Executive Summary

Cisco has released patches to address two high-severity and one medium severity security flaws within their product range. One vulnerability, which affects Cisco Catalyst 8000V software can allow a remote malicious actor to trigger a denial of service condition. The other high vulnerability could allow for an unauthenticated attacker who has access to a VPN network to change configuration settings, or cause the system to reload. Cisco also disclosed knowledge of an IPSec VPN Server Authentication Bypass vulnerability which could allow a malicious attacker to bypass authentication onto the VPN escalate to administrator privileges on an affected device. As affected devices are now out of support, with an end-of-life notice issued, Cisco will not be providing a patch for these devices.

What’s the risk to me or my business?

The first high vulnerability relates the Cisco cloud virtual routing software, 8000V Edge and Nvidia MLX5 network cards. The vulnerability itself was disclosed by Nvidia, and affects underlying software which is utilised by Cisco, and can be used by a malicious attacker to cause an error condition on the device, which would then cause denial of service. If hybrid business systems are being routed using this product, then there is a possibility of down-time until the issue is patched.

The second vulnerability relates to the CSD-WAN vManage software containers, that could allow an attacker who already has access to the organisations VPN0 network to further compromise critical network infrastructure resulting in a potential loss of confidentiality, integrity, and availability.

The third medium severity vulnerability relates to the Cisco Webex Meetings app, which could allow an unauthenticated remote attacker to change the content of links and messages within the application interface, which could lead to a phishing or spoofing attack.

Vulnerability that won’t be fixed in End of Life Devices

Separate to this, Cisco says that a new authentication bypass flaw affecting multiple small business VPN routers will not be patched because the devices have reached end-of-life (EoL).

This zero-day bug (CVE-2022-20923) is caused by a faulty password validation algorithm that attackers could exploit to log into the VPN on vulnerable devices using what the company describes as "crafted credentials" if the IPSec VPN Server feature is enabled.

As this vulnerability could allow an unauthenticated malicious attacker to bypass authentication and gain access to the IPSec VPN network and can gain administrative access, compromising the confidentiality, integrity and availability of the network, any unsupported devices should be replaced.

What can I do?

Cisco has released software updates to address the vulnerabilities, which are available for download from their website, and should be applied in line with the organisation’s vulnerability management process to limit availability impact to the business. It is also critical to ensure that all devices in use by an organisation are currently being supported by the vendor, as otherwise like in this case, critical security vulnerabilities could be disclosed without any option but to purchase new equipment. The affected equipment stopped receiving software support from Cisco in December 2020.

Technical Summary

The following is a breakdown of the vulnerabilities with the affected Cisco products.

CVE-2022-28199: A remote denial of service vulnerability relating to the DPDK Nvidia Library feature, with a CVSS 3.0 rating of 8.6, which allows a malicious attacker to cause an error condition on the device, resulting in the device reloading or failing to receive traffic, resulting in a DoS condition. Affected Software:

 ·      Cisco Catalyst 8000V Edge Software

·       Adaptive Security Virtual Appliance (ASAv)

·       Secure Firewall Threat Defense Virtual (formerly FTDv)

 Further information on this specific vulnerability can be found here: Vulnerability in NVIDIA Data Plane Development Kit Affecting Cisco Products: August 2022

 CVE-2022-20696: A remote vulnerability with a CVSS 3.0 rating of 7.5, which allows a malicious attacker who has the ability to send network traffic to interfaces within the VPN0 logical network to exploit the lack of sufficient protection mechanisms on the messaging server container ports, allowing the attacker to view and inject messages into the messaging service, which could allow for configuration changes or cause the system to reload. Affected software:

·       Cisco SD-WAN vManage Software

Further information on this specific vulnerability can be found here: Cisco SD-WAN vManage Software Unauthenticated Access to Messaging Services Vulnerability

CVE-2022-20863: A vulnerability with a CVSS 3.0 rating of 4.3, which allows an unauthenticated malicious attacker to exploit a vulnerability within the character rendering of the Cisco Webex Meetings interface to modify the display of links or other content within the interface, allowing an attacker to potentially conduct phishing or spoofing attackers.

 Further information on this specific vulnerability can be found here: Cisco Webex Meetings App Character Interface Manipulation Vulnerability

 CVE-2022-20923: A vulnerability with a CVSS 3.0 rating of 4.0, which allows an unauthenticated, remote attacker to exploit a vulnerability within the password validation algorithm to bypass authentication controls and gain access to the IPSec VPN Network. The attacker may even be able to obtain privileges at administrator level depending on the credentials used. No patch will be released for this vulnerability. Affected products:

 ·      RV110W Wireless-N VPN Firewall

·       RV130 VPN Router

·       RV130W Wireless-N Multifunction VPN Router

·       RV215W Wireless-N VPN Router

 Further information on this specific vulnerability can be found here: Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers IPSec VPN Server Authentication Bypass Vulnerability

 Need help understanding your gaps, or just want some advice? Get in touch with us.

The emails are being received from the domain “@mail-gfsc.com” and may contain malicious links or attachments. The commission are directing users to forward these emails to phishing@gfsc.gg, and to follow the guidance put in place with the Commission’s Cyber Rules and Guidance 2021. Further information from the commission can be found here: Spoof emails | GFSC

If you suspect you may have been targeted by one of these campaigns and would like to assist us in raising awareness of the risk to others, please contact us via phishing@blackarrowcyber.com

Update: 25/11/2022: There has been a number of sources that have noted a steady increase in these attacks.

Executive Summary

EvilProxy, a Phishing-as-a-Service (PaaS) platform allows low-skill malicious actors to bypass Multi-Factor Authentication from multiple different service providers, using techniques similar to those outlined in the previous cyber advisory on 19/07/2022, where Microsoft detected a new phishing campaign that had the potential to bypass MFA if additional controls were not in place. Malicious actors can pay for the service via a subscription model that allows them to setup and manage phishing campaigns in a similar fashion to phishing simulation training.

What’s the risk to me or my business?

As advanced phishing techniques become available to low-skill threat actors, it is expected that there will be an increase in phishing campaigns going forward. These particular campaigns are more dangerous as they have the potential to bypass security controls such as Multi-Factor Authentication.

What can I do?

Continue to follow the advice issued with the previous threat alert: Black Arrow Cyber Advisory 19/07/2022 – Microsoft identifies Phishing campaign which can bypass MFA. As this platform can be used against different services including Apple and Google, it is important to have these controls in place across the business estate where possible.

A full breakdown of this particular phishing platform is available here: New EvilProxy service lets all hackers use advanced phishing tactics (bleepingcomputer.com)

Update: Microsoft Detection and Response Team (DART) has provided an updated blog post on how these attacks have increased and evolved over time, with the focus being on stealing cookies in comparison to stealing credentials. Recommended protections include management and oversight on end user devices to ensure that they are kept up to date with patches and anti-virus definitions, reducing the lifetime of authenticated sessions and the implementation of Conditional Access application control. Further information can be found here: Token tactics: How to prevent, detect, and respond to cloud token theft - Microsoft Security Blog

Need help understanding your gaps, or just want some advice? Get in touch with us.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• 79% Of Companies Only Invest in Cyber Security After Hacking Incidents

The British cyber security company Tanium published a survey on investments in digital protection in UK companies with alarming results: 79% of them only approve investments in cyber security after suffering a data breach; 92% experienced a data attack or breach, of which 74% occurred in 2021. Leadership reticence is also high, with 63% of leaders convinced cyber security is only a concern after an attack.

The complexity of the situation has grown with the digital transformation of work. If it streamlines many processes, it can also open up serious security gaps. A sensitive point is the “home office”: companies need effective solutions to eliminate gaps that may appear between employees’ computers (often shared devices) and the company’s internal network.

Putting in solutions is just the beginning of a necessary strategy and investment effort in virtual protection. Complex scams based on phishing, reverse engineering, and backdoor-type malicious programs (“planted” discreetly on a device and sometimes inactive for months) often combine real-world and virtual-world fraud.

The escalation of corporate data hijacking appears in this scenario. The most notorious case at a global level of such an incident, with a million-dollar ransom demand, was launched in 2021 on Colonial Pipeline. This US company paid $40 million to regain control over strategic data after fuel supplies through its pipelines to several states were threatened for days.

https://informationsecuritybuzz.com/infosec-news/79-of-the-companies-only-invest-in-cybersecurity-after-hacking-incidents/

• Nearly Half of Breaches During First Half of 2022 Involved Stolen Credentials

According to a new report by Acronis, a Switzerland-based cyber security company, nearly half of breaches during the first six months of 2022 involved stolen credentials.

The goal of stealing credentials is to launch ransomware attacks. According to the report, these “continue to be the number one threat to large and medium-sized businesses, including government organisations.”

Attackers usually use phishing techniques to extract these credentials. In the first half of the year, over 600 malicious email campaigns made their way across the internet, of which 58% were phishing attempts and 28% featured malware.

Acronis also added that “as reliance on the cloud increases, attackers have homed in on different entryways to cloud-based networks.”

Additionally, cyber criminals now also target unpatched or software vulnerabilities to extract data, with a recent increase on Linux operating systems and managed service providers (MSPs) and their network of SMB customers.

The third vector spotted by Acronis was “non-traditional entry avenues” such as cryptocurrencies and decentralised finance (DeFi) systems.

https://www.itsecurityguru.org/2022/08/30/nearly-half-of-breaches-during-first-half-of-2022-involved-stolen-credentials/

• Outdated Infrastructure Not Up to Today’s Ransomware Challenges

A global research commissioned by Cohesity reveals that nearly half of respondents say their company depends on outdated, legacy backup and recovery infrastructure to manage and protect their data. In some cases, this technology is more than 20 years old and was designed long before today’s multicloud era and onslaught of sophisticated cyber attacks plaguing enterprises globally.

Challenges pertaining to outdated infrastructure could easily be compounded by the fact that many IT and security teams don’t seem to have a plan in place to mobilise if and when a cyber attack occurs. Nearly 60% of respondents expressed some level of concern that their IT and security teams would be able to mobilise efficiently to respond to the attack.

These are just some of the findings from an April 2022 survey, conducted by Censuswide, of more than 2,000 IT and SecOps professionals (split nearly 50/50 between the two groups) in the United States, the United Kingdom, Australia and New Zealand. All respondents play a role in the decision-making process for IT or security within their organisations.

IT and security teams should raise the alarm bell if their organisation continues to use antiquated technology to manage and secure their most critical digital asset – their data.

Cyber criminals are actively preying on this outdated infrastructure as they know it was not built for today’s dispersed, multicloud environments, nor was it built to help companies protect and rapidly recover from sophisticated cyber attacks.

https://www.helpnetsecurity.com/2022/08/30/outdated-infrastructure-manage-data/

• Ghost Data Increases Enterprise Business Risk

IT has to get its hands around cloud data sprawl. Another area of focus should be on ghost data, as it expands the organisation's cloud attack surface.

Cloud sprawl is a big issue for organisations, with business teams spinning up cloud systems and services on their own, often without IT oversight. That leads to cloud data sprawl as data is scattered across different environments. If IT doesn’t know about the cloud systems and services, then IT is also not managing the data being collected, processed, and stored there.

We all know about shadow IT, the systems and network devices in the organisation’s environment that IT is not managing. Similarly, shadow data refers to unmanaged data store copies and snapshots or log data that are not part of IT’s backup and recovery strategy. Researchers at Cyera estimate that 60% of the data security posture issues that are present in cloud accounts stem from unsecured sensitive data.

Then there is the problem of ghost data. When data gets deleted from cloud systems, it isn’t fully gone. Copies linger in backups or snapshots of data stores. Ghost data refers to those copies left behind after the original has been deleted, and Cyera’s recent analysis show that enterprises have quite a lot of it.

After scanning the three major cloud providers (Amazon Web Services, Azure, and Google Cloud), Cyera researchers found that over 30% of scanned customer cloud data stores are ghost data and more than 58% contain sensitive, or very sensitive, data. For example, researchers found unsecured database snapshots in non-production environments that contained sensitive customer data where the original database had been destroyed. Researchers also uncovered sensitive personal and authentication data in plain text where the production data and application were no longer in use.

Ghost data usually has no business value - the data was deleted for a reason - and having it around unnecessarily increases business risk. Attackers don’t care if they get their hands on the original sensitive information or the copy because to them, all data has value, regardless of the form it takes.

https://www.darkreading.com/edge-threat-monitor/ghost-data-increases-enterprise-business-risk

• Detected Cyber Threats Surge 52% in 1H 2022

A leading cyber security vendor blocked 63 billion threats in the first half of 2022 alone, over 50% more than the same period a year ago.

The findings come from the Trend Micro 2022 Midyear Cybersecurity Report and illustrate the scale of the challenge facing network defenders.

Trend Micro highlighted the persistent threat posed by ransomware-as-a-service (RaaS) groups as one that will continue to cause major challenges for organisations in the years to come.

It said detections of prolific groups such as LockBit and Conti increased by 500% year-on-year in 1H 2022. Such groups will continue to adapt their tactics, techniques and procedures (TTPs) in the race for profits.

The report warned of a surge in threats targeting Linux systems, for example. It said detections of attacks on Linux servers and embedded systems grew 75% year-on-year in the first half of 2022. Both SMBs and larger organisations are now a target, it claimed.

Many RaaS groups exploit vulnerabilities as a primary attack vector. Their job is getting easier as the number of published common vulnerabilities and exposures (CVEs) continues to grow strongly.

Trend Micro’s Zero Day Initiative published advisories on 944 vulnerabilities in the first half of 2021, a 23% year-on-year increase. The number of critical bug advisories it published soared by 400% over the same period.

https://www.infosecurity-magazine.com/news/detected-cyberthreats-surge-52-in/

• An Interview with Initial Access Broker Wazawaka: ‘There Is No Such Money Anywhere as There is in Ransomware’

Last April, a ransomware group threatened to expose police informants and other sensitive information if the Washington, D.C. Metropolitan Police Department did not pay a demand.

The brazen attack was the work of a gang known as Babuk, which in early 2021 gained a reputation for posting stolen databases on its website from victims that refused to pay a ransom. Just days after it tried to extort the Metropolitan Police Department, Babuk announced it was closing its ransomware affiliate program, and would focus on data theft and extortion instead.

Earlier this year, cyber security journalist Brian Krebs uncovered details about one man behind the operation named Mikhail Matveev, who was also connected to a number of other groups and identities, including the handle ‘Wazawaka.’ According to Krebs, Matveev had become more unhinged than usual, “publishing bizarre selfie videos” and creating a Twitter account to share exploit code.

Matveev talked to Recorded Future about his interaction with other hackers, details about ransomware attacks he’s been involved in, and how he settled on the name Babuk.

Click the link below for the full interview but the long and short is ransomware has created a criminal ecosystem the likes of which the world has never seen.

https://therecord.media/an-interview-with-initial-access-broker-wazawaka-there-is-no-such-money-anywhere-as-there-is-in-ransomware/

• Cyber Crime Underground More Dangerous Than Organisations Realise

Kela, a cyber threat intelligence specialist, found in a new study of some 400 security pros in the US that organisations are more at risk from the “cyber crime underground” than they realise.

The Israel-based company surveyed security team members responsible for gathering cyber crime threat intelligence daily to better understand if they’re proactively scanning the dark web and other cyber crime sources, what tools they’re using and the gaps they see in their cyber crime threat intelligence approach. Nearly 60% of the respondents do not believe their current cyber crime prevention is effective, the results showed.

Here are the study’s key findings:

• 69% are concerned about threats from the cyber crime underground.

• 54% wouldn’t be surprised to find their organisation’s data on the cyber crime underground.

• Only 38% believe that they’re very likely to detect it if it was released.

• 48% have no documented cyber crime threat intelligence policy in place.

• Only 41% believe their current security program is very effective.

• 49% are not satisfied with the visibility they have of the cyber crime underground.

• Of the 51% who were satisfied with their visibility into the cyber crime underground, 39% were still unable to prevent an attack.

• Additional training and proficiency in cyber crime intelligence investigations is the most needed capability.

https://www.msspalert.com/cybersecurity-research/cybercrime-underground-more-dangerous-than-organizations-realize-threat-intelligence-firm-warns/

• New Ransomware Group BianLian Activity Exploding

A new ransomware group operating under the name BianLian emerged in late 2021 and has become increasingly active since.

The threat actor already has twenty alleged victims across several industries (insurance, medicine, law and engineering), according to a research paper from US cyber security firm Redacted, published on September 1, 2022. The majority of the victim organisations have been based in Australia, North America and the UK.

The research team has given no attribution yet but believes the threat actor “represents a group of individuals who are very skilled in network penetration but are relatively new to the extortion/ransomware business.”

BianLian uses a custom toolkit, including homemade encryptors and encryption backdoors. Both, as well as the command-and-control (C&C) software the hackers use, are written in Go, an increasingly popular programming language among ransomware threat actors.

Troublingly, the Redacted team of researchers has found evidence that BianLian is likely now trying to up their game.

https://www.infosecurity-magazine.com/news/new-ransomware-group-bianlian/

• Can Your Passwords Withstand Threat Actors’ Dirty Tricks?

Password security hinges on the answer to that seemingly simple question. Unfortunately, you can’t know the answer until you’ve engaged a ruthless penetration tester to find out if your environment can stand up to the frighteningly good password cracking skills of today’s most nefarious hackers.

The whole purpose of hiring skilled penetration testers (“pentesters”) is to find out if your environment is truly impenetrable — and if it’s not, exactly how you should shore up your defences. Good pentesters and red teamers spend their time trying to simulate and emulate the real bad actors. After all, what’s the point of pressure-testing your IT infrastructure if you don’t use the same pressure that you’ll face in the real world?

You should “train like you fight.” Without sparring, how can you expect to jump into a boxing ring and go a few rounds with a skilled boxer? That’s the entire point of goal-based penetration testing and red/purple team engagements that simulate real-world threat actors.

Password cracking will continue to evolve – and so should your penetration testing tactics and plans. By the time you get to your fourth or fifth round with a quality pentesting consultancy, your risk mitigation will have dramatically improved — which means you’ll be able to move on to the next stage of security maturity.

https://www.helpnetsecurity.com/2022/08/30/stand-up-to-password-cracking/

• Ransomware Gangs’ Favourite Targets

Barracuda released its fourth-annual threat research report which looks at ransomware attack patterns that occurred between August 2021 and July 2022.

For the 106 highly publicised attacks our researchers analysed, the dominant targets are still five key industries: education (15%), municipalities (12%), healthcare (12%), infrastructure (8%), and financial (6%). The number of ransomware attacks increased year-over-year across each of these five industry verticals, and attacks against other industries more than doubled compared to last year’s report.

While attacks on municipalities increased only slightly, the analysis over the past 12 months showed that ransomware attacks on educational institutions more than doubled, and attacks on the healthcare and financial verticals tripled. Many choose not to disclose when they get hit.

This year, researchers dug in deeper on these highly publicised attacks to see which other industries are starting to be targeted. Service providers were hit the most, and ransomware attacks on automobile, hospitality, media, retail, software, and technology organisations all increased as well.

Most ransomware attacks don’t make headlines, though. Many victims choose not to disclose when they get hit, and the attacks are often sophisticated and extremely hard to handle for small businesses.

As ransomware and other cyber threats continue to evolve, the need for adequate security solutions has never been greater. Many cyber criminals target small businesses in an attempt to gain access to larger organisations. As a result, it is essential for security providers to create products that are easy to use and implement, regardless of a company’s size.

Additionally, sophisticated security technologies should be available as services, so that businesses of all sizes can protect themselves against these ever-changing threats. By making security solutions more accessible and user-friendly, the entire industry can help to better defend against ransomware and other cyber attacks.

https://www.helpnetsecurity.com/2022/08/31/ransomware-attack-patterns/

• Tentacles of ‘0ktapus’ Threat Group Victimise 130 Firms

Over 130 companies were tangled in sprawling phishing campaign that spoofed a multi-factor authentication system.

Targeted attacks on Twilio and Cloudflare employees are tied to a massive phishing campaign that resulted in 9,931 accounts at over 130 organisations being compromised. The campaigns are tied to focused abuse of identity and access management firm Okta, which gained the threat actors the 0ktapus moniker, by researchers.

The primary goal of the threat actors was to obtain Okta identity credentials and multi-factor authentication (MFA) codes from users of the targeted organisations. These users received text messages containing links to phishing sites that mimicked the Okta authentication page of their organisation.

114 US-based firms were impacted, with additional victims of sprinkled across 68 additional countries. The full scope of the attack is still unknown but the 0ktapus campaign has been incredibly effective, and the full scale of it may not be known for some time.

The 0ktapus attackers are believed to have begun their campaign by targeting telecommunications companies in hopes of winning access to potential targets’ phone numbers.

While unsure exactly how threat actors obtained a list of phone numbers used in MFA-related attacks, one theory researchers posit is that 0ktapus attackers began their campaign targeting telecommunications companies.

https://threatpost.com/0ktapus-victimize-130-firms/180487/

• Organisations Are Spending Billions on Malware Defence That’s Easy to Bypass

Last year, organisations spent $2 billion on products that provide Endpoint Detection and Response, a relatively new type of security protection for detecting and blocking malware targeting network-connected devices. EDRs, as they're commonly called, represent a newer approach to malware detection. Static analysis, one of two more traditional methods, searches for suspicious signs in the DNA of a file itself. Dynamic analysis, the other more established method, runs untrusted code inside a secured "sandbox" to analyse what it does to confirm it's safe before allowing it to have full system access.

EDRs—which are forecasted to generate revenue of $18 billion by 2031 and are sold by dozens of security companies—take an entirely different approach. Rather than analyse the structure or execution of the code ahead of time, EDRs monitor the code's behaviour as it runs inside a machine or network. In theory, it can shut down a ransomware attack in progress by detecting that a process executed on hundreds of machines in the past 15 minutes is encrypting files en masse. Unlike static and dynamic analyses, EDR is akin to a security guard that uses machine learning to keep tabs in real time on the activities inside a machine or network.

Despite the buzz surrounding EDRs, new research suggests that the protection they provide isn't all that hard for skilled malware developers to circumvent. In fact, the researchers behind the study estimate EDR evasion adds only one additional week of development time to the typical infection of a large organisational network. That's because two fairly basic bypass techniques, particularly when combined, appear to work on most EDRs available in the industry.

https://arstechnica.com/information-technology/2022/08/newfangled-edr-malware-detection-generates-billions-but-is-easy-to-bypass/

Threats

Ransomware

• Global Ransomware Damages to Exceed $30bn by 2023 - Infosecurity Magazine (infosecurity-magazine.com)

• Ransomware Research: 10 Key Findings, Five Ways to Defend Against Hijackers - MSSP Alert

• Cyber Attack: Spike in Ransomware Threat to More Than 1.2 Million Per Month Between January-June, Says Report | LatestLY

• LockBit ransomware gang gets aggressive with triple-extortion tactic (bleepingcomputer.com)

• New Golang-based 'Agenda Ransomware' Can Be Customized For Each Victim (thehackernews.com)

• Chile and Montenegro Floored by Ransomware - Infosecurity Magazine (infosecurity-magazine.com)

• Researchers Detail Emerging Cross-Platform BianLian Ransomware Attacks (thehackernews.com)

• Ragnar Locker Brags About TAP Air Portugal Breach (darkreading.com)

• Police ‘negotiating with hackers’ who hit Paris hospital computer system | World | The Times

• Advanced cyber-attack: NHS doctors' paperwork piles up - BBC News

• Another Ransomware For Linux Likely In Development - Security Affairs

• Montenegro hit by ransomware attack, hackers demand $10 million (bleepingcomputer.com)

• Should ransomware payments be banned? A few considerations - Help Net Security

• Researchers Spot Snowballing BianLian Ransomware Gang Activity (darkreading.com)

• Ragnar Locker continues trend of ransomware targeting energy sector | CSO Online

• BlackCat ransomware claims attack on Italian energy agency (bleepingcomputer.com)

• Italian Oil Major Becomes Victim Of Ransomware Attack | OilPrice.com

• Damart clothing store hit by Hive ransomware, $2 million demanded (bleepingcomputer.com)

• Baker & Taylor's Systems Remain Offline a Week After Ransomware Attack - Infosecurity Magazine (infosecurity-magazine.com)

• Gloucester Council planning site still disrupted from cyber attack - BBC News

BEC – Business Email Compromise

• How BEC attacks on human capital management systems are increasing - Help Net Security

Malware

• Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users | McAfee Blog

• A study on malicious plugins in WordPress Marketplaces - Security Affairs

• Prynt Stealer Contains a Backdoor to Steal Victims' Data Stolen by Other Cyber criminals (thehackernews.com)

• New Evidence Links Raspberry Robin Malware to Dridex and Russian Evil Corp Hackers (thehackernews.com)

• BumbleBee a New Modular Backdoor Evolved From BookWorm (trendmicro.com)

• Malicious Chrome Extensions Plague 1.4M Users (darkreading.com)

Mobile

• Mobile banking apps put 300,000 digital fingerprints at risk • The Register

• Researcher unveils smart lock hack for fingerprint theft (techtarget.com)

• Source Code of Over 1800 Android and iOS Apps Gives Access to AWS Credentials - Infosecurity Magazine (infosecurity-magazine.com)

Internet of Things – IoT

• Skyrocketing IoT Bug Disclosures Put Pressure on Security Teams (darkreading.com)

• Singapore clocks higher ransomware attacks, warns of IoT risks | ZDNET

• Standards Body Publishes Guidelines for IoT Security Testing - Infosecurity Magazine (infosecurity-magazine.com)

• ieGeek Vulnerabilities still prevalent in 2022 - Amazon Ft. IG20 (realinfosec.net)

Data Breaches/Leaks

• Evil Corp and Conti Linked to Cisco Data Breach, eSentire Suggests - Infosecurity Magazine (infosecurity-magazine.com)

• Okta Says Customer Data Compromised in Twilio Hack | SecurityWeek.Com

• Password Manager With 25 Million Users Confirms Breach, Expert Weighs In (informationsecuritybuzz.com)

• Neopets says hackers had access to its systems for 18 months (bleepingcomputer.com)

• Akasa Air Suffers Data Leak on First Day of Operation- IT Security Guru

• Samsung says hackers obtained some customer data in newly disclosed breach | Engadget

• Millions of student loan accounts exposed in data breach | TechRadar

• Russian streaming platform confirms data breach affecting 7.5M users (bleepingcomputer.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• FBI: Crooks stole $1b+ in cryptocurrency already this year • The Register

• Ukraine takes down cyber crime group hitting crypto fraud victims (bleepingcomputer.com)

• FBI: Crooks are using these DeFi flaws to steal your money | ZDNET

• Windows malware delays coinminer install by a month to evade detection (bleepingcomputer.com)

• Cryptominer Disguised as Google Translate Targeted 11 Countries - Infosecurity Magazine (infosecurity-magazine.com)

• Crypto-Crooks Spread Trojanized Google Translate App in Watering-Hole Attack (darkreading.com)

• Hackers Use ModernLoader to Infect Systems with Stealers and Cryptominers (thehackernews.com)

Insider Risk and Insider Threats

• West Yorkshire PC due in court over police computer searches - BBC News

Fraud, Scams & Financial Crime

• Big Banks vs. Big Tech: Who Is Liable For Online Fraud? (informationsecuritybuzz.com)

Insurance

• Cyber insurance has been around for 25 years. It’s still a bit of a mess. (slate.com)

• Who Pays for an Act of Cyber War? | WIRED

• Travelers, Policyholder Agree to Void Current Cyber Policy (insurancejournal.com)

• Cyber Frauds Skyrocket: Can Cyber Insurance Protect You in Real World? Experts Explain (news18.com)

• Google Cloud, Microsoft and AWS dive into cyber insurance - Protocol

• Cyber Insurance Price Hike Hits Local Governments Hard (insurancejournal.com)

• Insurers must rethink handling of cyber attacks on states | Financial Times (ft.com)

• Cyber insurance on rise as attacks surge | Mint (livemint.com)

Dark Web

• German man charged for trying to hire fake contract killer on darkweb | Euronews

• COVID-19 data put for sale on Dark Web - Security Affairs

• NATO Investigates Dark Web Leak of Data Stolen From Missile Vendor (darkreading.com)

Supply Chain and Third Parties

• PyPI Phishing Campaign | JuiceLedger Threat Actor Pivots From Fake Apps to Supply Chain Attacks - SentinelOne

Software Supply Chain

• NSA and CISA share tips to secure the software supply chain (bleepingcomputer.com)

Denial of Service DoS/DDoS

• DDoS activity launched by patriotic hacktivists is on the rise - Help Net Security

Cloud/SaaS

• 1 in 3 organisations don't know if their public cloud data was exfiltrated - Help Net Security

• Real-World Cloud Attacks: The True Tasks of Cloud Ransomware Mitigation (darkreading.com)

Encryption

• CISA: Prepare now for quantum computers, not when hackers use them (bleepingcomputer.com)

• Homomorphic encryption: a holy grail for privacy, explained (fastcompany.com)

API

• The 4 Most Common OWASP API Security - IT Security Guru

Open Source

• Linux devices 'increasingly' under attack from hackers, warn security researchers | ZDNET

Passwords, Credential Stuffing & Brute Force Attacks

• LastPass source code breach – do we still recommend password managers? – Naked Security (sophos.com)

Social Media

• Social media is ruining our lives and the public are finally waking up (telegraph.co.uk)

• LinkedIn New Hacking Scam (informationsecuritybuzz.com)

• Thousands lured with blue badges in Instagram phishing attack (bleepingcomputer.com)

Training, Education and Awareness

• (ISC)² Launches 'Certified in Cybersecurity' Entry-Level Certification to Address Global Workforce Gap (darkreading.com)

Privacy

• Trident Royal Navy staff reveal sensitive data on fitness app | News | The Times

• Cops wanted to keep mass surveillance app secret; privacy advocates refused | Ars Technica

• US telcos admit to storing, handing over location data • The Register

• Facebook moves to settle Cambridge Analytica lawsuit | TechCrunch

• Homomorphic encryption: a holy grail for privacy, explained (fastcompany.com)

• Nobody’s special to the WFH software spies | Comment | The Times

Travel

• Cyber Safety for Summer Vacation | SecurityWeek.Com

Parental Controls and Child Safety

• Scammers Targeting Thousands Of Children As Young As Six, Figures Show (informationsecuritybuzz.com)

• Over a Third of Parents Do Not Know What Online Accounts Their Children Use - IT Security Guru

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Why Russia's cyber war in Ukraine hasn't played out as predicted (newatlas.com)

• Ukraine's army of hackers failed to thwart Russia and quickly gave up | New Scientist

• Cyber criminals Apparently Involved in Russia-Linked Attack on Montenegro Government | SecurityWeek.Com

• Who Pays for an Act of Cyber War? | WIRED

• Moscow gridlock as hackers send dozens of taxis to Hotel Ukraine (telegraph.co.uk)

• Finland To Offer Businesses Cybersec Vouchers In Wake Of Nato-related (informationsecuritybuzz.com)

• China-linked APT40 used ScanBox Framework in a long-running espionage campaign - Security Affairs

• Montenegro says Russian cyber attacks threaten key state functions (bleepingcomputer.com)

• Google says it cut off Russian disinformation sites from its vast ad display network - CyberScoop

• Ex-spies banned from arms exports for UAE hack-for-hire work • The Register

Nation State Actors

Nation State Actors – Russia

• Third-party hacking groups lose interest in Russia-Ukraine conflict, study claims | SC Media (scmagazine.com)

• FBI deploys cyber team to Montenegro following massive cyber attack | The Hill

• New Evidence Links Raspberry Robin Malware to Dridex and Russian Evil Corp Hackers (thehackernews.com)

• Montenegro Sent Back to Analog by Unprecedented Cyber Attacks | Balkan Insight

Nation State Actors – China

• Chinese Hackers Target Energy Firms in South China Sea | SecurityWeek.Com

• China-linked APT40 targets wind turbines, Aust. government • The Register

Nation State Actors – Misc

• Insurers must rethink handling of cyber attacks on states | Financial Times (ft.com)

Vulnerabilities

• Apple Quietly Releases Another Patch for Zero-Day RCE Bug (darkreading.com)

• Google Chrome emergency update fixes new zero-day used in attacks (bleepingcomputer.com)

• URGENT! Apple slips out zero-day update for older iPhones and iPads – Naked Security (sophos.com)

• WordPress 6.0.2 Patches Vulnerability That Could Impact Millions of Legacy Sites | SecurityWeek.Com

• Critical hole in Atlassian Bitbucket needs patching now • The Register

Reports Published in the Last Week

• Tackling the Growing and Evolving Digital Attack Surface 2022 Midyear Cybersecurity Report (trendmicro.com)

Other News

• Former Cyber criminal: These Are the Biggest Threats on the Internet (businessinsider.com)

• Stuxnet explained: The first known cyber weapon | CSO Online

• Infra Used in Cisco Hack Also Targeted Workforce Management Solution (thehackernews.com)

• Flicking the kill switch: governments embrace internet shutdowns as a form of control | Internet | The Guardian

• Okta Impersonation Technique Could be Utilized by Attackers | SecurityWeek.Com

• Remote Work Cyber Security: 12 Risks and How to Prevent Them (techtarget.com)

• Does your cyber crime prevention program work? - Help Net Security

• Does Blockchain really offer Better Digital Security? - IT Security Guru

• IT and Employees Don’t Always See Eye to Eye on Cyber Security - IT Security Guru

• New Cyber Security Regulations Are Coming. Here’s How to Prepare. (hbr.org)

• 3 Cyber Security Trends for 2022 - IT Security Guru

• Cyber security budget breakdown and best practices (techtarget.com)

• How Just-in-Time privilege elevation prevents data breaches and lateral movement - Help Net Security

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Lloyd's to Exclude Certain Nation-State Attacks from Cyber Insurance Policies

Lloyd's of London insurance policies will stop covering losses from certain nation-state cyber attacks and those that happen during wars, beginning in seven months' time.

In a memo sent to the company's 76-plus insurance syndicates, underwriting director Tony Chaudhry said Lloyd's remains "strongly supportive" of cyber attack coverage. However, as these threats continue to grow, they may "expose the market to systemic risks that syndicates could struggle to manage," he added, noting that nation-state-sponsored attacks are particularly costly to cover.

Because of this, all standalone cyber attack policies must include "a suitable clause excluding liability for losses arising from any state-backed cyber attack," Chaudhry wrote. These changes will take effect beginning March 31, 2023 at the inception or renewal of each policy.

At a minimum (key word: minimum) these policies must exclude losses arising from a war, whether declared or not, if the policy doesn't already have a separate war exclusion. They must also at least exclude losses from nation-state cyber attacks that "significantly impair the ability of a state to function or that significantly impair the security capabilities of a state."

Policies must also "set out a robust basis" on which to attribute state-sponsored cyber attacks, according to Chaudhry – and therein lies the rub.

Attributing a cyber attack to a particular crime group or nation-state with 100 percent confidence "is absolutely hard," NSA director of cybersecurity Rob Joyce said at this year's RSA Conference.

Threat analysts typically attribute an attack to a nation-state from its level of sophistication, but as advanced persistent crime groups become more sophisticated – and have more resources at their disposal to buy zero-day exploits and employ specialists for each stage of an attack – differentiating between nation-states and cyber crime gangs becomes increasingly difficult, he explained.

There are times when nation-states will act like criminals, using their tools and infrastructure, and sometimes vice versa. The clear line of sophistication and stealth that many have used as a common sense delineation has blurred. Yet, If you are going to pay out money you are likely going to look for something that is more ironclad and likely related to forensic evidence.

https://www.theregister.com/2022/08/24/lloyds_cybersecurity_insurance/

• Cyber Security Top Risk for Enterprise C-Suite Leaders, PwC Study Says

Cyber security is now firmly on the agenda of the entire C-suite, consultancy PricewaterhouseCoopers (PwC) reports in a new survey of more than 700 business leaders across a variety of industries.

Of key enterprise issues, cyber security ranks at the top of business risks, with nearly 80% of the respondents considering it a moderate to serious risk. The warning isn’t confined to just chief information security officers, but ranges from chief executives to chief financial officers, chief operating officers, chief technology officers, chief marketing officers and includes corporate board members. Virtually all roles ranked cyber attacks high on their list of risks, PwC said.

Overall, 40% of business leaders ranked cyber security as the top serious risk facing their companies, and 38% ranked it a moderate risk.

Here are six steps businesses can take to address cyber security concerns:

1. View cyber security as a broad business concern and not just an IT issue.

2. Build cyber security and data privacy into agendas across the C-suite and board.

3. Increase investment to improve security.

4. Educate employees on effective cyber security practices.

5. For each new business initiative or transformation, make sure there’s a cyber plan in place.

6. Use data and intelligence to regularly measure cyber risks. Proactively look for blind spots in third-party relationships and supply chains.

https://www.msspalert.com/cybersecurity-research/cybersecurity-top-risk-for-enterprise-c-suite-leaders-pwc-study-says/

• Apathy Is Your Company's Biggest Cyber Security Vulnerability — Here's How to Combat It

Human error continues to be the leading cause of a cyber security breach. Nearly 60% of organisations experienced a data loss due to an employee's mistake on email in the last year, while one in four employees fell for a phishing attack.

Employee apathy, while it may not seem like a major cyber security issue, can leave an organisation vulnerable to both malicious attacks and accidental data loss. Equipping employees with the tools and knowledge they need to prevent these risks has never been more important to keep organisations safe.

A new report from Tessian sheds light on the full extent of employee apathy and its impact on cyber security posture. The report found that a significant number of employees aren't engaged in their organisation's cyber security efforts and don't understand the role they play. One in three employees say they don't understand the importance of cyber security at work. What's more, only 39% say they're very likely to report a cyber security incident. Why? A quarter of employees say they don't care enough about cyber security to mention it.

This is a serious problem. IT and security teams can't investigate or remediate a threat they don't know about.

Employees play an important role in flagging incidents or suspicious activity early on to prevent them from escalating to a costly breach. Building a strong cyber security culture can mitigate apathy by engaging employees as part of the solution and providing the tools and training they need to work productively and securely.

https://www.darkreading.com/attacks-breaches/apathy-is-your-company-s-biggest-cybersecurity-vulnerability-here-s-how-to-combat-it

• The World’s Largest Sovereign Wealth Fund Warns Cyber Security Is Top Concern, as Attacks on Banks and Financial Service Double

Cyber security has eclipsed tumultuous financial markets as the biggest concern for the world’s largest sovereign wealth fund, as it faces an average of three “serious” cyber attacks each day.

The number of significant hacking attempts against Norway’s $1.2tn oil fund, Norges Bank Investment Management, has doubled in the past two to three years.

The fund, which reported its biggest half-year dollar loss last week after inflation and recession fears shook markets, suffers about 100,000 cyber attacks a year, of which it classifies more than 1,000 as serious, according to its top executives.

“I’m worried about cyber more than I am about markets,” their CEO told the Financial Times. “We’re seeing many more attempts, more attacks [that are] increasingly sophisticated.”

The fund’s top executives are even concerned that concerted cyber attacks are becoming a systemic financial risk as markets become increasingly digitised.

Their deputy CEO pointed to the 2020 attack on SolarWinds, a software provider, by Russian state-backed hackers that allowed them to breach several US government agencies, including the Treasury and Pentagon, and a number of Fortune 500 companies including Microsoft, Intel and Deloitte.

“They estimate there were 1,000 Russians [involved] in that one attack, working in a co-ordinated fashion. I mean, Jesus, that’s our whole building on one attack, so you’re up against some formidable forces there,” he said.

Cyber attacks targeting the financial industry have risen sharply in recent months. Malware attacks globally rose 11 per cent in the first half of 2022, but they doubled at banks and financial institutions, according to cyber security specialist SonicWall. Ransomware attacks dropped 23 per cent worldwide, but increased 243 per cent against financial targets in the same period.

https://www.ft.com/content/1aa6f92a-078b-4e1a-81ca-65298b8310b2

Configuration Errors to Blame for 80% of Ransomware

The vast majority (80%) of ransomware attacks can be traced back to common configuration errors in software and devices, according to Microsoft.

The tech giant’s latest Cyber Signals report focuses on the ransomware as a service (RaaS) model, which it claims has democratised the ability to launch attacks to groups “without sophistication or advanced skills.” Some RaaS programs now have over 50 affiliate groups on their books.

For defenders, a key challenge is ensuring they don’t leave systems misconfigured, it added.

“Ransomware attacks involve decisions based on configurations of networks and differ for each victim even if the ransomware payload is the same,” the report argued. “Ransomware culminates an attack that can include data exfiltration and other impacts. Because of the interconnected nature of the cyber-criminal economy, seemingly unrelated intrusions can build upon each other.”

Although each attack is different, Microsoft pointed to missing or misconfigured security products and legacy configurations in enterprise apps as two key areas of risk exposure.

“Like smoke alarms, security products must be installed in the correct spaces and tested frequently. Verify that security tools are operating in their most secure configuration, and that no part of a network is unprotected,” it urged. “Consider deleting duplicative or unused apps to eliminate risky, unused services. Be mindful of where you permit remote helpdesk apps like TeamViewer. These are notoriously targeted by threat actors to gain express access to laptops.”

Although not named in the report, another system regularly misconfigured and hijacked by ransomware actors is the remote desktop protocol (RDP), which often is not protected by a strong password or two-factor authentication. It’s widely believed to be one of the top three vectors for attack.

The bad news for network defenders is they don’t have much time after initial compromise to contain an attack. Microsoft claimed the median time for an attacker to begin moving laterally inside the network after device compromise is one hour, 42 minutes. The median time for an attacker to access private data following a phishing email is one hour, 12 minutes, the firm added.

https://www.infosecurity-magazine.com/news/configuration-errors-blame-80/

• Ransomware Surges to 1.2 Million Attacks Per Month

Ransomware threat detections have risen to over one million per month this year, with a French hospital the latest to suffer a major outage.

The 1000-bed Center Hospitalier Sud Francilien (CHSF) near Paris revealed it was hit on Sunday morning, in an attack which has knocked out all the hospital's business software, storage systems including medical imaging, and patient admissions. This has led to all but the most urgent emergency patients being diverted to other facilities in the region.

France24 cited figures claiming cyber-attacks against French hospitals surged 70% year-on-year in 2021. "Each day we need to rewrite patients' medications, all the prescriptions, the discharge prescriptions," Valerie Caudwell, president of the medical commission at CHSF hospital, reportedly said. "For the nurses, instead of putting in all the patients' data on the computer, they now need to file it manually from scratch."

Reports suggest Lockbit 3.0 may be to blame for the $10m ransom demand, which the hospital is refusing to pay.

Barracuda Networks claimed in a new report out today that education, municipalities, healthcare, infrastructure and finance have remained the top five targets for ransomware over the past 12 months. However, while attacks on local government increased only slightly, those targeting educational institutions more than doubled, and attacks on the healthcare and financial verticals tripled. Overall, Barracuda claimed that ransomware detections between January and June of this year climbed to more than 1.2 million per month.

https://www.infosecurity-magazine.com/news/ransomware-surges-to-12-million/

• A Massive Hacking Campaign Stole 10,000 Login Credentials From 130 Different Organisations

A phishing campaign targeted Okta users at multiple companies, successfully swiping passwords from staffers and then using them to steal company secrets.

Researchers say that a mysterious “threat actor” (a fancy term for a hacker or hacker group) has managed to steal nearly 10,000 login credentials from the employees of 130 organisations, in the latest far-reaching supply chain attack on corporate America. Many of the victims are prominent software companies, including firms like Twilio, MailChimp, and Cloudflare, among many others.

The news comes from research conducted by cyber security firm Group-IB, which began looking into the hacking campaign after a client was phished and reached out for help. The research shows that the threat actor behind the campaign, which researchers have dubbed “0ktapus,” used basic tactics to target staff from droves of well-known companies. The hacker(s) would use stolen login information to gain access to corporate networks before going on to steal data and then break into another company’s network.

“This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organisations,” researchers wrote in their blog. “Furthermore, once the attackers compromised an organisation they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”

https://gizmodo.com/oktapus-okta-hack-twilio-10000-logins-130-companies-1849457420

• This Company Paid a Ransom Demand. Hackers Leaked Its Data Anyway

A victim of a ransomware attack paid to restore access to their network – but the cyber criminals didn't hold up their end of the deal.

The real-life incident, as detailed by cyber security researchers at Barracuda Networks, took place in August 2021, when hackers from BlackMatter ransomware group used a phishing email to compromise the account of a single victim at an undisclosed company.

From that initial entry point, the attackers were able to expand their access to the network by moving laterally around the infrastructure, ultimately leading to the point where they were able to install hacking tools and steal sensitive data. Stealing sensitive data has become a common part of ransomware attacks. Criminals leverage it as part of their extortion attempts, threatening to release it if a ransom isn't received. 

The attackers appear to have had access to the network for at least a few weeks, seemingly going undetected before systems were encrypted and a ransom was demanded, to be paid in Bitcoin.

Cyber security agencies warn that despite networks being encrypted, victims shouldn't pay ransom demands for a decryption key because this only shows hackers that such attacks are effective.

https://www.zdnet.com/article/this-company-paid-a-ransom-demand-hackers-leaked-its-data-anyway/

• Sophisticated BEC Scammers Bypass Microsoft 365 Multi-Factor Authentication

A Business Email Compromise (BEC) attack recently analysed by cloud incident response company Mitiga used an adversary-in-the-middle (AitM) phishing attack to bypass Microsoft Office 365 MFA and gain access to a business executive's account, and then managed to add a second authenticator device to the account for persistent access. According to the researchers, the campaign they analysed is widespread and targets large transactions of up to several million dollars each.

The attack started with a well-crafted phishing email masquerading as a notification from DocuSign, a widely used cloud-based electronic document signing service. The email was crafted to the targeted business executive, suggesting that attackers have done reconnaissance work. The link in the phishing email led to an attacker-controlled website which then redirects to a Microsoft 365 single sign-on login page.

This fake login page uses an AitM technique, where the attackers run a reverse proxy to authentication requests back and forth between the victim and the real Microsoft 365 website. The victim has the same experience as they would have on the real Microsoft login page, complete with the legitimate MFA request that they must complete using their authenticator app. Once the authentication process is completed successfully, the Microsoft service creates a session token which gets flagged in its systems that it fulfilled MFA. The difference is that since the attackers acted as a proxy, they now have this session token too and can use it to access the account.

This reverse proxy technique is not new and has been used to bypass MFA for several years. In fact, easy-to-use open-source attack frameworks have been created for this purpose.

https://www.csoonline.com/article/3670575/sophisticated-bec-scammers-bypass-microsoft-365-multi-factor-authentication.html

• 77% Of Security Leaders Fear We’re in Perpetual Cyber War from Now On

A survey of cyber security decision makers found 77 percent think the world is now in a perpetual state of cyber warfare.

In addition, 82 percent believe geopolitics and cyber security are "intrinsically linked," and two-thirds of polled organisations reported changing their security posture in response to the Russian invasion of Ukraine.

Of those asked, 64 percent believe they may have already been the target of a nation-state-directed cyber attack. Unfortunately, 63 percent of surveyed security leaders also believe that they'd never even know if a nation-state level actor pwned them.

The survey, organised by security shop Venafi, questioned 1,100 security leaders. They said the results show cyber warfare is here, and that it's completely different to many would have imagined. "Any business can be damaged by nation-states," they stated.

It's been common knowledge for some time that government-backed advanced persistent threat (APT) crews are being used to further online geopolitical goals. Unlike conventional warfare, everyone is a target and there's no military or government method for protecting everyone.

Nor is there going to be much financial redress available. Earlier this week Lloyd's of London announced it would no longer recompense policy holders for certain nation-state attacks.

https://www.theregister.com/2022/08/27/in-brief-security/

• Cyber Security Governance: A Path to Cyber Maturity

Organisations need cyber security governance programs that make every employee aware of the cyber security mitigation efforts required to reduce cyber-risks.

In an increasingly challenging threat landscape, many organisations struggle with developing and implementing effective cyber security governance. The "Managing Cybersecurity Risk: A Crisis of Confidence" infographic by the CMMI Institute and ISACA stated: "While enterprise leaders recognise that mature cyber security is essential to thriving in today's digital economy, they often lack the insights and data to have peace of mind that their organisations are efficiently and effectively managing cyber risk."

Indeed, damages from cyber crime are projected to cost the world $7 trillion in 2022, according to the "Boardroom Cybersecurity 2022 Report" from Cybersecurity Ventures. As a result, "board members and chief executives are more interested in cyber security now than ever before," the report stated, adding that the time is ripe for turning awareness into action.

How, then, can board leaders have confidence that their organisations are prepared against cyber attacks? The first order of business for most organisations is to enable a strong cyber security governance program.

Cyber security governance refers to the component of governance that addresses an organisation's dependence on cyber space in the presence of adversaries. The ISO/IEC 27001 standard defines cyber security governance as the following: “The system by which an organisation directs and controls security governance, specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks”.

Traditionally, cyber security is viewed through the lens of a technical or operational issue to be handled in the technology space. Cyber security planning needs to fully transition from a back-office operational function to its own area aligned with law, privacy and enterprise risk. The CISO should have a seat at the table alongside the CIO, COO, CFO and CEO. This helps the C-suite understand cyber security as an enterprise-wide risk management issue, along with the legal implications of cyber-risks, and not solely a technology issue.

https://www.techtarget.com/searchsecurity/post/Cybersecurity-governance-A-path-to-cyber-maturity

• The Rise of Data Exfiltration and Why It Is a Greater Risk Than Ransomware

Ransomware is the de facto threat organisations have faced over the past few years. Threat actors were making easy money by exploiting the high valuation of cryptocurrencies and their victims' lack of adequate preparation.

Think about bad security policies, untested backups, patch management practices not up-to-par, and so forth. It resulted in easy growth for ransomware extortion, a crime that multiple threat actors around the world perpetrate.

Something's changed, though. Crypto valuations have dropped, reducing the monetary appeal of ransomware attacks due to organisations mounting better defence against ransomware.

Threat actors have been searching for another opportunity – and found one. It's called data exfiltration, or exfil, a type of espionage causing headaches at organisations worldwide.

Information exfiltration is rapidly becoming more prevalent. Earlier this year, incidents at Nvidia, Microsoft, and several other companies have highlighted how big of a problem it's become – and how, for some organisations, it may be a threat that's even bigger than ransomware.

Nvidia, for example, became entangled in a complex tit-for-tat exchange with hacker group Lapsus$. One of the biggest chipmakers in the world was faced with the public exposure of the source code for invaluable technology, as Lapsus$ leaked the source code for the company's Deep Learning Super Sampling (DLSS) research.

When it comes to exfil extortion, attackers do not enter with the primary aim of encrypting a system and causing disruption the way that a ransomware attacker does. Though, yes, attackers may still use encryption to cover their tracks.

Instead, attackers on an information exfiltration mission will move vast amounts of proprietary data to systems that they control. And here's the game: attackers will proceed to extort the victim, threatening to release that confidential information into the wild or to sell it to unscrupulous third parties.

https://thehackernews.com/2022/08/the-rise-of-data-exfiltration-and-why.html

Threats

Ransomware

• Ransomware Groups Can Adapt Malware Code to Different Operating Systems Simultaneously, Kaspersky Research Finds - MSSP Alert

• [Whoa] Ransomware Strains Almost Double in Six Months from 5,400 to 10,666 (knowbe4.com)

• Ransomware: Most attacks exploit these common cyber security mistakes - so fix them now, warns Microsoft | ZDNET

• Ransomware dominates the threat landscape - Help Net Security

• We need to think about ransomware differently - Help Net Security

• Disk wiping malware knows no borders - Help Net Security

• NATO investigates hacker sale of missile firm data - BBC News           

• Cyber attackers disrupt services at French hospital, demand $10 million ransom (france24.com)

• New 'Agenda' Ransomware Customized for Each Victim | SecurityWeek.Com

• LockBit gang hit by DDoS attack after Entrust leaks • The Register

• New ransomware HavanaCrypt poses as Google software update | CSO Online

• WannaCry explained: A perfect ransomware storm | CSO Online

• LockBit Ransomware Site Hit by DDoS Attack as Hackers Start Leaking Entrust Data | SecurityWeek.Com

• New Golang Ransomware Agenda Customizes Attacks (trendmicro.com)

• New 'BianLian' Ransomware Variant on the Rise (darkreading.com)

• New 'Donut Leaks' extortion gang linked to recent ransomware attacks (bleepingcomputer.com)

• Ransomware Attacks are on the Rise | Threatpost

• Quantum ransomware attack disrupts govt agency in Dominican Republic (bleepingcomputer.com)

• Car Dealership Hit by Major Ransomware Attack - Infosecurity Magazine

• Ransomware Gang Leaks Data Allegedly Stolen from Greek Gas Supplier | SecurityWeek.Com

• Major airline technology provider Accelya attacked by ransomware group - The Record by Recorded Future

• Businesses expect the government to increase its financial assistance for all ransomware incidents - Help Net Security

BEC – Business Email Compromise

• Before Portland lost $1.4 million in cyber breach, city treasurer raised red flag - OPB

Phishing & Email Based Attacks

• Phishing attacks abusing SaaS platforms see a massive 1,100% growth (bleepingcomputer.com)

• Researchers Warn of AiTM Attack Targeting Google G-Suite Enterprise Users (thehackernews.com)

• Unusual Microsoft 365 Phishing Campaign Spoofs eFax Via Compromised Dynamics Voice Account (darkreading.com)

• Hiding a phishing attack behind the AWS cloud • The Register

• 10 key facts about callback phishing attacks - CyberTalk 2022

Other Social Engineering; Smishing, Vishing, etc

• New social engineering tactics discovered in the wild - Help Net Security

Malware

• Threat actor abuses Genshin Impact Anti-Cheat driver to disable antivirus - Security Affairs

• Fake DDoS Protection Alerts Distribute Dangerous RAT (darkreading.com)

• Meet Borat RAT, a New Unique Triple Threat (thehackernews.com)

• Donot Team group updates its Windows malware framework - Security Affairs

• How 'Kimsuky' hackers ensure their malware only reach valid targets (bleepingcomputer.com)

• Grandoreiro banking malware targets Mexico and Spain - Security Affairs

• Fake Chrome extension 'Internet Download Manager' has 200,000 installs (bleepingcomputer.com)

• Threat actors are using the Tox P2P messenger as C2 server - Security Affairs

Mobile

• Google Play Store Serving Up Chameleon-like Apps (informationsecuritybuzz.com)

• We can make our phones harder to hack but complete security is a pipe dream | John Naughton | The Guardian

Internet of Things – IoT

• Cyber criminals Are Selling Access to Chinese Surveillance Cameras | Threatpost

• IoT Vulnerability Disclosures Up 57% in Six Months, Claroty Reveals - Infosecurity Magazine

• Thousands of Organisations Remain at Risk from Critical Zero-Click IP Camera Bug (darkreading.com)

Data Breaches/Leaks

• LastPass data breach: threat actors stole portion of source code - Security Affairs

• Plex discloses data breach and urges password reset - Security Affairs

• Why the Twilio Breach Cuts So Deep | WIRED

• Plex was compromised, exposing usernames, emails, and passwords - The Verge

• DoorDash discloses new data breach tied to Twilio hackers (bleepingcomputer.com)

• Data on California Prisons' Visitors, Staff, Inmates Exposed | SecurityWeek.Com

• Expert Commentary On The Plex Data Breach (informationsecuritybuzz.com)

• Textile Company Sferra Discloses Data Breach | SecurityWeek.Com

• Novant Health: Oops, we leaked 1.3m patients' info to Meta • The Register

Organised Crime & Criminal Actors

• RaaS Kits Are Hiding Who The Attackers Really Are – Expert Comments (informationsecuritybuzz.com)

• Researchers warn of darkverse emerging from the metaverse | CSO Online

 Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• An anatomy of crypto-enabled cyber crime | Financial Times (ft.com)

• Cryptojackers Spread Across Computers Globally- IT Security Guru

• Hackers Are Breaking Into and Emptying Cash App Accounts (vice.com)

• Threat actors are stealing funds from General Bytes Bitcoin ATMSecurity Affairs

• How Economic Changes and Crypto's Rise Are Fuelling the use of "Cyber Mules" | SecurityWeek.Com

Fraud, Scams & Financial Crime

• Scammers Create “AI Hologram” of C-Suite Crypto Exec - Infosecurity Magazine

• Employee fraud: Beware of deepfake job applicants - Protocol

• A closer look at identity crimes committed against individuals - Help Net Security

• What type of fraud enables attackers to make a living? - Help Net Security

Insurance

• Lloyds Of London Ends Insurance Coverage For State Cyber Attacks, Expert (informationsecuritybuzz.com)

Software Supply Chain

• Why SBOMs alone aren’t enough for software supply chain security | CSO Online

Denial of Service DoS/DDoS

• DDoS attacks jump 203%, patriotic hacktivism surges - Help Net Security

• Threat Actor Deploys Raven Storm Tool to Perform DDoS Attacks - Infosecurity Magazine

• LockBit gang hit by DDoS attack after Entrust leaks • The Register

• Gambling sites are losing significant amounts of revenue due to raising DDoS attacks - Help Net Security

Cloud/SaaS

• Mitiga: Attackers evade Microsoft MFA to lurk inside M365 (techtarget.com)

• Phishing attacks abusing SaaS platforms see a massive 1,100% growth (bleepingcomputer.com)

• How complicated access management protocols have impacted cloud security - Help Net Security

Identity and Access Management

• IT leaders struggling to address identity sprawl - Help Net Security

• Identity Security Pain Points and What Can Be Done (darkreading.com)

• Thoma Bravo: Securing digital identities has become a major priority - Help Net Security

Encryption

• CISA: Action required now to prepare for quantum computing cyber threats | ZDNET

• Encrypted Traffic Analysis: Mitigating Against The Risk Of Encryption (informationsecuritybuzz.com)

• US Government: Stop Dickering and Prepare for Post-Quantum Encryption Now - CNET

API

• API security incidents occur at least once a month - Help Net Security

Passwords, Credential Stuffing & Brute Force Attacks

• Credential phishing attacks rise and represent a huge threat to businesses - Help Net Security

• Twilio hackers breached over 130 organisations during months-long hacking spree | TechCrunch

• FBI: Beware Residential IPs Hiding Credential Stuffing - Infosecurity Magazine

Social Media

• Experts Reaction to Poor Security At Twitter (informationsecuritybuzz.com)

Privacy

• Oracle sued over ‘worldwide surveillance machine’ by privacy rights activists | CSO Online

• Most top mobile carriers retain geolocation data for two years on average, FCC findings show - CyberScoop

Travel

• Hackers target hotel and travel companies with fake reservations (bleepingcomputer.com)

• Fake Reservation Links Prey on Weary Travelers | Threatpost

• British Airways passengers targeted in baggage scam using Twitter | The Independent

Models, Frameworks and Standards

• PCI DSS v4.0 is coming, here's how to prepare to comply (techtarget.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Lloyd's of London Introduces New War Exclusion Insurance Clauses | SecurityWeek.Com

• The (Nation) State of Cyber: 64% of Businesses Suspect They've Been Targeted or Impacted by Nation-State Attacks (darkreading.com)

• EU Outlines Critical Cyber Response to Ukraine War - Infosecurity Magazine

• Unprecedented cyber attack hit State Infrastructure of Montenegro - Security Affairs

• Suspected Iranian Hackers Targeted Several Israeli Organisations for Espionage (thehackernews.com)

Nation State Actors

Nation State Actors – Russia

• Microsoft: Russian hackers gain powerful 'MagicWeb' authentication bypass | ZDNET

• Microsoft Attributes New Post-Compromise Capability to Nobelium - Infosecurity Magazine

Nation State Actors – Iran

• Google Uncovers Tool Used by Iranian Hackers to Steal Data from Email Accounts (thehackernews.com)

• Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organisations (thehackernews.com)

Nation State Actors – Misc APT

• Donot Team group updates its Windows malware framework - Security Affairs

• Cyber crime Groups Increasingly Adopting Sliver Command-and-Control Framework (thehackernews.com)

Vulnerability Management

• Up to 35% more CVEs published so far this year compared to 2021 | CSO Online

• Why patching quality, vendor info on vulnerabilities are declining | CSO Online

• How fast is the financial industry fixing its software security flaws? - Help Net Security

• Highlighting What should be Patched First at the Endpoint (bleepingcomputer.com)

Vulnerabilities

• Cisco Patches High-Severity Vulnerabilities in Business Switches | SecurityWeek.Com

• CISA Warns of Active Exploitation of Palo Alto Networks' PAN-OS Vulnerability (thehackernews.com)

• Critical flaw impacts Atlassian Bitbucket Server and Data Center - Security Affairs

• VMware fixes privilege escalation vulnerabilities in VMware Tools - Infosecurity Magazine

• VMware LPE Bug Allows Cyber attackers to Feast on Virtual Machine Data (darkreading.com)

• Critical RCE bug in GitLab patched, update ASAP! (CVE-2022-2884) - Help Net Security

• Mac users urged to update Zoom, after security patch released for previously-flawed security patch (bitdefender.com)

• Zoom patches root exploit, patches patch due to root exploit • The Register

• US government really hopes you've patched your Zimbra server • The Register

• Apple security flaw ‘actively exploited’ by hackers to fully control devices | Apple | The Guardian

• Microsoft publicly discloses details on critical ChromeOS flaw - Security Affairs

• Mozilla Patches High-Severity Vulnerabilities in Firefox, Thunderbird | SecurityWeek.Com

• 'DirtyCred' Vulnerability Haunting Linux Kernel for 8 Years | SecurityWeek.Com

• Privilege Escalation Flaw Haunts VMware Tools | SecurityWeek.Com

Reports Published in the Last Week

• Cyber Signals: Defend against the new ransomware landscape - Microsoft

• Threat Spotlight: The untold stories of ransomware - Journey Notes (barracuda.com)

Other News

• How attackers use and abuse Microsoft MFA - Help Net Security

• There is an urgent need to reduce systemic cyber risks | Financial Times (ft.com)

• Critical infrastructure is under attack from hackers. Securing it needs to be a priority - before it's too late | ZDNET

• We Need to Talk About How Good A.I. Is Getting - The New York Times (nytimes.com)

• A lack of endpoint security strategy is leaving enterprises open to attack - Help Net Security

• NIST Weighs in on AI Risk (darkreading.com)

• Twitter whistleblower report holds security lessons (techtarget.com)

• Nearly 3 Years Later, SolarWinds CISO Shares 3 Lessons From the Infamous Attack (darkreading.com)

• Data governance: 5 tips for holistic data protection - Microsoft Security Blog

• US Government Spending Billions on Cyber security (thehackernews.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive Summary

The password manager provider LastPass, has suffered a security incident from which technical information within the development environment was stolen. At this stage LastPass has stated that no customer data was affected by this breach.

What’s the risk to me or my business?

LastPass has stated that they have not seen any further evidence of unauthorised activity outside of the development environment, and that customer data will not have been affected by this security incident. Black Arrow will continue to monitor this situation and will provide updates if this changes.

What can I do?

While LastPass themselves do not recommend any action on the part of customers, as a precaution we would recommend that users change their master password and ensure that multi-factor authentication is enabled on their accounts.

Further information on this security incident be found here: Notice of Recent Security Incident - The LastPass Blog

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

Plex, the streaming platform aggregate, has suffered a data breach on 22/08/2022 where customer information including emails, usernames and encrypted passwords were stolen. The organisation has advised that users reset their passwords immediately.

What’s the risk to me or my business?

While it has been specified that the passwords were encrypted, it still may be possible for a malicious attacker to brute force the password, which would allow them access to the account, and potentially any other account which also uses the same email and password combination. It is also likely that users will start receiving more phishing emails and spam, which is a frequent occurrence after a data breach.

What can I do?

It is recommended that the password for the account is changed. If that password is in use for any other account associated with the email address, then this should also be changed. As a reminder it is best practice and often organisational policy for users to have different passwords for different accounts for this very reason.

Further information on this specific data breach can be found here: Important notice of a potential data breach 24th of August 2022 - Announcements - Plex Forum

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

Cisco has supplied patches which address two high severity vulnerabilities within the Cisco NX-OS software, which runs on their Nexus line of switches. One vulnerability could allow an unauthenticated attacker to remotely cause denial of service to the device. A second vulnerability which also affects the Cisco FXOS, could cause an unauthenticated attacker to laterally execute code on the device, or cause denial of service to the device. Cisco also released a patch for a third high severity vulnerability within the Multi-Site Orchestrator product which could allow a remote, authenticated attacker to escalate privileges to administrator levels on affected devices.

What’s the risk to me or my business?

The first high vulnerability relates to the OSPFv3 feature, which is a routing protocol used in IPv6. As affected devices may be situated on the network perimeter and can be executed remotely, a denial of service could lead to downtime affecting availability of key network infrastructure across an organisation. It should be noted that this feature is disabled by default. The second high vulnerability could allow an attacker who already has access to the organisations network, to further compromise critical network infrastructure, resulting in a potential loss of confidentiality, integrity, and availability.  The third high vulnerability relating to the Multi-Site Orchestrator, which is used to interconnect and manage multiple locations under a single network, could allow an attacker who already has access to a non-privileged account, to escalate their privileges on affected devices, resulting in a potential loss of confidentiality, integrity and availability within the network.

What can I do?

Cisco has released software updates to address the vulnerabilities, which are available for download from their website, and should be applied in line with the organisations vulnerability management process to limit availability impact to the business. Regarding the OSPFv3 vulnerability, if that feature is not in use as it is disabled by default, then this vulnerability cannot be exploited.

Technical Summary

The following is a breakdown of the vulnerabilities with the affected Cisco products.

CVE-2022-20823: A remote denial of service vulnerability relating to the OSPFv3 feature of NX-OS, with a CVSS 3.0 rating of 8.6, which allows a malicious attacker to exploit incomplete input validation by sending a malicious OSPFv3 link-state advertisement (LSA) to an affected device, causing it to crash and restart multiple times which would cause the device to reload, resulting in a DoS condition. Affected devices:

·         Nexus 3000 Series Switches

·         Nexus 5500 Platform Switches

·         Nexus 5600 Platform Switches

·         Nexus 6000 Series Switches

·         Nexus 7000 Series Switches

·         Nexus 9000 Series Fabric Switches in ACI mode

·         Nexus 9000 Series Switches in standalone NX-OS mode

Further information on this specific vulnerability can be found here: Cisco NX-OS Software OSPFv3 Denial of Service Vulnerability

CVE-2022-20824: A remote arbitrary code execution vulnerability with a CVSS 3.0 rating of 8.8, which allows a malicious attacker who is on the same Layer 2 broadcast domain as the affected device (Layer 2 adjacent) to exploit an input validation vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device, allowing them to execute arbitrary code as the root user, or reload the device resulting in a DoS Condition. Affected devices:

·         Firepower 4100 Series

·         Firepower 9300 Security Appliances

·         MDS 9000 Series Multilayer Switches

·         Nexus 1000 Virtual Edge for VMware vSphere

·         Nexus 1000V Switch for Microsoft Hyper-V

·         Nexus 1000V Switch for VMware vSphere

·         Nexus 3000 Series Switches

·         Nexus 5500 Platform Switches

·         Nexus 5600 Platform Switches

·         Nexus 6000 Series Switches

·         Nexus 7000 Series Switches

·         Nexus 9000 Series Fabric Switches in ACI mode

·         Nexus 9000 Series Switches in standalone NX-OS mode

·         UCS 6200 Series Fabric Interconnects

·         UCS 6300 Series Fabric Interconnects

·         UCS 6400 Series Fabric Interconnects

Further information on this specific vulnerability can be found here: Cisco FXOS and NX-OS Software Cisco Discovery Protocol Denial of Service and Arbitrary Code Execution Vulnerability

CVE-2022-20921: A privilege escalation vulnerability with a CVSS 3.0 rating of 8.8, which allows an authenticated malicious attacker to exploit a vulnerability within the API implementation of Cisco ACI Multi-Site Orchestrator via a crafted HTTP request to elevate to administrator privileges on the affected product. It should be noted that after release 3.4, Cisco ACI MSO was renamed Cisco Nexus Dashboard Orchestrator (NDO), and Cisco NDO is not affected by this vulnerability.

Further information on this specific vulnerability can be found here: Cisco ACI Multi-Site Orchestrator Privilege Escalation Vulnerability

Need help understanding your gaps, or just want some advice? Get in touch with us.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Businesses Found to Neglect Cyber Security Until it is Too Late

Businesses only take cyber security seriously after falling victim to an attack, according to a report published by the UK's Department for Culture, Media and Sport (DCMS) this week.

For the research, the UK government surveyed IT professionals and end users in 10 UK organisations of varying sizes that have experienced cyber security breaches in the past three years. This analysed their existing level of security prior to a breach, the business impacts of the attack and how cyber security arrangements changed in the wake of the incident.

Nearly all respondents said their organisation took cyber security much more seriously after experiencing a breach, including reviewing existing practices and significantly increased investment in technology solutions.

While there was a consensus among participants that there is a greater need for vigilance and investment in cyber security, there was significant variation between organisations’ practices in this area. Medium and large organisations tended to have formal plans in place and budget allocated for further cyber security investment, but smaller businesses mostly did not due to resource constraints.

https://www.infosecurity-magazine.com/news/cybersecurity-seriously-breach/

• Cyber Tops Staff Retention as Biggest Business Risk

Cyber security concerns represent the most serious risk facing organisations, beating inflation, talent acquisition/retention and rising production costs, according to a new PwC study.

The PwC Pulse: Managing business risks in 2022 report was compiled from interviews with 722 US C-suite executives.

Two-fifths (40%) ranked cyber-attacks as a serious risk, rising to 51% of board members. PwC said boardrooms may be getting more attuned to cyber risk after new SEC proposals were published in March that would require directors to oversee cyber security risk and be more transparent about their cyber expertise.

In fact, executives appear to be getting more proactive with cyber security on a number of fronts.

Some 84% said they are taking action or monitoring closely policy areas related to cyber security, privacy and data protection. A further 79% said they’re revising or enhancing their cyber risk management approaches, and half (49%) pointed to increased investments in cyber security and privacy.

By way of comparison, 53% said they’re increasing investment in digital transformation and 52% in IT.

Cyber security is a strategic business enabler – technology is the central nervous system of many companies – and confirming its data is secure and protected can be brand defining.

There’s now heightened attention from a wider range of business leaders and corporate directors as they recognise that cyber security and data privacy should be part of not only a risk management strategy, but also a broader corporate strategy. C-suite and boards are actively taking steps to better understand the global threat landscape, confirm a foundational cyber security program is in place, and manage these risks to create opportunities.

https://www.infosecurity-magazine.com/news/cyber-tops-staff-retention-biggest/

• Cyber Criminals Weaponising Ransomware Data for BEC Attacks

Cyber criminals and other threat actors are increasingly using data dumped from ransomware attacks in secondary business email compromise (BEC) attacks, according to new analysis by Accenture Cyber Threat Intelligence.

The ACTI team analysed data from the 20 most active ransomware leak sites, measured by number of featured victims, between July 2021 and July 2022. Of the 4,026 victims (corporate, non-governmental organisations, and governmental entities) uncovered on various ransomware groups’ dedicated leak sites, an estimated 91% incurred subsequent data disclosures, ACTI found.

Dedicated leak sites most commonly provide financial data, followed by employee and client personally identifiable information and communication documentation. The rise of double extortion attempts – where attack groups use ransomware to exfiltrate data and then publicise the data on dedicated leak sites – has made large amounts of sensitive corporate data available to any threat actor. The most valuable types of data most useful for conducting BEC attacks are financial, employee, and communication data, as well as operational documents. There is a significant overlap between the types of data most useful for conducting BEC attacks and the types of data most commonly posted on these ransomware leak sites, ACTI said.

The data is a “rich source for information for criminals who can easily weaponise it for secondary BEC attacks,” ACTI said. “The primary factor driving an increased threat of BEC and VEC attacks stemming from double-extortion leaks is the availability of [corporate and communication data].”

https://www.darkreading.com/edge-threat-monitor/cybercriminals-weaponizing-ransomware-data-for-bec-attacks

• Callback Phishing Attacks See Massive 625% Growth Since Q1 2021

Hackers are increasingly moving towards hybrid forms of phishing attacks that combine email and voice social engineering calls as a way to breach corporate networks for ransomware and data extortion attacks.

According to Agari's Q2 2022 cyber-intelligence report, phishing volumes have only increased by 6% compared to Q1 2022. However, the use of 'hybrid vishing' is seeing a massive 625% growth.

Vishing, "voice phishing," involves some form of a phone call to perform social engineering on the victim. Its hybrid form, called "callback phishing," also includes an email before the call, typically presenting the victim with a fake subscription/invoice notice.

The recipient is advised to call on the provided phone number to resolve any issues with the charge, but instead of a real customer support agent, the call is answered by phishing actors.

The scammers then offer to resolve the presented problem by tricking the victim into disclosing sensitive information or installing remote desktop tools on their system. The threat actors then connect to the victim's device remotely to install further backdoors or spread to other machines.

These callback phishing attacks were first introduced by the 'BazarCall/BazaCall' campaigns that appeared in March 2021 to gain initial access to corporate networks for ransomware attacks.

The attacks work so well that multiple ransomware and extortion gangs, such as Quantum, Zeon, and Silent Ransom Group, have adopted the same technique today to gain initial network access through an unsuspecting employee.

"Hybrid Vishing attacks reached a six-quarter high in Q2, increasing 625% from Q1 2021. This threat type also contributed to 24.6% of the overall share of Response-Based threats," details the Agari report.

"While this is the second quarter hybrid vishing attacks have declined in share due to the overall increase of response-based threats, vishing volume has steadily increased in count over the course of the year."

https://www.bleepingcomputer.com/news/security/callback-phishing-attacks-see-massive-625-percent-growth-since-q1-2021/

• Credential Phishing Attacks Skyrocketing, 265 Brands Impersonated in H1 2022

Abnormal Security released a report which explores the current email threat landscape and provides insight into the latest advanced email attack trends, including increases in business email compromise, the evolution of financial supply chain compromise, and the rise of brand impersonation in credential phishing attacks.

The research found a 48% increase in email attacks over the previous six months, and 68.5% of those attacks included a credential phishing link. In addition to posing as internal employees and executives, cyber criminals impersonated well-known brands in 15% of phishing emails, relying on the brands’ familiarity and reputation to convince employees to provide their login credentials. Most common among the 265 brands impersonated in these attacks were social networks and Microsoft products.

“The vast majority of cyber crime today is successful because it exploits the people behind the keyboard,” said Crane Hassold, director of threat intelligence at Abnormal Security.

“By compromising people rather than networks, it’s easier for attackers to circumvent conventional security measures. This is especially true with brand impersonation, where attackers use urgency and fear to encourage their targets to provide usernames and passwords.”

LinkedIn took the top spot for brand impersonation, but Outlook, OneDrive and Microsoft 365 appeared in 20% of all attacks. What makes these attacks particularly dangerous is that phishing emails are often the first step to compromising employee email accounts. Acquiring Microsoft credentials enables cyber criminals to access the full suite of connected products, allowing them to view sensitive data and use the account to send business email compromise attacks.

https://www.helpnetsecurity.com/2022/08/15/landscape-email-threat/

• Are Cloud Environments Secure Enough for Today’s Threats?

Cyber security is a major problem right now. Not only is it the highest priority of any given business to keep their own data and their customers’ and clients’ data secure, but changes in the workplace have had a knock-on effect on cyber security. The concept of working from home has forced businesses all around the world to address old and new cyber security threats. People taking their laptops, and therefore their data, home to public networks that can be hacked or leaving access details like passwords scribbled on notebooks has meant that access to a business and therefore their customers’ data is a lot more accessible.

The saving grace was said to be the cloud. Beyond retraining cyber security in staff workforces, the practical solution was to move data into the cloud. But we’re now a few years from the point when the cloud really gained popularity. Is it still the answer to all our cyber security problems? Is there a chance of risk to using the cloud?

Cloud data breaches do happen and misconfiguration is a leading cause of them, mainly due to businesses inadequate cyber security strategies. This is due to several factors, such as the fundamental nature of the cloud designed to be easy for anyone to access, and businesses unable to completely see or control the cloud’s infrastructure and therefore relying on the cyber security controls that are provided by the cloud service provider (or CSP).

Unauthorised access is also a risk. The internet, which is a readily available public resource to most of the world, makes it easy for hackers to access data if they have the credentials to get past the cyber security set up by the individual business. This is where the ugliness of internal cloud breaches happens. If security is not configured well or credentials like passwords and secret questions are compromised, an attacker can easily access the cloud.

However, it’s not only through an employee that hackers access credentials. Phishing is a very common means of gaining information that would allow access to a customer or business data.

Plus, the simple nature of sharing data can easily backfire on a company. A lot of data access is granted with a link to someone external, which can then be forwarded, either sold or stolen, to an attacker to access the cloud’s data.

https://www.itsecurityguru.org/2022/08/16/are-cloud-environments-secure-enough-for-todays-threats/

• Most Q2 Attacks Targeted Old Microsoft Vulnerabilities

Attacks targeting a remote code execution vulnerability in Microsoft's MSHTML browser engine — which was patched last September — soared during the second quarter of this year, according to a Kaspersky analysis.

Researchers from Kaspersky counted at least 4,886 attacks targeting the flaw (CVE-2021-40444) last quarter, an eightfold increase over the first quarter of 2022. The security vendor attributed the continued adversary interest in the vulnerability to the ease with which it can be exploited.

Kaspersky said it has observed threat actors exploiting the flaw in attacks on organisations across multiple sectors including the energy and industrial sectors, research and development, IT companies, and financial and medical technology firms. In many of these attacks, the adversaries have used social engineering tricks to try and get victims to open specially crafted Office documents that would then download and execute a malicious script. The flaw was under active attack at the time Microsoft first disclosed it in September 2021.

Attacks targeting a remote code execution vulnerability in Microsoft's MSHTML browser engine — which was patched last September — soared during the second quarter of this year, according to a Kaspersky analysis. Researchers from Kaspersky counted at least 4,886 attacks targeting the flaw last quarter, an eightfold increase over the first quarter of 2022. The security vendor attributed the continued adversary interest in the vulnerability to the ease with which it can be exploited. According to Kaspersky, exploits for Windows vulnerabilities accounted for 82% of all exploits across all platforms during the second quarter of 2022. While attacks on the MSHTML vulnerability increased the most dramatically, it was by no means the most exploited flaw, which was a remote code execution vulnerability in Microsoft Office that was disclosed and patched four years ago that was attacked some 345,827 times last quarter.

https://www.darkreading.com/attacks-breaches/most-attacks-in-q2-targeted-old-microsoft-vulnerabilities

• Cyber Resiliency Isn't Just About Technology, It's About People

Cyber attacks are on the rise — but if we're being honest, that statement has been true for quite a while, given the acceleration of cyber incidents over the past several years. Recent research indicates that organisations experienced 50% more attack attempts per week on corporate networks in 2021 than they did in 2020, and tactics such as phishing are becoming increasingly popular as attackers refine their tried-and-true methods to more successfully entice unsuspecting targets.

It's no surprise, then, that cyber resiliency has been a hot topic in the cyber security world. But although cyber resiliency refers broadly to the ability of an organisation to anticipate, withstand, and recover from cyber security incidents, many experts make the mistake of applying the term specifically to technology. And while it's true that detection and remediation tools, backup systems, and other resources play an important role in cyber resiliency, organisations that focus exclusively on technology risk are overlooking an equally important element: people.

People are often thought of as the weak link in cyber security. It's easy to understand why. People fall for phishing scams. They use weak passwords and procrastinate on installing security updates. They misconfigure hardware and software, leave cloud assets unsecured, and send confidential files to the wrong recipient. There's a reason so much cyber security technology is moving toward automation: removing people from the equation is seen as one of the most obvious ways to improve security. To many security experts, that's just common sense.

Except — is it, really? It's true that people make mistakes — it's called "human error" for a reason, after all — but many of those mistakes come when employees aren't put in a position to succeed. Phishing is a great example. Most people are familiar with the concept of phishing, but many may not be aware of the nefarious techniques that today's attackers deploy. If employees have not been properly trained, they may not be aware that attackers often impersonate real people within the organisation, or that the CEO asking them to buy gift cards "for a company happy hour" probably isn't legit. Organisations that want to build strong cyber-resiliency cannot pretend that people don't exist. Instead, they need to prioritise the resiliency of their people just as highly as the resiliency of their technology.

Training the organisation to recognise the signs of common attack tactics, practice better password and cyber hygiene, and report signs of suspicious activity can help ease the burden on IT and security personnel by providing them better information in a more timely manner. It also avoids some of the pitfalls that create a drain on their time and resources. By ensuring that people at every level of the business are more resilient, today's organisations will discover that their overall cyber-resiliency will improve significantly.

https://www.darkreading.com/vulnerabilities-threats/cyber-resiliency-isn-t-just-about-technology-it-s-about-people

• The “Cyber Insurance Gap” Is Threatening Most Companies

A new study by BlackBerry and Corvus Insurance confirms a “cyber insurance gap” is growing, with a majority of businesses either uninsured or under insured against a rising tide of ransomware attacks and other cyber threats.

• Only 19% of all businesses surveyed have ransomware coverage limits above the median ransomware demand amount ($600,000)

• Among SMBs with fewer than 1,500 employees, only 14% have a coverage limit in excess of $600,000

• 37% of respondents with cyber insurance do not have any coverage for ransomware payment demands

• 43% of those with a policy are not covered for auxiliary costs such as court fees or employee downtime

• 60% say they would reconsider entering into a partnership or agreement with another business or supplier if the organisation did not have comprehensive cyber insurance

• Endpoint detection and response (EDR) software is frequently a key component to obtaining a policy

• 34% of respondents have been previously denied cyber coverage by insurance providers due to not meeting EDR eligibility requirements

https://informationsecuritybuzz.com/expert-comments/the-cyber-insurance-gap-is-threatening-most-companies/

• Easing the Cyber-Skills Crisis with Staff Augmentation

Filling cyber security roles can be costly, slow, and chancy. More firms are working with third-party service providers to quickly procure needed expertise.

There are many possible solutions to the cyber security skills shortage, but most of them take time. Cyber security education, career development tracks, training programs, employer-sponsored academies, and internships are great ways to build a talent pipeline and develop skill sets to meet organisational needs in years to come.

But sometimes the need to fill a gap in capability is more immediate.

An organisation in the entertainment industry recently found itself in such a position. Its primary cyber security staff member quit suddenly without notice, taking along critical institutional knowledge and leaving various projects incomplete. With its key defender gone, the organisation's environment was left vulnerable. In a scarce talent market, the organisation faced a long hiring process to find a replacement — too long to leave its digital estate unattended. It needed expertise, and quickly.

According to a 2021 ESG report, 57% of organisations have been impacted by the global cyber security skills crisis. Seventy-six percent say it's difficult to recruit and hire security professionals. The biggest effects of this shortage are increasing workloads, positions open for weeks or months, and high cyber security staff burnout and attrition.

In this climate, more companies are turning to third parties for cyber security staff reinforcement. According to a NewtonX study, 56% of organisations are now subcontracting up to a quarter of their cyber security staff. Sixty-nine percent of companies rely on third-party expertise to assist in mitigating the risk of ransomware — up from 58% in 2017 — per a study by Ponemon and CBI, a Converge Company.

One way that companies gain this additional support is via third-party staff augmentation and consulting services. Cyber security staff augmentation, or strategic staffing, entails trained external consultants acting as an extension of an organisation's security team in a residency. Engagements can be anywhere from a few weeks to a few years, and roles can range from analysts and engineers to architects, compliance specialists, and virtual CISOs.

https://www.darkreading.com/operations/easing-the-cyber-skills-crisis-with-staff-augmentation

• Mailchimp Suffers Second Breach In 4 Months

Mailchimp suffered another data breach earlier this month, and this one cost it a client.

In a statement Friday, Mailchimp disclosed that a security incident involving phishing and social engineering tactics had targeted cryptocurrency and blockchain companies using the email marketing platform. It was the second Mailchimp breach to target cryptocurrency customers in a four-month span.

Though Mailchimp said it has suspended accounts where suspicious activity was detected while an investigation is ongoing, it did not reveal the source of the breach or scope of the attack.

More details were provided Sunday by one of the affected customers, DigitalOcean, which cut ties with Mailchimp on Aug. 9.

The cloud hosting provider observed suspicious activity beginning Aug. 8, when threat actors used its Mailchimp account for "a small number of attempted compromises" of DigitalOcean customer accounts -- specifically cryptocurrency platforms.

While it is not clear whether any DigitalOcean accounts were compromised, the company did confirm that some email addresses were exposed. More importantly, the statement attributed a potential source of the most recent Mailchimp breach.

https://www.techtarget.com/searchsecurity/news/252523911/Mailchimp-suffers-second-breach-in-4-months

• Firm Told It Can't Claim Full Cyber Crime Insurance After Social Engineering Attack

A Minnesota computer store suing its cyber insurance provider has had its case dismissed, with the courts saying it was a clear instance of social engineering, a crime for which the insurer was only liable to cover a fraction of total losses.

SJ Computers alleged in a November lawsuit that Travelers Casualty and Surety Co. owed it far more than paid on a claim for nearly $600,000 in losses due to a successful business email compromise (BEC) attack.

According to its website, SJ Computers is a Microsoft Authorised Refurbisher, reselling Dell, HP, Lenovo and Acer products, as well as providing tech services including software installs and upgrades.

Travelers, which filed a motion to dismiss, said SJ's policy clearly delineated between computer fraud and social engineering fraud. The motion was granted with prejudice last Friday.

In the dismissal order, the US District Court for Minnesota found that the two policy agreements are mutually exclusive, as well as finding SJ's claim fell squarely into its social engineering fraud agreement with Travelers, which has a cap of $100,000.

When SJ filed its claim with Travelers, the court noted, it did so only under the social engineering fraud agreement. After realising the policy limit on computer fraud was 10 times higher, "SJ Computers then made a series of arguments – ranging from creative to desperate – to try to persuade Travelers that its loss was not the result of social-engineering-fraud (as SJ Computers itself had initially said) but instead the result of computer fraud," the district judge wrote in the order.

https://www.theregister.com/2022/08/16/social_engineering_cyber_crime_insurance/

Threats

Ransomware

• Ransomware Group Threatens to Leak Data Stolen From Security Firm Entrust | SecurityWeek.Com

• Cisco Confirms Hack: Yanluowang Ransom Gang Claims 2.8GB Of Data (informationsecuritybuzz.com)

• Ransomware is still on the rise. Here's what you need to do to stay safe from hackers | ZDNET

• Russian Man Extradited to US for Laundering Ryuk Ransomware Money | SecurityWeek.Com

• ‘Coopetition’ a growing trend among ransomware gangs (computerweekly.com)

• Hackers Attack UK Water Supplier, Sends Ransom Demand to the Wrong Company (gizmodo.com)

• SOVA malware adds ransomware feature to encrypt Android devices (bleepingcomputer.com)

• BlackByte ransomware v2 is out with new extortion novelties - Security Affairs

• Ransomware is back, healthcare sector most targeted - Help Net Security

• Why Hackers Are Now Targeting Electric Car Charging Stations (nocamels.com)

• BlackByte Ransomware Gang Returns With Twitter Presence, Tiered Pricing (darkreading.com)

• Ski-Doo maker BRP resumes operations following cyber attack; shares fluctuate - MarketWatch

• Argentina's Judiciary of Córdoba hit by PLAY ransomware attack (bleepingcomputer.com)

BEC – Business Email Compromise

• Three Extradited from UK to US on $5m BEC Charges - Infosecurity Magazine

Phishing & Email Based Attacks

• Response-based attacks make up 41% of all email-based scams - Help Net Security

• PayPal Phishing Scam Uses Invoices Sent Via PayPal – Krebs on Security

• Microsoft admits it can't stop scammers fooling you with their latest tricks | ZDNET

Other Social Engineering; SMishing, Vishing, etc

• This is the lamest Microsoft Office security threat we've ever seen - but people will still fall for it | TechRadar

Malware

• Hackers Deploy Bumblebee Loader to Breach Target Networks - Infosecurity Magazine

• 'DarkTortilla' Malware Wraps in Sophistication for High-Volume RAT Infections (darkreading.com)

• Malicious browser extensions targeted almost 7 million people (bleepingcomputer.com)

• DoNot Team Hackers Updated its Malware Toolkit with Improved Capabilities (thehackernews.com)

• Whack-a-Mole: More Malicious PyPI Packages Spring Up Targeting Discord, Roblox (darkreading.com)

• This String of Emojis Is Actually Malware (vice.com)

Mobile

• SOVA Android malware now also encrypts victims' files - Security Affairs

• Malware devs already bypassed Android 13's new security feature (bleepingcomputer.com)

• Google releases Android 13 with improved privacy and security features - Help Net Security

• Android malware apps with 2 million installs found on Google Play (bleepingcomputer.com)

• Researchers Find 35 Adware Apps on Google Play - Infosecurity Magazine

• Nearly 1,900 Signal Messenger Accounts Potentially Compromised in Twilio Hack (thehackernews.com)

Internet of Things – IoT

• How attackers are exploiting corporate IoT - Help Net Security

• ‘Ask all the time: why do I need this?’ How to stop your vacuum from spying on you | Smart homes | The Guardian

• Amazon fixes Ring Android app flaw exposing camera recordings (bleepingcomputer.com)

Data Breaches/Leaks

• Digital Ocean dumps Mailchimp after security breach • The Register

Organised Crime & Criminal Actors

• How Do Hackers Steal Credit Card Information? | TechTarget

• IT security worker who hacked businesses caught out by neighbour's Wi-Fi - Manchester Evening News

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• With Plunge in Value, Cryptocurrency Crimes Decline in 2022 (darkreading.com)

• Microsoft: Cryptojackers Continue to Evolve to Be Stealthier and Spread Faster - Infosecurity Magazine

• Hardware-based threat defence against increasingly complex cryptojackers - Microsoft Security Blog

Insider Risk and Insider Threats

• Ex-HP manager jailed for $5m company card shopping spree • The Register

• Microsoft Employees Exposed Own Company’s Internal Logins (vice.com)

Fraud, Scams & Financial Crime

• SEC claims $1.3m pump-and-dump scam used hacked accounts • The Register

AML/CFT/Sanctions

• Alleged Russian Money Launderer Extradited from the Netherlands to U.S. | OPA | Department of Justice

Insurance

• Organisations are losing cyber insurance as an important risk management tool - Help Net Security

• For cyber insurance, some technology leads to higher premiums (techtarget.com)

• New Study Reveals Serious Cyber-Insurance Shortfalls - Infosecurity Magazine

Supply Chain and Third Parties

• Expert On Report Showing 297% Increase in US Breaches Tied To Supply Chain (informationsecuritybuzz.com)

• Transitioning From VPNs to Zero-Trust Access Requires Shoring Up Third-Party Risk Management (darkreading.com)

• How a Third-Party SMS Service Was Used to Take Over Signal Accounts

Denial of Service DoS/DDoS

• Google blocked the largest Layer 7 DDoS reported to date - Security Affairs

Cloud/SaaS

• Organisations Struggle to Fend Off Cloud and Web Attacks - Infosecurity Magazine

• Incident response in the cloud can be simple if you are prepared - Help Net Security

Passwords, Credential Stuffing & Brute Force Attacks

• Credential Theft Is (Still) A Top Attack Method (thehackernews.com)

• FBI Warns of Proxies and Configurations Used in Credential Stuffing Attacks | SecurityWeek.Com

• Over 9,000 VNC servers exposed online without a password (bleepingcomputer.com)

Privacy

• Google fined $60 million over Android location data collection (bleepingcomputer.com)

• New Amazon Ring Vulnerability Could Have Exposed All Your Camera Recordings (thehackernews.com)

• ‘Ask all the time: why do I need this?’ How to stop your vacuum from spying on you | Smart homes | The Guardian

• Period and pregnancy tracking apps have bad privacy protections, report finds - The Verge

Regulations, Fines and Legislation

• Financial Services & Cyber Security Regulations: New York Making Changes? - MSSP Alert

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• 5 Russia-Linked Groups Target Ukraine in Cyberwar (darkreading.com)

• Russia-linked Gamaredon APT continues to target Ukraine - Security Affairs

• Microsoft shuts down accounts linked to Russian spies • The Register

• State-Sponsored APTs Dangle Job Opps to Lure In Spy Victims (darkreading.com)

• Estonia Repels Biggest Cyber-Attack Since 2007 - Infosecurity Magazine

• Spyware Scandals Are Ripping Through Europe | WIRED

• US Cyber Command deploys defensive operators to Croatia to hunt for malicious cyber activity - Help Net Security

• NHS cyber attacks hit record levels in four in five trusts after Russian invasion (telegraph.co.uk)

• Spyware Hunters Are Expanding Their Tool Set | WIRED

Nation State Actors

Nation State Actors – Russia

• Microsoft disrupts Russian hackers' operation on NATO targets (bleepingcomputer.com)

• Russian APT29 hackers abuse Azure services to hack Microsoft 365 users (bleepingcomputer.com)

• Microsoft Disrupts Russian Group's Multiyear Cyber-Espionage Campaign (darkreading.com)

• Russian hackers target Ukraine with default Word template hijacker (bleepingcomputer.com)

• Estonia says it repelled major cyber attack after removing Soviet monuments | Reuters

Nation State Actors – China

• Western companies wake up to China risk | Financial Times (ft.com)

• China-backed APT41 Hackers Targeted 13 Organisations Worldwide Last Year (thehackernews.com)

• China-linked RedAlpha behind multi-year credential theft campaign - Security Affairs

• Chinese Cyberspy Group 'RedAlpha' Targeting Governments, Humanitarian Entities | SecurityWeek.Com

• China's APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload (darkreading.com)

• Chinese takeover of tech company blocked over security fears (telegraph.co.uk)

• 3 ways China's access to TikTok data is a security risk | CSO Online

• Montana flagged bugs in cow app exploited in alleged China hack | Business and Economy | Al Jazeera

• APT41 group: 4 malicious campaigns, 13 victims, new tools and techniques - Help Net Security

Nation State Actors – North Korea

• North Korean hackers use signed macOS malware to target IT job seekers (bleepingcomputer.com)

• Mac Attack: North Korea's Lazarus APT Targets Apple's M1 Chip (darkreading.com)

Vulnerability Management

• Zero Day Initiative seeing an increase in failed patches (techtarget.com)

• Vulnerability Broker Applies Pressure on Software Vendors Shipping Faulty, Incomplete Patches | SecurityWeek.Com

• Which Security Bugs Will Be Exploited? Researchers Create an ML Model to Find Out (darkreading.com)

Vulnerabilities

• CISA adds 7 vulnerabilities to list of bugs exploited by hackers (bleepingcomputer.com)

• Google patches yet another Chrome zero-day vulnerability (techtarget.com)

• Chrome browser gets 11 security fixes with 1 zero-day – update now! – Naked Security (sophos.com)

• Cisco fixes High-Severity bug in Secure Web Appliance - Security Affairs

• Exploit out for critical Realtek flaw affecting many networking devices (bleepingcomputer.com)

• Software Patches Flaw on macOS Could Let Hackers Bypass All Security Levels - Infosecurity Magazine (infosecurity-magazine.com)

• Safari 15.6.1 fixes a zero-day flaw actively exploited in the wild - Security Affairs

• Rapid7: Cisco ASA and ASDM flaws went unpatched for months (techtarget.com)

• Windows Vulnerability Could Crack DC Server Credentials Open (darkreading.com)

• ÆPIC and SQUIP Vulnerabilities Found in Intel and AMD Processors (thehackernews.com)

• PoC exploit code for the critical Realtek RCE flaw released online - Security Affairs

Other News

• Exploiting stolen session cookies to bypass multi-factor authentication (MFA) - Help Net Security

• The Future of Endpoint Management | SecurityWeek.Com

• Janet Jackson music video given CVE for crashing laptops • The Register

• More Evil Markets | How It's Never Been Easier To Buy Initial Access To Compromised Networks - SentinelOne

• How aware are organisations of the importance of endpoint management security? - Help Net Security

• The Future of Cyber Security is Prevention | SecurityWeek.Com

• Signal/Twilio Incident - How Secure Are SMS Verifications? Experts Weigh (informationsecuritybuzz.com)

• DigitalOcean Discloses Impact From Recent Mailchimp Cyber Attack | SecurityWeek.Com

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Three Ransomware Gangs Consecutively Attacked the Same Network

Hive, LockBit and BlackCat, three prominent ransomware gangs, consecutively attacked the same network, according to Sophos. The first two attacks took place within two hours, and the third attack took place two weeks later. Each ransomware gang left its own ransom demand, and some of the files were triple encrypted.

It’s bad enough to get one ransomware note, let alone three. Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted. Cyber security that includes prevention, detection and response is critical for organisations of any size and type—no business is immune.

The “Multiple Attackers: A Clear and Present Danger” whitepaper further outlines additional cases of overlapping cyber attacks, including cryptominers, remote access trojans (RATs) and bots. In the past, when multiple attackers have targeted the same system, the attacks usually occurred across many months or multiple years. The attacks described in Sophos’ whitepaper took place within days or weeks of each other—and, in one case, simultaneously—often with the different attackers accessing a target’s network through the same vulnerable entry point.

Typically, criminal groups compete for resources, making it more difficult for multiple attackers to operate simultaneously. Cryptominers normally kill their competitors on the same system, and today’s RATs often highlight bot killing as a feature on criminal forums. However, in the attack involving the three ransomware groups, for example, BlackCat—the last ransomware group on the system—not only deleted traces of its own activity, but also deleted the activity of LockBit and Hive.

In another case, a system was infected by LockBit ransomware. Then, about three months later, members of Karakurt Team, a group with reported ties to Conti, was able to leverage the backdoor LockBit created to steal data and hold it for ransom.

https://www.helpnetsecurity.com/2022/08/09/ransomware-gangs-attacks/

• As The Cost of Cyber Insurance Rises, The Number of Organisations Who Can’t Afford It Is Set to Double

The number of organisations that will be either unable to afford cyber insurance, be declined cover, or experience significant coverage limitations is set to double in 2023, according to Huntsman Security.

Even for those insured, the perfect storm of ongoing attacks, tightening regulations and growing financial pressures is making it more likely that any attack on an organisation will leave it exposed.

Factors like the supply chain crisis, inflation and skill shortages are all adding to the difficulty for organisations trying to execute on their cyber security strategy. At the same time, increases in insurance premiums, limits on coverage, increasing underwriting rigour, and capacity constraints are all limiting the accessibility of cyber insurance, for many.

Loss ratios will not improve until premium incomes better match the current level of pay-outs. With this reduced insurance access alongside increasing cyber threats and tightening regulations, many organisations are losing cyber insurance as an important risk management tool. Even those who can still get insurance are paying a prohibitively high cost.

With a third of UK firms subject to cyber attacks at least once a week, cyber insurance as part of overall risk management is crucial. To bridge this accessibility gap insurers are seeking to improve the quality of risk information, so premiums better reflect the true cost of that risk. Unless organisations can demonstrate they have insurers’ specified controls in place to manage their security risks, insurers will continue to have difficulty quantifying that risk. It’s for these reasons that insurers have changed the basis upon which their products are offered to reflect the risk being underwritten more accurately.

In this environment, improving and demonstrating the effectiveness of security controls will now be essential: both for organisations looking to improve their cyber resilience and oversight while enhancing their eligibility for insurers, and for insurers who need to minimise their own exposure by ensuring the accuracy of their risk pricing process.

https://www.helpnetsecurity.com/2022/08/11/afford-cyber-insurance/

• Identity Cyber Attacks, Microsoft 365 Dominate Cyber Security Incidents, Expel Research Finds

Identity-based cyber attacks (including credential theft, credential abuse and long-term access key theft) accounted for 56% of all incidents in Q2 of 2022, and Microsoft 365 remained the prime target for SaaS attacks, according to Expel’s Quarterly Threat Report.

Among the key findings:

• Business email compromise (BEC) and business application compromise (BAC) access to application data represented 51% of all incidents.

• Identity-based attacks in popular cloud environments like Amazon Web Services (AWS) accounted for 5%.

• Ransomware groups change tactics, with threat groups and their affiliates all but abandoning the use of Visual Basic for Application (VBA) macros and Excel 4.0 macros to gain initial entry to Windows-based environments. In Q1, a macro-enabled Microsoft Word document (VBA macro) or Excel 4.0 macro was the initial attack vector in 55% of all pre-ransomware incidents. In Q2, that figure fell sharply to 9%. Instead, ransomware operators opted to use disk image (ISO), short-cut (LNK) and HTML application (HTA) files to gain initial entry.

• Cloud attacks are becoming more sophisticated, with 14% of identity attacks against cloud identity providers tackling the multi-factor authentication (MFA) requirement by continuously sending push notifications.

• Microsoft 365 is a common threat target, with BEC in Microsoft Office 365 (O365) remaining the top threat to organisations in Q2. 45% of all Q2 incidents were BEC attempts in O365. No BEC attempts were identified in Google Workspaces. 19% of BEC attempts bypassed MFA in O365 using legacy protocols, a 16% increase of compared to Q1.

https://www.msspalert.com/cybersecurity-research/identity-cyberattacks-targeting-microsoft-365-dominate-cybersecurity-incidents-expel-research-finds/

• Exploit Activity Surges 150% in Q2 Thanks to Log4Shell

Detections of malware events, botnet activity and exploits all increased significantly in the second quarter of 2022, according to new data from Nuspire.

The managed security services provider (MSSP) gathered the data from its endpoint detection and response (EDR) and managed detection and response (MDR) tools to produce its Q2 2022 Quarterly Threat Report.

The company recorded an increase in malware events of over 25%, a doubling of botnet detections and a rise in exploit activity of 150% versus the first quarter.

Botnet activity in particular surged towards the end of Q2, thanks to the Torpig Mebroot botnet – a banking trojan designed to scrape credit card and payment information from infected devices, the report revealed. Nuspire claimed it is particularly difficult to detect and remove, because it targets a machine’s master boot record.

It attributed much of the surge in exploit activity to the persistent threat posed by the Log4j bugs discovered at the end of December 2021. At the time, experts warned that the ubiquity of the utility, and the difficulty many organisations have in finding all instances of the CVE due to complex Java dependencies, means it may be exploited for years.

https://www.infosecurity-magazine.com/news/exploit-activity-150-q2-log4shell/

• Ransomware Is Not Going Anywhere: Attacks Are Up 24%

Avast released a report revealing a significant increase in global ransomware attacks, up 24% from Q1/2022. Researchers also uncovered a new zero-day exploit in Chrome, as well as signals of how cyber criminals are preparing to move away from macros as an infection vector.

After months of decline, global ransomware attacks increased significantly in Q2/2022, up 24% from the previous quarter. The highest quarter-on-quarter increases in ransomware risk ratio occurred in Argentina (+56%), UK (+55%), Brazil (+50%), France (+42%), and India (+37%).

Businesses and consumers should be on guard and prepared for encounters with ransomware, as the threat is not going anywhere anytime soon.

The decline in ransomware attacks observed in Q4/2021 and Q1/2022 were thanks to law enforcement agencies busting ransomware group members, and caused by the war in Ukraine, which also led to disagreements within the Conti ransomware group, halting their operations. Things dramatically changed in Q2/2022. Conti members have now branched off to create new ransomware groups, like Black Basta and Karakurt, or may join other existing groups, like Hive, BlackCat, or Quantum, causing an uptick in activity.

https://www.helpnetsecurity.com/2022/08/12/increase-ransomware-attacks/

• Email Is the Single Biggest Threat to Businesses, And Here’s What You Can Do About It

Email remains one of the most popular methods of communication, particularly for business communications. There were 316.9 billion emails sent and received every day in 2021, and this is set to increase to 376.4 billion by 2025. But despite the scale of its use and how much people exchange confidential information over email, it is not a secure system by design.

Consequently, email is a major attack vector for organisations of all sizes. Deloitte found that 91% of all cyber attacks originate from a phishing email (an email that attempts to steal money, identity or personal information through a spoof website link that looks legitimate). The cost to organisations can be catastrophic with the National Cyber Security Centre (NCSC) reporting in August 2021 that phishing email attacks had cost UK organisations more than £5 million in the past 13 months.

It’s not enough for individuals to create complex passwords or rely on the security services of their email provider. Spam filters are not enough to stop malicious emails creeping into inboxes. Fortunately, safeguarding your emails with enterprise-grade email security doesn’t have to cost the earth or be hard to integrate so businesses of any size can protect themselves.

https://informationsecuritybuzz.com/articles/email-is-the-single-biggest-threat-to-businesses-and-heres-what-you-can-do-about-it/

• Realtek SDK Vulnerability Exposes Routers from Many Vendors to Remote Attacks

A serious vulnerability affecting the embedded Configurable Operating System (eCos) software development kit (SDK) made by Taiwanese semiconductor company Realtek could expose the networking devices of many vendors to remote attacks.

The security hole, tracked as CVE-2022-27255 and rated ‘high severity’, has been described as a stack-based buffer overflow that can allow a remote attacker to cause a crash or achieve arbitrary code execution on devices that use the SDK. An attack can be carried out through the wide area network (WAN) interface using specially crafted session initiation protocol (SIP) packets.

The Realtek eCos SDK is provided to companies that manufacture routers, access points and repeaters powered by RTL819x family SoCs. The SDK implements the base functionalities of the router, including the web administration interface and the networking stack. Vendors can build on top of this SDK to add custom functionality and their branding to the device.

Realtek informed customers about the eCos SDK vulnerability in March, when it announced the availability of a patch. However, it’s up to the original equipment manufacturer (OEM) using the SDK to ensure that the patch is distributed to end-user devices.

The vulnerability can be exploited remotely — directly from the internet — to hack affected routers running with default settings. No user interaction is required for successful exploitation.

https://www.securityweek.com/realtek-sdk-vulnerability-exposes-routers-many-vendors-remote-attacks

• Most Companies Are at An Entry-Level When It Comes to Cloud Security

Ermetic released a study by Osterman Research that found 84% of respondents were at an entry-level (one or two rating, with four being the highest) in terms of their cloud security capabilities.

The study found that only 16% ranked on the Ermetic Cloud Security Model at the top two levels, and 80% of companies said they lack a dedicated security team responsible for protecting cloud resources from threats.

“One of the most unexpected findings that emerged from this study was the lack of cloud security maturity among the largest enterprises surveyed,” said the author of the report. “Less than 10% of companies with more than 10,000 employees reported being at the top two maturity levels, while nearly 20% of smaller enterprises have achieved repeatable or automated & integrated cloud security capabilities.”

The report shows why new cloud data breaches are being reported all the time. Multi-cloud deployments, plus low investment in security, does not make for a good combination.

The new frontiers of cyber security, such as cloud security or internet of things (IoT) security are often at early stages of maturity. Organisations that are mature in their IT and data centre security are already overwhelmed and stretched thin and that’s why automation and simplification will help organisations accelerate their maturity in areas like cloud security.

There’s a mistaken belief that cloud computing environments inherently have security built-in — they don’t.

https://www.scmagazine.com/news/cloud-security/most-companies-are-at-an-entry-level-when-it-comes-to-cloud-security

• The Impact of Exploitable Misconfigurations on Network Security

Network professionals feel confident with their security and compliance practices but data suggests that they also leave their organisations open to risk, which is costing a significant amount of revenue, according to Titania.

In addition, some businesses are not minimising their attack surface effectively. Companies are prioritising firewall security and chronicle a fast time to respond to misconfigurations when detected in annual audits. However, switches and routers are only included in 4% of audits and these devices play a vital role in reducing an organisation’s attack surface and preventing lateral movement across the network.

Respondents also indicated that financial resources allocated to mitigating network configuration, which currently stands around 3.4% of the total IT budget, and a lack of accurate automation are limiting factors in misconfiguration risk management.

The study, which surveyed 160 senior cyber security decision-makers revealed:

• Misconfigurations cost organisations millions, up to 9% of their annual revenue but the true cost is likely to be higher.

• Compliance is a top priority, with 75% of organisations across all sectors saying their business relies on compliance to deliver security. Whilst almost every organisation reported that it is meeting its security and compliance requirements, this is at odds with a number of the other findings from the survey and other reports that show a decline in organisations maintaining full compliance with regulated data security standards.

• Remediation prioritisation is a challenge. 75% said their network security tools meant they could categorise and prioritise compliance risks ‘very effectively’. However, 70% report difficulties prioritising remediation based on risk and also claim inaccurate automation as the top challenges when meeting security and compliance requirements.

• Routers and switches are mostly overlooked. 96% of organisations prioritise the configuration and auditing of firewalls, but not routers or switches. This leaves these devices exposed to potentially significant and unidentified risks.

https://www.helpnetsecurity.com/2022/08/12/impact-exploitable-misconfigurations-network-security/

• Industrial Spy Ransomware: New Threat Group Emerges to Exfiltrate Data, Extort Victims

A new ransomware group dubbed Industrial Spy that first emerged in April 2022 is specialising in exfiltration and double extortion tactics and has the potential to do significant damage, Zscaler’s threat tracking team said.

The threat crew has shown that it possesses the capability to breach organisations and have been “actively adding unencrypted data from two or three victims every month,” Zscaler said. In some instances, the threat group appears to only exfiltrate and ransom data. In other cases, they encrypt, exfiltrate and ransom the data, the cloud security provider said.

At this point, it’s not clear who’s behind the threat entry or if it’s nation-state affiliated. The group started as a data extortion marketplace where criminals could buy large companies’ internal data, promoting the marketplace through Readme.txt files downloaded using malware downloaders.

In May, 2022, the threat group introduced their own ransomware to create double extortion attacks that combine data theft with file encryption.

What you need to know:

• Industrial Spy started by ransoming stolen data and more recently has combined these attacks with ransomware.

• The threat group exfiltrates and sells data on their dark web marketplace, but does not always encrypt a victim’s files.

• The ransomware utilises a combination of RSA and 3DES to encrypt files.

• Industrial Spy lacks many common features present in modern ransomware families.

• The Industrial Spy ransomware family is relatively basic, and parts of the code appear to be in development.

https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/new-ransomware-family-industrial-spy-emerges-to-exfiltrate-data-extort-victims/

• UK NHS Service Recovery May Take a Month After MSP Ransomware Attack

Managed service provider (MSP) Advanced confirmed that a ransomware attack on its systems disrupted emergency services (111) from the United Kingdom's National Health Service (NHS). Customers of seven solutions from the British MSP have been impacted either directly or indirectly, the company said. The first has stated it could take a month to recover systems to full service.

The ransomware attack started to disrupt Advanced systems on Thursday, August 4 and was identified around 7 AM. It caused a major outage to NHS emergency services across the UK.

Advanced did not disclose the ransomware group behind the attack but said that it took immediate action to mitigate the risk and isolated Health and Care environments where the incident was detected. The company is working with forensic experts from Microsoft (DART) and Mandiant, who are also helping bring the affected systems back online securely and with added defences:

• Implementing additional blocking rules and further restricting privileged accounts for Advanced staff

• Scanning all impacted systems and ensuring they are fully patched

• Resetting credentials

• Deploying additional endpoint detection and response agents

• Conducting 24/7 monitoring

After implementing the security measures above, Advanced said it would restore connectivity to its environments and assist customers to gradually reconnect safely and securely.

https://www.bleepingcomputer.com/news/security/uk-nhs-service-recovery-may-take-a-month-after-msp-ransomware-attack/

• A Single Flaw Broke Every Layer of Security in MacOS

Every time you shut down your Mac, a pop-up appears: “Are you sure you want to shut down your computer now?” Nestled under the prompt is another option most of us likely overlook: the choice to reopen the apps and windows you have open now when your machine is turned back on. Researchers have now found a way to exploit a vulnerability in this “saved state” feature—and it can be used to break the key layers of Apple’s security protections.

The vulnerability, which is susceptible to a process injection attack to break macOS security, could allow an attacker to read every file on a Mac or take control of the webcam. It's basically one vulnerability that could be applied to three different locations.

https://www.wired.com/story/a-single-flaw-broke-every-layer-of-security-in-macos/

Threats

Ransomware

• Cisco hacked by Yanluowang ransomware gang, 2.8GB allegedly stolen (bleepingcomputer.com)

• Ransomware, email compromise are top security threats, but deepfakes increase | CSO Online

• Feds: Zeppelin Ransomware Resurfaces with New Compromise, Encryption Tactics | Threatpost

• Black Basta: New ransomware threat aiming for the big league | CSO Online

• Could criminalizing ransomware payments put a stop to the current crime wave? - Help Net Security

• 7-Eleven Denmark confirms ransomware attack behind store closures (bleepingcomputer.com)

• Update: Colosseum Dental Benelux pays ransom to threat actors (databreaches.net)

• SolidBit Ransomware Group Recruiting New Affiliates on Dark Web - Infosecurity Magazine

• Fears for patient data after ransomware attack on NHS software supplier | NHS | The Guardian

• US reveals 'Target' pic of Conti man with $10m reward offer • The Register

• Organisations would like the government to help with ransomware demand costs - Help Net Security

• Hacker uses new RAT malware in Cuba Ransomware attacks (bleepingcomputer.com)

• Maui ransomware linked to North Korean group Andariel • The Register

• How to Stop Zeppelin Ransomware Attacks: CISA, FBI Mitigation Guidance - MSSP Alert

• Novel Ransomware Comes to the Sophisticated SOVA Android Banking Trojan (darkreading.com)

• US govt will pay you $10 million for info on Conti ransomware members (bleepingcomputer.com)

Phishing & Email Based Attacks

• LogoKit update: The phishing kit leveraging open redirect vulnerabilities - Help Net Security

• Phishing site masquerading "Have I Been Pwned" website detected. Be careful as very similar URL (exploitone.com)

Other Social Engineering; SMishing, Vishing, etc

• Hackers Behind Twilio Breach Also Targeted Cloudflare Employees (thehackernews.com)

• SMS phishing nabs Twilio employee credentials, allowed access customer data (scmagazine.com)

Malware

• Cyber criminals Shift From Macros to Shortcut Files to Hack Business PCs, HP Reports - Infosecurity Magazine

• Emotet Tops List of July's Most Widely Used Malware - Infosecurity Magazine

• Top malware strains observed in 2021 | Security Magazine

• Microsoft blocks UEFI bootloaders enabling Windows Secure Boot bypass (bleepingcomputer.com)

Mobile

• Google researchers dissect Android spyware, zero days (techtarget.com)

• Novel Ransomware Comes to the Sophisticated SOVA Android Banking Trojan (darkreading.com)

• Xiaomi Phones with MediaTek Chips Found Vulnerable to Forged Payments (thehackernews.com)

• Hackers install Dracarys Android malware using modified Signal app (bleepingcomputer.com)

Internet of Things – IoT

• The Time Is Now for IoT Security Standards (darkreading.com)

• Introducing the book: If It's Smart, It's Vulnerable - Help Net Security

Organised Crime & Criminal Actors

• Cisco hacked by access broker with Lapsus$ ties (techtarget.com)

• New dark web markets claim association with criminal cartels (bleepingcomputer.com)

• Dark Utilities C2 service draws thousands of cyber criminals • The Register

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Email marketing firm hacked to steal crypto-focused mailing lists (bleepingcomputer.com)

• Swan Bitcoin Discloses Data Leak Due to Phishing Attack on Newsletter Provider - Decrypt

• Phishers Swim Around 2FA in Coinbase Account Heists | Threatpost

• Crypto and the US government are headed for a decisive showdown | Ars Technica

• Cameo’s CEO fell victim to the latest Bored Ape NFT heist - The Verge

Fraud, Scams & Financial Crime

• “Hi Mum” Phishing Scam Swindles Unsuspecting Parents (informationsecuritybuzz.com)

• How hackers are stealing credit cards from classifieds sites (bleepingcomputer.com)

• Why robotexts are scammers' favourite new tool - CyberScoop

AML/CFT/Sanctions

• US Sanctions Crypto 'Laundering' Service Tornado | SecurityWeek.Com

• Virtual Currency Platform ‘Tornado Cash’ Accused of Aiding APTs | Threatpost

• Greece Flies Russian Money Launderer to US: Lawyer | SecurityWeek.Com

Insurance

• BlackBerry Study: Most SMBs Have Less Than $600K in Ransomware Coverage - MSSP Alert

• Number Of Firms Unable To Access Cyber-Insurance Set To Double (informationsecuritybuzz.com)

• Australian court finds insurer not liable for ransomware clean-up costs - Security - iTnews

Cloud/SaaS

• Implementing zero trust for a secure hybrid working enterprise - Help Net Security

• How to Clear Security Obstacles and Achieve Cloud Nirvana (darkreading.com)

• Why SAP systems need to be brought into the cyber security fold - Help Net Security

Open Source

• Chinese hackers backdoor chat app with new Linux, macOS malware (bleepingcomputer.com)

Social Media

• Facebook's Metaverse is Expanding the Attack Surface (trendmicro.com)

• Meta's chatbot says the company 'exploits people' - BBC News

• Facebook’s In-app Browser on iOS Tracks ‘Anything You Do on Any Website’ | Threatpost

Training, Education and Awareness

• 25% of employees don't care enough about cyber security to report a security incident - Help Net Security

Privacy

• Facebook’s In-app Browser on iOS Tracks ‘Anything You Do on Any Website’ | Threatpost

Travel

• Don't get stung by these fake holiday cyber-scams this summer | TechRadar

Parental Controls and Child Safety

• Predator Pleads Guilty After Targeting Thousands of Young Girls Online - Infosecurity Magazine

• Huge rise in self-generated child sexual abuse content online, report finds | Internet safety | The Guardian

• Online sexual blackmail of primary school children surges since lockdown (telegraph.co.uk)

Models, Frameworks and Standards

• Compliance Certifications: Worth the Effort? (darkreading.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Russia's digital attacks are haphazard, chaotic, says top Ukrainian cyber official - CyberScoop

• Cyberspying Aimed at Industrial Enterprises in Russia and Ukraine Linked to China | SecurityWeek.Com

• Killnet Releases 'Proof' of its Attack Against Lockheed Martin | SecurityWeek.Com

• Meta Cracks Down on Cyber Espionage Operations in South Asia Abusing Facebook (thehackernews.com)

• New Hacker Forum Takes Pro-Ukraine Stance | Threatpost

• Ex Twitter employee found guilty of spying for Saudi Arabia - Security Affairs

• Ex-CIA security boss predicts coming crackdown on spyware • The Register

Nation State Actors

Nation State Actors – Russia

• Russia Is Escalating Ukraine Hacking, Black Hat Research Says (gizmodo.com)

• Russian invasion has destabilized cyber security norms • The Register

• Russia-Ukraine Conflict Holds Cyberwar Lessons (darkreading.com)

• Industroyer2: How Ukraine avoided another blackout attack (techtarget.com)

Nation State Actors – China

• Chinese Hackers May Be Behind Attacks Targeting Eastern Europe and Afghanistan - Infosecurity Magazine

• China-linked spies used six backdoors to steal defence info • The Register

• Mandiant researchers uncover significant new disinformation campaign (securitybrief.co.nz)

• Stats say Chinese researchers are not deterred by China's vulnerability law (scmagazine.com)

• Chinese scammers target kids with promise of extra gaming • The Register

• Chinese hackers backdoor chat app with new Linux, macOS malware (bleepingcomputer.com)

Nation State Actors – North Korea

• North Korea Allegedly Stole Millions of Dollars Worth of Crypto Assets - IT Security Guru

• Maui ransomware linked to North Korean group Andariel • The Register

• North Korean hackers target crypto experts with fake Coinbase job offers (bleepingcomputer.com)

Vulnerability Management

• Google's bug bounty boss: Finding vulns is 'totally useless' • The Register

• Patch Madness: Vendor Bug Advisories Are Broken, So Broken (darkreading.com)

• Human Threat Hunters Are Essential to Thwarting Zero-Day Attacks (darkreading.com)

Vulnerabilities

• Microsoft Patches ‘Dogwalk’ Zero-Day and 17 Critical Flaws | Threatpost

• Cisco Patches High-Severity Vulnerability Affecting ASA and Firepower Solutions (thehackernews.com)

• Yet another Microsoft RCE bug under active exploit • The Register

• Palo Alto Networks: New PAN-OS DDoS flaw exploited in attacks (bleepingcomputer.com)

• CISA adds UnRAR and Windows flaws to Known Exploited Vulnerabilities Catalog - Security Affairs

• Zimbra auth bypass bug exploited to breach over 1,000 servers (bleepingcomputer.com)

• Researchers Debut Fresh RCE Vector for Common Google API Tool (darkreading.com)

• Surge in CVEs as Microsoft Fixes Exploited Zero Day Bugs - Infosecurity Magazine

• Risky Business: Enterprises Can’t Shake Log4j flaw - Security Affairs

• Years after claiming DogWalk wasn't a vulnerability, Microsoft confirms flaw is being exploited and issues patch (bitdefender.com)

• Three flaws allow attackers to bypass UEFI Secure Boot feature - Security Affairs

• Windows devices with newest CPUs are susceptible to data damage (bleepingcomputer.com)

• Critical Flaws Disclosed in Device42 IT Asset Management Software (thehackernews.com)

• Cisco fixed a flaw in ASA, FTD devices that can give access to RSA private key - Security Affairs

• Organisations Warned of Critical Vulnerabilities in NetModule Routers | SecurityWeek.Com

• 4 Flaws, Other Weaknesses Undermine Cisco ASA Firewalls (darkreading.com)

• New vulnerability in AMD Ryzen CPUs could seriously jeopardize performance | TechRadar

• ÆPIC Leak: Architectural Bug in Intel CPUs Exposes Protected Data | SecurityWeek.Com

• Microsoft Paid $13.7 Million via Bug Bounty Programs Over Past Year | SecurityWeek.Com

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

Other News

• Microsoft 365 outage triggered by Meraki firewall false positive (bleepingcomputer.com)

• Why VPN no longer has a place in a secure work environment | TechRadar

• VMware: The threat of lateral movement is growing (techtarget.com)

• 36% of orgs expose insecure FTP protocol to the internet, and some still use Telnet - Help Net Security

• 5 key things learned from CISOs of smaller enterprises survey - Help Net Security

• Stolen credentials are the most common attack vector companies face - Help Net Security

• Your cyber security staff are burned out - and many have thought about quitting | ZDNet

• Researchers Use ‘Invisible Finger’ to Remotely Control Touchscreens (vice.com)

• Businesses are struggling to balance security and end-user experience - Help Net Security

• Starlink Successfully Hacked Using $25 Modchip | Threatpost

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive Summary

Microsoft’s August Patch Tuesday provides updates to address security issues across its product range, including several critical patches. The standout patch in this release is for a Zero-Day flaw, affecting both client and server version of Windows, that is being actively exploited in the wild. This flaw is present within the Microsoft Windows Support Diagnostic Tool (MSDT), which is the same windows component that previously made headlines with the Follina zero day (CVE-2022-30190).

Security updates have also been released for other Microsoft products to tackle different issues, including privilege escalation flaws within Microsoft Exchange servers.

What’s the risk to me or my business?

Security updates are available for all supported versions of Windows. As some of these updates address vulnerabilities that are known to be actively exploited, the updates should be applied as soon as possible, particularly as this release contains a patch for an actively exploited Zero-day.

What can I do?

Apply the available updates from Microsoft as soon as possible, while taking into consideration any potential downtime that these updates may cause.

Technical Summary

The Zero-Day exploit, CVE-2022-34713, requires an end user to either open a crafted file sent as an email attachment, or through a link clicked on a website. This then in turn exploits the vulnerability within the Windows component, granting access to the malicious attacker to execute remote code on the victims computer. Microsoft reinforces the message that further awareness is required to upskill employees to be wary of these types of attacks, since malicious documents and links are a common attack vector which are still being used by attackers to great effect. Further information on this particular vulnerability is available here: CVE-2022-34713 - Security Update Guide - Microsoft - Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability

Further details on other specific updates within this Patch Tuesday can be found here: Microsoft Windows Security Updates August 2022 overview - gHacks Tech News

Need help understanding your gaps, or just want some advice? Get in touch with us.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Average Cost of Data Breaches Hits Record High of $4.35 Million: IBM

The global average cost of data breaches reached an all-time high of $4.35 million in 2022 compared with $4.24 million in 2021, according to a new IBM Security report. About 60% of the breached organisations raised product and services prices due to the breaches.

The annual report, conducted by Ponemon Institute and analysed and sponsored by IBM Security, is based on the analysis of real-world data breaches experienced by 550 organisations globally between March 2021 and March 2022.

According to the report, about 83% of the organisations have experienced more than one breach in their lifetime, with nearly half of the costs reported to be incurred more than a year after the breach.

The report revealed that ransomware and destructive attacks represented 28% of breaches among the critical infrastructure organisations studied, indicating that threat actors are specifically targeting the sector to disrupt global supply chains. The critical infrastructure sector includes financial services, industrial, transportation, and healthcare companies.

https://www.csoonline.com/article/3668655/average-cost-of-data-breaches-hits-record-high-of-435-million-ibm.html#tk.rss_news

• Researchers Warns of Large-Scale Adversary-in-the-Middle (AiTM) Attacks Targeting Enterprise Users

A new, large-scale phishing campaign has been observed using adversary-in-the-middle (AitM) techniques to get around security protections and compromise enterprise email accounts.

It uses a technique capable of bypassing multi-factor authentication. The campaign is specifically designed to reach end users in enterprises that use Microsoft's email services.

Prominent targets include fintech, lending, insurance, energy, manufacturing, and federal credit union verticals located in the US, UK, New Zealand, and Australia.

This is not the first time such a phishing attack has come to light. Last month, Microsoft disclosed that over 10,000 organisations had been targeted since September 2021 by means of AitM techniques to breach accounts secured with multi-factor authentication (MFA).

The ongoing campaign, effective June 2022, commences with an invoice-themed email sent to targets containing an HTML attachment, which includes a phishing URL embedded within it.

https://thehackernews.com/2022/08/researchers-warns-of-large-scale-aitm.html

• UK NHS Suffers Outage After Cyber Attack on Managed Service Provider

The UK National Health Service (NHS) 111 emergency services were affected by a significant and ongoing outage triggered by a cyber attack that hit the systems of British managed service provider (MSP) Advanced.

Advanced's Adastra client patient management solution, which is used by 85% of NHS 111 services, was hit by a major outage together with several other services provided by the MSP, according to a status page.

"There was a major outage of a computer system that is used to refer patients from NHS 111 Wales to out-of-hours GP providers," the Welsh Ambulance Services said. "This system is used by Local Health Boards to coordinate these services for patients. The ongoing outage is significant and has been far-reaching, impacting each of the four nations in the UK."

The UK public was advised to access the NHS 111 emergency services using the online platform until the incident is resolved.

While no details were provided regarding the nature of the cyber attack, based on the wording, it is likely that this was a ransomware or data extortion attack.

https://www.bleepingcomputer.com/news/security/uk-nhs-suffers-outage-after-cyberattack-on-managed-service-provider/

• A Third of Organisations Experience a Ransomware Attack Once a Week

Ransomware attacks show no sign of slowing. According to new research published by Menlo Security, a third of organisations experience a ransomware attack at least once a week, with one in 10 experiencing them more than once a day.

The research, conducted among 500+ IT security decision makers at US and UK organisations with more than 1,000 employees, highlights the impact this is having on security professionals’ own wellbeing. When asked what keeps them awake at night, 41% of respondents say they worry about ransomware attacks evolving beyond their team’s knowledge and skillset, while 39% worry about them evolving beyond their company’s security capabilities.

Their biggest concern, however, is the risk of employees ignoring corporate security advice and clicking on links or attachments containing malware (46%). Respondents worry more about this than they do their own job security, with just a quarter (26%) of respondents worried about losing their job.

According to the report, around half of organisations (61% US and 44% UK) have been the victim of a successful ransomware attack in the last 18 months, with customers and prospects the most likely entry point for an attack.

Partners/suppliers and employees/contractors are also seen as serious security risks, although one in 10 admit they are unable to identify how the attacks got in. The top three ransomware attack vectors are email (54%), web browsers via a desktop or laptop (49%) and mobile devices (39%).

https://www.helpnetsecurity.com/2022/08/04/organizations-experience-ransomware-attack/

• Ransomware Products and Services Ads on Dark Web Show Clues to Danger

Why is ransomware’s destructive potential so daunting? Some clues are in the “for sale” ads. In an examination of some 35 million dark web URLs, a provider of machine identity management and a forensic specialist found some 475 web pages peddling sophisticated ransomware products and services with a number of high profile crews hawking ransomware-as-a-service.

The work is a joint effort between the Salt Lake City-based Venafi and Forensic Pathways, which took place between November 2021 and March 2022. Researchers used Forensic’s Dark Search Engine to carry out the investigation.

Here are some of the research findings:

• 87% of the ransomware found on the dark web has been delivered via malicious macros to infect targeted systems.

• 30 different “brands” of ransomware were identified within marketplace listings and forum discussions.

• Many strains of ransomware being sold — such as Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear and WannaCry — have been successfully used in high-profile attacks.

• Ransomware strains used in high-profile attacks command a higher price for associated services. For example, the most expensive listing was $1,262 for a customised version of Darkside ransomware, which was used in the Colonial Pipeline ransomware attack.

• Source code listings for well-known ransomware generally command higher price points. For example, Babuk source code is listed for $950 and Paradise source code is selling for $593.

Ransomware Sold for as Little as $1: In addition to a variety of ransomware at various price points, a wide range of services and tools that help make it easier for attackers with minimal technical skills to launch ransomware attacks are for sale on the dark web, Venafi said. Services with the greatest number of listings include those offering source code, build services, custom development services and ransomware packages that include step-by-step tutorials.

https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/ransomware-products-services-ads-on-dark-web-show-clues-to-danger/

• Wolf In Sheep’s Clothing: How Malware Tricks Users and Antivirus

One of the primary methods used by malware distributors to infect devices is by deceiving people into downloading and running malicious files, and to achieve this deception, malware authors are using a variety of tricks.

Some of these tricks include masquerading malware executables as legitimate applications, signing them with valid certificates, or compromising trustworthy sites to use them as distribution points.

According to VirusTotal, a security platform for scanning uploaded files for malware, some of these tricks are happening on a much larger scale than initially thought.

The platform has compiled a report presenting stats from January 2021 until July 2022, based on the submission of two million files daily, illustrating trends in how malware is distributed.

• Abusing legitimate domains: Distributing malware through legitimate, popular, and high-ranking websites allows threat actors to evade IP-based blocklists, enjoy high availability, and provide a greater level of trust.

• Using stolen code-signing certificates: Signing malware samples with valid certificates stolen from companies is a reliable way to evade AV detection and security warnings on the host. Of all the malicious samples uploaded to VirusTotal between January 2021 and April 2022, over a million were signed, and 87% used a valid certificate.

• Disguised as popular software: Masquerading a malware executable as a legitimate, popular application has seen an upward trend in 2022. Victims download these files thinking they’re getting the applications they need, but upon running the installers, they infect their systems with malware. The most mimicked applications are Skype, Adobe Acrobat, VLC, and 7zip.

• Lacing legitimate installers - Finally, there’s the trick of hiding malware inside legitimate application installers and running the infection process in the background while the real apps execute in the foreground. Based on VirusTotal stats, this practice also appears to be on the rise this year, using Google Chrome, Malwarebytes, Windows Updates, Zoom, Brave, Firefox, ProtonVPN, and Telegram as lures.

https://www.bleepingcomputer.com/news/security/wolf-in-sheep-s-clothing-how-malware-tricks-users-and-antivirus/

• Microsoft Accounts Targeted with New MFA-Bypassing Phishing Kit

A new large-scale phishing campaign targeting credentials for Microsoft email services use a custom proxy-based phishing kit to bypass multi-factor authentication.

Researchers believe the campaign's goal is to breach corporate accounts to conduct BEC (business email compromise) attacks, diverting payments to bank accounts under their control using falsified documents.

The phishing campaign's targets include fin-tech, lending, accounting, insurance, and Federal Credit Union organisations in the US, UK, New Zealand, and Australia.

The campaign was discovered by Zscaler's ThreatLabz researchers, who report that the operation is still ongoing, and the phishing actors register new phishing domains almost daily.

Starting in June 2022, Zscaler's analysts noticed a spike in sophisticated phishing attempts against specific sectors and users of Microsoft email services.

Some of the newly registered domains used in the campaign are typo-squatted versions of legitimate domains.

Notably, many phishing emails originated from the accounts of executives working in these organisations, whom the threat actors most likely compromised earlier.

https://www.bleepingcomputer.com/news/security/microsoft-accounts-targeted-with-new-mfa-bypassing-phishing-kit/

• Cyber Attack Prevention Is Cost-Effective, So Why Aren’t Businesses Investing to Protect?

Cyber attacks like ransomware, BEC scams and data breaches are some of the key issues businesses are facing today, but despite the number of high-profile incidents, many boardrooms are reluctant to free up budget to invest in the cyber security measures necessary to avoid becoming the next victim.

In a Help Net Security interview, Former Pentagon Chief Strategy Officer Jonathan Reiber, VP Cyber security Strategy and Policy, AttackIQ, discusses how now, more than ever, companies need to protect themselves from cyber threat actors. He offers insight for CISOs, from talking to the Board to proper budget allocation.

https://www.helpnetsecurity.com/2022/08/01/cyberattack-prevention-investing/

• Securing Your Move to the Hybrid Cloud

The combination of private and public cloud infrastructure, which most organisations are already using, poses unique security challenges. There are many reasons why organisations adopt the public cloud, from enabling rapid growth without the burden of capacity planning to leveraging flexibility and agility in delivering customer-centric services. However, this use can leave companies open to threats.

Since regulatory requirements or other preferences dictate that certain applications remain on private (on-prem) infrastructure, many organisations choose to maintain a mix of private and public infrastructure. Additionally, organisations typically use multiple cloud providers simultaneously or preserve the option to move between providers. However, this hybrid approach presents unique and diverse security challenges. Different cloud providers and private cloud platforms may offer similar capabilities but different ways of implementing security controls, along with disparate management tools.

The question then becomes: How can an organisation maintain consistent governance, policy enforcement and controls across different clouds? And how can it ensure that it maintains its security posture when moving between them? Fortunately, there are steps professionals can take to ensure that applications are continuously secure, starting from the early stages of development and extending throughout the lifecycle.

https://threatpost.com/secure-move-cloud/180335/

• Lessons from the Russian Cyber Warfare Attacks

Cyber warfare tactics may not involve tanks and bombs, but they often go hand-in-hand with real combat.

The Russian invasion of Ukraine is a prime example. Before Russian troops crossed the border, Russian hackers had already taken down Ukrainian government websites. And after the conflict started, the hacktivist group Anonymous turned the tables by hacking Russian media to shut down propaganda about the war.

In these unprecedented times of targeted attacks against governments and financial institutions, every organisation should be on heightened alert about protecting their critical infrastructure and digital attack surface.

With the Russia-Ukraine conflict as a backdrop, two Trend Micro security experts recently discussed cyber warfare techniques and how they’re an important reminder for every business to proactively manage cyber risk.

https://www.trendmicro.com/en_us/ciso/22/h/russian-cyber-warfare-attacks.html

• Four Sneaky Attacker Evasion Techniques You Should Know About

Remember those portrayals of hackers in the 80s and 90s where you just knew when you got pwned? A blue screen of death, a scary message, a back-and-forth text exchange with a hacker—if you got pwned in a movie in the 80s and 90s, you knew it right off the bat.

What a shame that today’s hackers have learned to be quiet when infiltrating an environment. Sure, “loud” attacks like ransomware still exist, but threat actors have learned that if they keep themselves hidden, they can usually do far more damage. For hackers, a little stealth can go a long way. Some attack tactics are inherently quiet, making them arguably more dangerous as they can be harder to detect. Here are four of these attack tactics you should know about.

1. Trusted Application Abuse: Attackers know that many people have applications that they inherently trust, making those trusted applications the perfect launchpad for cyber attacks. Threat actors know that defenders and the tools they use are often on the hunt for new malware presenting itself in environments. What isn’t so easy to detect is when the malware masquerades under legitimate applications.

2. Trusted Infrastructure Abuse: Much like trusted application abuse, trusted infrastructure abuse is the act of using legitimate, publicly hosted services and toolsets (such as Dropbox or Google Drive) as part of the attack infrastructure. Threat actors know that people tend to trust Dropbox and Google Drive. As a result, this makes these tools a prime means for threat actors to carry out malicious activity. Threat actors often find trusted infrastructure abuse easy because these services aren’t usually blocked at an enterprise’s gateway. In turn, outbound communications can hide in plain sight.

3. Obfuscation: Although cyber security has more than its fair share of tedious acronyms, the good news is that many terms can be broken down by their generic dictionary definitions. According to dictionary.com, this is what obfuscate means: “To make something unclear, obscure or difficult to understand.” And that’s exactly what it means in cyber security: finding ways to conceal malicious behaviour. In turn, this makes it more difficult for analysts and the tools they use to flag suspicious or malicious activity.

4. Persistence: Imagine writing up documentation using your computer, something you may well do in your role. You’ve spent a ton of time doing the research required, finding the right sources and compiling all your information into a document. Now, imagine not hitting save on that document and losing it as soon as you reboot your computer. Sound like a nightmare—or perhaps a real anxiety-inducing experience you’ve been through before? Threat actors agree. And that’s why they establish persistence. They don’t want all of their hard work to get into your systems in the first place to be in vain just because you restart your computer. They establish persistence to make sure they can still hang around even after you reboot.

https://www.msspalert.com/cybersecurity-guests/four-sneaky-attacker-evasion-techniques-you-should-know-about/

• Zero-Day Defence: Tips for Defusing the Threat

Because they leave so little time to patch and defuse, zero-day threats require a proactive, multi-layered approach based on zero trust.

The recent Atlassian Confluence remote code execution bug is just the latest example of zero-day threats targeting critical vulnerabilities within major infrastructure providers. The specific threat, an Object-Graph Navigation Language (OGNL) injection, has been around for years but took on new significance given the scope of the Atlassian exploit. And OGNL attacks are on the rise.

Once bad actors find such a vulnerability, proof-of-concept exploits start knocking at the door, seeking unauthenticated access to create new admin accounts, execute remote commands, and take over servers. In the Atlassian case, Akamai's threat research team identified that the number of unique IP addresses attempting these exploits grew to more than 200 within just 24 hours.

Defending against these exploits becomes a race against time worthy of a 007 movie. The clock is ticking and you don't have much time to implement a patch and "defuse" the threat before it's too late. But first you need to know that an exploit is underway. That requires a proactive, multi-layered approach to online security based on zero trust.

What do these layers look like? There are a number of different practices that security teams — and their third-party Web application and infrastructure partners — should be aware of.

https://www.darkreading.com/attacks-breaches/zero-day-defense-tips-for-defusing-the-threat

Threats

Ransomware

• Reported ransomware attacks are just the tip of the iceberg. That's a problem for everyone | ZDNet

• Initial Access Brokers - Key to Rise In Ransomware Attacks (informationsecuritybuzz.com)

• Ransomware gangs are hitting roadblocks, but aren't stopping (yet) - Help Net Security

• SonicWall: Ransomware Global Cyber Attack Volume Shrinks, Still Exceeds Totals for 2017-2019 - MSSP Alert

• 87% of the ransomware found on the dark web has been delivered via malicious macros - Help Net Security

• LockBit Ransomware Abuses Windows Defender for Payload Loading | SecurityWeek.Com

• German Chambers of Industry and Commerce hit by 'massive' cyber attack (bleepingcomputer.com)

• Brand-New HavanaCrypt Ransomware Poses as Google Software Update App Uses Microsoft Hosting Service IP Address as C&C Server (trendmicro.com)

• Ransomware Task Force releases SMB blueprint for defence and mitigation (scmagazine.com)

• Prepare for ransomware before you're hit • The Register

• German semiconductor giant Semikron says hackers encrypted its network | TechCrunch

• Ransomware Hit on European Pipeline & Energy Supplier Encevo Linked to BlackCat (darkreading.com)

• Luxembourg Energy Company Hit by Ransomware | SecurityWeek.Com

• Spanish research agency still recovering after ransomware attack (bleepingcomputer.com)

Phishing & Email Based Attacks

• Countdown Clock Puts Pressure on Phishing Targets - Infosecurity Magazine

• The most impersonated brand in phishing attacks? Microsoft - Help Net Security

• Open Redirect Flaw Snags Amex, Snapchat User Data | Threatpost

• American Express, Snapchat Open-Redirect Vulnerabilities Exploited in Phishing Scheme (darkreading.com)

• A new malware threat is spying on users' Gmail inbox — do this before you're next | Laptop Mag

• Massive New Phishing Campaign Targets Microsoft Email Service Users (darkreading.com)

• North Korean Hackers Use Browser Extension to Spy on Gmail and AOL Accounts - Infosecurity Magazine

Other Social Engineering; SMishing, Vishing, etc

• US FCC warns of the rise of smishing attacks - Security Affairs

Malware

• VirusTotal Reveals Most Impersonated Software in Malware Attacks (thehackernews.com)

• Gootkit Loader Resurfaces with Updated Tactic to Compromise Targeted Computers (thehackernews.com)

• Woody RAT: A new feature-rich malware spotted in the wild | Malwarebytes Labs

• VirusTotal: Threat Actors Mimic Legitimate Apps, Use Stolen Certs to Spread Malware (darkreading.com)

• New IoT RapperBot Malware Targeting Linux Servers via SSH Brute-Forcing Attack (thehackernews.com)

• New Linux malware brute-forces SSH servers to breach networks (bleepingcomputer.com)

• Credential Stealer Malware Raccoon Updated to Obtain Passwords More Efficiently - Infosecurity Magazine

• Attackers cause Discord discord with malicious npm packages • The Register

• Gootkit AaaS malware is still active and uses updated tactics - Security Affairs

Mobile

• Facebook finds new Android malware used by APT hackers (bleepingcomputer.com)

• Google Patches Critical Android Bluetooth Flaw in August Security Bulletin - Infosecurity Magazine

• Banking trojan finds new routes to accounts by infiltrating Google Play Store (scmagazine.com)

Internet of Things – IoT

• A Digital Home Has Many Open Doors (darkreading.com)

• All the Data Amazon's Ring Cameras Collect About You | WIRED

Organised Crime & Criminal Actors

• Thousands of hackers flock to 'Dark Utilities' C2-as-a-Service (bleepingcomputer.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Phishing campaign targets Coinbase wallet holders to steal cryptocurrency in real-time - Help Net Security

• Nearly $200 Million Stolen from Cryptocurrency Bridge Nomad | SecurityWeek.Com

• Crypto firm that promised security loses $200 million in 'frenzied free-for-all' hack | PC Gamer

• Nomad to crooks: Keep 10% as a bounty, return the rest • The Register

• Cyber attackers Drain Nearly $6M From Solana Crypto Wallets (darkreading.com)

• Man robbed of $800,000 in cryptocurrency sues Google • The Register

Insider Risk and Insider Threats

• T-Mobile Store Owner Made $25M Using Stolen Employee Credentials (darkreading.com)

Fraud, Scams & Financial Crime

• UK Branded Europe’s “Capital of Card Fraud” - Infosecurity Magazine

• Huge network of 11,000 fake investment sites targets Europe (bleepingcomputer.com)

• Online payment fraud losses accelerate at an alarming rate - Help Net Security

• COMMENT: 'Hi Mum, Hi Dad' Scams On The Rise - Britons Already (informationsecuritybuzz.com)

• Increase in Fake Tickets Being Sold by Cyber criminals on Social Media - IT Security Guru

AML/CFT/Sanctions

• Robinhood Crypto Penalized $30M for Violating NY Cybersecurity Regulations | SecurityWeek.Com

Dark Web

• A Ransomware Explosion Fosters Thriving Dark Web Ecosystem (darkreading.com)

• The popularity of Dark Utilities 'C2-as-a-Service' rapidly increases - Security Affairs

Software Supply Chain

• Now is the time to focus on software supply chain security improvements - Help Net Security

Cloud/SaaS

• Cyber attackers Increasingly Target Cloud IAM as a Weak Link (darkreading.com)

• What Worries Security Teams About the Cloud? (darkreading.com)

• Who Has Control: The SaaS App Admin Paradox (thehackernews.com)

• Enterprises face a multitude of barriers to securing diverse cloud environments - Help Net Security

Open Source

• New Linux malware brute-forces SSH servers to breach networks (bleepingcomputer.com)

Passwords, Credential Stuffing & Brute Force Attacks

• Hackers stole passwords for accessing 140,000 payment terminals | TechCrunch

• Credential Canaries Create Minefield for Attackers (darkreading.com)

• 5 reasons why businesses should never use consumer-grade password managers | TechRadar

Social Media

• Hackers Exploit Twitter Vulnerability to Exposes 5.4 Million Accounts (thehackernews.com)

• Parliament shuts down TikTok account over China data security concerns (telegraph.co.uk)

• Over 3,200 Apps Leak Twitter API Keys, Some Allowing Account Hijacks (informationsecuritybuzz.com)

• Increase in Fake Tickets Being Sold by Cyber criminals on Social Media - IT Security Guru

Privacy

• DuckDuckGo browser now blocks all Microsoft trackers, most of the time (bleepingcomputer.com)

Cyber Bullying and Cyber Stalking

• Australia charges dev of Imminent Monitor RAT used by domestic abusers (bleepingcomputer.com)

Regulations, Fines and Legislation

• Most companies are unprepared for CCPA and GDPR compliance - Help Net Security

• Data privacy: Collect what you need, protect what you collect | CSO Online

• India scraps data protection law, promises better successor • The Register

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Austrian Investigation Reveals Spyware Targeting Law Firms, Finance Institutions - Infosecurity Magazine

• Ukraine takes down 1,000,000 bots used for disinformation (bleepingcomputer.com)

• Nancy Pelosi ties Chinese cyber-attacks to Taiwan visit • The Register

• Spanish Research Center Suffers Cyber attack Linked to Russia | SecurityWeek.Com

• Russian organisations attacked with new Woody RAT malware (bleepingcomputer.com)

• Greek intelligence spied on journalist with a surveillance spyware - Security Affairs

• Rare Pegasus screenshots depict NSO Group's spyware capabilities | AppleInsider

Nation State Actors

Nation State Actors – Russia

• Double Whammy: Russian Hackers Launch Cyber Attacks On Lockheed Martin; Armed Forces Hack Into HIMARS -- Reports (eurasiantimes.com)

• Ukraine Shutters Major Russian Bot Farm - Infosecurity Magazine

Nation State Actors – China

• Chinese hackers use new Cobalt Strike-like attack framework (bleepingcomputer.com)

• Massive China-Linked Disinformation Campaign Taps PR Firm for Help (darkreading.com)

• Parliament shuts down TikTok account over China data security concerns (telegraph.co.uk)

• China, Huawei, and the eavesdropping threat | CSO Online

• Global network of fake news sites push Chinese propaganda, researchers find - CyberScoop

• Taiwanese military reports DDoS in wake of US Speaker visit • The Register

Nation State Actors – North Korea

• Cyber crime a Key Revenue Stream For North Korea's Weapons Program - Infosecurity Magazine (infosecurity-magazine.com)

• North Korean Hackers Use Browser Extension to Spy on Gmail and AOL Accounts - Infosecurity Magazine (infosecurity-magazine.com)

Nation State Actors – Iran

• Iranian Hackers Likely Behind Disruptive Cyber attacks Against Albanian Government (thehackernews.com)

• Disruptive Cyber attacks on NATO Member Albania Linked to Iran | SecurityWeek.Com

Nation State Actors – Misc APT

• Twitter breach exposes anonymous accounts to nation state hackers - CyberScoop

Vulnerabilities

• VMware urges admins to patch critical auth bypass bug immediately (bleepingcomputer.com)

• Critical RCE Bug in DrayTek Routers Opens SMBs to Zero-Click Attacks (darkreading.com)

• Cisco fixes critical remote code execution bug in VPN routers (bleepingcomputer.com)

• F5 Fixes 21 Vulnerabilities With Quarterly Security Patches | SecurityWeek.Com

• High-Severity Bug in Kaspersky VPN Client Opens Door to PC Takeover (darkreading.com)

• Hackers Exploit Atlassian Confluence Vulnerability to Deploy New 'Ljl' Backdoor - Infosecurity Magazine

• Slack Resets Passwords After a Bug Exposed Hashed Passwords for Some Users (thehackernews.com)

• VMware Releases Patches for Several New Flaws Affecting Multiple Products (thehackernews.com)

• Hackers are actively exploiting password-stealing flaw in Zimbra (bleepingcomputer.com)

• Google fixed Critical Remote Code Execution flaw in Android - Security Affairs

• CISA adds Zimbra bug to Known Exploited Vulnerabilities Catalogue - Security Affairs

• Warning! Critical flaws found in US Emergency Alert System • The Register

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

Other News

• APIs attacked in 94% of companies in past year - IT Security Guru

• Over 60% of Organisations Expose SSH to the Internet - Infosecurity Magazine

• How IT and security teams can work together to improve endpoint security - Microsoft Security Blog

• Burnout and attrition impact tech teams sustaining modern digital systems - Help Net Security

• Machine learning creates a new attack surface requiring specialized defences - Help Net Security

• Cyber security lessons learned from COVID-19 pandemic (techtarget.com)

• 10 enterprise database security best practices (techtarget.com)

• Resolving Availability vs. Security, a Constant Conflict in IT (thehackernews.com)

• Tips to prevent RDP and other remote attacks on Microsoft networks | CSO Online

• 5 ways to unite security and compliance | CSO Online

• The Myth of Protection Online — and What Comes Next (darkreading.com)

• The Importance of Data Security in the Enterprise (techtarget.com)

• Who Needs Macros? | Threat Actors Pivot to Abusing Explorer and Other LOLBins via Windows Shortcuts - SentinelOne

• How IT Teams Can Use 'Harm Reduction' for Better Cyber security Outcomes (darkreading.com)

• Businesses lack visibility into run-time threats against mobile apps and APIs - Help Net Security

• Browser synchronization abuse: Bookmarks as a covert data exfiltration channel - Help Net Security

• Threats emanating from digital ecosystems can be a blind spot for businesses - Help Net Security

• Busting the Myths of Hardware Based Security - Security Affairs

• New Traffic Light Protocol standard released after five years (bleepingcomputer.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive Summary

Cisco has supplied patches which address multiple vulnerabilities for their Small Business routers. Three of these vulnerabilities could be used by an unauthenticated attacker to remotely execute code on the device, or cause denial of service to the device.

What’s the risk to me or my business?

The critical vulnerability relates to the web-based management interface, which can lead to the full compromise of the device. As these devices are on the network perimeter, compromise of these devices can lead to further breaches of other networked systems and data.

What can I do?

Cisco has released software updates to address the vulnerabilities, which are available for download from their website, and should be applied out of band where possible, due to the severity of this issue.

Technical Summary

The following is a breakdown of the vulnerabilities with the affected Cisco products.

CVE-2022-20842: A remote code execution vulnerability with a CVSS 3.0 rating of 9.8, which allows a malicious attacker to exploit insufficient validation on user-supplied input by providing a crafted HTTP input to an affected device, allowing them to execute arbitrary code as the root user, or reload the device resulting in DOS. Affected devices:

·         RV340 Dual WAN Gigabit VPN Routers

·         RV340W Dual WAN Gigabit Wireless-AC VPN Routers

·         RV345 Dual WAN Gigabit VPN Routers

·         RV345P Dual WAN Gigabit POE VPN Routers

CVE-2022-20827: A command injection vulnerability with a CVSS 3.0 rating of 9.0, which allows a malicious attacker to exploit insufficient validation on the web filter database update feature, to perform command injection and execute commands with root privileges. Affected devices:

·         RV160 VPN Routers

·         RV160W Wireless-AC VPN Routers

·         RV260 VPN Routers

·         RV260P VPN Routers with PoE

·         RV260W Wireless-AC VPN Routers

·         RV340 Dual WAN Gigabit VPN Routers

·         RV340W Dual WAN Gigabit Wireless-AC VPN Routers

·         RV345 Dual WAN Gigabit VPN Routers

·         RV345P Dual WAN Gigabit POE VPN Routers

CVE-2022-20841: A command injection vulnerability with a CVSS 3.0 rating of 8.3, which allows a malicious attacker to exploit insufficient validation on the Open Plug and Play command, to perform command injection and execute commands on the underlying operating system via a man-in-the-middle attack or from another compromised device on the network. Affected devices:

·         RV160 VPN Routers

·         RV160W Wireless-AC VPN Routers

·         RV260 VPN Routers

·         RV260P VPN Routers with PoE

·         RV260W Wireless-AC VPN Routers

·         RV340 Dual WAN Gigabit VPN Routers

·         RV340W Dual WAN Gigabit Wireless-AC VPN Routers

·         RV345 Dual WAN Gigabit VPN Routers

·         RV345P Dual WAN Gigabit POE VPN Routers

Further technical information including links to software patches for specific affected devices can be found here: Cisco Small Business RV Series Routers Vulnerabilities

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

Trellix Threat Labs Vulnerability research team discovered an unauthenticated remote code execution vulnerability which affects multiple DrayTek routers, which have their management interface configured to be accessible directly via the internet. This attack can also be performed by a malicious actor who has access within the local network, which is the default configuration for these devices.

What’s the risk to me or my business?

This is a one-click attack that can be performed without any user interaction, and can lead to the full compromise of the device. As these devices are on the network perimeter, compromise of these devices can lead to further breaches of other networked systems and data.

What can I do?

The vendor has released patches for this issue on their website, which should be applied out of band due to the severity of this issue. To mitigate this issue externally, management interfaces should never be configured to be directly accessible via the internet interface, however even with this mitigation it is important that the patch is applied promptly due to the threat of further compromise from an attacker with local network access.

Technical Summary

The following is a breakdown of the vulnerability with the affected DrayTek products.

CVE-2022-32548: This vulnerability has been given a CVSS 3.0 rating of 10.0, the attack works by compromising a buffer overflow vulnerability within the login page, which allows an attacker to provide a carefully crafted username and/or password which could allow an attacker to take control of the “DrayOS” which runs on the routers. Affected models with affected firmware versions include:

• Vigor3910 < 4.3.1.1

• Vigor1000B < 4.3.1.1

• Vigor2962 Series < 4.3.1.1

• Vigor2927 Series < 4.4.0

• Vigor2927 LTE Series < 4.4.0

• Vigor2915 Series < 4.3.3.2

• Vigor2952 / 2952P < 3.9.7.2

• Vigor3220 Series < 3.9.7.2

• Vigor2926 Series < 3.9.8.1

• Vigor2926 LTE Series < 3.9.8.1

• Vigor2862 Series < 3.9.8.1

• Vigor2862 LTE Series < 3.9.8.1

• Vigor2620 LTE Series < 3.9.8.1

• VigorLTE 200n < 3.9.8.1

• Vigor2133 Series < 3.9.6.4

• Vigor2762 Series < 3.9.6.4

• Vigor167 < 5.1.1

• Vigor130 < 3.8.5

• VigorNIC 132 < 3.8.5

• Vigor165 < 4.2.4

• Vigor166 < 4.2.4

• Vigor2135 Series < 4.4.2

• Vigor2765 Series < 4.4.2

• Vigor2766 Series < 4.4.2

• Vigor2832 < 3.9.6

• Vigor2865 Series < 4.4.0

• Vigor2865 LTE Series < 4.4.0

• Vigor2866 Series < 4.4.0

• Vigor2866 LTE Series < 4.4.0

Further technical information on the vulnerability can be found here: Unauthenticated Remote Code Execution in a Wide Range of DrayTek Vigor Routers (trellix.com)

Patches are available from the vendors website here: Latest Firmwares | DrayTek

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

VMware is a large supplier of virtualisation products which are used to run a variety of different services. They announced on 02/08/2022 that updates have been released for multiple products in their range to address multiple different vulnerabilities, recommending that these are patched immediately, due to one of the vulnerabilities allowing a malicious user who already has network access to gain administrator access on the affected VMware system.

What’s the risk to me or my business?

As VMware are one of the primary suppliers of virtual infrastructure, it is highly likely that some business services will be hosted on machines running VMware software. Business services may be hosted on VMware infrastructure, which if exploited could impact Confidentiality, Integrity, or Availability for these services.

What can I do?

As patches have been released, it is important that these are applied as soon as possible.

Discuss with you Managed Service Provider (MSP) whether any of your devices or services are impacted, and when they can expect to be patched. While VMware has supplied workaround to help mitigate the issue if it cannot be immediately patched, it is strongly noted that the work arounds do not remove the vulnerabilities and may introduce additional unforeseen issues.

Technical Summary

The following is a break down of the different vulnerabilities with the affected VMware products.

CVE-2022-31656: Critical severity range with maximum CVSSv3 base score of 9.8, malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate. Affected VMware products:

·         VMware Workspace One Access

·         Identity Manager

·         vRealize Automation

CVE-2022-31658: Important severity range with maximum CVSSv3 base core of 8.0, malicious actor with administrator and network access can trigger a remote code execution. Affected VMware products:

·         VMware Workspace ONE Access

·         Identity Manager

·         vRealize Automation

CVE-2022-31659: Important severity range with maximum CVSSv3 base core of 8.0, malicious actor with administrator and network access can trigger a remote code execution. Affected VMware products:

·         VMware Workspace ONE Access

·         Identity Manager

CVE-2022-31660, CVE-2022-31661, CVE-2022-31664: Important severity range with maximum CVSSv3 base core of 7.8, malicious actor with local access to the system can escalate privileges to ‘root’. Affected VMware products:

·         VMware Workspace ONE Access

·         Identity Manager

·         vRealize Automation

CVE-2022-31665: Important severity range with maximum CVSSv3 base core of 7.6, malicious actor with administrator and network access can trigger a remote code execution. Affected VMware products:

·         VMware Workspace ONE Access

·         Identity Manager

·         vRealize Automation

CVE-2022-31657: Moderate severity range with maximum CVSSv3 base core of 5.9, malicious actor with network access may be able to redirect an authenticated user to an arbitrary domain. Affected VMware products:

·         VMware Workspace ONE Access

·         Identity Manager

CVE-2022-31662: Moderate severity range with maximum CVSSv3 base core of 5.3, malicious actor with network access may be able to access arbitrary files. Affected VMware products:

·         VMware Workspace ONE Access

·         Identity Manager

·         Connectors

·         vRealize Automation

CVE-2022-31663: Moderate severity range with maximum CVSSv3 base core of 4.7. Due to improper user input sanitization, a malicious actor with some user interaction may be able to inject javascript code in the target user's window.. Affected VMware products:

·         VMware Workspace ONE Access

·         Identity Manager

·         vRealize Automation

Further technical information including a response patch matrix and workarounds can be found here: VMSA-2022-0021 (vmware.com), VMSA-2022-0021: Questions & Answers | VMware

Need help understanding your gaps, or just want some advice? Get in touch with us.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• 1 in 3 Employees Don’t Understand Why Cyber Security Is Important

According to a new Tessian report, 30% of employees do not think they personally play a role in maintaining their company’s cyber security posture.

What’s more, only 39% of employees say they’re very likely to report a security incident, making investigation and remediation even more challenging and time-consuming for security teams. When asked why, 42% of employees said they wouldn’t know if they had caused an incident in the first place, and 25% say they just don’t care enough about cyber security to mention it.

Virtually all IT and security leaders agreed that a strong security culture is important in maintaining a strong security posture. Yet, despite rating their organisation’s security 8 out 10, on average, three-quarters of organisations experienced a security incident in the last 12 months.

The report suggests this could stem from a reliance on traditional training programs: 48% of security leaders say training is one of the most important influences on building a positive security posture. But the reality is that employees aren’t engaged; just 28% of UK and US workers say security awareness training is engaging and only 36% say they’re paying full attention. Of those who are, only half say it’s helpful, while another 50% have had a negative experience with a phishing simulation. With recent headlines depicting how phishing simulations can go awry, negative experiences like these further alienate employees and decrease engagement.

https://www.helpnetsecurity.com/2022/07/28/employees-dont-understand-why-cybersecurity-is-important/

• As Companies Calculate Cyber Risk, the Right Data Makes a Big Difference

The proposed US Securities and Exchange Commission’s stronger rules for reporting cyber attacks will have ramifications beyond increased disclosure of attacks to the public. By requiring not just quick reporting of incidents, but also disclosure of cyber policies and risk management, such regulation will ultimately bring more accountability for cyber security to the highest levels of corporate leadership. Other jurisdictions will very likely follow the US in requiring more stringent cyber controls and governance.

This means that boards and executives everywhere will need to increase their understanding of cyber security, not only from a tech point of view, but from a risk and business exposure point of view. The CFO, CMO and the rest of the C-suite and board will want and need to know what financial exposure the business faces from a data breach, and how likely it is that breaches will happen. This is the only way they will be able to develop cyber policies and plans and react properly to the proposed regulations.

Companies will therefore need to be able to calculate and put a dollar value on their exposure to cyber risk. This is the starting point for the ability to make cyber security decisions not in a vacuum, but as part of overall business decisions. To accurately quantify cyber security exposure, companies need to understand what the threats are and which data and business assets are at risk, and they then need to multiply the cost of a breach by the probability that such an event will take place in order to put a dollar figure on their exposure.

While there are many automated tools, including those that use artificial intelligence (AI), that can help with this, the key to doing this well is to make sure calculations are rooted in real and relevant data – which is different for each company or organisation.

https://venturebeat.com/2022/07/22/as-companies-calculate-cyber-risk-the-right-data-makes-a-big-difference/

• Only 25% Of Organisations Consider Their Biggest Threat to Be from Inside the Business

A worrying 73.5% of organisations feel they have wasted the majority of their cyber security budget on failing to remediate threats, despite having an over-abundance of security tools at their disposal, according to Gurucul.

Only 25% of organisations consider their biggest threat to be from inside the business, despite insider threats increasing by 47% over the past two years. With only a quarter of businesses seeing their biggest threat emanating from inside their organisation, it seems over 70% saw the biggest cyber security challenges emanating from external threats such as ransomware. In fact, although external threats account for many security incidents, we must never forget to look beyond those external malicious and bad actors to insider threats to effectively secure corporate data and IP.

The survey also found 33% of respondents said they are able to detect threats within hours, while 27.07% even claimed they can detect threats in real-time. However, challenges persist with 33% of respondents stating that it still takes their organisation days and weeks to detect threats, with 6% not being able to detect them at all.

https://www.helpnetsecurity.com/2022/07/28/biggest-threat-inside-the-business/

• The Global Average Cost of a Data Breach Reaches an All-Time High of $4.35 Million

IBM Security released the 2022 Cost of a Data Breach Report, revealing costlier and higher-impact data breaches than ever before, with the global average cost of a data breach reaching an all-time high of $4.35 million for studied organisations.

With breach costs increasing nearly 13% over the last two years of the report, the findings suggest these incidents may also be contributing to rising costs of goods and services. In fact, 60% of studied organisations raised their product or services prices due to the breach, when the cost of goods is already soaring worldwide amid inflation and supply chain issues.

The perpetuality of cyber attacks is also shedding light on the “haunting effect” data breaches are having on businesses, with the IBM report finding 83% of studied organisations have experienced more than one data breach in their lifetime. Another factor rising over time is the after-effects of breaches on these organisations, which linger long after they occur, as nearly 50% of breach costs are incurred more than a year after the breach.

The 2022 Cost of a Data Breach Report is based on in-depth analysis of real-world data breaches experienced by 550 organisations globally between March 2021 and March 2022. The research, which was sponsored and analysed by IBM Security, was conducted by the Ponemon Institute.

https://www.helpnetsecurity.com/2022/07/27/2022-cost-of-a-data-breach-report/

• Race Against Time: Hackers Start Hunting for Victims Just 15 Minutes After a Bug Is Disclosed

Attackers are becoming faster at exploiting previously undisclosed zero-day flaws, according to Palo Alto Networks.  This means that the amount of time that system admins have to patch systems before exploitation happens is shrinking fast..

The company warns in its 2022 report covering 600 incident response (IR) cases that attackers typically start scanning for vulnerabilities within 15 minutes of one being announced.

Among this group are 2021's most significant flaws, including the Exchange Server ProxyShell and ProxyLogon sets of flaws, the persistent Apache Log4j flaws aka Log4Shell, the SonicWall zero-day flaws, and Zoho ManageEngine ADSelfService Plus.

While phishing remains the biggest method for initial access, accounting for 37% of IR cases, software vulnerabilities accounted of 31%. Brute-force credential attacks (like password spraying) accounted for 9%, while smaller categories included previously compromised credentials (6%), insider threat (5%), social engineering (5%), and abuse of trusted relationships/tools (4%).    

Over 87% of the flaws identified as the source of initial access fell into one of six vulnerability categories.

https://www.zdnet.com/article/race-against-time-hackers-start-hunting-for-victims-just-15-minutes-after-a-bug-is-disclosed/

• Ransomware-as-a-Service Groups Forced to Change Tack as Payments Decline

Ransomware-as-a-service (RaaS) operators are evolving their tactics yet again in response to more aggressive law enforcement efforts, in a move that is reducing their profits but also making affiliates harder to track, according to Coveware.

The security vendor’s Q2 2022 ransomware report revealed that concerted efforts to crack down on groups like Conti and DarkSide have forced threat actors to adapt yet again.

It identified three characteristics of RaaS operations that used to be beneficial, but are increasingly seen as a hinderance.

The first is RaaS branding, which has helped to cement the reputation of some groups and improve the chances of victims paying, according to Coveware. However, branding also makes attribution easier and can draw the unwanted attention of law enforcement, it said.

“RaaS groups are keeping a lower profile and vetting affiliates and their victims more thoroughly,” Coveware explained.

“More RaaS groups have formed, resulting in less concentration among the top few variants. Affiliates are frequently shifting between RaaS variants on different attacks, making attribution beyond the variant more challenging.”

In some cases, affiliates are also using “unbranded” malware to make attribution more difficult, it added.

The second evolution in RaaS involves back-end infrastructure, which used to enable scale and increase profitability. However, it also means a larger attack surface and a digital footprint that’s more expensive and challenging to maintain.

As a result, RaaS developers are being forced to invest more in obfuscation and redundancy, which is hitting profits and reducing the amount of resources available for expansion, Coveware claimed.

Finally, RaaS shared services used to help affiliates with initial access, stolen data storage, negotiation management and leak site support.

https://www.infosecurity-magazine.com/news/raas-groups-forced-change-payments/

• Phishers Targeted Financial Services Most During H1 2022

Banks received the lion’s share of phishing attacks during the first half of 2022, according to figures published by cyber security company Vade.

The analysis also found that attackers were most likely to send their phishing emails on weekdays, with most arriving between Monday and Wednesday. Attacks tapered off towards the end of the week, Vade said.

While financial services scored highest on a per-sector basis, Microsoft was the most impersonated brand overall. The company’s Microsoft 365 cloud productivity services are a huge draw for cyber-criminals hoping to access accounts using phishing attacks.

Phishing attacks on Microsoft customers have become more creative, according to Vade, which identified several phone-based attacks. It highlighted a campaign impersonating Microsoft’s Defender anti-malware product, fraudulently warning that the company had debited a subscription fee. It encouraged victims to fix the problem by phone.

Facebook came a close second, followed by financial services company Crédit Agricole, WhatsApp and Orange.

https://www.infosecurity-magazine.com/news/phishers-financial-services-h1-2022/

• HR Emails Dupe Employees the Most – KnowBe4 research reveals

In phishing tests conducted on business emails, more than half of the subject lines clicked imitated Human Resources communications.

New research has revealed the top email subjects clicked on in phishing tests were those related to or from Human Resources, according to the latest ‘most clicked phishing tests‘ conducted by KnowBe4. In fact, half of those that were clicked on had subject lines related to Human Resources, including vacation policy updates, dress code changes, and upcoming performance reviews. The second most clicked category were those send from IT, which include requests or actions of password verifications that were needed immediately.

KnowBe4’s CEO commented “More than 80% of company data breaches globally come from human error, so security awareness training for your staff is one of the least costly and most effective methods to thwart social engineering attacks. Training gives employees the ability to rapidly recognise a suspicious email, even if it appears to come from an internal source, causing them to pause before clicking. That moment where they stop and question the email is a critical and often overlooked element of security culture that could significantly reduce your risk surface.”

This research comes hot off the heels of the recent KnowBe4 industry benchmarking report which found one in three untrained employees will click on a phishing link. The worst performing industries were Energy & Utilities, Insurance and Consulting, with all labelled the most at risk for social engineering in the large enterprise category.

https://www.itsecurityguru.org/2022/07/27/hr-emails-dupe-employees-the-most-knowbe4-research-reveals/

• 84% Of Organisations Experienced an Identity-Related Breach in the Past 18 Months

60% of IT security decision makers believe their overall security strategy does not keep pace with the threat landscape, and that they are either lagging behind (20%), treading water (13%), or merely running to keep up (27%), according to a survey by Sapio Research.

The report also highlights differences between the perceived and actual effectiveness of security strategies. While 40% of respondents believe they have the right strategy in place, 84% of organisations reported that they have experienced an identity-related breach or an attack using stolen credentials during the previous year and a half.

Promisingly, many organisations are hungry to make a change, particularly when it comes to protecting identities. In fact, 90% of respondents state that their organisations fully recognise the importance of identity security in enabling them to achieve their business goals, and 87% say that it is one of the most important security priorities for the next 12 months.

However, 75% of IT and security professionals also believe that they’ll fall short of protecting privileged identities because they won’t get the support they need. This is largely due to a lack of budget and executive alignment, with 63% of respondents saying that their company’s board still doesn’t fully understand identity security and the role it plays in enabling better business operations.

While the importance of identity security is acknowledged by business leaders, most security teams will not receive the backing and budget they need to put vital security controls and solutions in place to reduce major risks. This means that the majority of organisations will continue to fall short of protecting privileges, leaving them vulnerable to cyber criminals looking to discover privileged accounts and abuse them.

https://www.helpnetsecurity.com/2022/07/28/identity-related-breach/

• Economic Downturn Raises Risk of Insiders Going Rogue

Declining economic conditions could make insiders more susceptible to recruitment offers from threat actors looking for allies to assist them in carrying out various attacks.

Enterprise security teams need to be aware of the heightened risk and strengthen measures for protecting against, detecting, and responding to insider threats, researchers from Palo Alto Network's Unit 42 threat intelligence team recommended in a report this week.

The security vendor's report highlighted several other important takeaways for security operations teams, including the fact that ransomware and business email compromise attacks continue to dominate incident response cases and vulnerability exploits — accounting for nearly one-third of all breaches.

Unit 42 researchers analysed data from a sampling of over 600 incident response engagements between April 2021 and May 2022 and determined that difficult economic times could lure more actors to cyber crime. This could include both people with technical skills looking to make a fast buck, as well as financially stressed insiders with legitimate access to valuable enterprise data and IT assets. The prevalence of remote and hybrid work models has created an environment where it's easier for workers to steal intellectual property or carry out other malicious activity, the researchers found.

https://www.darkreading.com/risk/economic-downturn-raises-the-risk-of-insiders-going-rogue

• 5 Trends Making Cyber Security Threats Riskier and More Expensive

Since the pandemic the cyber world has become a far riskier place. According to the Hiscox Cyber Readiness Report 2022, almost half (48%) of organisations across the US and Europe experienced a cyber attack in the past 12 months. Even more alarming is that these attacks are happening despite businesses doubling down on their cyber security spend.

Cyber security is at a critical inflection point where five megatrends are making the threat landscape riskier, more complicated, and costlier to manage than previously reported. To better understand the evolution of this threat landscape, let’s examine these trends in more detail.

1. Everything becomes digital

2. Organisations become ecosystems

3. Physical and digital worlds collide

4. New technologies bring new risks

5. Regulations become more complex

Organisations can follow these best practices to elevate cyber security performance:

• Identify, prioritise, and implement controls around risks.

• Adopt a framework such as ISO 27001 or NIST Cyber Security Framework.

• Develop human-layered cyber security.

• Fortify your supply chain.

• Avoid using too many tools.

• Prioritise protection of critical assets.

• Automate where you can.

• Monitor security metrics regularly to help business leaders get insight into security effectiveness, regulatory compliance, and levels of security awareness in the organisation.

Cyber security will always be a work in progress. The key to effective risk management is having proactive visibility and context across the entire attack surface. This helps to understand which vulnerabilities, if exploited, can cause the greatest harm to the business. Not all risks can be mitigated; some risks will have to be accepted and trade-offs will have to be negotiated.

https://www.csoonline.com/article/3667442/5-trends-making-cybersecurity-threats-riskier-and-more-expensive.html#tk.rss_news

• Ransomware: Publicly Reported Incidents Are Only the Tip of the Iceberg

The threat landscape report on ransomware attacks published this week by the European Union Agency for Cybersecurity (ENISA) uncovers the shortcomings of the current reporting mechanisms across the EU.

As one of the most devastating types of cyber security attacks over the last decade, ransomware, has grown to impact organisations of all sizes across the globe.

This threat landscape report analysed a total of 623 ransomware incidents across the EU, the United Kingdom and the United States for a reporting period from May 2021 to June 2022. The data was gathered from governments' and security companies' reports, from the press, verified blogs and in some cases using related sources from the dark web.

Between May 2021 and June 2022 about 10 terabytes of data were stolen each month by ransomware threat actors. 58.2% of the data stolen included employees' personal data.

At least 47 unique ransomware threat actors were found.

For 94.2% of incidents, we do not know whether the company paid the ransom or not. However, when the negotiation fails, the attackers usually expose and make the data available on their webpages. This is what happens in general and is a reality for 37.88% of incidents.

We can therefore conclude that the remaining 62.12% of companies either came to an agreement with the attackers or found another solution.

The study also shows that companies of every size and from all sectors are affected.

The figures in the report can however only portray a part of the overall picture. In reality, the study reveals that the total number of ransomware attacks is much larger. At present this total is impossible to capture since too many organisations still do not make their incidents public or do not report on them to the relevant authorities.

https://www.enisa.europa.eu/news/ransomware-publicly-reported-incidents-are-only-the-tip-of-the-iceberg

Threats

Ransomware

• LockBit 3.0: Significantly Improved Ransomware Helps the Gang Stay on Top (darkreading.com)

• Ransomware looms large over the cyber insurance industry - Help Net Security

• 800,000 businesses fall victim to ransomware each year (komando.com)

• Business services top target of ransomware attacks (securitybrief.co.nz)

• How Crypto is Driving the Ransomware Epidemic | Cryptoland Roundtable - YouTube

• On security researcher's newsletter, exposing cyber criminals behind ransomware - CyberScoop

• LockBit ransomware abuses Windows Defender to load Cobalt Strike (bleepingcomputer.com)

• Mailing List Provider WordFly Scrambling to Recover Following Ransomware Attack | SecurityWeek.Com

• No More Ransom helps millions of ransomware victims in 6 years (bleepingcomputer.com)

• Lockbit ransomware gang claims to have breached the Italian Revenue Agency - Security Affairs

• Lockbit Ramps Up Attacks on Public Sector - Infosecurity Magazine (infosecurity-magazine.com)

• A ‘Top Tier’ Hacking Gang Is Likely To Be Behind Entrust Ransomware (informationsecuritybuzz.com)

• No More Ransom Helped More Than 1.5 Million People Decrypt Their Devices (darkreading.com)

• Ransomware caused American Dental Association outage, led to stolen data (scmagazine.com)

• The road to ransomware recovery starts before an attack • The Register

• LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities (trendmicro.com)

BEC – Business Email Compromise

• Crackdown on BEC Schemes: 100 Arrested in Europe, Man Charged in US | SecurityWeek.Com

• European Police Arrest 100 Suspects in BEC Crackdown - Infosecurity Magazine (infosecurity-magazine.com)

Phishing & Email Based Attacks

• Phishing Attacks Skyrocket with Microsoft and Facebook as Most Abused Brands | Threatpost

• Three of the world's most expensive phishing attacks and how they could have been prevented (betanews.com)

• Threat Actors Respond To Microsoft Blocking Macros with New Email Tactics (informationsecuritybuzz.com)

• Phishing scam targeting Bank of America, Citi and Wells Fargo customers (komando.com)

• APT-Like Phishing Threat Mirrors Landing Pages (darkreading.com)

• New Callback Malware Campaign Impersonates Legitimate Cyber Security Providers - MSSP Alert

• Microsoft Tops Brands Phishers Prefer (darkreading.com)

• Phishing Attacks: Microsoft Leads Top 25 of Impersonated Brands - MSSP Alert

• Researchers Warns of Increase in Phishing Attacks Using Decentralized IPFS Network (thehackernews.com)

• 1,000s of Phishing Attacks Blast Off From InterPlanetary File System (darkreading.com)

• New ‘Robin Banks’ phishing service targets BofA, Citi, and Wells Fargo (bleepingcomputer.com)

Other Social Engineering; SMishing, Vishing, etc

• US govt warns Americans of escalating SMS phishing attacks (bleepingcomputer.com)

Malware

• Cisco Incident Response Report: Commodity Malware Top Threat in Q2 - MSSP Alert

• Discovery of new UEFI rootkit exposes an ugly truth: The attacks are invisible to us | Ars Technica

• As Microsoft blocks Office macros, hackers find new attack vectors (bleepingcomputer.com)

• Microsoft Links Raspberry Robin USB Worm to Russian Evil Corp Hackers (thehackernews.com)

• Microsoft links Raspberry Robin malware to Evil Corp attacks (bleepingcomputer.com)

• Malware-laced npm packages used to target Discord users - Security Affairs

• CosmicStrand UEFI malware found in Gigabyte, ASUS motherboards (bleepingcomputer.com)

• Sophisticated UEFI rootkit of Chinese origin shows up again in the wild after 3 years | CSO Online

• Attackers are slowly abandoning malicious macros - Help Net Security

• One of the most beloved Windows tools could actually be a huge security risk | TechRadar

• QBot phishing uses Windows Calculator DLL hijacking to infect devices (bleepingcomputer.com)

• Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike (trendmicro.com)

• Microsoft: Austrian company DSIRF selling Subzero malware (techtarget.com)

• Threat actors leverages DLL-SideLoading to spread Qakbot - Security Affairs

• Rare 'CosmicStrand' UEFI Rootkit Swings into Cyber crime Orbit (darkreading.com)

Mobile

• Here are the top phone security threats in 2022 and how to avoid them | ZDNet

• New Android malware apps installed 10 million times from Google Play (bleepingcomputer.com)

• Roaming Mantis Financial Hackers Targeting Android and iPhone Users in France (thehackernews.com)

• Facebook ads push Android adware with 7 million installs on Google Play (bleepingcomputer.com)

• Millions of Android devices infected with wallet-draining malware | TechRadar

• Over a Dozen Android Apps on Google Play Store Caught Dropping Banking Malware (thehackernews.com)

• These 28+ Android Apps with 10 Million Downloads from the Play Store Contain Malware (thehackernews.com)

Internet of Things – IoT

• IoT Botnets Fuels DDoS Attacks – Are You Prepared? | Threatpost

• Dahua IP Camera Vulnerability Could Let Attackers Take Full Control Over Devices (thehackernews.com)

Data Breaches/Leaks

• US court system suffered ‘incredibly significant attack’ • The Register

• Congress Warns of US Court Records System Breach - Infosecurity Magazine (infosecurity-magazine.com)

• Uber admits covering up massive 2016 data breach in settlement with US prosecutors - The Verge

• T-Mobile to pay $500M for one of the largest data breaches in US history [Updated] | Ars Technica

• Data Stolen in Breach at Security Company Entrust | SecurityWeek.Com

• Fallout from massive Shanghai Police data breach reverberates on dark web - CyberScoop

• Big Questions Remain Around Massive Shanghai Police Data Breach (darkreading.com)

Organised Crime & Criminal Actors

• Cyber-mercenaries represent shifting criminal business model • The Register

• Messaging Apps Tapped as Platform for Cyber Criminal Activity | Threatpost

• Teenager Jailed for Snapchat Blackmail Cyber Crimes- IT Security Guru

• DUCKTAIL operation targets Facebook’s Business and Ad accounts - Security Affairs

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Crypto fraud on the rise as consumers fall for fake celebrity endorsements | Cybernews

• Hackers Increasingly Using WebAssembly Coded Cryptominers to Evade Detection (thehackernews.com)

• NFT Hacking Group Attacks On The Rise, Report Finds- IT Security Guru

• Hackers steal $6 million from blockchain music platform Audius (bleepingcomputer.com)

 Fraud, Scams & Financial Crime

• Major shifts and the growing risk of identity fraud - Help Net Security

• Uber's former head of security faces fraud charges after allegedly covering up data breach (bitdefender.com)

• JPMorgan, UBS accused of shoddy identity theft protection • The Register

• Euro Police Bust €3m Internet Fraud Gang - Infosecurity Magazine (infosecurity-magazine.com)

• Romance scammers jailed after tricking Irish OAP out of €250k (bitdefender.com)

• Get a family safeword to make sure you don’t fall for the Mum and Dad scam | Money | The Sunday Times (thetimes.co.uk)

• What the Titanic Can Teach Us About Fraud? | SecurityWeek.Com

AML/CFT/Sanctions

• Russia declares Guernsey an 'unfriendly state' - BBC News

• Crypto exchange Kraken reportedly probed over Iran sanctions • The Register

Insurance

• Ransomware looms large over the cyber insurance industry - Help Net Security

Dark Web

• Cyber crime goods and services are cheap and plentiful - Help Net Security

• Hackers Selling Malware on Dark Web Underground Market (cybersecuritynews.com)

Supply Chain and Third Parties

• Experts warn of hacker claiming access to 50 US companies through breached MSP - The Record by Recorded Future

• Crook calls for help extorting service provider's clients • The Register

• Getting Ahead of Supply Chain Attacks (darkreading.com)

Software Supply Chain

• 8 top SBOM tools to consider | CSO Online

Denial of Service DoS/DDoS

• Akamai blocked the largest DDoS attack ever on its European customers - Security Affairs

• DDoS Attack Trends in 2022: Ultrashort, Powerful, Multivector Attacks (bleepingcomputer.com)

Cloud/SaaS

• Kansas MSP shuts down cloud services to fend off cyber attack (bleepingcomputer.com)

• Organisations are struggling with SaaS security. Why? - Help Net Security

Attack Surface Management

• 4 Steps the Financial Industry Can Take to Cope With Their Growing Attack Surface (thehackernews.com)

Identity and Access Management

• Why firms need to harness identity management before it spirals into an identity crisis - Help Net Security

• Benefits of modern PAM: Efficiency, security, compliance - Help Net Security

Encryption

• Transport Layer Security (TLS): Issues & Protocol (trendmicro.com)

• SSH2 vs. SSH1 and why SSH versions still matter (techtarget.com)

Passwords, Credential Stuffing & Brute Force Attacks

• Inadequate password and authentication requirements found in popular business web apps - Help Net Security

• Using Account Lockout policies to block Windows Brute Force Attacks (bleepingcomputer.com)

• Stop Putting Your Accounts At Risk, and Start Using a Password Manager (thehackernews.com)

Social Media

• Facebook security cracked by Malware made in Vietnam • The Register

• Cyber-Criminal Offers 5.4m Twitter Users’ Data - Infosecurity Magazine (infosecurity-magazine.com)

• Social Media Accounts Hijacked to Post Indecent Images - Infosecurity Magazine (infosecurity-magazine.com)

Training, Education and Awareness

• Poor Training and Communications Hindering Cyber security Efforts - Infosecurity Magazine (infosecurity-magazine.com)

Privacy

• US, UK law enforcement to implement data sharing law, troubling privacy advocates - CyberScoop

Law Enforcement Action and Take Downs

• UK Seizes Nearly $27m in Crypto-Assets - Infosecurity Magazine (infosecurity-magazine.com)

• European Cops Helped 1.5 Million People Decrypt Their Ransomwared Computers (vice.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• World entering 'dangerous new age' of threats, says UK's top national security adviser | World News | Sky News

• Cyberspies use Google Chrome extension to steal emails undetected (bleepingcomputer.com)

• Microsoft says it caught an Austrian spyware group using Windows 0-day exploits - The Verge

• Pegasus spyware: Just 'tip of the iceberg' seen so far • The Register

• Cyber attacks by Iran and Israel now target critical infrastructure. - The Washington Post

• Ukraine Cyber War Fall-out and Ransomware Trends Areas of Focus in New CyberCube Research | Business Wire

• US and Ukraine Sign Agreement to Deepen Cyber security Operational Collaboration - MSSP Alert

• CISA, Ukrainian cyber agency deepen partnership to combat Russian threat - CyberScoop

• How is Anonymous attacking Russia? The top six ways ranked (cnbc.com)

• European Lawmaker Targeted With Cytrox Predator Surveillance Spyware | SecurityWeek.Com

Nation State Actors

Nation State Actors – Russia

• Russia is quietly ramping up its Internet censorship machine | Ars Technica

• Apple network traffic takes mysterious detour through Russia • The Register

• 'Crippling' Western sanctions are hitting Russia much harder than Putin is letting on, say Yale economists (inews.co.uk)

Nation State Actors – China

• Chinese APTs: Interlinked networks and side hustles – Intrusion Truth (wordpress.com)

• OneWeb sale risks giving China a stake in ‘Five Eyes’ spying tech (telegraph.co.uk)

Nation State Actors – North Korea

• North Korean Hackers Using Malicious Browser Extension to Spy on Email Accounts (thehackernews.com)

• North Korean hackers attack EU targets with Konni RAT malware (bleepingcomputer.com)

• US puts $10 million bounty on North Korean threat groups • The Register

• Is APT28 behind the STIFF#BIZON attacks attributed to North Korea-linked APT37? Security Affairs

Nation State Actors – Iran

• Cyber attacks by Iran and Israel now target critical infrastructure. - The Washington Post

Vulnerability Management

• Hackers scan for vulnerabilities within 15 minutes of disclosure (bleepingcomputer.com)

• Attackers Have 'Favourite' Vulnerabilities to Exploit (darkreading.com)

• Taking the Risk-Based Approach to Vulnerability Patching (thehackernews.com)

• Organisations struggle to manage devices and stay ahead of vulnerabilities - Help Net Security

• 2022 Unit 42 Incident Response Report: How Attackers Exploit Zero-Days (paloaltonetworks.com)

• Security Teams Overwhelmed With Bugs, Bitten by Patch Prioritization (darkreading.com)

• Time between vuln disclosures, exploits is getting smaller • The Register

Vulnerabilities

• Critical Samba bug could let anyone become Domain Admin – patch now! – Naked Security (sophos.com)

• Multiple Windows, Adobe Zero-Days Anchor Knotweed Commercial Spyware (darkreading.com)

• How to Fix CVE-2022-30190 vulnerability using Microsoft Intune - CloudInfra

• CISA releases IOCs for attacks exploiting Log4Shell in VMware Horizon and UAG | CSO Online

• Critical FileWave MDM Flaws Open Organisation-Managed Devices to Remote Hackers (thehackernews.com)

• Hackers are abusing IIS extensions to establish covert backdoors - Security Affairs

• FileWave fixes bugs that left 1,000+ orgs open to ransomware • The Register

• Google Chrome Zero-day Vulnerability Discovered By Avast (informationsecuritybuzz.com)

• LibreOffice fixed 3 flaws, including a code execution issue - Security Affairs

• Critical security vulnerability in Grails could lead to remote code execution | The Daily Swig (portswigger.net)

• Drupal developers fixed a code execution flaw in the popular CMS - Security Affairs

• LibreOffice Releases Software Update to Patch 3 New Vulnerabilities (thehackernews.com)

• Hackers Exploit PrestaShop Zero-Day to Steal Payment Data from Online Stores (thehackernews.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

Reports Published in the Last Week

• Hiscox Cyber Readiness Report 2022

• ENISA Threat Landscape for Ransomware Attacks — ENISA (europa.eu)

Other News

• A Retrospective on the 2015 Ashley Madison Breach – Krebs on Security

• The Great BizApp Hack: Cyber-Risks in Your Everyday Business Applications (darkreading.com)

• Threat Actors Pivot Around Microsoft’s Macro-Blocking in Office | Threatpost

• Strong Authentication - Robust Identity and Access Management Is a Strategic Choice - Security Affairs

• You Pay More When Companies Get Hacked | WIRED

• Microsoft again reverses course, will block macros by default (scmagazine.com)

• Is Your Home or Small Business Built on Secure Foundations? Think Again… (darkreading.com)

• Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits - Microsoft Security Blog

• Infosec pros want more industry cooperation and support for open standards - Help Net Security

• We pass cyber attack costs onto customers, businesses admit • The Register

• How to Combat the Biggest Security Risks Posed by Machine Identities (thehackernews.com)

• Discord, Telegram Services Hijacked to Launch Array of Cyber Attacks (darkreading.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Insurer Refuses to Pay Out After Victim Misrepresented Their Cyber Controls

In what may be one of the first court filings of its kind, insurer Travelers is asking a district court for a ruling to rescind a policy because the insured allegedly misrepresented its use of multifactor authentication (MFA) – a condition to get cyber coverage.

According to a July filing, Travelers said it would not have issued a cyber insurance policy in April to electronics manufacturing services company International Control Services (ICS) if the insurer knew the company was not using MFA as it said. Additionally, Travelers wants no part of any losses, costs, or claims from ICS – including from a May ransomware attack ICS suffered.

Travelers alleged ICS submitted a cyber policy application signed by its CEO and “a person responsible for the applicant’s network and information security” that the company used MFA for administrative or privileged access. However, following the May ransomware event, Travelers first learned during an investigation that the insured was not using the security control to protect its server and “only used MFA to protect its firewall, and did not use MFA to protect any other digital assets.”

Therefore, statements ICS made in the application were “misrepresentations, omissions, concealment of facts, and incorrect statements” – all of which “materially affected the acceptance of the risk and/or the hazard assumed by Travelers,” the insurer alleged in the filing.

ICS also was the victim of a ransomware attack in December 2020 when hackers gained access using the username and password of an ICS administrator, Travelers said. ICS told the insurer of the attack during the application process and said it improved the company’s cyber security.

Travelers said it wants the court to declare the insurance contract null and void, rescind the policy, and declare it has no duty to indemnify or defend ICS for any claim.

https://www.insurancejournal.com/news/national/2022/07/12/675516.htm#

• 5 Cyber Security Questions CFOs Should Ask CISOs

Armed with the answers, chief financial officers can play an essential role in reducing cyber risk.

Even in a shrinking economy, organisations are likely to maintain their level of cyber security spend. But that doesn’t mean in the current economic climate of burgeoning costs and a possible recession they won’t take a magnifying glass to how they are spending the money budgeted to defend systems and data. Indeed, at many companies, cyber security spending isn’t targeting the most significant dangers, according to experts — as evidenced by the large number of successful ransomware attacks and data breaches.

Without a comprehensive understanding of the security landscape and what the organisation needs to do to protect itself, how can CFOs make the right decisions when it comes to investments in cyber security technology and other resources? They can’t.

So, CFOs need to ensure they have a timely grasp of the security issues their organisation faces. That requires turning to the most knowledgeable people in the organisation: chief information security officers (CISOs) and other security leaders on the IT front lines.

Here are five questions CFOs should be asking their CISOs about the security of their companies.

1. How secure are we as an organisation?

2. What are the main security threats or risks in our industry?

3. How do we ensure that the cyber security team and the CISO are involved in business development?

4. What are the risks and potential costs of not implementing a cyber control?

5. Do employees understand information security and are they implementing security protocols successfully?

https://www.cfo.com/technology/cyber-security-technology/2022/07/cybersecurity-spending-protocols-ciso-security-threats-business-development-cyber-control/

• The Biggest Cyber Attacks in 2022 So Far — and it’s Just the Tip of the Iceberg

For those in the cyber resilience realm, it’s no surprise that there’s a continued uptick in cyber attacks. Hackers are hacking, thieves are thieving and ransomers are — you guessed it — ransoming. In other words, cyber crime is absolutely a growth industry.

As we cross into the second half of this year, let’s look at some of the most significant attacks so far:

• Blockchain schmockchain. Cryptocurrency exchange Crypto.com’s two-factor-identification (2FA) system was compromised as thieves made off with approximately $30 million.

• Still the one they run to. Microsoft’s ubiquity makes it a constant target. Earlier this year, the hacking collective Lapsus$ compromised Cortana and Bing, among other Microsoft products, posting source code online.

• Not necessarily the news. News Corp. journalist emails and documents were accessed at properties including the Wall Street Journal, Dow Jones and the New York Post in a hack tied to China.

• Uncharitable ways. The Red Cross was the target of an attack earlier this year, with more than half a million “highly vulnerable” records of Red Cross assistance recipients compromised.

• Victim of success. North Korea’s Lazarus Group made off with $600 million in cryptocurrencies after blockchain gaming platform Ronin relaxed some of its security protocols so its servers could better handle its growing popularity.

• We can hear you now. State-sponsored hackers in China have breached global telecom powerhouses worldwide this year, according to the U.S. Cybersecurity & Infrastructure Security Agency.

• Politics, the art of the possible. Christian crowdfunding site GiveSendGo was breached twice this year as hacktivists exposed the records of donors to Canada’s Freedom Convoy.

• Disgruntled revenge. Businesspeople everywhere were reminded of the risks associated with departing personnel when fintech powerhouse Block announced that a former employee accessed sensitive customer information, impacting eight million customers.

• Unhealthy habits. Two million sensitive customer records were exposed when hackers breached Shields Health Care’s network.

• They even stole the rewards points. General Motors revealed that hackers used a credentials stuffing attack to access personal information on an undisclosed number of car owners. They even stole gift-card-redeemable customer reward points.

For every breach or attack that generates headlines, millions of others that we never hear about put businesses at risk regularly. The Anti-Phishing Working Group just released data for the first quarter of this year, and the trend isn’t good. Recorded phishing attacks are at an all-time high (more than a million in just the first quarter) and were accelerating as the quarter closed, with March 2022 setting a new record for single-month attacks.

https://www.msspalert.com/cybersecurity-guests/the-biggest-cyberattacks-in-2022-so-far-and-its-just-the-tip-of-the-iceberg/

• Malware-as-a-Service Creating New Cyber Crime Ecosystem

This week HP released their report The Evolution of Cybercrime: Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back, exploring how cyber-criminals are increasingly operating in a quasi-professional manner, with malware and ransomware attacks being offered on a ‘software-as-a-service’ basis.

The report’s findings showed how cyber crime is being supercharged through “plug and play” malware kits that are easier than ever to launch attacks. Additionally, cyber syndicates are now collaborating with amateur attackers to target businesses, putting the online world and its users at risk.

The report’s methodology saw HP’s Wolf Security threat team work in tandem with dark-web investigation firm Forensic Pathways to scrape and analyse over 35 million cyber criminal marketplaces and forum posts between February and March 2022, with the investigation helping to gain a deeper understanding of how cyber criminals operate, gain trust, and build reputation. Its key findings include:

Malware is cheap and readily available: Over three-quarters (76%) of malware advertisements listed, and 91% of exploits (i.e. code that gives attackers control over systems by taking advantage of software bugs), retail for under $10.

Trust and reputation are ironically essential parts of cyber-criminal commerce: Over three-quarters (77%) of cyber criminal marketplaces analysed require a vendor bond – a license to sell – which can cost up to $3000.  Of these, 92% have a third-party dispute resolution service.

Popular software is giving cyber criminals a foot in the door: Kits that exploit vulnerabilities in niche systems command the highest prices (typically ranging from $1,000-$4,000), while zero day vulnerabilities are retailing at 10s of thousands of pounds on dark web markets.

https://www.infosecurity-magazine.com/news/malware-service-cybercrime/

• The Rise and Continuing Popularity of LinkedIn-Themed Phishing

Phishing emails impersonating LinkedIn continue to make the bulk of all brand phishing attempts. According to Check Point, 45% of all email phishing attempts in Q2 2022 imitated the style of communication of the professional social media platform, with the goal of directing targets to a spoofed LinkedIn login page and collecting their account credentials.

The phishers are generally trying to pique the targets’ interest with fake messages claiming that they “have appeared in X searches this week”, that a new message is waiting for them, or that another user would like to do business with them, and are obviously taking advantage of the fact that a record number of individuals are switching or are considering quitting their job and are looking for a new one.

To compare: In Q4 2021, LinkedIn-themed phishing attempts were just 8 percent of the total brand phishing attacks flagged by Check Point. Also, according to Vade Secure, in 2021 the number of LinkedIn-themed phishing pages linked from unique phishing emails was considerably lower than those impersonating other social networks (Facebook, WhatsApp).

Other brands that phishers loved to impersonate during Q2 2022 are (unsurprisingly) Microsoft (13%), DHL (12%) and Amazon (9%).

https://www.helpnetsecurity.com/2022/07/21/linkedin-phishing/

• Microsoft Teams Default Settings Leave Organisations Open to Cyber Attacks

Relying on default settings on Microsoft Teams leaves organisations and users open to threats from external domains, and misconfigurations can prove perilous to high-value targets.

Microsoft Teams has over 270 million active monthly users, with government institutions using the software in the US, UK, Netherlands, Germany, Lithuania, and other countries at varying levels.

Cyber security researchers have discovered that relying on default MS Teams settings can leave firms and high-value users vulnerable to social engineering attacks. Attackers could create group chats, masquerade as seniors within the target organisation and observe whether users are online.

Attackers could, rather convincingly, impersonate high-ranking officials and possibly strike up conversations, fooling victims into believing they’re discussing sensitive topics with a superior. Skilled attackers could do a lot of harm with this capability.

https://cybernews.com/security/microsoft-teams-settings-leave-govt-officials-open-to-cyberattacks/

• Top 10 Cyber Security Attacks of Last Decade Show What is to Come

Past is prologue, wrote William Shakespeare in his play “The Tempest,” meaning that the present can often be determined by what has come before. So it is with cyber security, serving as the basis of which is Trustwave’s “Decade Retrospective: The State of Vulnerabilities” over the last 10 years.

Threat actors frequently revisit well-known and previously patched vulnerabilities to take advantage of continuing poor cyber security hygiene. “If one does not know what has recently taken place it leaves you vulnerable to another attack,” Trustwave said in its report that identifies and examines the “watershed moments” that shaped cyber security between 2011 and 2021.

With a backdrop of the number of security incidents and vulnerabilities increasing in volume and sophistication, here are Trustwave’s top 10 network vulnerabilities in no particular order that defined the decade and “won’t be forgotten.”

• SolarWinds hack and FireEye breach, Detected: December 8, 2020 (FireEye)

• EternalBlue Exploit, Detected: April 14, 2017

• Heartbleed, Detected: March 21, 2014

• Shellshock, Remote Code Execution in BASH, Detected: September 12, 2014

• Apache Struts Remote Command Injection & Equifax Breach, Detected: March 6, 2017

• Chipocalypse, Speculative Execution Vulnerabilities Meltdown & Spectre

• BlueKeep, Remote Desktop as an Access Vector, Detected: January, 2018

• Drupalgeddon Series, CMS Vulnerabilities, Detected: January, 2018

• Microsoft Windows OLE Vulnerability, Sandworm Exploit, Detected: September 3, 2014

• Ripple20 Vulnerabilities, Growing IoT landscape, Detected: June 16, 2020

https://www.msspalert.com/cybersecurity-news/top-10-cybersecurity-attacks-of-last-decade-show-what-is-to-come-report/

• Software Supply Chain Concerns Reach C-Suite

Major supply chain attacks have had a significant impact on software security awareness and decision-making, with more investment planned for monitoring attack surfaces.

Organisations are waking up to the need to establish better software supply chain risk management policies and are taking action to address the escalating threats and vulnerabilities targeting this expanding attack surface.

These were among the findings of a CyberRisk Alliance-conducted survey of 300 respondents from both software-buying and software-producing companies.

Most survey respondents (52%) said they are "very" or "extremely" concerned about software supply chain risks, and 84% of respondents said their organisation is likely to allocate at least 5% of their AppSec budgets to manage software supply chain risk.

Software buyers are planning to invest in procurement program metrics and reporting, application pen-testing, and software build of materials (SBOM) design and implementation, according to the findings.

Meanwhile, software developers said they plan to invest in secure code review as well as SBOM design and implementation.

https://www.darkreading.com/application-security/software-supply-chain-concerns-reach-c-suite

• EU Warns of Russian Cyber Attack Spillover, Escalation Risks

The Council of the European Union (EU) said that Russian hackers and hacker groups increasingly attacking "essential" organisations worldwide could lead to spillover risks and potential escalation.

"This increase in malicious cyber activities, in the context of the war against Ukraine, creates unacceptable risks of spillover effects, misinterpretation and possible escalation," the High Representative on behalf of the EU said.

"The latest distributed denial-of-service (DDoS) attacks against several EU Member States and partners claimed by pro-Russian hacker groups are yet another example of the heightened and tense cyber threat landscape that EU and its Member States have observed."

In this context, the EU reminded Russia that all United Nations member states must adhere to the UN's Framework of responsible state behaviour in cyberspace to ensure international security and peace.

The EU urged all states to take any actions required to stop malicious cyber activities conducted from their territory.

The EU's statement follows a February joint warning from CISA and the FBI that wiper malware attacks targeting Ukraine could spill over to targets from other countries.

Google's Threat Analysis Group (TAG) said in late March that it observed phishing attacks orchestrated by the Russian COLDRIVER hacking group against NATO and European military entities.

In May, the US, UK, and EU accused Russia of coordinating a massive cyber attack that hit the KA-SAT consumer-oriented satellite broadband service in Ukraine on February 24 with AcidRain data destroying malware, approximately one hour before Russia invaded Ukraine.

A Microsoft report from June also confirms the EU's observation of an increase in Russian malicious cyber activities. The company's president said that threat groups linked to Russian intelligence agencies (including the GRU, SVR, and FSB) stepped up cyber attacks against government entities in countries allied with Ukraine after Russia's invasion.

In related news, in July 2021, President Joe Biden warned that cyber attacks leading to severe security breaches could lead to a "real shooting war," a statement issued a month after NATO said that cyber attacks could be compared to "armed attacks" in some circumstances.

https://www.bleepingcomputer.com/news/security/eu-warns-of-russian-cyberattack-spillover-escalation-risks/

• Critical Flaws in GPS Tracker Enable “Disastrous” and “Life-Threatening” Hacks

A security firm and the US government are advising the public to immediately stop using a popular GPS tracking device or to at least minimise exposure to it, citing a host of vulnerabilities that make it possible for hackers to remotely disable cars while they’re moving, track location histories, disarm alarms, and cut off fuel.

An assessment from security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that sells for about $20 and is widely available. The researchers who performed the assessment believe the same critical vulnerabilities are present in other Micodus tracker models. The China-based manufacturer says 1.5 million of its tracking devices are deployed across 420,000 customers. BitSight found the device in use in 169 countries, with customers including governments, militaries, law enforcement agencies, and aerospace, shipping, and manufacturing companies.

BitSight discovered what it said were six “severe” vulnerabilities in the device that allow for a host of possible attacks. One flaw is the use of unencrypted HTTP communications that makes it possible for remote hackers to conduct adversary-in-the-middle attacks that intercept or change requests sent between the mobile application and supporting servers. Other vulnerabilities include a flawed authentication mechanism in the mobile app that can allow attackers to access the hardcoded key for locking down the trackers and the ability to use a custom IP address that makes it possible for hackers to monitor and control all communications to and from the device.

https://arstechnica.com/information-technology/2022/07/critical-flaws-in-gps-tracker-enable-disastrous-and-life-threatening-hacks/

• Russian Hackers Behind Solarwinds Breach Continue to Scour US And European Organisations for Intel, Researchers Say

The Russian hackers behind a sweeping 2020 breach of US government networks have in recent months continued to hack US organisations to collect intelligence while also targeting an unnamed European government that is a NATO member.

The new findings show how relentless the hacking group — which US officials have linked with Russia's foreign intelligence service — is in its pursuit of intelligence held by the US and its allies, and how adept the hackers are at targeting widely used cloud-computing technologies.

The hacking efforts come as Russia's invasion of Ukraine continues to fray US-Russia relations and drive intelligence collection efforts from both governments.

In recent months, the hacking group has compromised the networks of US-based organisations that have data of interest to the Russian government.

In separate activity revealed Tuesday, US cyber security firm Palo Alto Networks said that the Russian hacking group had been using popular services like Dropbox and Google Drive to try to deliver malicious software to the embassies of an unnamed European government in Portugal and Brazil in May and June.

https://edition.cnn.com/2022/07/19/politics/russia-solarwinds-hackers/index.html

• The Next Big Security Threat Is Staring Us in The Face. Tackling It Is Going to Be Tough

If the ongoing fight against ransomware wasn't keeping security teams busy, along with the challenges of securing the ever-expanding galaxy of Internet of Things devices, or cloud computing, then there's a new challenge on the horizon – protecting against the coming wave of digital imposters or deepfakes.

A deepfake video uses artificial intelligence and deep-learning techniques to produce fake images of people or events.

One recent example is when the mayor of Berlin thought he was having an online meeting with former boxing champion and current mayor of Kyiv, Vitali Klitschko. But the mayor of Berlin grew suspicious when 'Klitschko' started saying some very out of character things relating to the invasion of Ukraine, and when the call was interrupted the mayor's office contacted the Ukrainian ambassador to Berlin – to discover that, whoever they were talking to, it wasn't the real Klitschko.

It's a sign that deepfakes are getting more advanced and quickly. Previous instances of deepfake videos that have gone viral often have tell-tale signs that something isn't real, such as unconvincing edits or odd movements, but the developments in deepfake technology mean it isn't difficult to imagine it being exploited by cyber criminals, particularly when it comes to stealing money.

While ransomware might generate more headlines, business email compromise (BEC) is the costliest form of cyber crime today. The FBI estimates that it costs businesses billions of dollars every year. The most common form of BEC attack involves cyber criminals exploiting emails, hacking into accounts belonging to bosses – or cleverly spoofing their email accounts – and asking staff to authorise large financial transactions, which can often amount to hundreds of thousands of dollars.

The emails claim that the money needs to be sent urgently, maybe as part of a secret business deal that can't be disclosed to anyone. It's a classic social-engineering trick designed to force the victim into transferring money quickly and without asking for confirmation from anyone else who could reveal it's a fake request. By the time anyone might be suspicious, the cyber criminals have taken the money, likely closed the bank account they used for the transfer – and run.

BEC attacks are successful, but many people might remain suspicious of an email from their boss that comes out the blue and they could avoid falling victim by speaking to someone to confirm that it's not real. But if cyber criminals could use a deepfake to make the request, it could be much more difficult for victims to deny the request, because they believe they're actually speaking to their boss on camera.

Many companies publicly list their board of directors and senior management on their website. Often, these high-level business executives will have spoken at events or in the media, so it's possible to find footage of them speaking. By using AI-powered deep-learning techniques, cyber criminals could exploit this public information to create a deepfake of a senior-level executive, exploit email vulnerabilities to request a video call with an employee, and then ask them to make the transaction. If the victim believes they're speaking to their CEO or boss, they're unlikely to deny the request.

https://www.zdnet.com/article/the-next-big-security-threat-is-staring-us-in-the-face-tackling-it-is-going-to-be-tough/

Threats

Ransomware

• Post-Breakup, Conti Ransomware Members Remain Dangerous (darkreading.com)

• The Kronos Ransomware Attack: What You Need to Know So Your Business Isn't Next (darkreading.com)

• New Luna ransomware encrypts Windows, Linux, and ESXi systems (bleepingcomputer.com)

• Digital security giant Entrust breached by ransomware gang (bleepingcomputer.com)

• Protecting Against Kubernetes-Borne Ransomware (darkreading.com)

• Knauf cyber attack: Black Basta ransomware gang claims responsibility (techmonitor.ai)

• New Redeemer ransomware version promoted on hacker forums (bleepingcomputer.com)

• Kaspersky report on Luna and Black Basta ransomware | Securelist

• Snowballing Ransomware Variants Highlight Growing Threat to VMware ESXi Environments (darkreading.com)

• New Cross-Platform 'Luna' Ransomware Only Offered to Russian Affiliates | SecurityWeek.Com

• Conti’s Reign of Chaos: Costa Rica in the Crosshairs | Threatpost

• Researchers uncover potential ransomware network with U.S. connections - CyberScoop

• How Conti ransomware hacked and encrypted the Costa Rican government (bleepingcomputer.com)

• A small Canadian town is being extorted by a global ransomware gang - The Verge

BEC – Business Email Compromise

• The biggest cyber-crime threat is also the one that nobody wants to talk about | ZDNet

Phishing & Email Based Attacks

• Phishing Bonanza: Social-Engineering Savvy Skyrockets as Malicious Actors Cash In (darkreading.com)

• Outlook users report suspicious activity from Microsoft IPs • The Register

• PayPal Used to Send Malicious “Double Spear” Invoices - Infosecurity Magazine

• LinkedIn remains the most impersonated brand in phishing attacks (bleepingcomputer.com)

• Google Calendar provides new way to block invitation phishing (bleepingcomputer.com)

Other Social Engineering

• Ongoing 'Roaming Mantis' Smishing Campaign Hits Over 70,000 Users in France | SecurityWeek.Com

Malware

• Hacking group '8220' grows cloud botnet to more than 30,000 hosts (bleepingcomputer.com)

• Buy ‘plug-n-play’ malware for the price of a pint of beer (computerweekly.com)

• The Market Is Teeming: Bargains on Dark Web Give Novice Cyber Criminals a Quick Start (darkreading.com)

• New ‘Lightning Framework’ Linux malware installs rootkits, backdoors (bleepingcomputer.com)

Mobile

• Google pulls malware-infected apps, 3 million users at risk • The Register

• Several New Play Store Apps Spotted Distributing Joker, Facestealer and Coper Malware (thehackernews.com)

• Roaming Mantis hits Android and iOS users in malware, phishing attacks (bleepingcomputer.com)

BYOD

• The New Weak Link in SaaS Security: Devices (thehackernews.com)

Data Breaches/Leaks

• Neopets data breach exposes personal data of 69 million members (bleepingcomputer.com)

• Verified Twitter Vulnerability Exposes Data from 5.4 Million Accounts | RestorePrivacy

• Mixed Messages as Neopets Scrambles to Respond to Mega Breach - Infosecurity Magazine

Organised Crime & Criminal Actors

• Cyber crime escalates as barriers to entry crumble | CSO Online

• Understanding the Evolution of Cyber Crime to Predict its Future | SecurityWeek.Com

• The growth in targeted, sophisticated cyber attacks troubles top FBI cyber official - CyberScoop

• 'AIG' Threat Group Launches with Unique Business Model (darkreading.com)

• US DOJ report warns of escalating cyber crime, 'blended' threats (techtarget.com)

• Chaotic LAPSUS$ Group Goes Quiet, but Threat Likely Persists (darkreading.com)

• Last member of Gozi malware troika arrives in US for criminal trial – Naked Security (sophos.com)

• Romanian hacker faces US trial over virus-for-hire service - The Verge

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• This Cloud Botnet Has Hijacked 30,000 Systems to Mine Cryptocurrencies (thehackernews.com)

• Hackers Use Evilnum Malware to Target Cryptocurrency and Commodities Platforms (thehackernews.com)

• Singapore distances itself from local crypto companies • The Register

• FBI Warns Fake Crypto Apps are Bilking Investors of Millions | Threatpost

• Ex-Coinbase manager charged in crypto insider trading case • The Register

• FBI Warns of Fake Cryptocurrency Apps Stealing Millions from Investors (thehackernews.com)

• My Big Coin founder guilty of $6m crypto-fraud • The Register

Insider Risk and Insider Threats

• Three Charged in First Crypto Insider-Trading Case- IT Security Guru

Fraud, Scams & Financial Crime

• How to identify and combat online fraud - Help Net Security

AML/CFT/Sanctions

• UK Regulator Issues Record Fines as Financial Crime Surges - Infosecurity Magazine

• Broker Fined £2m for Financial Crime Control Failings - Infosecurity Magazine

Insurance

• Graff paid a $7.5M ransom and sued its insurance firm for refusing to cover this payment - Security Affairs

• 82% of global insurers expect the rise in cyber insurance premiums to continue - Help Net Security

• Will Your Cyber Insurance Premiums Protect You in Times of War? (darkreading.com)

Dark Web

• Stolen Credentials Selling on the Dark Web for Price of a Gallon of Gas – Security Review Magazine

• The Market Is Teeming: Bargains on Dark Web Give Novice Cyber criminals a Quick Start (darkreading.com)

Supply Chain and Third Parties

• Supply chain security breaches jumped in 2021 | CSO Online

Software Supply Chain

• Improving Software Supply Chain Cyber Security (trendmicro.com)

• Why SBOMs aren't the silver bullet they're portrayed as - Help Net Security

• Breaking down CIS's new software supply chain security guidance | CSO Online

Cloud/SaaS

• 60% of IT leaders are not confident about their secure cloud access - Help Net Security

• Public Cloud Customers Admit Security Challenges - Infosecurity Magazine

• The New Weak Link in SaaS Security: Devices (thehackernews.com)

Identity and Access Management

• Authentication weakness responsible for 80% of financial breaches (scmagazine.com)

Encryption

• British recycle old arguments for bypassing E2E encryption • The Register

Open Source

• Open source security needs automation as usage climbs amongst organisations | ZDNet

• New ‘Lightning Framework’ Linux malware installs rootkits, backdoors (bleepingcomputer.com)

• The US military wants to understand the most important software on earth | MIT Technology Review

Passwords, Credential Stuffing & Brute Force Attacks

• The importance of secure passwords can't be emphasized enough - Help Net Security

• 3rd Party Services Are Falling Short on Password Security (bleepingcomputer.com)

• Okta Exposes Passwords in Clear Text for Possible Theft (darkreading.com)

• Enforcing Password History in Your Windows AD to Curb Password Reuse (bleepingcomputer.com)

Social Media

• LinkedIn remains the most impersonated brand in phishing attacks (bleepingcomputer.com)

• Hacker selling Twitter account data of 5.4 million users for $30k (bleepingcomputer.com)

• TikTok Engaging in Excessive Data Collection - Infosecurity Magazine

Privacy

• New Deanonymization Attack Works on Major Browsers, Websites | SecurityWeek.Com

Parental Controls and Child Safety

• UK cyber security chiefs back plan to scan phones for child abuse images | GCHQ | The Guardian

Regulations, Fines and Legislation

• UK Regulator Issues Record Fines as Financial Crime Surges - Infosecurity Magazine

• Legal Experts Concerned Over New UK Digital Reform Bill - Infosecurity Magazine

• Understanding Proposed SEC Rules Through an ESG Lens (darkreading.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• What NATO's virtual rapid response cyber capability means for the fight against cyber warfare - Help Net Security

• EU warns of risks of spillover effects associated with ongoing war - Security Affairs

• Continued cyber activity in Eastern Europe observed by Google’s Threat Analysis Group (TAG) (blog.google)

• US Cyber Command IDs new malware strains targeting Ukraine • The Register

• Russian hackers use fake DDoS app to infect pro-Ukrainian activists (bleepingcomputer.com)

• Experts Uncover New CloudMensis Spyware Targeting Apple macOS Users (thehackernews.com)

• Hackers attempt to infiltrate Ukrainian tech company with backdoor malware, Talos says - CyberScoop

• Will Your Cyber-Insurance Premiums Protect You in Times of War? (darkreading.com)

• Hackers Target Ukrainian Software Company Using GoMet Backdoor (thehackernews.com)

• Copycat DoS App Created by Russian Hackers to Target Ukraine - IT Security Guru

• Inside Ukraine’s Decentralized Cyber Army (vice.com)

• Albanian government websites go dark after cyber attack • The Register

• China Accuses Indian APT Group of Cyber Warfare Against Pakistan; 2nd Major Accusation After 'Evil Flower' (eurasiantimes.com)

• Mysterious, Cloud-Enabled macOS Spyware Blows Onto the Scene (darkreading.com)

• Belgium claims China-linked APT groups hit its ministries - Security Affairs

• Hacked Ukrainian Radio Stations Broadcast Fake News About President Zelensky’s Health - Infosecurity Magazine

Nation State Actors

Nation State Actors – Russia

• Google, EU Warn of Malicious Russian Cyber Activity | SecurityWeek.Com

• Russian cyber spies targeting NATO countries in new hacking campaign | Science & Tech News | Sky News

• Google warns Kremlin-backed goons pose as pro-Ukraine app • The Register

• Russia Released a Ukrainian App for Hacking Russia That Was Actually Malware (vice.com)

• Cloaked Ursa (APT29) Hackers Use Trusted Online Storage Services (paloaltonetworks.com)

• Russian SVR hackers use Google Drive, Dropbox to evade detection (bleepingcomputer.com)

• Russia, Iran discuss broad tech collaboration • The Register

• Half of Russian spies in Europe expelled since Ukraine invasion, says MI6 chief | MI6 | The Guardian

Nation State Actors – China

• Belgium says Chinese APT gangs attacked its government • The Register

• A massive cyber attack hit Albania - Security Affairs

• Government blocks Chinese tech deal on national security grounds | Business News | Sky News

Nation State Actors – North Korea

• US seizes stolen funds from suspected North Korean hackers - BBC News

Nation State Actors – Iran

• Russia, Iran discuss broad tech collaboration • The Register

Nation State Actors – Misc APT

• Unit 42 Threat Group Naming Update (paloaltonetworks.com)

Vulnerability Management

• Mind the Gap – How to Ensure Your Vulnerability Detection Methods are up to Scratch (thehackernews.com)

• Zero-day attacks climb as hackers get more sophisticated (securitybrief.com.au)

Vulnerabilities

• Chrome 103 Update Patches High-Severity Vulnerabilities | SecurityWeek.Com

• Critical Bugs Threaten to Crack Atlassian Confluence Workspaces Wide Open (darkreading.com)

• WordPress Page Builder Plug-in Under Attack, Can't Be Patched (darkreading.com)

• Apple Releases Security Patches for all Devices Fixing Dozens of New Vulnerabilities (thehackernews.com)

• SonicWall: Patch critical SQL injection bug immediately (bleepingcomputer.com)

• Cisco fixes bug that lets attackers execute commands as root (bleepingcomputer.com)

• Atlassian reveals critical flaws across its product line • The Register

• Netwrix Auditor Vulnerability Can Facilitate Attacks on Enterprises | SecurityWeek.Com

• Azure's Security Vulnerabilities Are Out of Control - Last Week in AWS Blog

• Oracle Releases 349 New Security Patches With July 2022 CPU | SecurityWeek.Com

• 0-day used to infect Chrome users could pose threat to Edge and Safari users, too | Ars Technica

• Juniper Networks Patches Over 200 Third-Party Component Vulnerabilities | SecurityWeek.Com

• Experts Notice Sudden Surge in Exploitation of WordPress Page Builder Plugin Vulnerability (thehackernews.com)

• Google Chrome Zero-Day Weaponized to Spy on Journalists (darkreading.com)

• Apple Ships Urgent Security Patches for macOS, iOS | SecurityWeek.Com

• Cisco Releases Patches for Critical Flaws Impacting Nexus Dashboard for Data Centers (thehackernews.com)

• Juniper Releases Patches for Critical Flaws in Junos OS and Contrail Networking (thehackernews.com)

• Code Execution and Other Vulnerabilities Patched in Drupal | SecurityWeek.Com

• Atlassian Rolls Out Security Patch for Critical Confluence Vulnerability (thehackernews.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

Reports Published in the Last Week

• The Evolution of Cyber Crime:  Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back - HP

• Decade Retrospective: The State of Vulnerabilities | Trustwave

Other News

• Hackers for Hire: Adversaries Employ 'Cyber Mercenaries' | Threatpost

• Companies around the globe still not implementing MFA - Help Net Security

• Global Firms Fear the Worst Over Risk Management Failures - Infosecurity Magazine

• Humans are becoming the primary security risk for organisations around the world - Help Net Security

• What threats and challenges are CISOs and CROs most focused on? - Help Net Security

• What InfoSec Pros Can Teach the Organisation About ESG (darkreading.com)

• SATAn Turns Hard Drive Cable Into Antenna To Defeat Air-Gapped Security | Hackaday

• Cyber security hiring remains red-hot—the industry to surpass $400 billion market size by 2027 | Fortune

• Lack of staff and resources drives smaller teams to outsource security - Help Net Security

• Office macro security: on-again-off-again feature now BACK ON AGAIN! – Naked Security (sophos.com)

• New Study Finds Most Enterprise Vendors Failing to Mitigate Speculative Execution Attacks (thehackernews.com)

• Analysing Penetration-Testing Tools That Threat Actors Use to Breach Systems and Steal Data (trendmicro.com)

• Removing the blind spots that allow lateral movement - Help Net Security

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive Summary

Ransomware attacks are becoming more prevalent and the costs for insurers are increasing. Traditionally, ransomware groups have encrypted an organisation’s data and demanded a ransom for the decryption key. However, in the last year, there has been a growing shift by the ransomware community towards exfiltration and then a threat to release the stolen data to extort money from their victims.. These factors have increased the financial pressure that cyber insurance companies are currently experiencing, which in turn has caused them to reconsider their obligations for settling claims. There are currently two significant court cases relating to ransomware insurance claims involving the Travelers insurance company.

The first case relates to Graff, a UK-based jeweller who paid a ransom of $7.5M to prevent the Russian-based ransomware gang Conti from releasing 69,000 confidential documents it had stolen. Graff published the following public statement regarding the dispute with their insurer: “We are extremely frustrated and disappointed by Travelers’ attempt to avoid settlement of this insured risk. They have left us with no option but to bring these recovery proceedings at the High Court.”

The second involves a filing with the US District court requesting  a declaration that Travellers insurance contract with International Control Services (ICS) is invalid due to misrepresentation of Multi-Factor Authentication (MFA) controls on the company’s  application for its cyber insurance policy. The application stated that MFA was used for administrative or privileged access. Subsequently, ICS were victim to a ransomware attack that resulted in a claim against their cyber insurance policy. As the insurer, Travelers conducted an investigation which revealed that ICS “only used MFA to protect its firewall, and did not use MFA to protect any other digital assets.”

What’s the risk to me or my business?

With the evolving threat of ransomware being ever prominent, it is critical that an organisation considers appropriate cyber controls across people, operations and technology to manage and effectively reduce its risk. Organisations often rely on cyber insurance to provide cover when these controls  fail, however insurers are now demanding more evidence of robust cyber controls as they begin to better manage their own exposure to the increasing risks.

What can I do?

Ensure that leadership have an understanding of key cyber controls and what is covered within a cyber insurance policy. When considering ransomware payments, it should be clear what the policy will cover. Any declaration of cyber security controls should be informed by an appropriate cyber security expert with knowledge of what controls the organisation has in place, to ensure that the facts are correctly represented and are less likely to be used in a misrepresentation defence.

Further information on the above cases can be found here:

• Diamonds.net - Graff Paid $7.5M to Cyber Hackers: Lawsuit

• Travelers vs. ICS: What You Need to Know About Misrepresentation and Your Cyber Insurance (itsasap.com)

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

Microsoft has released information on a new phishing campaign involving “adversary-in-the-middle” AiTM techniques, which has affected more than 10,000 organisations since September 2021. What is unique about this particular attack method is that it has the potential to bypass Multi-Factor Authentication (MFA). It is important to note that this attack does not make use of a vulnerability within MFA, and that MFA is still a key control in preventing credential compromise.

What’s the risk to me or my business?

As more organisations implement security controls such as MFA, malicious actors will be looking into possibilities of targeting these controls. This particular attack technique involves a proxy server being deployed in between the recipient and a valid targeted website. In short, a targeted user would receive a phishing email, the link to the phishing email would resolve in a valid website, with the traffic being re-directed through the server of a malicious actor. This allows the malicious actor to steal “authenticated session cookies”, after the user has logged into the valid website. The malicious actor can then use the authenticated session cookies to access the valid website with the targeted users credentials, which can then lead to further attacks such as Business Email Compromise as shown in the diagram below.

Figure 1: Overview of AiTM phishing campaign and follow-on BEC (Microsoft 365 Defender Research Team, 2022)

What can I do?

Microsoft recommends implementing conditional access policies, which can limit user access in different scenarios, such as only allowing access to trusted locations, compliant devices or trusted IP addresses. This would prevent a stolen session cookie from granting access to an account outside of these conditions. Anti-Phishing solutions can also be used to block phishing emails from arriving in end-users inboxes, however it is worth noting that these solutions may not be able to block every threat. Where possible, security monitoring should be in place to detect suspicious sign-in attempts, and unusual mailbox activities including external forwarding, rule creation and access from untrusted IP addresses or devices.

It is also critically important that technical controls such as MFA are supplemented with end-user training, including Phishing simulations as it is the primary ingress point for this type of attack.

Technical Summary

Microsoft has published a full breakdown of sample attacks that they have monitored. So far they have followed the following process:

1.       An attacker sends emails containing an HTML file attachment, stating that a voicemail has been received on their Microsoft account. This email follows the same template which is received when a user receives a voicemail via Microsoft Teams.

2.       The user clicks on the HTML attachment, which takes them to a website displaying the mp3 file being downloaded. No actual download takes place, but a progress bar is updated.

3.       The user is then re-directed to a gatekeeper, which confirms that the user has clicked on the html attachment.

4.       The user arrives at a proxied version of the Microsoft Azure Active Directory login page. It is important to note that if an organisation has customised this landing page with their corporate logo then this will also be displayed, making the website seem even more legitimate.

5.       The user enters their credentials which are then authenticated by Microsoft. If MFA is enabled, the user would be prompted for MFA at this stage.

6.       The user is re-directed to the official Microsoft 365 website, while the authenticated session cookies are captured by the attacker, also allowing them into the official Microsoft 365 website.

7.       Microsoft’s research has then shown that the stolen session is used for Business Email Compromise (BEC) attacks, targeting finance related emails within the targeted users inbox to request fraud payments. At this stage however a malicious attacker also has potential to access any 365 service which the targeted user has access to.

Appropriate conditional access controls could prevent an attacker at step 6 from using the stolen cookies to access the targeted users Microsoft 365 account.

A full breakdown of this particular phishing campaign is available here: From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud - Microsoft Security Blog

Need help understanding your gaps, or just want some advice? Get in touch with us.

References

Microsoft 365 Defender Research Team. (2022, 07 19). From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud. Retrieved from Microsoft 365 Defender Research Team Security Blog: https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/

Executive Summary

Netwrix Auditor is an application that allows an organisation to monitor their IT infrastructure. A newly discovered vulnerability could allow malicious actors to execute arbitrary code on affected servers which are running the application. This vulnerability can also allow for privilege escalation on the server as the malicious code can be executed with “System” level permissions. This software is currently in use by more than 11,000 organisations across the globe.

What’s the risk to me or my business?

Managed service providers and IT Teams use software to assist in monitoring various elements of IT Infrastructure, including Active Directory. If Netwrix Auditor is currently being used by your organisation, then this vulnerability could potentially be exploited to execute code remotely, allowing them to run malicious software to further compromise affected devices.

What can I do?

An update, version 10.5, has been released by Netwrix Auditor to address the issue, this should be applied to all current deployments of the software tool. This specific vulnerability is accessed using an exposed network port, appropriately configured external perimeter controls could be used to mitigate the risk, however the vulnerability could still be used if an attacker manages to gain access to the organisations network.

Technical Summary

This specific vulnerability relates to an unsecured .NET remoting service which can be accessed via TCP port 9004 on the server which Netwrix Auditor is installed. While this vulnerability is yet to be given an official CVE, Bishop Fox, the firm which published details on the vulnerability has rated this as Critical, since it can be executed remotely and can lead to escalation of privileges and code execution.

Further information on this particular vulnerability is available here: Netwrix Auditor Bug Threatens Active Directory Domain - Blumira

Need help understanding your gaps, or just want some advice? Get in touch with us.