A policy may also cover you for extortion – in others, it will refund the ransom demanded by the criminal.

The exact payout and terms will of course be defined in the policy document, also called the "fine print." Critically, fine print also contains exclusions, in other words circumstances under which the policy won't pay out. And therein lies the problem.

https://thehackernews.com/2022/06/do-you-have-ransomware-insurance-look.html

• The Price of Stolen Info: Everything on Sale on The Dark Web

What is the price for personal information, including credit cards and bank accounts, on the dark web?

Privacy Affairs researchers concluded that criminals using the dark web need only spend $1,115 for a complete set of a person’s account details, enabling them to create fake IDs and forge private documents, such as passports and driver’s licenses.

Access to other information is becoming even cheaper. The Dark Web Price Index 2022 – based on data scanning dark web marketplaces, forums, and websites, revealed:

• Credit card details and associated information cost between $17-$120

• Online banking login information costs $45

• Hacked Facebook accounts cost $45

• Cloned VISA with PIN cost $20

• Stolen PayPal account details, with minimum $1000 balances, cost $20.

In December 2021, about 4.5 million credit cards went up for sale on the dark web, the study found. The average price ranged from $1-$20.

Scammers can buy full credit card details, including CVV number, card number, associated dates, and even the email, physical address and phone number. This enables them to penetrate the credit card processing chain, overriding any security countermeasures.

https://www.helpnetsecurity.com/2022/06/22/stolen-info-sale-dark-web/

• How Companies Are Prioritising Infosec and Compliance

New research conducted by Enterprise Management Associates (EMA), examines the impact of the compliance budget on security strategy and priorities. It describes areas for which companies prioritise information security and compliance, which leaders control information security spending, how compliance has shifted the overall security strategy of the organisation, and the solutions and tools on which organisations are focusing their technology spending.

The findings cover three critical areas of an organisation’s security and compliance posture: information security and IT audit and compliance, data security and data privacy, and security and compliance spending.

One key takeaway is that merging security and compliance priorities addresses regulatory control gaps while improving the organisation’s security posture. Respondents revealed insights on how they handle compliance, who is responsible for compliance and security responsibilities, and what compliance-related security challenges organisations face.

Additional findings:

• Companies found the need to shift their information security strategy to address compliance priorities (93%).

• Information security and IT compliance priorities are generally aligned (89%).

• Existing security tools have to address data privacy considerations going forward (76%).

• Managing an organisation’s multiple IT environments and the controls that govern those environments is the greatest challenge in the IT audit and compliance space (39%).

https://www.helpnetsecurity.com/2022/06/24/companies-infosec-compliance-priorities/

• Businesses Risk ‘Catastrophic Financial Loss’ from Cyber Attacks, US Watchdog Warns

A US Government watchdog has warned that private insurance companies are increasingly backing out of covering damages from major cyber attacks — leaving businesses facing “catastrophic financial loss” unless another insurance model can be found.

The growing challenge of covering cyber risk is outlined in a new report from the Government Accountability Office (GAO), which calls for a government assessment of whether a federal cyber insurance option is needed.

The report draws on threat assessments from the National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Justice, to quantify the risk of cyber attacks on critical infrastructure, identifying vulnerable technologies that might be attacked and a range of threat actors capable of exploiting them.

Citing an annual threat assessment released by the ODNI, the report finds that hacking groups linked to Russia, China, Iran, and North Korea pose the greatest threat to US infrastructure — along with certain non-state actors like organised cyber criminal gangs.

Given the wide and increasingly skilled range of actors willing to target US entities, the number of cyber incidents is rising at an alarming rate.

https://www.theverge.com/2022/6/23/23180115/gao-infrastructure-catastrophic-financial-loss-cyberattacks-insurance

Threats

Ransomware

• Attackers exploited a Mitel VOIP zero-day to compromise a network Security Affairs

• Chinese hackers use ransomware as decoy for cyber espionage (bleepingcomputer.com)

• If you don't store valuable data, ransomware is impotent • The Register

• Ransomware-as-a-Service: Learn to Enhance Cyber security Approaches (analyticsinsight.net)

• Mitigate Ransomware in a Remote-First World (thehackernews.com)

• Delivery Firm Yodel Scrambling to Restore Operations Following Cyber attack | SecurityWeek.Com

• Black Basta Ransomware Becomes Major Threat in Two Months | SecurityWeek.Com

• These hackers are spreading ransomware as a distraction - to hide their cyber spying | ZDNet

• Conti ransomware hacking spree breaches over 40 orgs in a month (bleepingcomputer.com)

• Conti effectively created an extortion-oriented IT company, says Group-IB - Help Net Security

• Conti ransomware finally shuts down data leak, negotiation sites (bleepingcomputer.com)

• Conti ransomware group's pulse stops, but did it fake its own death? | Malwarebytes Labs

• Without Conti on the Scene, LockBit 2.0 Leads Ransomware Attacks (darkreading.com)

• Cyber attack: Gloucester council services still not back to normal - BBC News

Phishing & Email Based Attacks

• Your email is a major source of security risks and it's getting worse | ZDNet

• New Phishing Attack Infects Devices with Cobalt Strike- IT Security Guru

• Voicemail phishing emails steal Microsoft credentials • The Register

• The Risk of Multichannel Phishing Is on the Horizon (darkreading.com)

• Cops arrests nine suspected of stealing millions via email • The Register

• Cyber criminals Use Azure Front Door in Phishing Attacks - Security Affairs

• Microsoft Exchange servers hacked by new ToddyCat APT gang (bleepingcomputer.com)

• Cyber attackers Abuse QuickBooks Cloud Service in 'Double-Spear' Campaign (darkreading.com)

Other Social Engineering

• Proofpoint: Social engineering attacks slipping past users (techtarget.com)

• #InfosecurityEurope2022: Actions Not Words: Hacking the Human Through Social Engineering - Infosecurity Magazine

• Inside a large-scale phishing campaign targeting millions of Facebook users - Help Net Security

Malware

• RIG Exploit Kit Now Infects Victims' PCs With Dridex Instead of Raccoon Stealer (thehackernews.com)

• Organisations Battling Phishing Malware, Viruses the Most (darkreading.com)

• This Linux botnet has found a novel way of spreading to new devices | ZDNet

• New 'Quantum' Builder Lets Attackers Easily Create Malicious Windows Shortcuts (thehackernews.com)

• NSA warns against silly mistake in the fight against Windows malware | TechRadar

Mobile

• This Android malware is so dangerous, even Google is worried | TechRadar

• Google is notifying Android users targeted by Hermit government-grade spyware | TechCrunch

• Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware (thehackernews.com)

• This phone-wiping Android banking trojan is getting nastier | ZDNet

• BRATA Android Malware Group Now Classified As Advanced Persistent Threat - Infosecurity Magazine

• Spurred by Roe overturn, senators seek FTC probe of iOS and Android tracking | Ars Technica

Internet of Things – IoT

• Hackers can target Eufy Homebase 2 to spy on you (komando.com)

• Vulnerabilities in the Jacuzzi SmartTub app could allow to access users’ data - Security Affairs - Security Affairs

Data Breaches/Leaks

• US Bank Data Breach Impacts Over 1.5 Million Customers - Infosecurity Magazine

• CafePress fined $500,000 for breach affecting 23 million users (bleepingcomputer.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Hackers steal $100 million from California cryptocurrency firm - CNN

• DARPA study finds blockchain not as decentralised as assumed • The Register

Insider Risk and Insider Threats

• Former Amazon Worker Convicted of Capital One Data Breach - Infosecurity Magazine

Fraud, Scams & Financial Crime

• Why Fraud On Linkedin A ‘Significant Threat’ To Platform And Consumer – Information Security Buzz

Supply Chain and Third Parties

• IT pros are not very confident in their organisation's supply chain security - Help Net Security

• #InfosecurityEurope2022: Tackling Widespread Data Breaches from Third Parties - Infosecurity Magazine

Cloud/SaaS

• Risk Disconnect in the Cloud (darkreading.com)

• Microsoft 365 Users in US Face Raging Spate of Attacks (darkreading.com)

• 7 Steps to Stronger SaaS Security (darkreading.com)

• Getting a Better Handle on Identity Management in the Cloud (darkreading.com)

• Researchers Uncover Ways to Break the Encryption of 'MEGA' Cloud Storage Service (thehackernews.com)

Identity and Access Management

• Risky behaviour reduced when executives put focus on identity security - Help Net Security

• Access management issues may create security holes (techtarget.com)

• IAM Research: Inadequate Programs Leave Organisations Open to Cyber Attacks - MSSP Alert

• Why 84% Of US Firms Hit With Identity-Related Breaches In 2021 – Information Security Buzz

Open Source

• Open-source software risks persist, according to new reports | CSO Online

• Less Than Half of Organisations Have Open Source Security Policy - Infosecurity Magazine

• Blind trust in open source security is hurting us: Report | ZDNet

Training, Education and Awareness

• #InfosecurityEurope2022: Security Awareness Must Be in the Moment - Infosecurity Magazine

Privacy

• Privacy-focused Brave Search grew by 5,000% in a year (bleepingcomputer.com)

• Supreme Court's Roe v. Wade reversal sparks calls for strengthening privacy - CyberScoop

Regulations, Fines and Legislation

• Do Privacy and Data Protection Regulations Create as Many Problems as They Solve? | SecurityWeek.Com

Law Enforcement Action and Take Downs

• Phishing gang behind millions in losses dismantled by police (bleepingcomputer.com)

• Euro Police Target Crime Groups Grooming Ukrainian Refugees Online - Infosecurity Magazine

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Microsoft: Russian Cyber Spying Targets 42 Ukraine Allies | SecurityWeek.Com

• Italian spyware firm is hacking into iOS and Android devices, Google says | Computerworld

• NSO claims 'more than 5' EU states used its Pegasus spyware • The Register

• #InfosecurityEurope2022: Geopolitical Tensions a “Danger” to Cyber security - Infosecurity Magazine

• Examples of Cyber Warfare #TrendTalksBizSec (trendmicro.com)

• Ukraine deploys a DDoS protection service to survive the cyberwar | VentureBeat

• Lithuania warns of rise in DDoS attacks against government sites (bleepingcomputer.com)

• Russia's APT28 Launches Nuke-Themed Follina Exploit Campaign (darkreading.com)

• Ukrainian cyber security officials disclose two new hacking campaigns - IT Security Guru

• Scalper bots out of control in Israel, selling state appointments (bleepingcomputer.com)

• Research questions potentially dangerous implications of Ukraine's IT Army - CyberScoop

• Lithuania under cyber-attack after ban on Russian railway goodsSecurity Affairs

• #InfosecurityEurope2022: Disinformation Warfare – How Do We Tackle Fake News? - Infosecurity Magazine

Nation State Actors

Nation State Actors – Russia

• Microsoft reveals extent of attacks by Russian hackers on Ukraine allies - and why Estonia is striking exception | World News | Sky News

• Russia Steps Up Cyber-Espionage Against Ukraine Allies - Infosecurity Magazine

• Ukrainian organisations warned of hacking attempts using CredoMap malware, Cobalt Strike beacons | ZDNet

• Fancy Bear Uses Nuke Threat Lure to Exploit 1-Click Bug | Threatpost

• Russian APT28 hacker accused of the NATO think tank hack in Germany - Security Affairs

• Russia fines Google for spreading ‘unreliable’ info defaming its army (bleepingcomputer.com)

Nation State Actors – China

• Chinese APT 'Bronze Starlight' Uses Ransomware to Disguise Cyberespionage | SecurityWeek.Com

• Chinese Tropic Trooper APT spreads a hacking tool laced with a backdoor - Security Affairs

• Chinese hackers target script kiddies with info-stealer trojan (bleepingcomputer.com)

Nation State Actors – Iran

• False Air Raid Sirens in Israel Possibly Triggered by Iranian Cyber Attack | SecurityWeek.Com

Nation State Actors – Misc APT

• Elusive ToddyCat APT Targets Microsoft Exchange Servers | Threatpost

• APT Groups Swarming on VMware Servers with Log4Shell (darkreading.com)

• How APTs Are Achieving Persistence Through IoT, OT, and Network Devices (darkreading.com)

Vulnerability Management

• Why We're Getting Vulnerability Management Wrong (darkreading.com)

Vulnerabilities

• Cisco warns of security holes in its security appliances • The Register

• Citrix Releases Security Updates for Hypervisor | CISA

• Google Patches 14 Vulnerabilities With Release of Chrome 103 | SecurityWeek.Com

• Cisco will not address critical RCE in end-of-life Small Business RV routers - Security Affairs

• Google expert detailed a 5-Year-Old flaw in Apple Safari exploited in the wild - Security Affairs

• Oracle spent 6 months to fix 'Mega' flaws in the Fusion Middleware - Security Affairs

• Researchers criticize Oracle's vulnerability disclosure process (techtarget.com)

• Critical PHP Vulnerability Exposes QNAP NAS Devices to Remote Attacks (thehackernews.com)

Sector Specific

Financial Services Sector

• Flagstar Bank discloses data breach impacting 1.5 million customers (bleepingcomputer.com)

• 7 Cyber security Best Practices for Financial Services Firms - MSSP Alert

• Why Financial Institutions Must Double Down on Open Source Investments (darkreading.com)

• 10 Biggest Data Breaches in Finance | UpGuard

SMBs – Small and Medium Businesses

• How tool sprawl is becoming a common issue for SMEs - Help Net Security

• Middle market companies under attack: Threats coming from all directions - Help Net Security

• #InfosecurityEurope2022: How Should SMEs Defend Against Cyber-Risks? - Infosecurity Magazine

Legal

• #InfosecurityEurope2022: Lawyers Update Security for New Ways of Working - Infosecurity Magazine

Health/Medical/Pharma Sector

• Healthcare breaches on the rise in 2022 (techtarget.com)

Retail/eCommerce

• Magecart attacks are still around. And they are becoming more stealthy | ZDNet

• Newly Discovered Magecart Infrastructure Reveals the Scale of Ongoing Campaign- IT Security Guru

Manufacturing

• Automotive fabric supplier TB Kawashima announces cyber attack (bleepingcomputer.com)

CNI, OT, ICS, IIoT and SCADA

• Researchers disclose 56 vulnerabilities impacting thousands of OT devices - Help Net Security

• Operational Technology (OT) Security and Cyber attacks: Research Reveals Key Trends - MSSP Alert

• How To Minimise Your OT Blind Spots – Information Security Buzz

Reports Published in the Last Week

• State of Open Source Security 2022 | Snyk

Other News

• Threat Intelligence Services Are Universally Valued by IT Staff (darkreading.com)

• #InfosecurityEurope2022 Firms Face Emerging Threats as Bad Actors Evade Defences - Infosecurity Magazine

• Security pros increasingly plan to adopt MDR services in the next 12 months - Help Net Security

• Board members and the C-suite need secure communication tools - Help Net Security

• Adobe Acrobat may block antivirus tools from monitoring PDF files (bleepingcomputer.com)

• 7 Ways to Avoid Worst-Case Cyber Scenarios (darkreading.com)

• 3 threats dirty data poses to the enterprise (techtarget.com)

• Data recovery depends on how good your backup strategy is - Help Net Security

• Unsecured APIs Could Be Costing Firms $75bn Per Year - Infosecurity Magazine

• The Rise, Fall, and Rebirth of the Presumption of Compromise (darkreading.com)

• AI Is Not a Security Silver Bullet (darkreading.com)

• #InfosecurityEurope2022: Are You Prepared For The Next Big Crisis? - Infosecurity Magazine

• Ongoing PowerShell security threats prompt a call to action (techtarget.com)

• Despite known security issues, VPN usage continues to thrive - Help Net Security

• Space-based assets aren’t immune to cyber attacks | CSO Online

• Cyber security expert on how $13K of fuel was stolen from station (wtvr.com)

• Cloudflare Outage Knocks Hundreds of Websites Offline - Infosecurity Magazine (infosecurity-magazine.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• How Organisations Can Protect Themselves in The Emerging Risk Landscape

ThoughtLab’s 2022 cyber security benchmarking study ‘Cyber Security Solutions for a Riskier World’ revealed that the pandemic has brought cyber security to a critical inflection point. The number of material breaches that respondents suffered rose 20.5% from 2020 to 2021, and cyber security budgets as a percentage of firms’ total revenue jumped 51%, from 0.53% to 0.80%.

During that time, cyber security has become a strategic business imperative, requiring CEOs and their management teams to work together to meet the higher expectations of regulators, shareholders, and the board.

https://www.helpnetsecurity.com/2022/06/13/cybersecurity-strategic-business-imperative-video/

• Phishing Reaches All-Time High in Early 2022

The Anti-Phishing Working Group (APWG) Phishing Activity Trends Report reveals that in the first quarter of 2022 there were 1,025,968 total phishing attacks—the worst quarter for phishing observed to date. This quarter was the first time the three-month total has exceeded one million. There were 384,291 attacks in March 2022, which was a record monthly total.

In the first quarter of 2022, OpSec Security reported that phishing attacks against the financial sector, which includes banks, remained the largest set of attacks, accounting for 23.6 percent of all phishing. Attacks against webmail and software-as-a-service (SaaS) providers remained prevalent as well, while attacks against retail/ecommerce sites fell from 17.3 to 14.6 percent after the holiday shopping season.

Phishing against social media services rose markedly, from 8.5 percent of all attacks in 4Q2021 to 12.5 percent in 1Q2022. Phishing against cryptocurrency targets—such as cryptocurrency exchanges and wallet providers—inched up from 6.5 in the previous quarter to 6.6 percent of attacks.

https://www.helpnetsecurity.com/2022/06/15/2022-total-phishing-attacks/

• Ransomware Attacks Are Surging, with More Dangerous Hybrid Attacks to Come. Is Your Cyber Security Up to Date?

Time to reassess your cyber security strategies. Again.

Ransomware attacks on businesses have increased by one-third in the past year, according to a recent report by the Boston-based cyber security company Cybereason. 

Most (73 percent of businesses) were hit by at least one ransomware attack in the past year, and 68 percent of businesses that paid a ransom were hit again in less than a month for a higher ransom, according to the survey, which polled 1,456 cyber security professionals at global companies with 700 or more employees.

These attacks have big implications: Thirty-seven percent of companies were forced to lay off employees after paying ransoms, and 33 percent were forced to temporarily suspend business.

Since the invasion of Ukraine, cyber security experts have insisted businesses improve their lines of defence to protect against an increased risk of ransomware attacks from Russia. ​Ransomware attacks have also increased since the start of the pandemic--the rise of remote work increased vulnerability for many businesses, which hackers have taken advantage of, a 2020 FBI memo noted. So, enterprises of all sizes are at risk from many more points of attack.

https://www.inc.com/rebecca-deczynski/ransomware-attacks-increasing-cyber-security-advice.html

• The Challenges of Managing Increased Complexity as Hybrid IT Accelerates

SolarWinds released the findings of its ninth annual IT Trends Report which examines the acceleration of digital transformation efforts and its impact on IT departments. The report found the acceleration of hybrid IT has increased network complexity for most organisations and caused several worrisome challenges for IT professionals.

Hybrid and remote work have amplified the impact of distributed and complex IT environments. Running workloads and applications across both cloud and on-premises infrastructure can be challenging, and many organisations are increasingly experiencing—and ultimately hindered by—these pain points.

As more and more mission-critical workloads move to connected cloud architectures that span public, private, hybrid, and multi-cloud environments, enterprises recognise they need to invest in the tools that will help them ensure consistent policies and performance across all platforms and end users. However, they simultaneously face challenges such as budget, time constraints, and barriers to implementing observability as a strategy to keep pace with hybrid IT realities.

However professionals feel less confident in their organisation’s ability to manage IT. While 54% of respondents state they leverage monitoring strategies to manage this complexity, 49% revealed they lack visibility into the majority of their organisation’s apps and infrastructure. This lack of visibility impacts their ability to conduct anomaly detection, easy root-cause analysis, and other critical processes to ensure the availability, performance, and security of business-critical applications.

https://www.helpnetsecurity.com/2022/06/16/hybrid-it-acceleration-challenges/

• 72% Of Middle Market Companies Expect to Experience a Cyber Attack

Middle market companies face an increasingly volatile cyber security environment, with threats coming from more directions than ever before and more skilled criminals targeting the segment, according to an RSM US and US Chamber of Commerce report.

However, there is good news as the number of breaches reported in the last year among middle market companies slightly decreased with protections becoming more available and executives understanding the consequences related to potential incidents. Twenty-two percent of middle market leaders claimed that their company experienced a data breach in the last year, representing a drop from 28% in last year’s survey, suggesting that even with enhanced protections in place and the decrease in attacks, companies cannot afford to let their guard down.

The middle market encountered a roller coaster of risks in the last year, from lingering threats related to the COVID-19 pandemic to geopolitical conflicts and economic uncertainty.

The small drop in reported breaches is encouraging, and largely attributed to middle market companies beginning to implement better identity and access management controls. Yet, even with the decline in reported attacks, companies recognise the risks posed by the current dynamic threat environment, with 72% of executives anticipating that unauthorised users will attempt to access data or systems in 2022, a sharp rise from 64% last year and the highest number since RSM began tracking data in 2015.

https://www.helpnetsecurity.com/2022/06/16/middle-market-companies-cybersecurity/

• Malware's Destruction Trajectory and How to Defeat It

Malware and targeted attacks on operating systems and firmware have become increasingly destructive in nature, and these more nefarious attack methods are rising in prevalence. And just to add insult to injury, there are more of them. Today’s attacks are hitting more often, and they are hitting harder.

In the first three decades of its existence, malware was primarily restricted to mischief and attempts by virus creators to discover if their creations would work. But now the threat landscape has changed from simple vandalism to lucrative cyber crime and state-sponsored attacks.

Wiper malware, in particular, has gained traction in recent months. The FortiGuard Labs research team has seen at least seven different malware attacks targeting Ukrainian infrastructure or Ukrainian companies so far this year. The primary reason for using Wiper malware is its sheer destructiveness – the intent is to cripple infrastructure. What does the increased presence of Wiper malware strains indicate? And what do security leaders need to know and do to keep their organisation safe? Read more…

https://www.securityweek.com/malwares-destruction-trajectory-and-how-defeat-it

• Which Stolen Data Are Ransomware Gangs Most Likely to Disclose?

If your organisation gets hit by a ransomware gang that has also managed to steal company data before hitting the “encrypt” button, which types of data are more likely to end up being disclosed as you debate internally on whether you should pay the ransomware gang off?

Rapid7 analysed 161 data disclosures performed by ransomware gangs using the double extortion approach between April 2020 and February 2022, and found that:

• The most commonly leaked data is financial (63%), followed by customer/patient data (48%)

• Files containing intellectual property (e.g., trade secrets, research data, etc.) are rarely disclosed (12%) by ransomware gangs, but if the organisation is part of the pharmaceutical industry, the risk of IP data being disclosed is considerably higher (43%), “likely due to the high value placed on research and development within this industry.”

https://www.helpnetsecurity.com/2022/06/17/ransomware-data-disclosed/

• Threat Actors Becoming More Creative Exploiting the Human Factor

Threat actors exhibited "ceaseless creativity" last year when attacking the Achilles heel of every organisation—its human capital—according to Proofpoint's annual The Human Factor 2022 report. The report, released June 2, draws on a multi-trillion datapoint graph created from the company's deployments to identify the latest attack trends by malicious players.

"Last year, attackers demonstrated just how unscrupulous they really are, making protecting people from cyber threats an ongoing—and often eye-opening—challenge for organisations,” Proofpoint said in a statement.

The combination of remote work and the blurring of work and personal life on smartphones have influenced attacker techniques, the report notes. During the year, SMS phishing, or smishing, attempts more than doubled in the United States, while in the UK, 50% of phishing lures focused on delivery notifications. An expectation that more people were likely working from home even drove good, old-fashioned voice scams, with more than 100,000 telephone attacks a day being launched by cyber criminals.

https://www.csoonline.com/article/3663478/threat-actors-becoming-more-creative-exploiting-the-human-factor.html#tk.rss_news

• 66% Of Organisations Store 21%-60% Of Their Sensitive Data in The Cloud

A Thales report, conducted by 451 Research, reveals that 45% of businesses have experienced a cloud-based data breach or failed audit in the past 12 months, up 5% from the previous year, raising even greater concerns regarding the protection of sensitive data from cyber criminals.

Globally, cloud adoption and notably multicloud adoption, remains on the rise. In 2021, organisations worldwide were using an average amount of 110 software as a service (SaaS) applications, compared with just eight in 2015, showcasing a startlingly rapid increase.

With increasing complexity of multicloud environments comes an even greater need for robust cyber security. When asked what percentage of their sensitive data is stored in the cloud, 66% said between 21-60%. However, only 25% said they could fully classify all data.

https://www.helpnetsecurity.com/2022/06/16/cloud-based-data-breach-video/

• Travel-related Cyber Crime Takes Off as Industry Rebounds

An upsurge in the tourism industry after the COVID-19 pandemic grabs the attention of cyber criminals to scam the tourists.

Researchers are warning a post-COVID upsurge in travel has painted a bullseye on the travel industry and has spurred related cyber crimes.

Criminal activity includes an uptick in adversaries targeting the theft of airline mileage reward points, website credentials for travel websites and travel-related databases breaches, according to a report by Intel 471.

The impact of the attacks are hacked accounts stripped of value. But also, researchers say the consequences of recent attacks can also include flight delays and cancelations as airlines grapple with mitigating hacks.

https://threatpost.com/travel-related-cybercrime-takes-off/179962/

• How Should You Think About Security When Considering Digital Transformation Projects?

Digital transformation helps businesses keep operating and stay competitive. Here are the ways to think about security so that businesses reap the benefits without taking on associated risks.

Multiple factors contribute to the sheer number of digital transformation projects underway today: the proliferation of the Internet of Things (IoT), expanding artificial intelligence (AI) capabilities, the sudden shift to a remote workforce prompted by the global COVID-19 pandemic, and the rapid rate of cloud migration. Digital transformation is no longer a nice-to-have; it’s a must-have in order to survive and thrive in today’s business world.

CISOs and their security teams need to think about security in the digital age from both an internal and an external perspective. For the former, security teams should introduce and adopt digital enablers to transform the information security organisation. Digital enablers include the cloud, IoT, AI/machine learning (ML), and automation to transform the information security organisation.

For the latter, they should address potential risks as new digital enablers are introduced by the business to drive growth.

Here are five specific areas security teams should prioritise to achieve security-first digital transformation:

1. Security operations modernisation

2. Developer-centric security

3. Cloud strategy and execution

4. Connected devices

5. Big data and analytics

As important as it is to keep the business operating and competitive, organisations must transform securely. Keeping security at the forefront gives the business the benefits of digital transformation without the associated risks.

https://www.darkreading.com/edge-ask-the-experts/how-should-i-think-about-security-when-considering-digital-transformation-projects-

• Internet Explorer Now Retired but Still an Attacker Target

Microsoft's official end-of-support for the Internet Explorer 11 desktop application on June 15 relegated to history a browser that's been around for almost 27 years. Even so, IE still likely will provide a juicy target for attackers.

That's because some organisations are still using Internet Explorer (IE) despite Microsoft's long-known plans to deprecate the technology. Microsoft meanwhile has retained the MSHTML (aka Trident) IE browser engine as part of Windows 11 until 2029, allowing organisations to run in IE mode while they transition to the Microsoft Edge browser. In other words, IE isn't dead just yet, nor are threats to it.

Though IE has a negligible share of the browser market worldwide these days (0.52%), many enterprises still run it or have legacy applications tied to IE. This appears to be the case in countries such as Japan and Korea. Stories in Nikkei Asia and Japan Times this week quoted a survey by Keyman's Net showing that nearly 49% of 350 Japanese companies surveyed are still using IE. Another report in South Korea's MBN pointed to several large organisations still running IE.

https://www.darkreading.com/vulnerabilities-threats/internet-explorer-will-likely-remain-an-attacker-target-for-some-time

Threats

Ransomware

• Ransomware attacks are increasing with more dangerous hybrids ahead | CSO Online

• Why do organisations need to prioritize ransomware preparedness? - Help Net Security

• Ransomware and Phishing Remain IT's Biggest Concerns (darkreading.com)

• The attacker’s toolkit: Ransomware-as-a-service | VentureBeat

• Ransomware gang publishes stolen victim data on the public Internet - Help Net Security

• Researchers Discover Way to Attack SharePoint and OneDrive Files with Ransomware | SecurityWeek.Com

• ALPHV/BlackCat ransomware gang starts publishing victims' data on the clear web - Security Affairs

• Ransomware gang creates site for employees to search for their stolen data (bleepingcomputer.com)

• Microsoft: Exchange servers hacked to deploy BlackCat ransomware (bleepingcomputer.com)

• Conti's Attack Against Costa Rica Sparks a New Ransomware Era | WIRED UK

• Hello XD ransomware now drops a backdoor while encrypting (bleepingcomputer.com)

• Alphv ransomware gang ups pressure with new extortion scheme (techtarget.com)

• Costa Rica Chaos a Warning That Ransomware Threat Remains | SecurityWeek.Com

• DeadBolt ransomware takes another shot at QNAP storage • The Register

• The many lives of BlackCat ransomware - Microsoft Security Blog

• Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners (thehackernews.com)

• BlackCat Ransomware affiliates target unpatched Microsoft Exchange servers - Security Affairs

• Ransomware gangs target Japan as a feeding ground | Financial Times (ft.com)

• Africa's biggest supermarket hit by ransomware attacks | TechRadar

Phishing & Email Based Attacks

• NakedPages Phishing Toolkit is Now Available on Cyber crime Forums - Infosecurity Magazine

• New phishing attack infects devices with Cobalt Strike (bleepingcomputer.com)

Other Social Engineering

• How social engineering attacks are evolving beyond email - Help Net Security

• 2,000 People Arrested Worldwide for Social Engineering Schemes | SecurityWeek.Com

• Facebook Messenger Scam Duped Millions | Threatpost

• Heineken giving away free beer for Father's Day? It's a WhatsApp scam (bitdefender.com)

Malware

• Businesses are leaving bot attacks unchallenged for almost four months - Help Net Security

• New Syslogk Linux rootkit uses magic packets to trigger backdoor (bleepingcomputer.com)

• Linux Malware Deemed ‘Nearly Impossible’ to Detect | Threatpost

• Authorities Shut Down Russian RSOCKS Botnet That Hacked Millions of Devices (thehackernews.com)

• PSA: Beware of Clipboard Malware | NiceHash

• New Emotet Variant Stealing Users’ Credit Card Information From Google Chrome – Information Security Buzz

• Akamai Warns Of "Panchan" Linux Botnet That Leverages Golang Concurrency, Systemd - Phoronix

• Websites Hosting Fake Cracks Spread Updated CopperStealer Malware (trendmicro.com)

Mobile

• Over a billion Google Play Store app downloads could be infected by malware | TechRadar

• Android malware on the Google Play Store gets 2 million downloads (bleepingcomputer.com)

• MaliBot: A New Android Banking Trojan Spotted in the Wild (thehackernews.com)

• Cyber security Researchers Find Several Google Play Store Apps Stealing Users Data - Infosecurity Magazine

• Chinese Hackers Distribute Backdoored Web3 Wallets for iOS and Android Users (thehackernews.com)

• Android Spyware 'Hermit' Discovered in Targeted Attacks (darkreading.com)

Internet of Things - IoT

• Anker Eufy smart home hubs exposed to RCE attacks by critical flaw (bleepingcomputer.com)

• Researcher Shows How Tesla Key Card Feature Can Be Abused to Steal Cars | SecurityWeek.Com

Data Breaches/Leaks

• Unsecured Elasticsearch server leaks a million records • The Register

Organised Crime & Criminal Actors

• Cyber Criminals Smuggle Ukrainian Men Across Border - Infosecurity Magazine

• iCloud hacker gets 9 years in prison for stealing nude photos (bleepingcomputer.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs

• Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners (thehackernews.com)

Insider Risk and Insider Threats

• At Second Trial, Ex-CIA Employee Defends Himself in Big Leak | SecurityWeek.Com

Fraud, Scams & Financial Crime

• BNPL (Buy Now Pay Later) Fraud Alert as Account Takeovers Surge - Infosecurity Magazine (infosecurity-magazine.com)

• INTERPOL raids hundreds of scammy call centers in sweep - CyberScoop

• Fraud trends and scam tactics consumers should be aware of - Help Net Security

Dark Web

• 24 Billion Usernames And Passwords Found On The Dark Web – Information Security Buzz

Supply Chain and Third Parties

• How confident are IT pros in the security of their organisation's supply chain? - Help Net Security

Denial of Service DoS/DDoS

• A tiny botnet launched the largest DDoS attack on record | ZDNet

• Cloudflare Saw Record-Breaking DDoS Attack Peaking at 26 Million Request Per Second (thehackernews.com)

• DDoS Subscription Service Operator Gets 2 Years in Prison (darkreading.com)

Cloud/SaaS

• Increased cloud complexity needs stronger cyber security - Help Net Security

• Beware the 'Secret Agent' Cloud Middleware (darkreading.com)

• SaaS security: How to avoid “death by 1000 apps” - Help Net Security

• Quantifying the SaaS Supply Chain and Its Risks (darkreading.com)

• 83% of IT pros are using either hybrid or multi-cloud - Help Net Security

Privacy

• Location data poses risks to individuals, organisations | CSO Online

Passwords, Credential Stuffing & Brute Force Attacks

• 24+ Billion Credentials Circulating on the Dark Web in 2022 — So Far (darkreading.com)

• Strong passwords still a priority strategy for enterprises - Help Net Security

• The future is passwordless. What's slowing it down? - Help Net Security

• Brute-Force Attacks: How to Defend Against Them - MSSP Alert

• Staffing Firm Robert Half Says Hackers Targeted Over 1,000 Customer Accounts | SecurityWeek.Com

Travel

• Cyber Criminals Capitalizing on Resurgence in Travel (darkreading.com)

Regulations, Fines and Legislation

• Privacy Watchdog Set to Keep Millions in Fines for Legal Costs - Infosecurity Magazine

• Canada wants companies to report cyber attacks and hacking incidents | Reuters

• A closer look at the US SEC Cyber Security Disclosure rule - Help Net Security

Law Enforcement Action and Take Downs

• Interpol anti-fraud op leads to 2,000 arrests, $50m seized • The Register

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Chinese Threat Actor Employs Fake Removable Devices as Lures in Cyber-Espionage Campaign (darkreading.com)

• Sophisticated Android Spyware 'Hermit' Used by Governments | SecurityWeek.Com

• Chinese 'Gallium' Hackers Using New PingPull Malware in Cyberespionage Attacks (thehackernews.com)

• Vladimir Putin forced by cyber attack in Russia to delay keynote speech | The Independent

• Iranian hacking campaign that included former US ambassador exposed - CyberScoop

Nation State Actors

Nation State Actors – Russia

• Russia Reportedly Warns of "Direct Military Clash" if Cyber-Attacks on its Infrastructure Continue - IT Security Guru

• Russian hackers start targeting Ukraine with Follina exploits (bleepingcomputer.com)

• Mixed results for Russia's aggressive Ukraine information war, experts say - CyberScoop

Nation State Actors – China

• Chinese Gallium hackers backdoor finance, govt orgs using new PingPull malware (bleepingcomputer.com)

• China-linked APT Flew Under Radar for Decade | Threatpost

• Chinese APT exploited Sophos Firewall Zero-Day before it was fixed - Security Affairs

Nation State Actors – Iran

• New Iranian Spear-Phishing Campaign Hijacks Email Conversations- IT Security Guru

• State-Sponsored Phishing Attack Targeted Israeli Military Officials | Threatpost

Vulnerability Management

• Only 10% of vulnerabilities are remediated each month - Help Net Security

• Vulnerability management mistakes CISOs still make | CSO Online

• Mind the gap: How to ensure your vulnerability detection methods are up to scratch - Help Net Security

Vulnerabilities

• Microsoft fixes Follina and 55 other CVEs - Help Net Security

• Details of Twice-Patched Windows RDP Vulnerability Disclosed | SecurityWeek.Com

• New Hertzbleed side-channel attack affects Intel, AMD CPUs (bleepingcomputer.com)

• Time to throw out those older, vulnerable Cisco SMB routers • The Register

• Critical Citrix Bugs Impact All ADM Servers, Agents (darkreading.com)

• Time to update: Google patches seven Chrome browser bugs, four rated 'high' risk | ZDNet

• Critical Flaw in Cisco Secure Email and Web Manager Lets Attackers Bypass Authentication (thehackernews.com)

• Cisco fixed a critical Bypass Authentication flaw in Cisco ESA and Secure Email and Web Manager- Security Affairs

• Why Log4j Is Still The Problem When The Patch Is Released 6 Months Ago? – Information Security Buzz

• Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners (thehackernews.com)

• Sophos Firewall zero-day bug exploited weeks before fix (bleepingcomputer.com)

• Researchers Disclose Rooting Backdoor in Mitel IP Phones for Businesses (thehackernews.com)

• NinjaForms WordPress plugin, actively exploited in wild, receives forced security update • Graham Cluley

• How to mitigate Active Directory attacks that use the KrbRelayUp toolset | CSO Online

• Hertzbleed disclosure raises questions for Intel (techtarget.com)

• Critical Atlassian Confluence flaw remains under attack (techtarget.com)

• Hackers exploit three-year-old Telerik flaws to deploy Cobalt Strike (bleepingcomputer.com)

• Technical Details Released for 'SynLapse' RCE Vulnerability Reported in Microsoft Azure (thehackernews.com)

• Zimbra bug allows stealing email logins with no user interaction (bleepingcomputer.com)

• Microsoft takes months to fix critical Azure Synapse bug (techtarget.com)

• PACMAN, a new attack technique against Apple M1 CPUs - Security Affairs

• Critical Code Execution Vulnerability Patched in Splunk Enterprise | SecurityWeek.Com

• High-Severity RCE Vulnerability Reported in Popular Fastjson Library (thehackernews.com)

• This Security Exploit Could Have Major PS5 And PS4 Implications (slashgear.com)

Sector Specific

Financial Services Sector

• Chinese GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool (paloaltonetworks.com)

Telecoms

• Chinese GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool (paloaltonetworks.com)

Government

• Chinese GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool (paloaltonetworks.com)

Health/Medical/Pharma Sector

• Ransomware Risk in Healthcare Endangers Patients | Threatpost

• Kaiser Permanente Says Data Breach Hit 69,000 Patients (gizmodo.com)

Transport and Aviation

• Cyber Criminals Capitalizing on Resurgence in Travel (darkreading.com)

CNI, OT, ICS, IIoT and SCADA

• Tackling 5 Challenges Facing Critical National Infrastructure Today (darkreading.com)

• State of OT Security in 2022: Big Survey Key Insights (trendmicro.com)

• Over a Dozen Flaws Found in Siemens' Industrial Network Management System (thehackernews.com)

• Eight ICS Zero Days Could Open Doors for Hackers - Infosecurity Magazine

Web3

• Web3 and IAM: Marching toward disruption | CSO Online

Reports Published in the Last Week

• Voice of the CISO 2022 | Proofpoint

• 3 Big Takeaways From the Verizon DBIR 2022 (darkreading.com)

• Other News

• Why We Need Security Knowledge and Not Just Threat Intel (darkreading.com)

• Once is never enough: The need for continuous penetration testing - Help Net Security

• CISOs Gain False Confidence in the Calm After the Storm of the Pandemic (darkreading.com)

• 9 ways hackers will use machine learning to launch attacks | CSO Online

• API security warrants its own specific solution - Help Net Security

• Cyber Security Courses Ramp Up Amid Shortage of Professionals | SecurityWeek.Com

• How Russian sanctions may be helping US cyber security (techtarget.com)

• UK Security Practitioners Lack The Confidence To Stop Attacks – Information Security Buzz

• How Can Security Partnerships Help to Mitigate the Increasing Cyber Threat? (darkreading.com)

• 45% of cyber security pros are considering quitting the industry due to stress - Help Net Security

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive Summary

Citrix Application Delivery and Management (Citrix ADM), is a web-based software application used for managing Citrix deployments for an organisation.  Two vulnerabilities have been disclosed by Citrix, one of which could allow for a remote, unauthenticated user to reset the administrator password on the server, granting administrator access after a reboot.

What’s the risk to me or my business?

This vulnerability could lead to a remote user gaining privileged access to the system which facilitates Citrix deployments, which in turn could be used to access business data through these servers leading to further compromise.

What can I do?

Contact your Managed Service Provider to confirm if Citrix ADM (Hosted) is currently being used to manage Citrix deployments for you organisation and confirm if the vulnerability is being managed and patched in line with Citrix guidance. It is important to note that the Citrix ADM Service, which is the cloud solution, is not affected by this vulnerability. Only hosted solutions are affected.

Technical Summary

Only limited technical details have been supplied by Citrix so far relating to the two vulnerabilities. CVE-2022-27511, which currently does not have a CVS rating, allows a remote, unauthenticated user to corrupt a system which can lead to the reset of the administrator password on reboot, which they can then login with using the default credentials over SSH.

CVE-2022-27512, which also does not currently have a CVS rating, allows temporary disruption to the ADM license service, which can prevent new licences from being issued or renewed from the Citrix ADM.

Further details can be found here: Citrix Application Delivery Management Security Bulletin for CVE-2022-27511 and CVE-2022-27512

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

Microsoft’s June Patch Tuesday provides updates across all Windows platforms to address critical security issues. This includes updates that address a critical zero-day flaw which allows remote malicious access to the Microsoft Windows Support Diagnostic Tool (MSDT) through Microsoft Office, which has commonly been named ‘Follina’.

Internet Explorer is also set to officially retire today, meaning that going forward any legacy applications will need to be accessed using Microsoft Edge’s Internet Explorer Mode.

Security updates have also been released for other Microsoft products to tackle different issues.

What’s the risk to me or my business?

Security updates are available for all supported versions of Windows. As some of these updates address vulnerabilities that are known to be actively exploited, the updates should be applied as soon as possible.

What can I do?

Apply the available updates from Microsoft as soon as possible, while taking into consideration any potential downtime that these updates may cause.

If legacy applications are still present that require Internet Explorer, then access to these should be advised through Microsoft Edge’s Internet Explorer Mode. As these applications are very likely to be unsupported themselves, steps should be taken to either move away from the legacy applications, or to establish firm risk-based controls for protection and use of the applications.

Technical Summary

CVE-2022-30190 relate to the ‘Follina’ vulnerability. The timeline for the actual disclosure of this issue to Microsoft is not completely clear, there are reports that the issue was originally identified within a university dissertation back in August 2020, with multiple occasions after that where the issue had been reported to Microsoft without a formal CVE being raised. Microsoft has now raised a formal CVE: CVE-2022-30190 - Security Update Guide - Microsoft - Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability and has supplied mitigation steps: Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability – Microsoft Security Response Center. As a high-level summary, the exploit works by having word download template information from an external source over the internet, which contains malicious code that can execute the MSDT software, which in itself can execute PowerShell commands.

Further details on specific updates within this months Patch Tuesday can be found here: Microsoft Windows Security Updates June 2022 overview - gHacks Tech News

Information on Microsoft Edge’s Internet Explorer Mode can be found here: What is Internet Explorer mode? | Microsoft Docs

Need help understanding your gaps, or just want some advice? Get in touch with us.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Business Email Compromise (BEC) Attacks Have Risen 53% Year-Over-Year

Armorblox released a report which highlights the use of language-based attacks that bypass existing email security controls. The report uncovers how the continued increase in remote working has made critical business workflows even more vulnerable to new forms of email-based attacks, often resulting in financial fraud or credential theft.

Language-based attacks have become the new normal for business email compromise (BEC) with 74% of these attacks using language as the main attack vector.

Security teams spend a massive amount of time configuring rules and exceptions in their email security solutions to block impersonation emails – both for executives and other employees. Despite all of that manual work and rule writing, 70% of impersonation emails evaded email security controls.

https://www.helpnetsecurity.com/2022/06/06/language-based-attacks-email-video/

• Ransomware Attacks Setting New Records

Zscaler released the findings of its annual ThreatLabz Ransomware Report, which revealed an 80 percent increase in ransomware attacks year-over-year.

In 2022, the most prevalent ransomware trends include double-extortion, supply chain attacks, ransomware-as-a-service, ransomware rebranding, and geo-political incited ransomware attacks. The report details which industries are being targeted the most by cyber criminals, explains the damage caused by double-extortion and supply chain attacks, and catalogues the most active ransomware groups operating today.

Modern ransomware attacks require a single successful asset compromise to gain initial entry, move laterally, and breach the entire environment, making legacy VPN and flat networks extremely vulnerable. Attackers are finding success exploiting weaknesses across businesses’ supply chains as well as critical vulnerabilities like Log4Shell, PrintNightmare, and others. And with ransomware-as-a-service available on the darkweb, more and more criminals are turning to ransomware, realising that the odds of receiving a big payday are high.

The tactics and scope of ransomware attacks have been steadily evolving, but the end goal continues to be a disruption of the target organisation and theft of sensitive information for the purposes of ransom. The size of the ransom often depends on the number of systems infected and the value of the data stolen: the higher the stakes, the higher the payment. In 2019, many ransomware groups updated their tactics to include data exfiltration, commonly referred to as a ‘double extortion’ ransomware.

https://www.helpnetsecurity.com/2022/06/07/ransomware-attacks-increase/

• Hackers Are Now Hiding Inside Networks for Longer. That's Not a Good Sign

Cyber criminals are spending more time inside networks before they're discovered, and that's allowing them to do more damage.

The amount of time cyber criminal intruders are spending inside victims' networks is increasing, providing them with the ability to carry out higher complexity campaigns and more damaging cyber attacks.

According to analysis by cyber security researchers at Sophos, who examined incidents targeting organisations around the world and across a wide range of industry sectors, the median dwell time that cyber criminals spend inside compromised networks is now 15 days, up from 11 days the previous year.

Dwell time is the amount of time hackers are inside the network before they're discovered or before they leave – and being able to spend an increased amount of time inside a compromised network undetected means they're able to more carefully conduct malicious activity, such as monitoring users, stealing data or laying the foundations for a malware or ransomware attack.

https://www.zdnet.com/article/hackers-are-now-hiding-inside-networks-for-longer-thats-not-a-good-sign/

• Paying Ransomware Paints Bigger Bullseye on Target’s Back

Ransomware attackers often strike targets twice, regardless of whether the ransom was paid.

Paying ransomware attackers doesn’t pay off and often paints a bigger target on a victim’s back. Eighty percent of ransomware victims that paid their attackers were hit a second time by the malware scourge.

New ransomware numbers come from a Cybereason’s April ransomware survey of 1,456 cyber security professionals. According to the gated report (registration required), victims that were successfully extorted were not only targeted a second time, but frequently data encrypted by criminals later became unusable during the decryption process because of corruption issues.

The fact that ransomware gangs strike so quickly a second and third time isn’t surprising, because they will try to profit in any possible way so why not hit the same company, demand a higher ransom, and get paid again?

https://threatpost.com/paying-ransomware-bullseye-back/179915/

• Organisations Fix Only 1 in 10 Vulnerabilities Monthly

New research from SecurityScorecard features a couple of eye-popping “only” findings: Only 10 percent of vulnerabilities are remediated each month, and only 60 percent of companies have improved their security profile despite a 15-fold increase in the number of cyber incidents in the last three years.

That’s not good. The research, which sought to measure how long it took the 1.6 million organisations assessed to remediate vulnerabilities in the three-year period from 2019 to 2022, also found the following:

·       53% had at least one exposed vulnerability to the internet, while 22% of organisations amassed more than 1,000 vulnerabilities each, confirming more progress is required to protect organisations’ critical assets.

·       The financial sector is among the slowest remediation rates (median to fix 50% = 426 days), while utilities ranked among the fastest (median = 270 days).

·       Despite a 15-fold increase in exploitation activity for vulnerabilities with published exploit code, there was little evidence that organisations in the financial sector fixed exploited flaws faster.

·       The IT sector (62.6%) and public sector (61.6%) had the highest prevalence of open vulnerabilities.

·       The financial sector (48.6%) exhibited the lowest proportion of open vulnerabilities; however, there is less than a 10% difference between this and other sectors in terms of industries with the most open vulnerabilities.

·       It typically takes organisations 12 months to remediate half of the vulnerabilities in their internet-facing infrastructure.

·       When firms have fewer than 10 open vulnerabilities, it can take about a month to close just half of them, but when the list grows into the hundreds, it takes up to a year to reach the halfway point.

https://www.msspalert.com/cybersecurity-research/organizations-fix-only-1-in-10-vulnerabilities-monthly/

• Cyber Attack Surface "Spiralling Out of Control"

Global organisations are still beset with cyber visibility and control challenges, with two-fifths (43%) admitting their digital attack surface is out of control as a result, according to new Trend Micro research.

The security vendor polled over 6200 IT and business decision-makers to compile its new study, ‘Mapping the digital attack surface: Why global organisations are struggling to manage cyber risk’.

It revealed that nearly three-quarters (73%) are concerned about the increasing size of their attack surface. Over a third (37%) said it is “constantly evolving and messy,” and just half (51%) thought they were able to fully define its extent.

These visibility challenges are greatest in cloud environments, although problems persist across the board. The report highlights complex supply chains, tool bloat and home working-driven shadow IT as additional contributory factors.

On average, respondents estimated having just 62% visibility of their attack surface.

https://www.infosecurity-magazine.com/news/cyberattack-surface-out-of-control/

• Phishing Hits All-Time High in Q1 2022

The first quarter of 2022 saw phishing attacks hit a record high, topping one million for the first time, according to data from the Anti Phishing Working Group (APWG).

The industry, law enforcement and government coalition’s new Phishing Activity Trends Report also revealed that March was the worst month on record for phishing, with 384,291 attacks detected.

The financial sector was the worst hit, accounting for 24% of all detected attacks, although webmail and SaaS providers were also popular targets.

Attacks spoofing retailers dropped 17% from the previous quarter to 15% following the busy holiday shopping season, while those against social media services rose significantly, from nearly 9% percent of all attacks to 13% over the same period.

https://www.infosecurity-magazine.com/news/phishing-hits-all-time-high-q1/

• Ransomware's ROI Retreat Will Drive More BEC Attacks

Law enforcement crackdowns, tighter cryptocurrency regulations, and ransomware-as-a-service (RaaS) operator shutdowns are driving down the return on investment for ransomware operations across the globe.

A presentation at the RSA Conference last week laid out analysis of the ransomware threat landscape, predicting that there will be a pivot from ransomware toward renewed interest in basic business email compromise (BEC) attacks in the next 6 to 12 months.

Ransomware attacks grab headlines and have been supercharged by a few prolific RaaS operators, but crackdowns on just one group can make an enormous dent.

Ransomware is a centralised ecosystem with small numbers of operators responsible for the majority of attacks.

The recent disappearance of Pysa, left just two groups, Conti and Lockbit, with more than 50% of the share of the total ransomware attacks in the first half of 2022. BEC groups, on the other hand, are diffuse and scattered, making them much harder to eradicate.

Although they're not as quick to make the headlines, BEC attacks have cost business more than $43 billion since 2016, according to the FBI, and make up $1 out of every $3 lost to cyber attacks, far outpacing ransomware losses.

Ransomware has had a moment over the past couple of years, in part because once threat actors were able to abandon arcane wire transfers to collect ransoms and rely on cryptocurrency, caps on transactions were lifted and it became simple to collect much larger amounts. But new crypto regulations are chilling the ability of these cyber criminals to rely on its infrastructure to do business, adding "friction" to the transactions.

BEC attacks, by comparison, rely on social engineering to corrupt a business's financial supply chain to get employees to willingly part with the cash, making them exponentially harder to track and stop. 

https://www.darkreading.com/threat-intelligence/retreat-of-ransomware-roi-will-drive-bec-attacks-analyst-warns

• The Real Cost of Cyber Attacks: What Organisations Should Be Prepared For

With each passing year, hackers and cyber criminals of all kinds are becoming more sophisticated, malicious, and greedy conducting brazen and often destructive cyber-attacks that can severely disrupt a company’s business operations. And this is a big problem, because, first and foremost, customers rely on a company’s ability to deliver services or products in a timely manner. Cyber attacks not only can affect customers’ data, but they can impact service delivery.

Data breaches and costs associated with them have been on the rise for the past few years, but, according to a 2021 report, the average cost per breach increased from $3.86 million in 2020 to $4.24 million in 2021. The report also identified four categories contributing most global data breach costs – Lost business cost (38%), Detection and escalation (29%), Post breach response (27%), and Notification (6%).

Ransomware attacks cost an average of $4.62 million (the cost of a ransom is not included), and destructive wiper-style attacks cost an average of $4.69 million, the report said.

For a business, a data breach is not just a loss of data, it can also have a long-lasting impact on operations and undermine customers’ trust in the company. In fact, a survey revealed that 87% of consumers are willing to take their business elsewhere if they don’t trust a company is handling their data responsibly. Therefore, the reputational damage might be detrimental to a business’ ability to attract new customers.

https://informationsecuritybuzz.com/articles/the-real-cost-of-cyber-attacks-what-organizations-should-be-prepared-for/

• Why Smishing and Vishing Attempts Surged In 2021

In The Human Factor Report 2022, security vendor Proofpoint found that SMS phishing (smishing) attacks more than doubled year-on-year in 2021. The report is based on their analysis of over 2.6 billion email messages, 49 billion URLs, 1.9 billion attachments, 28 million cloud accounts and 1.7 billion mobile messages.

The study details the most common attack surfaces and methods including categories of risk, vulnerabilities, attacks, Russian Aligned APT’s, and Privilege as a vector.

Key Findings:

• Managers and executives make up only 10% of users, but almost 50% of the most severe attack risk

• Attackers attempt to initiate more than 100,000 telephone-oriented attacks every day.

• Malicious URLS are 3-4x more common than malicious attachments.

• Smishing attempts more than doubled in the US over the year, while in the UK over 50% of lures are themed around delivery notification.

• More than 20 million messages attempted to deliver malware linked to eventual ransomware attack

• Data loss prevention alerts have stabilised as businesses adopt permanent hybrid work models.

• 80% of businesses are attacked by a compromised supplier account in any given month.

• 35% of cloud tenants that received a suspicious login also saw suspicious post-access activity.

https://informationsecuritybuzz.com/expert-comments/why-smishing-and-vishing-attempts-surged-in-2021/

• Know Your Enemy! Learn How Cyber Crime Adversaries Get In…

Cyber security vendor Sophos dug into the incident reports of 144 real-life cyber attacks investigated by its Rapid Response team during 2021.

What they found might not surprise you, but it’s vital information nevertheless, because it’s what really happened, not merely what might have.

Notably:

• Unpatched vulnerabilities were the entry point for close to 50% of the attackers.

• Attackers stuck around for more than a month on average when ransomware wasn’t their primary goal.

• Attackers were known to have stolen data in about 40% of incidents. (Not all data thefts can be proved, of course, given that there isn’t a gaping hole where your copy of the data used to be, so the true number could be much higher.)

• RDP was abused to circumnavigate the network by more than 80% of attackers once they’d broken in.

Intriguingly, if perhaps unsurprisingly, the smaller the organisation, the longer the crooks had generally been in the network before anyone noticed and decided it was time to kick them out.

In businesses with 250 staff and below, the crooks stuck around (in the jargon, this is known by the quaintly archaic automotive metaphor of dwell time) for more than seven weeks on average.

This compared with an average dwell time of just under three weeks for organisations with more than 3000 employees.

As you can imagine, however, ransomware criminals typically stayed hidden for much shorter periods (just under two weeks, instead of just over a month), not least because ransomware attacks are inherently self-limiting.

After all, once ransomware crooks have scrambled all your data, they’re out of hiding and straight into their in-your-face blackmail phase.

https://nakedsecurity.sophos.com/2022/06/07/know-your-enemy-learn-how-cybercrime-adversaries-get-in/

• Small Businesses Struggle with an Increase in Cyber Attacks

Part of the problem: They don’t believe they are targets, so they don’t make security a priority. Cyber attacks are becoming more common for small businesses, and many aren’t prepared to deal with an attack.

As small businesses have accelerated their adoption of new technologies for remote work, communication, production and sales during the pandemic, their expanded computer networks have created new vulnerabilities to phishing and ransomware attacks. But many small businesses still don’t expect to be targeted by hackers, so preparing for a cyber attack is well down their list of priorities.

https://www.wsj.com/articles/small-business-cyberattacks-increase-11654540786

Threats

Ransomware

• Ransomware attacks have increased by 80% year-over-year - Help Net Security

• How the Russia-Ukraine war makes ransomware payments harder | CSO Online

• How Poor Communication Opens the Door to Ransomware and Extortion (darkreading.com)

• Cuba ransomware returns to extorting victims with updated encryptor (bleepingcomputer.com)

• Vice Society gang adds the Italian City of Palermo to its data leak site - Security Affairs

• Qbot - known channel for ransomware - delivered via phishing and Follina exploit - Help Net Security

• Black Basta Ransomware Targets ESXi Servers in Active Campaign (darkreading.com)

• Mandiant: Cyber extortion schemes increasing pressure to pay (techtarget.com)

• Roblox Game Pass store used to sell ransomware decryptor (bleepingcomputer.com)

• Costa Rican government held up by ransomware … again • The Register

• Gloucester Council IT Systems Still Not Fully Operational Six Months After Cyber-Attack - Infosecurity Magazine

• BEEF ALERT: Ransomware Group Very Mad at Being Associated with Lavish Russian Hackers (vice.com)

• Ransomware Pressure Forcing UK CISOs to Consider Quitting - Infosecurity Magazine

BEC – Business Email Compromise

• Business Email Compromise Scams Are Poised to Eclipse Ransomware | WIRED

Phishing & Email Based Attacks

• Evasive phishing mixes reverse tunnels and URL shortening services (bleepingcomputer.com)

• Proofpoint: We Block Up to Two Million Extortion Emails Daily - Infosecurity Magazine

• Massive Facebook Messenger phishing operation generates millions (bleepingcomputer.com)

• Facebook phishing campaign nets millions in IDs and cash • The Register

Other Social Engineering

• Smishing and Vishing Attempts Surged in 2021 - Infosecurity Magazine

Malware

• Symantec sees more malware operators exploiting Follina • The Register

• Potent Emotet Variant Spreads Via Stolen Email Credentials | Threatpost

• Symbiote Malware Poses Stealthy, Linux-Based Threat to Financial Industry (darkreading.com)

• This advanced new malware strain leaves you practically defenceless | TechRadar

• Be on the lookout for this malware that hijacks your browser and generates bogus search results | PC Gamer

• MacOS malware attacks slipping through the cracks (techtarget.com)

• 11 infamous malware attacks: The first and the worst | CSO Online

• 9 types of computer virus and how they do their dirty work | CSO Online

Mobile

• Android June 2022 updates bring fix for critical RCE vulnerability (bleepingcomputer.com)

IoT

• New Privacy Framework for IoT Devices Gives Users Control Over Data Sharing (thehackernews.com)

• How to Compromise a Printer in Three Simple Steps | CrowdStrike

Data Breaches/Leaks

• Since 2004, the average American has had at least 7 data breaches (scmagazine.com)

Organised Crime & Criminal Actors

• World Economic Forum wants a global map of online crime • The Register

Cryptocurrency/Cryptomining/Cryptojacking/NFTs

• Threat actors exploit recently disclosed Atlassian Confluence flaw in cryptomining campaign - Security Affairs

• Researchers Detail How Cyber Criminals Targeting Cryptocurrency Users (thehackernews.com)

• 7 NFT Scams That Could Be Targeting Your Brand (darkreading.com)

• Hackers stole +$250,000 in Ethereum from Bored Ape Yacht ClubSecurity Affairs

Fraud, Scams & Financial Crime

• Pandemic-related identity fraud: How serious is it? - Help Net Security

• Apple Release 2021 Fraud Prevention Analysis- IT Security Guru

AML/CFT/Sanctions

• Information, AML/CFT steps are key to fighting international digital crime, DOJ report says (cointelegraph.com)

Insurance

• Microsoft flags common pitfalls for cyber insurance (techtarget.com)

Dark Web

• Dark web sites selling alleged Western weapons sent to Ukraine (bleepingcomputer.com)

Software Supply Chain

• 82% of CIOs believe their software supply chains are vulnerable - Help Net Security

• Boards, CEOs demand software supply chain security improvements - Help Net Security

Denial of Service DoS/DDoS

• Major DDoS attacks increasing after invasion of Ukraine (techtarget.com)

Cloud/SaaS

• Cloud Security Tops Ransomware As Primary RSA Conference Attendee Concern - MSSP Alert

• Only 13.5% of IT pros have mastered security in the cloud native space - Help Net Security

• Is Cloud Security Losing Sight of Endpoints? - MSSP Alert

• OMIGOD: Cloud providers still using secret middleware • The Register

• Getting to grips with SaaS security - Help Net Security

Attack Surface Management

• Taming the Digital Asset Tsunami | Threatpost

Open Source

• Symbiote, a nearly-impossible-to-detect Linux malware - Security Affairs

Privacy

• Researchers Find Bluetooth Signals Can be Fingerprinted to Track Smartphones (thehackernews.com)

• New Privacy Framework for IoT Devices Gives Users Control Over Data Sharing (thehackernews.com)

Parental Controls and Child Safety

• Digital fingerprints of a million child abuse images made - BBC News

Law Enforcement Action and Take Downs

• US dismantled and seized SSNDOB cyber crime marketplace - Security Affairs

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• “Cyber Spetsnaz” is Attacking Government Agencies - Security Affairs

• Russian Ministry Website Reportedly Hacked- IT Security Guru

• Ordinary Ukrainians wage war with digital tools and drones | Financial Times (ft.com)

• Ukraine's secret cyber-defence: Excellent backups • The Register

• Major DDoS attacks increasing after invasion of Ukraine (techtarget.com)

Nation State Actors

Nation State Actors – Russia

• Russia escalates threats against West in response to cyber attacks - CyberScoop

• Russia, China, oppose US cyber support of Ukraine • The Register

Nation State Actors – China

• Russia, China, oppose US cyber support of Ukraine • The Register

• Chinese hacking group Aoqin Dragon quietly spied orgs for a decade (bleepingcomputer.com)

• China Is "Scanning" One Of World's Most Surveilled City; Now Risks Being Blinded By A Bill In The UK Parliament (eurasiantimes.com)

• People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices | CISA

• US: Chinese govt hackers breached telcos to snoop on network traffic (bleepingcomputer.com)

Nation State Actors – Iran

• Microsoft seized 41 domains used by Iran-linked Bohrium APT - Security Affairs

• Iranian hackers target energy sector with new DNS backdoor (bleepingcomputer.com)

Nation State Actors – Misc APT

• State-Backed Hackers Exploit Microsoft 'Follina' Bug to Target Entities in Europe and US (thehackernews.com)

Vulnerability Management

• CISA warning: Hackers are exploiting these 36 "significant" cyber security vulnerabilities - so patch now | ZDNet

• How CISA's list of 'must-patch' vulnerabilities has expanded both in size, and who's using it - CyberScoop

• Even the Most Advanced Threats Rely on Unpatched Systems (thehackernews.com)

Vulnerabilities

• Windows zero-day exploited in US local govt phishing attacks (bleepingcomputer.com)

• DogWalk zero-day Windows bug receives patch - but not from Microsoft (bitdefender.com)

• Chrome 102 Update Patches High-Severity Vulnerabilities | SecurityWeek.Com

• NSA, FBI warning: Hackers are using these flaws to target VPNs and network devices | ZDNet

• Ubuntu Users Get a Massive Linux Kernel Update, 35 Security Vulnerabilities Patched - 9to5Linux

• Vulnerability discovered in Apple M1 chip • The Register

• Threat Actors Start Exploiting Meeting Owl Pro Vulnerability Days After Disclosure | SecurityWeek.Com

• Critical U-Boot Vulnerability Allows Rooting of Embedded Systems | SecurityWeek.Com

Sector Specific

Financial Services Sector

• Symbiote Malware Poses Stealthy, Linux-Based Threat to Financial Industry (darkreading.com)

Telecoms

• String of attacks on French telecom infrastructure preceded April attack on fiber optic cables (cyberscoop.com)

• US: Chinese govt hackers breached telcos to snoop on network traffic (bleepingcomputer.com)

• People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices | CISA

Health/Medical/Pharma Sector

• Healthcare-specific cyber security problems and how to address them - Help Net Security

• Data for 2 million patients stolen in largest healthcare breach so far of 2022 (scmagazine.com)

Retail/eCommerce

• Online gun shops in the US hacked to steal credit cards (bleepingcomputer.com)

Energy & Utilities

• Iranian hackers target energy sector with new DNS backdoor (bleepingcomputer.com)

• US Water Utilities Prime Cyber Attack Target, Experts | Threatpost

Education and Academia

• Ransomware attacks keeping the educational sector on its toes - Help Net Security

• Personal Information of Over 30,000 Students Exposed in Unprotected Database | SecurityWeek.Com

Reports Published in the Last Week

• The Human Factor Report 2022 | Proofpoint US

• Router security report 2021 | Securelist

Other News

• 'Shields Up': the new normal in cyberspace - CyberScoop

• 37 Major Companies and Organisations Pledge to Enhance Cyber Resiliency and Counter Evolving Global Threats (darkreading.com)

• This hacking group quietly spied on their targets for 10 years | ZDNet

• Identity-based Attacks and Living-of-the-land Tactics Represent Top Threats - MSSP Alert

• Over Half of CISOs Struggling for Board Investment - Infosecurity Magazine

• Cisco EVP: Cyber security poverty line is human-rights issue • The Register

• Zero trust segmentation eliminates 5 cyber disasters per year and saves $20+ million annually - Help Net Security

• Top three most critical areas of web security - Help Net Security

• How the Colonial Pipeline attack has changed cyber security | CSO Online

• Five Eyes alliance’s top cop: tech is the future of Policing • The Register

• The costs and damages of DNS attacks - Help Net Security

• An Emerging Threat: Attacking 5G Via Network Slices (darkreading.com)

• How AI Is Useful — and Not Useful — for Cyber security (darkreading.com)

• Only 43% of security pros can respond to critical alerts in less than an hour - Help Net Security

• Now Is the Time to Plan for Post-Quantum Cryptography (darkreading.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Turbulent Cyber Insurance Market Sees Rising Prices And Sinking Coverage

As insurers and brokers reckon with unexpected losses, they're charging more for policies and setting higher requirements.

Chaos reigns in the cyber insurance market. Brokers and cyber insurance carriers — the companies that actually offer the policies — are tightening requirements on what applicants need to do to obtain policies due to losses the insurers have suffered from ransomware coverage. During the past year, premiums grew 18% in the first quarter of 2021 and were up 34% in the fourth quarter of 2021, according to Jess Burn, senior analyst at Forrester.

Organisations often find they cannot obtain cyber insurance, are not being renewed for coverage they already have, or are faced with soaring prices and shrinking coverage. Despite the value many organisations put on cyber insurance — in some cases, they're required to carry it to comply with regulations — obtaining such policies is getting more difficult.

While raising premiums, some insurers are reducing coverage. If an organisation bought $10 million worth of coverage for a given price in 2021, for example, renewing that policy in 2022 might see the coverage amount fall to $3 million and the premiums for that lower coverage rise. This phenomenon is due, in part, to insurers trying to strike the right balance of customers' risk profile versus their risk-mitigation efforts.

https://www.darkreading.com/edge-articles/turbulent-cyber-insurance-market-sees-rising-prices-and-sinking-coverage

• Ransomware Attacks Still The #1 Threat To Businesses And Organisations

In 2021, ransomware attacks continued to be one of the most prominent threats targeting businesses and organisations worldwide.

High-profile attacks disrupted operations of companies in various sectors.

For example, the Colonial Pipeline attack interrupted critical infrastructure, the JBS Foods attack influenced food processing, and the CNA breach disrupted the insurance industry.

Following the attacks, pressure of law enforcement on ransomware gangs intensified, though simultaneously these threat actors continued to evolve.

They are not only becoming more technologically sophisticated but are also extensively leveraging the growing cyber crime ecosystem looking to find new partners, services and tools for their operations.

https://www.helpnetsecurity.com/2022/05/30/ransomware-trends-video/

• Third Of UK Firms Have Experienced A Security Breach Since 2020

Cyber threats are behind soaring fraud and economic crime in the UK, where rates are now second only globally to South Africa, according to PwC.

The consulting giant’s latest Global Economic Crime Survey revealed that nearly two-thirds (64%) of UK businesses experienced fraud, corruption or other economic/financial crime during the past 24 months, a significant increase on the 56% recorded in 2020, and 50% in 2018.

It’s also much higher than the 2022 global average of 46%, PwC said.

Cyber crime was the most commonly reported fraud type, although figures here dropped from 42% in 2020 to 32% in 2022. Included for the first time in the report, supply chain incidents accounted for 19%.

Most (51%) reported fraud cases in the UK were traced back to external parties, versus just 43% globally. The top three culprits were cited as customers, hackers and vendors/suppliers.

https://www.infosecurity-magazine.com/news/third-uk-security-breach-2020/

• There Is No Good Digital Transformation Without Cyber Security

Network engineers and CIOs agree that cyber security issues represent the biggest risk for organisations that fail to put networks at the heart of digital transformation plans. According to research commissioned by Opengear, 53% of network engineers and 52% of CIOs polled in the US, UK, France, Germany, and Australia rank cyber security among the list of their biggest risks.

The concerns are fuelled by an escalating number of cyber attacks. In fact, 61% of CIOs report an increase in cyber security attacks/breaches from 2020-21 compared to the preceding two years. For digital transformation of networking, 70% of network engineers say security is the most important focus area, and 31% say network security is their biggest networking priority.

Digital transformation is a priority, but cyber security risk remains. CIOs also understand the importance of the issues. 51% of network engineers say their CIOs have consulted them on investments to deliver digital transformation plans, the highest priority in the survey.

What’s more, 41% of CIOs rank cyber security among their organisation’s most important investment priorities over the next year, with 35% stating it is among the biggest over the next five years. In both cases, cyber security ranks higher than any other factor.

https://www.helpnetsecurity.com/2022/05/31/digital-transformation-cybersecurity-risk/

• Ransomware Gang Now Hacks Corporate Websites To Show Ransom Notes

A ransomware gang is taking extortion to a new level by publicly hacking corporate websites to publicly display ransom notes.

This new extortion strategy is being conducted by Industrial Spy, a data extortion gang that recently began using ransomware. As part of their attacks, Industrial Spy will breach networks, steal data, and deploy ransomware on devices. The threat actors then threaten to sell the stolen data on their Tor marketplace if a ransom is not paid.

When ransomware gangs extort a victim, they typically give them a short window, usually a few weeks, to negotiate and pay a ransom before they start leaking data.

During this negotiation process, the threat actors promise to keep the attack secret, provide a decryption key, and delete all data if a ransom is paid.

After this period, the threat actors will use various methods to increase pressure, including DDoS attacks on corporate websites, emailing customers and business partners, and calling executives with threats.

These tactics are all done privately or with minimal exposure on their data leak sites, which are usually only visited by cyber security researchers and the media.

However, this is the first time we have seen a ransomware gang defacing a website to very publicly display a ransom note.

https://www.bleepingcomputer.com/news/security/ransomware-gang-now-hacks-corporate-websites-to-show-ransom-notes/

• Attackers Are Leveraging Follina, A Critical Microsoft Windows Vulnerability Affecting Nearly All Versions of Windows and Windows Server. What Can You Do?

As the world is waiting for Microsoft to push out a patch for CVE-2022-30190, aka “Follina”, attackers around the world are exploiting the vulnerability in a variety of campaigns.

Microsoft has described CVE-2022-30190 as a Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability, confirmed it affects an overwhelming majority of Windows and Windows Server versions, and advised on a workaround to be implemented until a patch is ready.

https://www.helpnetsecurity.com/2022/06/03/patch-cve-2022-30190/

• Ransomware Attacks Need Less Than Four Days To Encrypt Systems

The duration of ransomware attacks in 2021 averaged 92.5 hours, measured from initial network access to payload deployment. In 2020, ransomware actors spent an average of 230 hours to complete their attacks and 1637.6 hours in 2019.

This change reflects a more streamlined approach that developed gradually over the years to make large-scale operations more profitable.

At the same time, improvements in incident response and threat detection have forced threat actors to move quicker, to leave defenders with a smaller reaction margin.

The data was collected by researchers at IBM's X-Force team from incidents analysed in 2021. They also noticed a closer collaboration between initial access brokers and ransomware operators.

Previously, network access brokers might wait for multiple days or even weeks before they found a buyer for their network access.

In addition, some ransomware gangs now have direct control over the initial infection vector, an example being Conti taking over the TrickBot malware operation.

Malware that breaches corporate networks is quickly leveraged to enable post-exploitation stages of the attack, sometimes completing its objectives in mere minutes.

https://www.bleepingcomputer.com/news/security/ransomware-attacks-need-less-than-four-days-to-encrypt-systems/

• 57% Of All Digital Crimes In 2021Were Scams

Group-IB shares its analysis of the landscape of the most widespread cyber threat in the world: scams. Accounting for 57% of all financially motivated cyber crime, the scam industry is becoming more structured and involves more and more parties divided into hierarchical groups.

The number of such groups jumped to a record high of 390, which is 3.5 times more than last year, when the maximum number of active groups was close to 110. Due to SaaS (Scam-as-a-Service), in 2021 the number of cyber criminals in one scam gang increased 10 times compared to 2020 and now reaches 100.

Traffic has become the circulatory system of scam projects: researchers emphasise that the number of websites used for purchasing and providing “grey” and illegal traffic and that lure victims into fraudulent schemes has increased by 1.5 times. Scammers are going into 2022 on a new level of scam attack automation: no more non-targeted users. Scammers are now attracting specific groups of victims to increase conversion rates. Social media are more often becoming the first point of contact between scammers and their potential victims.

https://www.helpnetsecurity.com/2022/05/31/scams-widespread-cyber-threat/

• Intelligence Is Key To Strategic Business Decisions

Businesses have a growing need for greater relevance in the intelligence they use to inform critical decision-making. Currently just 18% of professionals responsible for security, risk, or compliance in their organisation feel that the intelligence they receive is “very specific and focused on their business”, a S-RM research reveals.

6 in 10 respondents also say the intelligence they receive takes too much time to analyse, meaning it does not always result in better informed decision making. This was the top reason behind dissatisfaction with external intelligence, identified by over 200 professionals working at companies with revenues of over $250 million.

The second most likely reason was that information was not tailored to business needs (47%), followed by too much information (35%).

Growing demand for the use of strategic intelligence has been prompted by increasing cyber (51%) and regulatory concerns (50%). And while these two factors have been climbing the boardroom agenda for years, geopolitical uncertainty has made the need to respond to these developments more acute. In particular, the Russia-Ukraine conflict has created a complex sanctions regime for businesses to operate.

Additionally, navigating the complexities of the COVID-19 pandemic has been a key challenge for businesses in the past three years, with 40% citing this as a catalyst in driving a growing need for strategic intelligence.

https://www.helpnetsecurity.com/2022/06/03/intelligence-decision-making/

• How Cyber Criminals Are Targeting Executives At Home And Their Families

Top executives and their families are increasingly being targeted on their personal devices and home networks, as sophisticated threat actors look for new ways to bypass corporate security and get direct access to highly sensitive data.

https://www.helpnetsecurity.com/2022/06/01/cybercriminals-targeting-executives-video/

Threats

Ransomware

• Cyber criminals Expand Attack Radius and Ransomware Pain Points | Threatpost

• FBI, CISA warn: Don't get caught in Karakurt's web • The Register

• Conti ransomware targeted Intel firmware for stealthy attacks (bleepingcomputer.com)

• GoodWill Ransomware victims have to perform socially driven activities to decryption their dataSecurity Affairs

• YourCyanide Ransomware Propagates With PasteBin, Discord, Microsoft Links (darkreading.com)

• Conti Leaks Reveal Ransomware Gang's Interest in Firmware-based Attacks (thehackernews.com)

• Evil Corp switches to LockBit ransomware to evade sanctions (bleepingcomputer.com)

• Ransomware attack sends New Jersey county back to 1977 • The Register

• Ransomware roundup: System-locking malware dominates headlines | CSO Online

• What if ransomware evolved to hit IoT in the enterprise? • The Register

• How Costa Rica found itself at war over ransomware | CSO Online

• Experts warn of ransomware attacks on government orgs of small states - Security Affairs

• Foxconn confirms ransomware attack disrupted production in Mexico (bleepingcomputer.com)

• Hanesbrands says it suffered a ransomware attack on May 24 and has informed law enforcement - MarketWatch

• Why Ransomware Timeline Shrinks By 94%? – Information Security Buzz

• Hundreds of Elasticsearch databases targeted in ransom attacks (bleepingcomputer.com)

BEC – Business Email Compromise

• Why Stopping Business Email Compromise (BEC) Needs To Be A Priority For MSPs - MSSP Alert

• Language-based BEC attacks rising - Help Net Security

Phishing & Email Based Attacks

• Watch out for phishing emails that inject spyware trio • The Register

• Existential Phishing Schemes | The New Yorker

• Telegram’s blogging platform abused in phishing attacks (bleepingcomputer.com)

Other Social Engineering

• Hacker steals Verizon employee database after tricking worker into granting remote access (bitdefender.com)

• Vishing attacks: What they are and how organisations can protect themselves - Help Net Security

• Beware the Smish! Home delivery scams with a professional feel… – Naked Security (sophos.com)

Malware

• New XLoader Botnet Version Using Probability Theory to Hide its C&C Servers (thehackernews.com)

• LuoYu APT delivers WinDealer malware via man-on-the-side attacks - Security Affairs

• EnemyBot malware adds enterprise flaws to exploit arsenal • The Register

• Researchers Uncover Malware Controlling Thousands of Sites in Parrot TDS Network (thehackernews.com)

• Logic bombs explained: Definition, examples, and prevention | CSO Online

Mobile

• Top 10 Android banking trojans target apps with 1 billion downloads (bleepingcomputer.com)

• WhatsApp accounts hijacked by call forwarding | Malwarebytes Labs

• SideWinder Hackers Use Fake Android VPN Apps to Target Pakistani Entities (thehackernews.com)

• SMSFactory Android malware sneakily subscribes to premium services (bleepingcomputer.com)

• Phishers Having a Field Day on WhatsApp, Telegraph (darkreading.com)

• Apple blocked 1.6 millions apps from defrauding users in 2021 (bleepingcomputer.com)

Organised Crime & Criminal Actors

• FBI warns of Ukrainian charities impersonated to steal donations (bleepingcomputer.com)

• Euro Cops Bust $47m Money Laundering Operation - Infosecurity Magazine (infosecurity-magazine.com)

• Three Nigerian Users of Agent Tesla RAT Arrested | SecurityWeek.Com

Cryptocurrency/Cryptomining/Cryptojacking/NFTs

• Americans report losing over $1 billion to cryptocurrency scams (bleepingcomputer.com)

• Clipminer malware gang stole $1.7M by hijacking crypto payments (bleepingcomputer.com)

• Bored Ape Yacht Club, Otherside NFTs stolen in Discord server hack (bleepingcomputer.com)

• WatchDog hacking group launches new Docker cryptojacking campaign (bleepingcomputer.com)

Fraud, Scams & Financial Crime

• $39.5 billion lost to phone scams in last year - Help Net Security

• Fast loan scam: Here's how it works and why Lloyds Bank has put out an urgent warning | This is Money

• Britain's biggest bank issues 'urgent warning' over new scam (telegraph.co.uk)

• Scams account for most of all financially motivated cyber crime - Help Net Security

AML/CFT/Sanctions

• Evil Corp Pivots LockBit to Dodge US Sanctions | Threatpost

Supply Chain and Third Parties

• To better manage cyber security risk, extend zero-trust principles to third parties | TechCrunch

Denial of Service DoS/DDoS

• DDoS threats growing in sophistication, size, and frequency - Help Net Security

• DDoS attackers continue to innovate, devising new threats and altering attack strategies - Help Net Security

Open Source

• Linux malware is on the rise—6 types of attacks to look for | CSO Online

• The Open Source Software Security Mobilization Plan: Takeaways for security leaders | CSO Online

Privacy

• Vodafone plans carrier-level user tracking for targeted ads (bleepingcomputer.com)

• Europe's hope to scan devices for unlawful files criticized • The Register

Passwords & Credential Stuffing

• Why are many businesses still not using a password manager? - Help Net Security

Regulations, Fines and Legislation

• ExpressVPN Removes Servers in India After Refusing to Comply with Government Order (thehackernews.com)

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• NSA general confirms US offensive cyber ops in Ukraine war • The Register

• Deadly Secret: Electronic Warfare Shapes Russia-Ukraine War | SecurityWeek.Com

• Anonymous: Operation Russia after 100 days of war - Security Affairs

• Chinese LuoYu hackers deploy cyber-espionage malware via app updates (bleepingcomputer.com)

Nation State Actors

Nation State Actors – Russia

• Germany issues fresh warning to banks of cyber attacks due to Ukraine war | Reuters

Nation State Actors – China

• China-linked TA413 group actively exploits Microsoft Follina Zero-Day flawSecurity Affairs

• Chinese state media propaganda found in 88% of Google, Bing news searches - CyberScoop

• Chinese LuoYu Hackers Using Man-on-the-Side Attacks to Deploy WinDealer Backdoor (thehackernews.com)

• How Beijing’s surveillance cameras crept into Britain’s corridors of power (telegraph.co.uk)

Nation State Actors – North Korea

• The day the NHS was held to ransom by North Korean cyber hackers (telegraph.co.uk)

Nation State Actors – Iran

• Microsoft Disables Iran-Linked Lebanese Hacking Group Polonium (darkreading.com)

• Iranian hackers planned attack on Boston Children's Hospital last summer, FBI director says - CyberScoop

Nation State Actors – Misc APT

• Microsoft blocks Polonium hackers from using OneDrive in attacks (bleepingcomputer.com)

• Snake carried out over 1,000 attacks since April 2020 - Security Affairs

• SideWinder Hackers Launched Over a 1,000 Cyber Attacks Over the Past 2 Years (thehackernews.com)

Vulnerability Management

• Focus resources on patching most threatening vulns: research • The Register

Vulnerabilities

• CISA adds 75 vulnerabilities to catalogue in 3 days- IT Security Guru

• Fighting Follina: Application Vulnerabilities and Detection Possibilities (darkreading.com)

• Yet another zero-day (sort of) in Windows “search URL” handling – Naked Security (sophos.com)

• Microsoft Releases Workarounds for Office Vulnerability Under Active Exploitation (thehackernews.com)

• Actively Exploited Atlassian Zero-Day Bug Allows Full System Takeover (darkreading.com)

• Microsoft Azure vulnerabilities pose new cloud security risk - Protocol

• GitLab Issues Security Patch for Critical Account Takeover Vulnerability (thehackernews.com)

• New Unpatched Horde Webmail Bug Lets Hackers Take Over Server by Sending Email (thehackernews.com)

Sector Specific

Financial Services Sector

• Germany issues fresh warning to banks of cyber attacks due to Ukraine war | Reuters

Government

• Experts warn of ransomware attacks on government orgs of small states - Security Affairs

Health/Medical/Pharma Sector

• Twice as Many Healthcare Organisations Now Pay Ransom - Infosecurity Magazine

• Novartis says no sensitive data was compromised in cyber attack (bleepingcomputer.com)

• Costa Rica’s public health agency hit by Hive ransomware (bleepingcomputer.com)

Transport and Aviation

• Turkish airline suffers 6.5TB data leak - IT Security Guru

CNI, OT, ICS, IIoT and SCADA

• Vendor Refuses to Remove Backdoor Account That Can Facilitate Attacks on Industrial Firms | SecurityWeek.Com

• Industrial IoT ransomware attacks control systems directly (scmagazine.com)

• Researchers Demonstrate Ransomware for IoT Devices That Targets IT and OT Networks (thehackernews.com)

Food and Agriculture

• JBS Foods cyber attack highlights industry vulnerabilities to Russian hackers - ABC News

Web3

• Why web3 companies get hacked so often, according to crypto VC Grace Isford | TechCrunch

Other News

• How Failing to Prioritize Cyber Security can Hurt Your Company (analyticsinsight.net)

• Cyber security needs a whole-of-society effort | The Hill

• 40% of enterprises don't include business-critical systems in their cyber security monitoring - Help Net Security

• Bad news: The cyber security skills crisis is about to get even worse | ZDNet

• Nearly Three-Quarters of Firms Suffer Downtime from DNS Attacks - Infosecurity Magazine

• CIOs and network engineers rank cyber security among the biggest risks - Help Net Security

• How USB Drives Can Be a Danger to Your Computer (howtogeek.com)

• Australian digital driver's licenses hackable in minutes • The Register

• Over 3.6 million MySQL servers found exposed on the Internet (bleepingcomputer.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• How Confident Are Companies In Managing Their Current Threat Exposure?

Crossword Cybersecurity has released a report based on the findings of a survey of over 200 CISOs and senior UK cyber security professionals. The paper reveals companies are more concerned and exposed to cyber threats than ever before, with 61 percent describing themselves as at best only “fairly confident” at managing their current cyber security threat exposure, which should raise some eyebrows around the boardroom.

Respondents also feared their cyber strategy would not keep pace with the rate of tech innovation and changes in the threat landscape. 40 percent of organisations believe their existing cyber strategy will be outdated in two years, and a further 37 percent within three years. Additional investment is needed to address longer term planning, with 44 percent saying they only have sufficient resources in their organisation to focus on the immediate and mid-term cyber threats and tech trends.

https://www.helpnetsecurity.com/2022/05/26/organizations-cyber-strategy/

• 'There's No Ceiling': Ransomware's Alarming Growth Signals A New Era, Verizon DBIR Finds

Ransomware has become so efficient, and the underground economy so professional, that traditional monetisation of stolen data may be on its way out.

The past year has seen a staggering acceleration in ransomware incidents, with 25% of all breaches containing a ransomware component.

That's the top-line finding in the 2022 Verizon Data Breach Investigations Report (DBIR), which found that ransomware events in conjunction with breaches ballooned 13% in the past year — last year's report found that just 12% of incidents were ransomware-related. That translates into a rate of increase that's more than the previous five years of growth combined.

The 15th annual DBIR analysed 23,896 security incidents, of which 5,212 were confirmed breaches. About four in five of those were the handiwork of external cyber criminal gangs and threat groups, according to Verizon. And according to Alex Pinto, manager of the Verizon Security Research team, these nefarious types are finding it easier and easier to earn an ill-gotten living with ransomware, making other types of breaches increasingly obsolete.

"Everything in cyber crime has become so commoditised, so much like a business now, and it's just too darn efficient of a methodology for monetising their activity," he tells Dark Reading, noting that with the emergence of ransomware as-a-service (RaaS) and initial-access brokers, it takes very little skill or effort to get into the extortion game.

"Before, you had to get in somehow, look around, and find something worth stealing that would have a reseller on the other end," he explains. "In 2008 when we started the DBIR, it was by and large payment-card data that was stolen. Now, that has fallen precipitously because they can just pay for access someone else established and install rented ransomware, and it's so much simpler to reach the same goal of getting money."

https://www.darkreading.com/attacks-breaches/ransomware-alarming-growth-verizon-dbir

• Paying Ransom Doesn’t Guarantee Data Recovery

A Veeam report has found that 72% of organisations had partial or complete attacks on their backup repositories, dramatically impacting the ability to recover data without paying the ransom.

Additionally, 76% of organisations admitted to paying the ransom. But while 52% paid the ransom and were able to recover data, 24% paid the ransom but were still not able to recover data.

https://www.helpnetsecurity.com/2022/05/24/paying-ransom-recover-data-video/

• Report: Frequency Of Cyber Attacks in 2022 Has Increased By Almost 3M

Kaspersky has released a new report revealing a growing number of cyber attacks on small businesses in 2022 so far. Researchers compared the period between January and April 2022 to the same period in 2021, finding increases in the numbers of Trojan-PSW detections, internet attacks and attacks on Remote Desktop Protocol.

In 2022, the number of Trojan-PSW (Password Stealing Ware) detections increased globally by almost a quarter compared to the same period in 2021 一 4,003,323 to 3,029,903. Trojan-PSW is a malware that steals passwords, along with other account information, which then allows attackers to gain access to the company network and steal sensitive information.

Internet attacks grew from 32,500,000 globally in the analysed period of 2021 to almost 35,400,000 in 2022. These can include web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet command & control centres and more.

The number of attacks on Remote Desktop Protocol grew in the U.S. (while dropping slightly globally), going from 47.5 million attacks in the first trimester of 2021 to 51 million in the same period of 2022. With the widespread shift toward remote work, many companies have introduced Remote Desktop Protocol (RDP), a technology that enables computers on the same corporate network to be linked together and accessed remotely, even when the employees are at home.

With small business owners typically handling numerous responsibilities at the same time, cyber security is often an afterthought. However, this disregard for IT security is being exploited by cyber criminals. The Kaspersky study sought to assess the threats that pose an increasing danger to entrepreneurs.

https://venturebeat.com/2022/05/20/report-frequency-of-cyberattacks-in-2022-has-increased-by-almost-3m/

• New Zoom Flaws Could Let Attackers Hack Victims Just By Sending Them A Message

Popular video conferencing service Zoom has resolved as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and execute malicious code.

With Zoom's chat functionality built on top of the XMPP standard, successful exploitation of the issues could enable an attacker to force a vulnerable client to masquerade a Zoom user, connect to a malicious server, and even download a rogue update, resulting in arbitrary code execution stemming from a downgrade attack.

https://thehackernews.com/2022/05/new-zoom-flaws-could-let-attackers-hack.html

• VMware, Airline Targeted As Ransomware Chaos Reigns

Global ransomware incidents target everything from enterprise servers to grounding an airline, with one India-based group even taking a Robin Hood approach to extortion with the "GoodWill" strain.

Ransomware incidents are on the rise and this week proved no exception, with the discovery of a Linux-based ransomware family called Cheerscrypt targeting VMware ESXi servers and an attack on SpiceJet, India’s second largest airline.

Meanwhile, an oddball "GoodWill" variant purports to help the needy.

The Cheerscrypt ransomware variant was uncovered by Trend Micro and relies on the double-extortion scheme to coerce victims to pay the ransom – i.e., stealing data as well and threatening to leak it if victims don’t pay up.

Because of the popularity of ESXi servers for creating and running multiple virtual machines (VMs) in enterprise settings, the Cheerscrypt ransomware could be appealing to malicious actors looking to rapidly distribute ransomware across many devices.

Meanwhile, low-cost carrier SpiceJet faced a ransomware attack this week, causing flight delays of between two and five hours as well as rendering unavailable online booking systems and customer service portals.

While the company’s IT team announced on Twitter that it had successfully prevented the attempted attack before it was able to fully breach all internal systems and take them over, customers and employees are still experiencing the ramifications.

https://www.darkreading.com/attacks-breaches/vmware-airline-targeted-as-ransomware-chaos-reigns

• Crypto Hacks Aren't A Niche Concern; They Impact Wider Society

Million-dollar crypto heists are becoming more common as the currency starts to go mainstream; prevention and enforcement haven't kept pace.

The attack against the Ronin Network in March was quickly speculated to be one of the largest cryptocurrency hacks of all time. Approximately $540 million was stolen from the cryptocurrency and NFT games company in a combination of USDC and Etherium, with $400 million of the stolen funds owned by customers playing the game Axie Infinity.

This attack was the latest in a string of thefts perpetrated against crypto and should be a jolt to both the digital asset and cyber security communities to bring the security of cryptocurrencies into line.

The current vogue of large-scale crypto heists goes as far back as the 2014 Mt. Gox hack (another cryptocurrency exchange built around a game, Magic: The Gathering), which went into bankruptcy after losing $460 million of assets.

However, the trend has been gathering pace. In the months leading up to the Ronin Network attack, cyber criminals stole nearly $200 million worth of cryptocurrency from the crypto trading platform BitMart, attacked 400 Crypto.com users, and orchestrated NFT-related scams, to name but a few incidents.

There is often an uncomfortable tendency to see these attacks as something that takes place in isolation in a remote part of the Internet when they actually have a huge impact on thousands of people.

https://www.darkreading.com/attacks-breaches/crypto-hacks-aren-t-a-niche-concern-they-impact-wider-society

• State Of Cyber Security Report 2022 Names Ransomware And Nation-State Attacks As Biggest Threats

Ransomware is the biggest concern for cyber security professionals, according to results of the Infosecurity Group’s 2022 State of Cybersecurity Report, produced by Infosecurity Europe and Infosecurity Magazine.

Cyber Security Professionals' Number One Concern: Ransomware.

This attack vector was voted as the biggest cyber security trend (28%) by the survey respondents (including CISOs, CTOs, CIOs and academics), marking a significant change from the previous report in 2020, where ransomware did not break the top three. This follows surging ransomware incidents in 2021, with ransom demands and payments growing significantly last year. A number of these attacks have also impacted critical industries, for example, taking down the US’ largest fuel pipeline.

The survey respondents also highlighted the evolving tactics and capabilities of ransomware attackers. This includes threat actors becoming more sophisticated as they evolve into loosely coupled service-based operations.

A number of cyber security professionals believe that cyber-criminal groups will become more guarded in their approach due to new initiatives by governments and law enforcement to tackle these activities.

Cyber Security Professionals' Number Two Concern: Nation-State Attacks.

The second biggest concern for survey respondents was geopolitics/nation-state attacks (24%), particularly the shifting hostilities from the Russia-Ukraine conflict into cyberspace. Russia already had a reputation for conducting offensive cyber operations prior to the conflict, and the Ukrainian government and critical services have experienced numerous attacks both before and since the war began.

https://www.infosecurity-magazine.com/news/2022-state-industry-report/

• Vishing (Voice Phishing) Cases Reach All Time High

Vishing (voice phishing) cases have increased almost 550 percent over the last twelve months (Q1 2021 to Q1 2022), according to the latest Quarterly Threat Trends & Intelligence Report from Agari and PhishLabs.

In Q1 2022, Agari and PhishLabs detected and mitigated hundreds of thousands of phishing, social media, email, and dark web threats targeting a broad range of enterprises and brands. The report provides an analysis of the latest findings and insights into key trends shaping the threat landscape.

According to the findings, vishing attacks have overtaken business email compromise (BEC) as the second most reported response-based email threat since Q3 2021. By the end of the year, more than one in four of every reported response-based threat was a vishing attack, and this makeup continued through Q1 2022.

https://www.helpnetsecurity.com/2022/05/24/vishing-cases-increased/

• DeFi (Decentralised Finance) Is Getting Pummelled By Cyber Criminals

Decentralised finance lost $1.8 billion to cyber attacks last year — and 80% of those events were the result of vulnerable code, analysts say.

Decentralised finance (DeFi) platforms — which connect various cryptocurrency blockchains to create a decentralised infrastructure for borrowing, trading, and other transactions — promise to replace banks as a secure and convenient way to invest in and spend cryptocurrency. But in addition to attracting hordes of new users with dreams of digital fortune, cyber criminals have discovered them to be an easy target, wiping out wallets to zero balances in a moment, tanking whole markets while profiting, and more, according to a new report.

Analysts with Bishop Fox found that DeFi platforms lost $1.8 billion to cyber attacks in 2021 alone. With a total of 65 events observed, 90% of the losses came from unsophisticated attacks, according to the report, which points to the lax cyber security practices of the sector.

DeFi averaged five attacks per week last year, with most of them (51%) coming from the exploitation of "smart contracts" bugs, the analysts found. Smart contracts are essentially records of transactions, stored on the blockchain.

Other top DeFi attack vectors include cryptowallets, protocol design flaws, and so-called "rug-pull" scams (where investors are lured to a new cryptocurrency project that is then abandoned, leaving targets with a worthless currency). But taken together, 80% of all events were caused by the use (and re-use) of buggy code, according to the report.

https://www.darkreading.com/attacks-breaches/defi-pummeled-by-cybercriminals

Threats

Ransomware

• Ransomware Attacks Increasing at “Alarming” Rate - Infosecurity Magazine

• VMware, Airline Targeted as Ransomware Chaos Reigns (darkreading.com)

• Clop ransomware gang is back, hits 21 victims in a single month (bleepingcomputer.com)

• Link Found Connecting Chaos, Onyx and Yashma Ransomware | Threatpost

• Ransomware demands three good demands to restore files • The Register

• Ransomware Cheerscrypt targets VMware ESXi systems • The Register

• New Chaos Malware Variant Ditches Wiper for Encryption (darkreading.com)

• CLOP Ransomware Activity Spiked in April (darkreading.com)

• Industrial Spy data extortion market gets into the ransomware game (bleepingcomputer.com)

• BlackCat/ALPHV ransomware asks $5 million to unlock Austrian state (bleepingcomputer.com)

• Conti Ransomware Operation Shut Down After Splitting into Smaller Groups (thehackernews.com)

• Suspected phishing email crime boss arrested in Nigeria • The Register

BEC – Business Email Compromise

• Interpol arrests alleged leader of the SilverTerrier BEC gang (bleepingcomputer.com)

• Cyber security breach at the city of Portland led to fraudulent $1.4M transaction | KATU

Phishing & Email Based Attacks

• Intuit warns of QuickBooks phishing threatening to suspend accounts (bleepingcomputer.com)

• NCSC Report Reveals Phishing Lures Increasingly Disguised as Vaccine Appointments - Infosecurity Magazine

• Suspected phishing email crime boss arrested in Nigeria • The Register

Other Social Engineering

• Vishing Attacks Reach All Time High, According to Latest Agari and PhishLabs Report (darkreading.com)

Malware

• BPFDoor malware uses Solaris vulnerability to get root privileges (bleepingcomputer.com)

• Snake Keylogger Spreads Through Malicious PDFs | Threatpost

• New Windows Subsystem for Linux malware steals browser auth cookies (bleepingcomputer.com)

• This Windows malware uses PowerShell to subvert Chrome • The Register

• Hackers have found a new way to smuggle malware onto your device | TechRadar

• Cyber Security Community Warned of Fake PoC Exploits Delivering Malware | SecurityWeek.Com

• Popular Python and PHP libraries hijacked to steal AWS keys (bleepingcomputer.com)

• New Attack Shows Weaponized PDF Files Remain a Threat (darkreading.com)

Mobile

• Microsoft finds severe bugs in Android apps from large mobile providers (bleepingcomputer.com)

• Google warns Android smartphones targeted by dangerous Predator spyware | TechRadar

• New ERMAC 2.0 Android malware steals accounts, wallets from 467 apps (bleepingcomputer.com)

BYOD

• Spring Cleaning Checklist for Keeping Your Devices Safe at Work (darkreading.com)

Data Breaches/Leaks

• GM Discloses Data Breach of Cars' Locations, Mileage, Service (gizmodo.com)

• MGM Resorts' customer data now leaked on Telegram for free • The Register

Organised Crime & Criminal Actors

• REvil prosecutions reach a 'dead end,' Russian media reports - CyberScoop

• Scammer Behind $568M International Cyber Crime Syndicate Gets 4 Years (darkreading.com)

• Multi-Continental Operation Leads to Arrest of Cyber Crime Gang Leader - Infosecurity Magazine

Cryptocurrency/Cryptomining/Cryptojacking/NFTs

• Hacker Steals $1.4 Million in NFTs From Collector In One Sweep (vice.com)

• 8 ways to avoid NFT scams (techtarget.com)

Insider Risk and Insider Threats

• 68% of Legal Sector Data Breaches Caused by Insider Threats - Infosecurity Magazine

• Verizon Report: Ransomware, Human Error Among Top Security Risks | Threatpost

Dark Web

• Military cyber weapons could become available on dark web: Interpol (cnbc.com)

• Darknet market Versus shuts down after hacker leaks security flaw (bleepingcomputer.com)

Supply Chain and Third Parties

• Use of Obfuscated Beacons in ‘pymafka’ Supply Chain Attack Signals a New Trend in macOS Attack TTPs - SentinelOne

Denial of Service DoS/DDoS

• Cybergang Claims REvil is Back, Executes DDoS Attacks | Threatpost

• DDoS Extortion Attack Flagged as Possible REvil Resurgence (darkreading.com)

• Anatomy of a DDoS amplification attack - Microsoft Security Blog

Cloud/SaaS

• Security has become more difficult, IT leaders say - Help Net Security

Attack Surface Management

• Where is attack surface management headed? - Help Net Security

Open Source

• Open source is becoming a national security risk | CSO Online

Privacy

• Twitter fined $150M for misusing 2FA data (techtarget.com)

• Zuckerberg sued by DC attorney general over Cambridge Analytica data scandal | Meta | The Guardian

Passwords & Credential Stuffing

• Strong Password Policy Isn't Enough, Study Shows (darkreading.com)

• Verizon DBIR: Stolen credentials led to nearly 50% of attacks (techtarget.com)

Regulations, Fines and Legislation

• How to navigate GDPR complexity - Help Net Security

• GDPR Anniversary, Expert Insight On What Lead To GDPR Fines – Information Security Buzz

• Indian stock markets given ten day deadline to file reports • The Register

Spyware, Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Network of hyperlocal Russian Telegram channels spew disinformation in occupied Ukraine - CyberScoop

• Predator spyware uses in Chrome, Android zero-day exploits • The Register

• Unknown APT group is targeting Russian government entities - Security Affairs

• Hackers target Russian govt with fake Windows updates pushing RATs (bleepingcomputer.com)

• Remote bricking of Ukrainian tractors raises agriculture security concerns | CSO Online

• Anonymous Declares Cyber-War On Pro-Russian Hacker Gang Killnet – Information Security Buzz

• Ex-spymaster and fellow Brexiteers' emails stolen, leaked • The Register

Nation State Actors

Nation State Actors – Russia

• Fronton: Russian IoT Botnet Designed to Run Social Media Disinformation Campaigns (thehackernews.com)

• Russian Hackers Believed to Be Behind Leak of Hard Brexit Plans - Infosecurity Magazine

• Russian Gamaredon APT could fuel a new round of DDoS attacks - Security Affairs

• Putin aimed cyber attack at me, says former MI6 chief Sir Richard Dearlove | News | The Times

Nation State Actors – China

• Trend Micro Patches Vulnerability Exploited by Chinese Cyber Spies | SecurityWeek.Com

• Chinese "Twisted Panda" Hackers Caught Spying on Russian Defense Institutes (thehackernews.com)

Nation State Actors – Iran

• Pro-Iran Group ALtahrea Hits Port of London Website by DDoS Attack (hackread.com)

Vulnerabilities

• CISA ‘Strongly Urges’ You To Patch 75 Actively Exploited Security Bugs (forbes.com)

• CISA adds 41 vulnerabilities to list of bugs used in cyber attacks (bleepingcomputer.com)

• Exploit released for critical VMware auth bypass bug, patch now (bleepingcomputer.com)

• Zoom Patches ‘Zero-Click’ RCE Bug | Threatpost

• Zyxel addresses four flaws affecting APs, AP controllers, and firewalls - Security Affairs

• Critical New Google Chrome Security Warning For All Users, Update Now (forbes.com)

• Patching the latest Active Directory vulnerabilities is not enough | CSO Online

• Microsoft Elevation-of-Privilege Vulnerabilities Spiked Again in 2021 (darkreading.com)

• Tails OS Users Advised Not to Use Tor Browser Until Critical Firefox Bugs are Patched (thehackernews.com)

• 'Fixed' Chrome extension flaw could allow hackers to record both your webcam and desktop feeds | PC Gamer

Sector Specific

SMBs – Small and Medium Businesses

• Small Business Cyber Security: Do SMB Owners Underestimate Risk? - MSSP Alert

Legal

• 68% of Legal Sector Data Breaches Caused by Insider Threats - Infosecurity Magazine

Health/Medical/Pharma Sector

• teiss - News - American healthcare tech giant Omnicell suffers a major ransomware attack

• Web app attacks on the rise in healthcare as insider challenges remain (scmagazine.com)

Retail/eCommerce

• Microsoft: Credit card stealers are getting much stealthier (bleepingcomputer.com)

• Microsoft warns of new highly evasive web skimming campaigns - Security Affairs

Transport and Aviation

• Hundreds Stranded After Ransomware Attack on Indian Airline | SecurityWeek.Com

• SpiceJet airline passengers stranded after ransomware attack (bleepingcomputer.com)

CNI, OT, ICS, IIoT and SCADA

• Taking the Danger Out of IT/OT Convergence (darkreading.com)

• Critical Flaws in Popular ICS Platform Can Trigger RCE | Threatpost

Energy & Utilities

• Can we trust the cyber security of the energy sector? - Help Net Security

Oil, Gas and Mining

• Oil and gas companies take cyber resilience pledge - IT Security Guru

Education and Academia

• FBI: compromised US academic credentials available on crime forums - Security Affairs

• Ed tech illegally tracked school children during pandemic - IT Security Guru

Reports Published in the Last Week

• 2022 Data Breach Investigations Report | Verizon

• State of Cyber Security Report 2022 - Infosecurity Magazine

• 2022 Voice of the CISO | Proofpoint US

Other News

• IP and cyber security disputes are top legal concerns for tech companies | TechCrunch

• Verizon DBIR: Stolen credentials led to nearly 50% of attacks (techtarget.com)

• Managed Detection and Response (MDR): Who's Responsible for the R? - MSSP Alert

• Survey Evidences Leaders Lack Confidence in Cyber-Risk Management - Infosecurity Magazine

• Flaw in PayPal can allow attackers to steal money from users' account - Security Affairs

• When it comes to remote work, 71% of IT leaders say security is the main challenge - Help Net Security

• Most organisations do not follow data backup best practices - Help Net Security

• There are systems 'guarding' your data in cyberspace – but who is guarding the guards? (theconversation.com)

• Why are current cyber security incident response efforts failing? - Help Net Security

• Nation-state malware will be a commodity on dark web soon, Interpol warns - Security Affairs

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive Summary

Executive Summary

A critical flaw has been discovered within Zyxel Firewall products, allowing for a malicious user to bypass the Authentication requirement on the device, enabling unauthorised privileged access. The bug impacts several Zyxel Firewall Network Access Control (NAC) systems as detailed within the technical summary. The bug, achieves a 9.8 on the Common Vulnerability Scoring System (CVSS).

What’s the risk to my business?

Due to the severity of the bug, and the ability for attackers to gain unauthorised privileged access to critical perimeter defence, the risk to businesses operating affected Zyxel Firewalls is high.

What can I do?

The bug has been reported, and a patch has been issued. Businesses operating these devices are urged to implement as soon as possible.

Technical Summary

Zyxel have issued a patch for bug CVE-2022-0342, which was disclosed on 03/28/2022. Zyxel’s investigation has only been focused on devices within their warranty and support period. The following Zyxel products are confirmed to be affected, with the appropriate patches listed:

·       USG/ZyWALL, running version ZLD V4.20 to ZLD V4.70 | Fixed in Patch ZLD V4.71

·       USG FLEX, running version ZLD V4.50 to ZLD V5.20 | Fixed in Patch ZLD V5.21 Patch 1

·       ATP, running version ZLD V4.32 to ZLD V5.20 | Fixed in Patch ZLD V5.21 Patch 1

·       VPN, running version ZLD V4.30 to ZLD V5.20 | Fixed in Patch ZLD V5.21

·       NSG, running version V1.20 to V1.33 Patch 4 | Fixed in Hotfix V1.33p4_WK11, available from vendor. Fix will be included in standard patch V1.33 Patch 5 when released in May 2022.

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity