Executive Summary

Unsecured Microsoft SQL servers have been identified as the target for FARGO Ransomware (aka Mallox, aka TargetCompany). This ransomware strain attempts to shut down various processes and services on affected machines before encrypting the data and supplying a ransom note, which contains a warning that data may be published on the public domain if payment is not received.

What’s the risk to me or my business?

At current the threat actors appear to be targeting vulnerable Microsoft SQL servers and gain initial access through either credential brute forcing or through known vulnerabilities that have not been patched. If the threat actor gains access to this server and successfully delivers the ransomware, then data could be encrypted and published on the public domain.

What can I do?

Ensure that leading practices are followed for securing Microsoft SQL servers, including both timely patching of security vulnerabilities when made available, and ensuring that server administrator accounts are protected with strong passwords and multi-factor authentication where available.

Technical Summary

The attack unfolds by first a threat actor having initial access to the MS-SQL process, allowing them to execute a .net file through either CMD or Powershell. This file downloads additional malware, which then generates a .BAT file that shuts down certain processes and services. The ransomware is then injected into AppLaunch.exe, which is a normal windows program. It attempts to delete a registry key, executes recovery deactivation and closes some additional processes including the MS-SQL server. This allows access to the database offline, which allows for the files to be encrypted with the .FARGO3 extension. A ransomware note named ‘RECOVERY FILES.TXT’ is then generated, detailing payment, with a warning that data will be published on the public domain if the payment is not received.

Further information on this ransomware strain is available here, including Indicators of Compromise: FARGO Ransomware (Mallox) Being Distributed to Unsecured MS-SQL Servers - ASEC BLOG (ahnlab.com)

Need help understanding your gaps, or just want some advice? Get in touch with us.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Cyber Insurers Clamp Down on Clients' Self-Attestation of Security Controls

After one company suffered a breach that could have been headed off by the MFA it claimed to have, insurers are looking to confirm claimed cyber security measures.

A voided lawsuit from a cyber insurance carrier claiming its customer misled it on its insurance application could potentially pave the way to change how underwriters evaluate self-attestation claims on insurance applications.

The case — Travelers Property Casualty Company of America v. International Control Services Inc. (ICS) — hinged on ICS claiming it had multifactor authentication (MFA) in place when the electronics manufacturer applied for a policy. In May the company experienced a ransomware attack. Forensics investigators determined there was no MFA in place, so Travelers asserted it should not be liable for the claim. The case was filed in the US District Court for the Central District of Illinois on July 6 and at the end of August, the litigants agreed to void the contract, ending ICS's efforts to have its insurer cover its losses.

This case was unusual in that Travelers maintained the misrepresentation "materially affected the acceptance of the risk and/or the hazard assumed by Travelers" in the court filing. Taking a client to court is a departure from other similar cases where an insurance company simply denied the claim.

Sean O'Brien of Yale Law School notes that security should be proactive, stopping possible breaches before they occur rather than simply responding to each successful attack. The insurance industry is likely to become more and more pernickety as cyber security claims rise, defending their bottom line and avoiding reimbursement wherever possible. This has always been the role of insurance adjusters, of course, and their business is in many ways adversarial to your organisation's interests after the dust settles from a cyber attack.

That said, organisations should not expect a payout for poor cyber security policies and practices, he notes.

https://www.darkreading.com/edge/cyber-insurers-clamp-down-on-clients-self-attestation-of-security-controls

• Survey Shows CISOs Losing Confidence in Ability to Stop Ransomware Attacks

Despite an 86% surge in budget resources to defend against ransomware, 90% of organisations were impacted by attacks last year, a survey reveals.

An annual survey of CISOs from Canada, the UK, and US reveals that security teams are starting to lose hope that they can defend against the next ransomware attack. The survey was conducted by SpyCloud, and it showed that although budgets to protect against cyber attacks have swelled by 86%, a full 90% of organisations surveyed said they had been impacted by a ransomware over the past year.

More organisations have implemented 'Plan B' measures this year, from opening cryptocurrency accounts to purchasing ransomware insurance. These findings suggest that organisations realise threats are slipping through their defences and a ransomware attack is inevitable.

The survey did show some bright spots on the cyber security front — nearly three-quarters of those organisations surveyed are using multifactor authentication (MFA), with an increase from 44% to 73% year-over-year. The report added that respondents said they are focused on stopping credential-stealing malware, particularly on unmanaged network devices.

https://www.darkreading.com/application-security/survey-cisos-losing-confidence-stop-ransomware-attacks

• MFA Fatigue: Hackers’ New Favourite Tactic in High-Profile Breaches

Hackers are more frequently using social engineering attacks to gain access to corporate credentials and breach large networks. One component of these attacks that is becoming more popular with the rise of multi-factor authentication is a technique called MFA Fatigue.

When breaching corporate networks, hackers commonly use stolen employee login credentials to access VPNs and the internal network. The reality is that obtaining corporate credentials is far from difficult for threat actors, who can use various methods, including phishing attacks, malware, leaked credentials from data breaches, or purchasing them on dark web marketplaces.

To counter this, enterprises have increasingly adopted multi-factor authentication to prevent users from logging into a network without first entering an additional form of verification. This additional information can be a one-time passcode, a prompt asking you to verify the login attempt, or the use of hardware security keys.

While threat actors can use numerous methods to bypass multi-factor authentication, most revolve around stealing cookies through malware or man-in-the-middle phishing attack frameworks. However, a social engineering technique called 'MFA Fatigue' is growing more popular with threat actors as it does not require malware or phishing infrastructure and has proven to be successful in attacks.

An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account's owner's mobile device. The goal is to keep this up, day and night, to break down the target's cyber security posture and inflict a sense of "fatigue" regarding these MFA prompts.

https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/

• Credential Stuffing Accounts for One-third Of Global Login Attempts

Okta’s global State of Secure Identity Report has found that credential stuffing is the top threat against customer accounts, outpacing legitimate login traffic in some countries. The report presents trends, examples and observations unearthed from the billions of authentications on Okta’s Auth0 platform.

Credential stuffing is when attacks take advantage of the practice of password reuse. It begins with a stolen login or password pair, then threat actors use these credentials across other common sites, using automated tooling used to “stuff” credential pairs into login forms. When an account holder reuses the same (or similar) passwords on multiple sites, it creates a domino effect in which a single credential pair can be used to breach multiple applications.

Across all industries globally, Okta found there were almost 10 billion credential stuffing attempts in the first 90 days of 2022, which amounts to 34% of authentication traffic.

https://informationsecuritybuzz.com/study-research/credential-stuffing-accounts-for-one-third-of-global-login-attempts-okta-finds/

• Ransomware Operators Might Be Dropping File Encryption in Favour of Corrupting Files

Corrupting files is faster, cheaper, and less likely to be stopped by endpoint protection tools than encrypting them.

A recent attack that involved a threat actor believed to be an affiliate of the BlackCat/ALPHV ransomware-as-a-service (RaaS) operation was found to use a data exfiltration tool dubbed Exmatter. Exmatter is a tool that allows attackers to scan the victim computer's drives for files with certain extensions and then upload them to an attacker-controlled server in a unique directory created for every victim. The tool supports several exfiltration methods including FTP, SFTP, and webDAV.

The way the Eraser function works is that it loads two random files from the list into memory and then copies a random chunk from the second file to the beginning of the first file overwriting its original contents. This doesn't technically erase the file but rather corrupts it. The researchers believe this feature is still being developed because the command that calls the Eraser function is not yet fully implemented and the function’s code still has some inefficiencies. Since the selected data chunk is random, it can sometimes be very small, which makes some files more recoverable than others.

Why destroy files by overwriting them with random data instead of deploying ransomware to encrypt them? At a first glance these seem like similar file manipulation operations. Encrypting a file involves overwriting it, one block at a time, with random-looking data (the ciphertext). However, there are ways to detect these encryption operations when done in great succession and many endpoint security programs can now detect when a process exhibits this behaviour and can stop it. Meanwhile, the kind of file overwriting that Exmatter does is much more subtle.

The act of using legitimate file data from the victim machine to corrupt other files may be a technique to avoid heuristic-based detection for ransomware and wipers, as copying file data from one file to another is much more plausibly benign functionality compared to sequentially overwriting files with random data or encrypting them.

Another reason is that encrypting files is a more intensive task that takes a longer time. It's also much harder and costly to implement file encryption programs, which ransomware essentially are, without bugs or flaws that researchers could exploit to reverse the encryption. There have been many cases over the years where researchers found weaknesses in ransomware encryption implementations and were able to release decryptors. This has happened to BlackMatter, the Ransomwware-as-a-Service (RaaS) operation with which the Exmatter tool has been originally associated.

With data exfiltration now the norm among threat actors, developing stable, secure, and fast ransomware to encrypt files is a redundant and costly endeavour compared to corrupting files and using the exfiltrated copies as the means of data recovery.

It remains to be seen if this is the start of a trend where ransomware affiliates switch to data destruction instead of encryption, ensuring the only copy is in their possession, or if it's just an isolated incident where BlackMatter/BlackCat affiliates want to avoid mistakes of the past. However, data theft and extortion attacks that involve destruction are not new and have been widespread in the cloud database space. Attackers have hit unprotected S3 buckets, MongoDB databases, Redis instances, and ElasticSearch indexes for years, deleting their contents and leaving behind ransom notes so it wouldn't be a surprise to see this move to on-premises systems as well.

https://www.csoonline.com/article/3674848/ransomware-operators-might-be-dropping-file-encryption-in-favor-of-corrupting-files.html#tk.rss_news

• Revolut Hack Exposes Data Of 50,000 Users, Fuels New Phishing Wave

Revolut has suffered a cyber attack that gave an unauthorised third party access to personal information of tens of thousands of clients. The incident occurred over a week ago, on Sunday night, and has been described as "highly targeted."

Founded in 2015, Revolut is a financial technology company that has seen a rapid growth, now offering banking, money management, and investment services to customers all over the world. In a statement a company spokesperson said that an unauthorised party had access "for a short period of time" to details of only a 0.16% of its customers.

"We immediately identified and isolated the attack to effectively limit its impact and have contacted those customers affected. Customers who have not received an email have not been impacted" , Revolut said.

According to the breach disclosure to the State Data Protection Inspectorate in Lithuania, where Revolut has a banking license, 50,150 customers have been impacted. Based on the information from Revolut, the agency said that the number of affected customers in the European Economic Area is 20,687, and just 379 Lithuanian citizens are potentially impacted by this incident.

Details on how the threat actor gained access to the database have not been disclosed but it appears that the attacker relied on social engineering. The Lithuanian data protection agency notes that the likely exposed information includes:

• Email addresses

• Full names

• Postal addresses

• Phone numbers

• Limited payment card data

• Account data

However, in a message to an affected customer, Revolut says that the type of compromised personal data varies for different customers. Card details, PINs, or passwords were not accessed.

https://www.bleepingcomputer.com/news/security/revolut-hack-exposes-data-of-50-000-users-fuels-new-phishing-wave/

• Researchers Say Insider Threats Play a Larger Role In Security Incidents

Insider threats are becoming an increasingly common part of the attack chain, with malicious insiders and unwitting assets playing critical roles in incidents over the past year, according to Cisco Talos research.

In a blog post, Cisco Talos researchers said organisations can mitigate these types of risks via education, user-access control, and ensuring proper processes and procedures are in place when and if employees leave the organisation.

There are a variety of reasons a user may choose to become a malicious insider, and unfortunately many of them are occurring today. The most obvious being financial distress, where a user has a lot of debt and selling the ability to infect their employer can be a tempting avenue. There have been examples of users trying to sell access into employer networks for more than a decade, having spotted them on dark web forums. The current climate, with the economy tilting toward recession, is ripe for this type of abuse.

The cyber crime underground remains a hot spot for insider threat recruitment efforts because of the relative anonymity, accessibility, and low barrier of entry it affords. Malicious actors use forums and instant messaging platforms to advertise their insider services or, vice versa, to recruit accomplices for specific schemes that require insider access or knowledge.

By far, the most popular motivation for insider threats is financial gain. There are plenty of examples of financially-motivated threat actors seeking employees at companies to provide data and access to sell in the underground or leverage against the organisation or its customers. There have also been instances where individuals turn to underground forums and instant messaging platforms claiming to be employees at notable organisations to sell company information.

https://www.scmagazine.com/analysis/insider-threat/researchers-say-insider-threats-play-a-larger-role-in-security-incidents

• SMBs vs. Large Enterprises: Not All Compromises Are Created Equal

Attackers view smaller organisations as having fewer security protocols in place, therefore requiring less effort to compromise. Lumu has found that compromise is significantly different for small businesses than for medium-sized and large enterprises.

There is no silver bullet for organisations to protect themselves from compromise, but there are critical steps to take to understand your potential exposure and make sure that your cyber security protocols are aligned accordingly.

Compromise often stay undetected for long periods of time – 201 days on average with compromise detection and containment taking approximately 271 days. It’s critical for smaller businesses to know they are more susceptible and to get ahead of the curve with safeguards.

Results from the Lumu Ransomware Assessment show a few reasons why attacks continue to stay undetected for such long periods of time:

·       58% of organisations aren’t monitoring roaming devices, which is concerning with a workforce that has embraced remote working

·       72% of organisations either don’t or only partially monitor the use of network resources and traffic, which is problematic given that most compromises tend to originate from within the network

·       Crypto-mining doesn’t appear to be a concern for the majority of organisations as 76% either do not know or only partially know how to identify it; however, this is a commonly used technique for cyber criminals

Additionally, threat data unveils attack techniques used and how they vary based on the size of the organisation.

Small businesses are primarily targeted by malware attacks (60%) and are also at greater risk of Malware, Command and Control, and Crypto-Mining. Medium-sized businesses and large enterprises don’t see as much malware and are more susceptible to Domain Generated Algorithms (DGA). This type of attack allows adversaries to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains.

https://www.helpnetsecurity.com/2022/09/22/smaller-organizations-security-protocols/

• Cyber Attack Costs for Businesses up by 80%

In seven out of eight countries, cyber attacks are now seen as the biggest risk to business — outranking COVID-19, economic turmoil, skills shortages, and other issues. The "Hiscox Cyber Readiness Report 2022," which assesses how prepared businesses are to fight back against cyber incidents and breaches, polled more than 5,000 corporate cyber security professionals in the US, UK, Belgium, France, Germany, Ireland, Spain, and the Netherlands. These experts had some enlightening things to say.

According to the report, IT pros are more worried about cyber attacks (46%) than the pandemic (43%) or skills shortages (38%). And the data prove it. The survey indicates that in the past 12 months, US businesses weathered a 7% increase in cyber attacks. Approximately half of all US businesses (47%) suffered an attack in the past year.

Remote work has caused many smaller organisations to use cloud solutions instead of utilizing in-house IT services. However, with more cloud applications and APIs in use, the attack surface has broadened, too, making these organisations more vulnerable to cyber crime.

Although the proportion of staff working remotely almost halved in the past year — from 62% of the workforce in 2021 to 39% in 2022 — overall IT expenditures doubled, from $11.5 million in 2021 to $24.2 million this year. "Despite 61% of survey respondents now being back in the office, businesses are still experiencing a hangover from the pandemic," Hiscox said in a statement. "Remote working provided a year-long Christmas for cyber criminals, and we can see the results of their cyber-feast in the increased frequency and cost of attacks. As we move into a new era of hybrid working, we all have an increased responsibility to continue learning, and managing our own cyber security."

It may come as no surprise that as more organisations evolve and scale their digital business models, the median cost of an attack has surged — from $10,000 last year to $18,000 in 2022. The US is bearing the brunt of generally higher cyber attack costs, with 40% of attack victims incurring costs of $25,000 or higher. The most common vulnerability — i.e., the entry point for cyber criminals — was a cloud-based corporate server.

However, in terms of attack costs, the report reveals major regional disparities. While one organisation in the UK suffered total attack costs of $6.7 million, the hardest-hit firms in Germany, Ireland, and the Netherlands paid out more than $5 million. In turn, Belgium, France, Germany, and Spain all experienced stable or lower median costs.

https://www.darkreading.com/attacks-breaches/cyberattack-costs-for-us-businesses-up-by-80-

• Morgan Stanley Fined $35m By SEC For Data Security Lapse, Sold Devices Full of Customer PII

American financial services giant Morgan Stanley agreed to pay the Securities and Exchange Commission (SEC) a $35m penalty on Tuesday over data security lapses.

According to the SEC's complaint, the firm would have allowed roughly 1000 unencrypted hard drives (HDDs) and about 8000 backup tapes from decommissioned data centres to be resold on auction sites without first being wiped.

The improper disposal of the devices reportedly started in 2016 and per the SEC complaint, was part of an "extensive failure" that exposed 15 million customers' data.

In fact, instead of destroying the hard drives or employing an internal IT team to erase them, Morgan Stanley would have contracted an unnamed third–party moving company with allegedly no experience in decommissioning storage media to take care of the hardware.

The moving company initially subcontracted an IT firm to wipe the drives, but their business relationship went sour, so the mover started selling the storage devices to another firm that auctioned them online without erasing them.

"This is an astonishing security mistake by one of the world's most prestigious banks, who would be expected to have well–established procedures in system life cycle management," Jordan Schroeder, managing CISO at Barrier Networks, told Infosecurity Magazine.

"Not only does the situation mean that the bank put customer data at risk, but it also demonstrates the organisation was not following an expected policy which explained the secure disposing of IT equipment."

https://www.infosecurity-magazine.com/news/morgan-stanley-pay-dollar35m-sec/

• Eyeglass Reflections Can Leak Information During Video Calls

A group of academic researchers have devised a method of reconstructing text exposed via participants’ eyeglasses and other reflective objects during video conferences.

Zoom and other video conferencing tools, which have been widely adopted over the past couple of years as a result of the Covid-19 pandemic, may be used by attackers to leak information unintentionally reflected in objects such as eyeglasses, the researchers say.

Using mathematical modelling and human subjects experiments, this research explores the extent to which emerging webcams might leak recognizable textual and graphical information gleaming from eyeglass reflections captured by webcams.

Dubbed ‘webcam peeking attack’, a threat model devised by academics shows that it is possible to obtain an accuracy of over 75% when reconstructing and recognizing text with heights as small as 10 mm, captured by a 720p webcam.

According to the academics, attackers can also rely on webcam peeking to identify the websites that the victims are using. Moreover, they believe that 4k webcams will allow attackers to easily reconstruct most header texts on popular websites.

To mitigate the risk posed by webcam peeking attacks, the researchers propose both near- and long-term mitigations, including the use of software that can blur the eyeglass areas of the video stream. Some video conferencing solutions already offer blurring capabilities, albeit not fine-tuned.

https://www.securityweek.com/eyeglass-reflections-can-leak-information-during-video-calls

• Uber Says It Was Likely Hacked by Teenage Hacker Gang LAPSUS$

Uber has published additional information about how it was hacked, claiming that it was targeted by LAPSUS$, a cyber criminal gang with a hefty track record that is thought to be composed largely of teenagers.

Last week, someone broke into Uber’s network and used the access to cause all sorts of chaos. The culprit, who claims to be 18 years old, managed to spam company staff with vulgar Slack messages, post a picture of a penis on the company’s internal websites, and leak images of Uber’s internal environment to the web. Now, the ride-share giant has released a statement providing details on its ordeal.

In its update, the company has clarified how it was hacked, largely confirming an account made by the hacker themself. Uber says that the hacker exploited the login credentials of a company contractor to initially gain access to the network. The hacker may have originally bought access to those credentials via the dark web, Uber says. The hacker then used them to make multiple login attempts to the contractor’s account. The login attempts prompted a slew of multi-factor authentication requests for the contractor, who ultimately authenticated one of them. The hacker has previously claimed that it conducted a social engineering scheme to convince the contractor to authenticate the login attempt.

Security experts have called this an “MFA fatigue” attack. This increasingly common intrusion tactic seeks to overwhelm a victim with authentication push requests until they validate the hacker’s illegitimate login attempt.

Most interestingly, Uber has also claimed that whoever was behind this hacking episode is affiliated with the cyber crime gang “LAPSUS$.” It’s not totally clear how Uber knows that.

https://gizmodo.com/uber-says-it-was-hacked-by-teenage-hacker-gang-lapsus-1849554679

Threats

Ransomware and Extortion

• Microsoft Issues Out-of-Band Patch for Flaw Allowing Lateral Movement, Ransomware Attacks | SecurityWeek.Com

• Microsoft SQL servers hacked in TargetCompany ransomware attacks (bleepingcomputer.com)

• BlackCat ransomware’s data exfiltration tool gets an upgrade (bleepingcomputer.com)

• SpyCloud Report: 90% of Companies Affected by Ransomware in 2022 - MSSP Alert

• Netflix-style Ransomware Makes Your Organisation’s Data The Prize In A (informationsecuritybuzz.com)

• Ransomware: The Latest Chapter (darkreading.com)

• How to Dodge New Ransomware Tactics (darkreading.com)

• Colonial Pipeline hackers add startling new capabilities to ransomware operation - The Record by Recorded Future

• LockBit ransomware builder leaked online by “angry developer” (bleepingcomputer.com)

• How to Prevent Ransomware as a Service (RaaS) Attacks (trendmicro.com)

• The Risk of Ransomware Supply Chain Attacks (trendmicro.com)

• Europol and Bitdefender Release Free Decryptor for LockerGoga Ransomware (thehackernews.com)

• Bosnia and Herzegovina investigating alleged ransomware attack on parliament - The Record by Recorded Future

• Vice Society Demands Ransom From LAUSD Two Weeks After Hack (gizmodo.com)

Phishing & Email Based Attacks

• Microsoft: Exchange servers hacked via OAuth apps for phishing (bleepingcomputer.com)

• LinkedIn Smart Links abused in evasive email phishing attacks (bleepingcomputer.com)

• BBC Warns Of Cost-of-living Phishing, Expert Weighs In (informationsecuritybuzz.com)

• Microsoft 365 phishing attacks impersonate US govt agencies (bleepingcomputer.com)

• How DKIM records reduce email spoofing, phishing and spam (techtarget.com)

• Security alert: new phishing campaign targets GitHub users | The GitHub Blog

• American Airlines learned it was breached from phishing targets (bleepingcomputer.com)

• Email-based threats: A pain point for organisations - Help Net Security

Other Social Engineering; Smishing, Vishing, etc

• Energy bill rebate scams spread via SMS and email • Graham Cluley

Malware

• IT giants warn of ongoing Chromeloader malware campaigns - Security Affairs

• SEO poisoning campaign directs search engine visitors from multiple industries to JavaScript malware | CSO Online

• Fake sites fool Zoom users into downloading deadly code • The Register

• Malicious NPM package discovered in supply chain attack (techtarget.com)

• How botnet attacks work and how to defend against them (bleepingcomputer.com)

Mobile

• This dangerous Android spyware could affect millions of devices | TechRadar

• Banking Users Faced With Rewards Phishing Scam - IT Security Guru

• Malicious Apps With Millions of Downloads Found in Apple App Store, Google Play (darkreading.com)

• Don't Wait for a Mobile WannaCry (darkreading.com)

Data Breaches/Leaks

• Cyber Attack Steals Passenger Data From Portuguese Airline | SecurityWeek.Com

• American Airlines discloses data breach after employee email compromise (bleepingcomputer.com)

• Significant cyber attack hits Australian telco Optus • The Register

Organised Crime & Criminal Actors

• London Police Arrested 17-Year-Old Hacker Suspected of Uber and GTA 6 Breaches (thehackernews.com)

• Cyber Mercenary Group Void Balaur Continues Hack-For-Hire Campaigns - Infosecurity Magazine (infosecurity-magazine.com)

• Ukraine dismantles hacker gang that stole 30 million accounts (bleepingcomputer.com)

• The Deep Roots of Nigeria’s Cyber Security Problem | WIRED

• Cambodian authorities crack down on cyber slavery • The Register

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Cryptocurrency world's Wintermute loses $160m in cyber-heist • The Register

• South Korean prosecutors ask Interpol to issue red notice for Do Kwon | Financial Times (ft.com)

• "Fake crypto millionaire" charged with alleged $1.7M cryptomining scam (bitdefender.com)

Insider Risk and Insider Threats

• Risk management focus shifts from external to internal exposure - Help Net Security

Fraud, Scams & Financial Crime

• Authorized Push Payment Surges to 75% of Banking Fraud - Infosecurity Magazine (infosecurity-magazine.com)

• Multi-million dollar credit card fraud operation uncovered (bleepingcomputer.com)

• Microsoft Warns of Large-Scale Click Fraud Campaign Targeting Gamers (thehackernews.com)

• The impact of location-based fraud - Help Net Security

• How does identity crime affect victims? - Help Net Security

• Two-Fifths of US Consumers Suffer Personal Data Theft - Infosecurity Magazine (infosecurity-magazine.com)

• Cyber crime cost American seniors $3 billion last year, a 62% jump (usatoday.com)

Insurance

• Cyber Security Insurance Trends: Key Takeaways for MSPs - MSSP Alert

• D&O insurance not yet a priority despite criminal trial of Uber’s former CISO | CSO Online

Supply Chain and Third Parties

• The Risk of Ransomware Supply Chain Attacks (trendmicro.com)

Denial of Service DoS/DDoS

• DDoS and bot attacks in 2022: Business sectors at risk and how to defend (bleepingcomputer.com)

• Record DDoS Attack with 25.3 Billion Requests Abused HTTP/2 Multiplexing (thehackernews.com)

• Imperva mitigated long-lasting, 25.3 billion request DDoS attack (bleepingcomputer.com)

Cloud/SaaS

• Mitigating Risk and Communicating Value in Multicloud Environments (darkreading.com)

• How to keep public cloud data secure - Help Net Security

Encryption

• Quantum Computing Already Putting Data at Risk, Cyber Pros Agree - Infosecurity Magazine (infosecurity-magazine.com)

API

• What could be the cause of growing API security incidents? - Help Net Security

Open Source

• Open-source software usage slowing down for fear of vulnerabilities, exposures, or risks - Help Net Security

• Open Source Repository Attacks Soar 700% in Three Years - Infosecurity Magazine (infosecurity-magazine.com)

• Neglecting Open Source Developers Puts the Internet at Risk (darkreading.com)

• 350K Open-Source Projects At Risk of Supply Chain Vulnerability - Infosecurity Magazine (infosecurity-magazine.com)

Privacy, Surveillance and Mass Monitoring

• Pressure mounts against Europol over data privacy • The Register

• San Francisco cops can use private cameras for surveillance • The Register

• Revealed: US Military Bought Mass Monitoring Tool That Includes Internet Browsing, Email Data (vice.com)

Parental Controls and Child Safety

• Child Predators Use Amazon’s Twitch to Systematically Track Kids Who Stream (bloomberg.com)

Regulations, Fines and Legislation

• 5 Data Privacy Laws That Could Affect Your Business (informationsecuritybuzz.com)

• France and Germany fall foul of EU data retention rules • The Register

• Morgan Stanley fined millions for selling off devices full of customer PII – Naked Security (sophos.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Russia Makes Veiled Threat to Destroy SpaceX's Starlink (pcmag.com)

• Researchers Uncover New Metador APT Targeting Telcos, ISPs, and Universities (thehackernews.com)

• Russian Sandworm hackers pose as Ukrainian telcos to drop malware (bleepingcomputer.com)

• Anonymous claims hacked website of Russian Ministry of Defence - Security Affairs

• Pro-Ukraine Hacktivists Claim to Have Hacked Notorious Russian Mercenary Group (vice.com)

• European Spyware Investigators Criticize Israel and Poland | SecurityWeek.Com

• Hackathon finds dozens of Ukrainian refugees trafficked online | Ars Technica

• Researchers Uncover Mysterious 'Metador' Cyber-Espionage Group (darkreading.com)

• This dangerous Android spyware could affect millions of devices | TechRadar

Nation State Actors

Nation State Actors – Russia

• Inside Russia’s Vast Surveillance State: ‘They Are Watching’ - The New York Times (nytimes.com)

• Russian Cyberspies Targeting Ukraine Pose as Telecoms Providers | SecurityWeek.Com

Nation State Actors – China

• USA labels two more Chinese carriers national security risks • The Register

Nation State Actors – Iran

• FBI: Iranian hackers lurked in Albania’s govt network for 14 months (bleepingcomputer.com)

• Whatsapp and Instagram restricted in Iran • The Register

• International Law Enforcement Warns of Iran-backed Hacking Crews Targeting Critical Infrastructure - MSSP Alert

• NATO's Team in Albania to Help on Iran-Alleged Cyber Attack | SecurityWeek.Com

Nation State Actors – Misc

• Feds Sound Alarm on Rising OT/ICS Threats From APT Groups (darkreading.com)

• Researchers Uncover New Metador APT Targeting Telcos, ISPs, and Universities (thehackernews.com)

Vulnerability Management

• Vulnerability Management Fatigue Fuelled by Non-Exploitable Bugs | SecurityWeek.Com

Vulnerabilities

• Microsoft Issues Out-of-Band Patch for Flaw Allowing Lateral Movement, Ransomware Attacks | SecurityWeek.Com

• New Firmware Vulnerabilities Affecting Millions of Devices Allow Persistent Access | SecurityWeek.Com

• Hackers Actively Exploiting New Sophos Firewall RCE Vulnerability (thehackernews.com)

• CISA adds Zoho ManageEngine flaw to its Known Exploited Vulnerabilities Catalogue - Security Affairs

• AttachMe: a critical flaw affects Oracle Cloud Infrastructure (OCI) - Security Affairs

• Atlassian Confluence bug CVE-2022-26134 exploited in cryptocurrency mining campaign - Security Affairs

• BIND Updates Patch High-Severity Vulnerabilities | SecurityWeek.Com

• 15-year-old Python flaw found in 'over 350,000' projects • The Register

• CISA warns of critical ManageEngine RCE bug used in attacks (bleepingcomputer.com)

• Critical Magento vulnerability targeted in new surge of attacks (bleepingcomputer.com)

Reports Published in the Last Week

• VMware Global Incident Response Report 2022

• 2022 Ransomware Defence Report | SpyCloud

• Hiscox Cyber Readiness Report 2022 | Hiscox Group

Other News

• How Organisational Structure, Personalities and Politics Can Get in the Way of Security | SecurityWeek.Com

• Why Even Big Tech Companies Keep Getting Hacked—and What They Plan to Do About It - WSJ

• 20/20 visibility is paramount to network security - Help Net Security

• Domain shadowing becoming more popular among cyber criminals (bleepingcomputer.com)

• Multi-factor authentication fatigue attacks are on the rise: How to defend against them | CSO Online

• Uber Is Hiring For Over 80 Cyber Security Jobs After Being Hacked Last Week (informationsecuritybuzz.com)

• What's behind the different names for cyber hacker groups (axios.com)

• IT services group Wipro fires 300 employees moonlighting for competitors | TechCrunch

• Microsoft Teams' GIFShell Attack: What Is It and How You Can Protect Yourself from It (thehackernews.com)

• How can organisations benefit from full-stack observability? - Help Net Security

• Quantifying ROI in Cyber Security Spend | SecurityWeek.Com

• Firing Your Entire Cyber Security Team? Are You Sure? (thehackernews.com)

• Cyber criminals launching more MFA bypass attacks (techtarget.com)

• Microsoft (MSFT) Says Managers Shouldn’t Spy on Staff to Ensure They’re Working - Bloomberg

• A third of enterprises globally don’t prioritize digital trust: ISACA | CSO Online

• Slack’s and Teams’ Lax App Security Raises Alarms | WIRED

• How Malware Hides in Images and What You Can Do About It (gizmodo.com)

• International cooperation is key to fighting threat actors and cyber crime | CSO Online

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• CFOs’ Overconfidence in Cyber Security Can Cost Millions

Kroll announced its report entitled ‘Cyber Risk and CFOs: Over-Confidence is Costly’ which found chief financial officers (CFOs) to be woefully in the dark regarding cyber security, despite confidence in their company’s ability to respond to an incident.

The report, conducted by StudioID of Industry Dive, exposed three key themes among the 180 senior finance executives surveyed worldwide:

1. Ignorance is bliss. Eighty-seven percent of CFOs are either very or extremely confident in their organisation’s cyber attack response. This is at odds with the level of visibility CFOs have into cyber risk issues, given only four out of 10 surveyed have regular briefings with their cyber teams.

2. Wide-ranging damages. 71% of the represented organisations suffered more than $5 million in financial losses stemming from cyber incidents in the previous 18 months, and 61% had suffered at least three significant cyber incidents in that time. Eighty-two percent of the executives in the survey said their companies suffered a loss of 5% or more in their valuations following their largest cyber security incident in the previous 18 months.

3. Increasing investment in cyber security. Forty-five percent of respondents plan to increase the percentage of their overall IT budget dedicated to information security by at least 10%.

According to Kroll: “We often see that CFOs are not aware enough of the financial risk presented by cyber threats until they face an incident. At that point, it’s clear that they need to be involved not only in the recovery, including permitting access to emergency funds and procuring third-party suppliers, but also in the strategy and investment around cyber both pre- and post-incident.”

“Ultimately, cyber attacks represent a financial risk to the business, and incidents can have a significant impact on value. It is, therefore, critical that this is included in wider business risk considerations. A CFO and CISO should work side-by-side, helping the business navigate the operational and financial risk of cyber.”

https://www.helpnetsecurity.com/2022/09/14/cfos-cybersecurity-confidence/

• Cyber Security Outflanks Inflation, Talent, Logistics in Business Worries

Nearly six in 10 IT leaders in a new study view cyber security as their top business concern, ranking it higher than inflation, retaining talent and supply chain/logistics management.

Less than half of respondents (43%) believe their critical data and assets are protected from cyber threats despite increased cyber security investments by their organisations, greater board visibility and increased collaboration between the security team and the C-suite, Rackspace said in its new survey of 1,420 IT professionals worldwide.

The multi-cloud technology services specialist said that a “large majority” of the survey respondents report being either unprepared or only “somewhat prepared” to respond to major threats, such as identifying and mitigating threats and areas of concern (62%), recovering from cyber attacks (61%) or preventing lapses and breaches (63%).

Cloud native security is where organisations are most likely to rely on an outside partner, such as a managed security service provider, for expertise.

Here are more of the survey’s findings:

• The top three cyber security challenges their organisation is facing: migrating and operating apps (45%); shortage of workers with cyber security skills (39%); lack of visibility of vulnerabilities across all infrastructure (38%).

• 70% of survey respondents report that their cyber security budgets have increased over the past three years.

• The leading recipients of new investment are cloud native security (59%); data security (50%), consultative security services (44%); and application security (41%).

• Investments align closely with the areas where organisations perceive their greatest concentration of threats, led by network security (58%), closely followed by web application attacks (53%) and cloud architecture attacks (50%).

• 70% of respondents said there has been an increase in board visibility for cyber security over the past five years, while 69% cite better collaboration between the security team and members of the C-suite.

• Only 13% of respondents said there were significant communications gaps between the security team and C-suite, while 69% of IT executives view their counterparts in the C-suite as advocates for their concerns.

The authors stated “We are seeing a major shift in how organisations are allocating resources to address cyber threats, even as budgets increase. The cloud brings with it a new array of security challenges that require new expertise, and often reliance on external partners who can help implement cloud native security tools, automate security, provide cloud native application protection, offer container security solutions and other capabilities”.

https://www.msspalert.com/cybersecurity-research/cybersecurity-outflanks-inflation-talent-logistics-in-business-worries-rackspace-research/

• Attackers Can Compromise Most Cloud Data in Just 3 Steps

An analysis of cloud services finds that known vulnerabilities typically open the door for attackers, while insecure cloud architectures allow them to gain access to the crown jewels.

Companies and their cloud providers often leave vulnerabilities open in their system and services, gifting attackers with an easy path to gain access to critical data.

According to an Orca Security analysis of data collected from major cloud services, attackers only need on average three steps to gain access to sensitive data, the so-called "crown jewels," starting most often — in 78% of cases — with the exploitation of a known vulnerability.

While much of the security discussion has focused on the misconfigurations of cloud resources by companies, cloud providers have often been slow to plug vulnerabilities.

The key is to fix the root causes, which is the initial vector, and to increase the number of steps that they attacker needs to take. Proper security controls can make sure that even if there is an initial attack vector, you are still not able to reach the crown jewels.

The report analysed data from Orca's security research team using data from a "billions of cloud assets on AWS, Azure, and Google Cloud," which the company's customers regularly scan. The data included cloud workload and configuration data, environment data, and information on assets collected in the first half of 2022.

https://www.darkreading.com/cloud/cyberattackers-compromise-most-cloud-data-3-steps

• Cyber Insurance Premiums Soar 80% As Claims Surge

Cyber insurance premiums have soared in the past year as claims surged in response to a rise in damaging attacks by hackers.

The cost of taking out cyber cover had doubled on average every year for the past three years, said global insurance broker Marsh. Honan Group, another broker, pointed to an 80 per cent rise in premiums in the past 12 months, following a 20 per cent increase in the cost of cover in each of the previous two years.

Brokers are calling cyber “the new D&O”, referring to sharp rises in directors and officers insurance premiums since 2018. Brokers were hopeful premiums would ease, but have warned insurers would continue to demand companies prove they had strong security systems and policies in place before agreeing to sell them insurance.

There’ll be a number of insurance companies that won’t even look at a business that doesn’t have a bunch of security measures in place. They’ll just turn around and say, ‘we’re not going to insure you’. The chief reason for the price rises is the increase in the number and size of claims relating to ransomware, where criminals use malicious software to block access to an organisation’s computer system until a sum of money is paid. In addition, some insurers left the market, while remaining players attempted to recoup the cost of under-priced contracts written in previous years.

The rise in the premiums is mainly due to ransomware and cyber attacks across the board have risen sharply over the past few years.

https://www.afr.com/work-and-careers/management/cyber-insurance-premiums-soar-80pc-as-claims-surge-20220908-p5bglo

• One In 10 Employees Leaks Sensitive Company Data Every 6 Months

Departing employees are most likely to leak sensitive information to competitors, criminals or the media in exchange for cash.

Insider threats are an ongoing menace that enterprise security teams need to handle. It's a global problem but especially acute in the US, with 47 million Americans quitting their jobs in 2021. The threat of ex-employees taking sensitive information to competitors, selling it to criminals in exchange for cash, and leaking files to media is making data exfiltration a growing concern. 

About 1.4 million people who handle sensitive information in their organisation globally were tracked over the period from January to June 30 this year by cyber security firm Cyberhaven to find out when, how and who is involved in data exfiltration.

On average, 2.5% of employees exfiltrate sensitive information in a month, but over a six-month period, nearly one in 10, or 9.4% of employees, do so, Cyberhaven noted in its report. Data exfiltration incidents occur when data is transferred outside the organisation in unapproved ways.

Among employees that exfiltrated data, the top 1% most prolific “super stealers” were responsible for 7.7% of incidents, and the top 10% were responsible for 34.9% of incidents.

North America accounted for the highest number of incidents at 44%, followed by the Asia Pacific region at 27%. Europe, the Middle East, and Africa accounted for 24% of incidents while 5% of incidents were recorded in South America.

https://www.csoonline.com/article/3673260/one-in-10-employees-leaks-sensitive-company-data-every-6-months-report.html#tk.rss_news

• Business Application Compromise and the Evolving Art of Social Engineering

Social engineering is hardly a new concept, even in the world of cyber security. Phishing scams alone have been around for nearly 30 years, with attackers consistently finding new ways to entice victims into clicking a link, downloading a file, or providing sensitive information.

Business email compromise (BEC) attacks iterated on this concept by having the attacker gain access to a legitimate email account and impersonate its owner. Attackers reason that victims won't question an email that comes from a trusted source — and all too often, they're right.

But email isn't the only effective means cyber criminals use to engage in social engineering attacks. Modern businesses rely on a range of digital applications, from cloud services and VPNs to communications tools and financial services. What's more, these applications are interconnected, so an attacker who can compromise one can compromise others, too. Organisations can't afford to focus exclusively on phishing and BEC attacks — not when business application compromise (BAC) is on the rise.

https://www.darkreading.com/vulnerabilities-threats/business-application-compromise-the-evolving-art-of-social-engineering

• SMBs Are Hardest-Hit By Ransomware

Coalition announced the mid-year update to its 2022 Cyber Claims Report detailing the evolution of cyber trends, revealing that small businesses have become bigger targets, overall incidents are down, and ransomware attacks are declining as demands go unpaid.

During the first half of 2022, the average cost of a claim for a small business owner increased to $139,000, which is 58% higher than levels during the first half of 2021.

“Across industries, we continue to see high-profile attacks targeting organisations with weak or exposed infrastructure — which has become exacerbated by today’s remote working culture and companies’ dependence on third-party vendors,” said Coalition’s Head of Claims.

“Small businesses are especially vulnerable because they often lack resources. For these businesses, avoiding downtime and disruption is essential, and they must understand that Active Insurance is accessible.”

The good news: both Coalition and the broader insurance industry observed a decrease in ransomware attack frequency and the amount of ransom demanded between the second half of 2021 and the first half of 2022. Ransomware demands decreased from $1.37M in H2 2021 to $896,000 in H1 2022.

“Organisations are increasingly aware of the threat ransomware poses. They have started to implement controls such as offline data backups that allow them to refuse to pay the ransom and restore operations through other means,” said Coalition’s Head of Incident Response. “As ransomware is on the decline, attackers are turning to reliable methods. Phishing, for example, has skyrocketed – and only continues to grow.”

https://www.helpnetsecurity.com/2022/09/15/small-businesses-ransomware-targets/

• 65% Say Legacy Backup Solutions Aren’t Up To Ransomware Challenges

HYCU researchers are reporting 65% of respondents lack full confidence in their legacy backup solutions (HYCU is a multi-cloud backup-as-a-service provider).

According to the report, 65% of surveyed enterprise organisations are increasing spending on detection, prevention and recovery, and respondents are beginning to understand that air-gapped or immutable backups are the only ways to ensure that the backups themselves don’t fall prey to encryption worms when ransomware hits.

Key findings include:

• 52% of ransomware victims suffered data loss

• 63% of victims suffered an operational disruption

• Just 41% air gap their backups

• Just 47% routinely test their backups

• Only 35% of respondents believe their current backup and recovery tools are sufficient.

https://informationsecuritybuzz.com/expert-comments/65-say-legacy-backup-solutions-arent-up-to-ransomware-challenges/

• Four-Fifths of Firms Hit by Critical Cloud Security Incident

Some 80% of organisations suffered a “severe” cloud security incident over the past year, while a quarter worry they’ve suffered a cloud data breach and aren’t aware of it, according to new research from Snyk.

The developer security specialist polled 400 cloud engineering and security practitioners from organisations of various sizes and sectors, to compile its State of Cloud Security Report.

Among the incidents flagged by respondents over the past 12 months were breaches, leaks, intrusions, crypto-mining, compliance violations, failed audits and system downtime in the cloud.

Startups (89%) and public sector organisations (88%) were the most likely to have suffered such an incident over the period.

The bad news is that 58% of respondents predict they will suffer another severe incident in the cloud over the coming year. Over three-quarters (77%) of those questioned cited poor training and collaboration as a major challenge in this regard.

“Many cloud security failures result from a lack of effective cross-team collaboration and team training. When different teams use different tools or policy frameworks, reconciling work across those teams and ensuring consistent enforcement can be challenging,” the report argued.

https://www.infosecurity-magazine.com/news/fourfifths-firms-critical-cloud/

• Homeworkers Putting Home and Business Cyber Safety at Risk

BlackBerry published a European research report exposing the cyber security risk created by cost-conscious homeworkers who prioritise security behind price, usability and ease of set up in their purchase of domestic smart devices.

32% of European home workers who own a smart device surveyed said security was a top three factor when choosing a smart device, compared to 50% who prioritised price. 28% of businesses aren’t putting adequate security provisions in place to extend cyber protection as far as homes. This heightens the risk of cyber attacks for businesses and their employees, as hybrid and home working become the norm.

The survey of 4,000 home workers in the UK, France, Germany, and the Netherlands revealed that 28% of people say that their employer has not done or communicated anything about protecting their home network or smart devices, or they don’t know if they are protected.

Furthermore, 75% of Europeans say their employers have taken no steps to secure the home internet connection or provide software protection for home devices. This failure to extend network security to home devices increases risk of the vulnerabilities created by hybrid and home working being successfully exploited. These are particularly sobering findings for small and mid-sized businesses who face upwards of eleven cyber attacks per device, per day, according to the research.

Through even the most innocent of devices, bad actors can access home networks with connections to company devices – or company data on consumer devices – and seize the opportunity to steal data and intellectual property worth millions. It’s likely businesses will bear the brunt of cyber attacks caused by unsecured home devices, with knock-on effects to employees themselves.

https://www.helpnetsecurity.com/2022/09/12/homeworkers-smart-devices-security/

• Uber Hacked, Internal Systems Breached and Vulnerability Reports Stolen

Uber suffered a cyber attack Thursday afternoon with an allegedly 18-year-old hacker downloading HackerOne vulnerability reports and sharing screenshots of the company's internal systems, email dashboard, and Slack server.

The screenshots shared by the hacker and seen by BleepingComputer show what appears to be full access to many critical Uber IT systems, including the company's security software and Windows domain.

Other systems accessed by the hacker include the company's Amazon Web Services console, VMware vSphere/ESXi virtual machines, and the Google Workspace admin dashboard for managing the Uber email accounts.

The threat actor also breached the Uber Slack server, which he used to post messages to employees stating that the company was hacked. However, screenshots from Uber's slack indicate that these announcements were first met with memes and jokes as employees had not realised an actual cyber attack was taking place.

Uber has since confirmed the attack, tweeting that they are in touch with law enforcement and will post additional information as it becomes available. "We are currently responding to a cyber security incident. We are in touch with law enforcement and will post additional updates here as they become available," tweeted the Uber Communications account.

The New York Times, which first reported on the breach, said they spoke to the threat actor, who said they breached Uber after performing a social engineering attack on an employee and stealing their password. The threat actor then gained access to the company's internal systems using the stolen credentials.

https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/

• IHG Hack: 'Vindictive' Couple Deleted Hotel Chain Data for Fun

Hackers have told the BBC they carried out a destructive cyber-attack against Holiday Inn owner Intercontinental Hotels Group (IHG) "for fun".

Describing themselves as a couple from Vietnam, they say they first tried a ransomware attack, then deleted large amounts of data when they were foiled. They accessed the FTSE 100 firm's databases thanks to an easily found and weak password, Qwerty1234. An expert says the case highlights the vindictive side of criminal hackers.

UK-based IHG operates 6,000 hotels around the world, including the Holiday Inn, Crowne Plaza and Regent brands. On Monday last week, customers reported widespread problems with booking and check-in. For 24 hours IHG responded to complaints on social media by saying that the company was "undergoing system maintenance".

Then on the Tuesday afternoon it told investors that it had been hacked.

https://www.bbc.co.uk/news/technology-62937678

Threats

Ransomware and Extortion

• How prepared are organisations to tackle ransomware attacks? - Help Net Security

• Lorenz ransomware breaches corporate network via phone systems (bleepingcomputer.com)

• 3 Iranian nationals are accused of ransomware attacks on US victims (cnbc.com)

• Emotet botnet now pushes Quantum and BlackCat ransomware (bleepingcomputer.com)

• Cisco confirms Yanluowang ransomware leaked stolen company data (bleepingcomputer.com)

• DEV-0270 Hacker Group Uses Windows BitLocker Feature to Encrypt Systems (gbhackers.com)

• New York ambulance service discloses data breach after ransomware attack (bleepingcomputer.com)

• The ransomware problem won't get better until we change one thing | ZDNET

• Iranian Hackers Used Victims’ Printers to Issue Ransom Demands, DOJ Says (vice.com)

• Transparency, disclosure key to fighting ransomware (techtarget.com)

• Researchers Warn of 674% Surge in Deadbolt Ransomware - Infosecurity Magazine (infosecurity-magazine.com)

• Over Three-Quarters of Retailers Hit by Ransomware in 2021 - Infosecurity Magazine (infosecurity-magazine.com)

• Cisco Data Breach Attributed to Lapsus$ Ransomware Group (darkreading.com)

• Ransomware Group Leaks Files Stolen From Cisco | SecurityWeek.Com

• The LA School District Cyber Attack Keeps Unravelling – Expert Comments (informationsecuritybuzz.com)

Phishing & Email Based Attacks

• Revolut hit by ‘phishing’ cyber attack | Business | The Times

• Crooks are using lures related to Her Majesty Queen Elizabeth II in phishing attacks - Security Affairs

• Phishing page embeds keylogger to steal passwords as you type (bleepingcomputer.com)

• Hackers now use ‘sock puppets’ for more realistic phishing attacks (bleepingcomputer.com)

• Phishers take aim at Facebook page owners - Help Net Security

• New Spear Phish Methodology Relies on PuTTY SSH Client to Infect Systems - Infosecurity Magazine (infosecurity-magazine.com)

• Real Estate Phish Swallows 1,000s of Microsoft 365 Credentials (darkreading.com)

• Death of Queen Elizabeth II exploited to steal Microsoft credentials (bleepingcomputer.com)

• Potential phishing activity update - NCSC.GOV.UK

Other Social Engineering; Smishing, Vishing, etc

• Serious Breach at Uber Spotlights Hacker Social Deception | SecurityWeek.Com

Malware

• Hackers Are Using WeTransfer Links To Spread Malware (informationsecuritybuzz.com)

• New malware bundle self-spreads through YouTube gaming videos (bleepingcomputer.com)

• Linux variant of the SideWalk backdoor discovered - Help Net Security

• Malware on Pirated Content Sites a Major WFH Risk for Enterprises (darkreading.com)

• How to spot and avoid scams and malware in search results - The Washington Post

• Gay hookup site typosquatted to push dodgy Chrome extensions, scams (bleepingcomputer.com)

Mobile

• Google Patches Critical Vulnerabilities in Pixel Phones | SecurityWeek.Com

• Apple patches iPhone and macOS flaws under active attack • The Register

Internet of Things – IoT

• Securing your IoT devices against cyber attacks in 5 steps (bleepingcomputer.com)

• EU Wants to Toughen Cyber Security Rules for Smart Devices | SecurityWeek.Com

Data Breaches/Leaks

• Uber hacked, internal systems breached and vulnerability reports stolen (bleepingcomputer.com)

• LastPass says hackers had internal access for four days (bleepingcomputer.com)

• Hacker sells stolen Starbucks data of 219,000 Singapore customers (bleepingcomputer.com)

• U-Haul discloses data breach exposing customer driver licenses (bleepingcomputer.com)

• Hackers Compromise Employee Data at PVC-Maker Eurocell - Infosecurity Magazine (infosecurity-magazine.com)

Organised Crime & Criminal Actors

• Chinese-linked cyber crims nab $529 million from India • The Register

• Cyber Crime Forum Admins Steal from Site Users - Infosecurity Magazine (infosecurity-magazine.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Police arrest man for laundering tens of millions in stolen crypto (bleepingcomputer.com)

• US regulators say multi-billion-dollar crypto lender Celsius was operating like a ponzi scheme | PC Gamer

• Hackers Targeting WebLogic Servers and Docker APIs for Mining Cryptocurrencies (thehackernews.com)

• Fake cryptocurrency giveaway sites have tripled this year (bleepingcomputer.com)

• Crypto Scams Skyrocket - IT Security Guru

• A Post-exploitation Look at Coinminers Abusing WebLogic Vulnerabilities (trendmicro.com)

• DOJ drops report on cryptocurrency crime efforts (techtarget.com)

• 76% Of Financial Institutions Plan On Using Crypto In The Next 3 Years (informationsecuritybuzz.com)

• How Can You Tell if a Cryptocurrency is Legitimate? Read Our Guide To Find Out - IT Security Guru

Insider Risk and Insider Threats

• 5 Ways to Mitigate Your New Insider Threats in the Great Resignation (thehackernews.com)

• Ex-Broadcom engineer asks for no prison in trade secret case • The Register

Fraud, Scams & Financial Crime

• Microsoft Edge’s News Feed ads abused for tech support scams (bleepingcomputer.com)

• Cops Raid Suspected Fraudster Penthouses - Infosecurity Magazine (infosecurity-magazine.com)

• How to spot and avoid scams and malware in search results - The Washington Post

• Tax fraud ring leader jailed for selling children’s stolen identities (bleepingcomputer.com)

AML/CFT/Sanctions

• Spanish police arrest ‘one of Europe’s biggest money launderers’ | Financial Times (ft.com)

Insurance

• Coalition Cyber Insurance - Small Businesses Prime Targets (informationsecuritybuzz.com)

Dark Web

• Documents For Sale on the Dark Web - IT Security Guru

Supply Chain and Third Parties

• Hackers breach software vendor for Magento supply-chain attacks (bleepingcomputer.com)

• WordPress sites backdoored after FishPig supply chain attack • The Register

Denial of Service DoS/DDoS

• DDoS Attacks on UK Firms Surge During Ukraine War - Infosecurity Magazine (infosecurity-magazine.com)

• Akamai stopped new record-breaking DDoS attack in Europe (bleepingcomputer.com)

Cloud/SaaS

• 5 ways to improve your cloud security posture (techtarget.com)

• Excess privilege in the cloud is a universal security problem, IBM says | CSO Online

• Organisations lack visibility into unauthorised public cloud data access - Help Net Security

• One-third of enterprises don’t encrypt sensitive data in the cloud | CSO Online

Attack Surface Management

• Cyber attack trends vs. growing IT complexity - Help Net Security

• Outdated infrastructure remains a problem against sophisticated cyber attacks - Help Net Security

Shadow IT

• Use shadow IT discovery to find unauthorized devices and apps (techtarget.com)

Encryption

• Keep Today's Encrypted Data From Becoming Tomorrow's Treasure (darkreading.com)

API

• Hackers Targeting WebLogic Servers and Docker APIs for Mining Cryptocurrencies (thehackernews.com)

• API security—and even visibility—isn’t getting handled by enterprises | CSO Online

• Bad bots are coming at APIs! How to beat the API bot attacks? - Help Net Security

Open Source

• When It Comes to Security, Don’t Overlook Your Linux Systems | SecurityWeek.Com

• 40% of pros scaled back back open source use over security • The Register

• You never walk alone: The SideWalk backdoor gets a Linux variant | WeLiveSecurity

Passwords, Credential Stuffing & Brute Force Attacks

• IHG Was Hacked Using Password “Qwerty1234” - LoyaltyLobby

Social Media

• Thwarting attackers in their favourite new playground: Social media - Help Net Security

• Twitter whistleblower tells Senate of ‘egregious’ security failings by company | Twitter | The Guardian

• Cyber attackers Abuse Facebook Ad Manager in Savvy Credential-Harvesting Campaign (darkreading.com)

Training, Education and Awareness

• Security Awareness Training Must Evolve to Align With Growing E-Commerce Security Threats (darkreading.com)

Parental Controls and Child Safety

• Cyber Crime Fears for Children as Cost-of-Living Bites - Infosecurity Magazine (infosecurity-magazine.com)

Regulations, Fines and Legislation

• 10 Steps to Successfully Navigate Cyber Security Compliance - MSSP Alert

Models, Frameworks and Standards

• Don’t Put Preparation on Pause: CMMC 2.0 is Coming Quicker Than You Think - MSSP Alert

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Montenegro Under Cyber Attack, Russia Blamed, All NATO States Would Be (informationsecuritybuzz.com)

• DDoS Attacks on UK Firms Surge During Ukraine War - Infosecurity Magazine (infosecurity-magazine.com)

• New Cyberespionage Group 'Worok' Targeting Entities in Asia | SecurityWeek.Com

• ShadowPad Threat Actors Return With Fresh Government Strikes, Updated Tools (darkreading.com)

Nation State Actors

Nation State Actors – Russia

• Montenegro Wrestles With Massive Cyber Attack, Russia Blamed | SecurityWeek.Com

• Russia’s cyber future connected at the waist to Soviet military industrial complex | CSO Online

Nation State Actors – North Korea

• North Korea-linked APT spreads tainted versions of PuTTY via WhatsApp - Security Affairs

Nation State Actors – Iran

• Iranian cyber spies use multi-persona impersonation in phishing threads | CSO Online

• Albania says Iranian hackers hit the country with another cyber attack - CyberScoop

• US, UK, Canada and Australia Link Iranian Government Agency to Ransomware Attacks | SecurityWeek.Com

• Iranian Hackers Target High-Value Targets in Nuclear Security and Genomic Research (thehackernews.com)

• Iranian Hackers Used Victims’ Printers to Issue Ransom Demands, DOJ Says (vice.com)

Vulnerability Management

• Backlogs larger than 100K+ vulnerabilities but too time-consuming to address - Help Net Security

Vulnerabilities

• Microsoft September 2022 Patch Tuesday fixes zero-day used in attacks, 63 flaws (bleepingcomputer.com)

• Adobe Patches 63 Security Flaws in Patch Tuesday Bundle | SecurityWeek.Com

• CISA orders agencies to patch vulnerability used in Stuxnet attacks (bleepingcomputer.com)

• Chrome 105 Update Patches High-Severity Vulnerabilities | SecurityWeek.Com

• Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs (bleepingcomputer.com)

• Microsoft Quashes Actively Exploited Zero-Day, Wormable Critical Bugs (darkreading.com)

• Apple fixed the eighth actively exploited zero-day this year - Security Affairs

• Cisco Patches High-Severity Vulnerability in SD-WAN vManage | SecurityWeek.Com

• Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability (thehackernews.com)

• Over 280,000 WordPress sites may have been hijacked by zero-day hiding in popular plugin | TechRadar

• High-Severity Firmware Security Flaws Left Unpatched in HP Enterprise Devices (thehackernews.com)

• CISA added 2 more security flaws to its Known Exploited Vulnerabilities Catalog - Security Affairs

• ManageEngine Password Management Vulnerability and Patch: Details for MSPs, MSSPs - MSSP Alert

Reports Published in the Last Week

• Falcon OverWatch Threat Hunting Report 2022 | CrowdStrike

• Cyber Security: Benchmarking Security Gaps & Privileged Access (delinea.com)

Other News

• MSPs and cyber security: The time for turning a blind eye is over - Help Net Security

• Red Teaming to Reduce Cyber Risk (trendmicro.com)

• Organisations should fear misconfigurations more than vulnerabilities - Help Net Security

• Companies need data privacy plan before joining metaverse (techtarget.com)

• Lens reflections may betray your secrets in Zoom video calls • The Register

• US Government Wants Security Guarantees From Software Vendors | SecurityWeek.Com

• Serious Security: Browser-in-the-browser attacks – watch out for windows that aren’t! – Naked Security (sophos.com)

• The Cyber Security Head Game | Psychology Today South Africa

• Cyber Security Report: Average Data Breach in US Costs $9.4 Million - MSSP Alert

• 5 Best Practices for Building Your Data Loss Prevention Strategy (darkreading.com)

• Hands-on cyber attacks jump 50%, CrowdStrike reports | CSO Online

• Penetration Testing Report: Security Misconfiguration Is "Top Vulnerability" - MSSP Alert

• Twitter whistleblower: Lack of access, data controls invite exploitation | SC Media (scmagazine.com)

• Cost of Living Crisis Impact on Online Activity - IT Security Guru

• Attacker Apparently Didn't Have to Breach a Single System to Pwn Uber (darkreading.com)

• Zoom outage left users unable to sign in or join meetings (bleepingcomputer.com)

• Five ways your data may be at risk — and what to do about it (bleepingcomputer.com)

• Notepad++ Plugins Allow Attackers to Infiltrate Systems, Achieve Persistence - Infosecurity Magazine (infosecurity-magazine.com)

• Twitter's ex-security boss Zatko disses biz as dysfunctional • The Register

• Don't Let Your Home Wi-Fi Get Hacked. Here's What to Do - CNET

• How serious are organisations about their data sovereignty strategies? - Help Net Security

• Undermining Microsoft Teams Security By Mining Tokens (informationsecuritybuzz.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive Summary

The death last week of Queen Elizabeth II has drawn global attention and may result in cyber criminals exploiting the historically significant event to spread phishing emails and other scams, according to the National Cyber Security Centre (NCSC).

The NCSC, part of GCHQ, has issued public cyber guidance for the current period of national mourning, saying that during the coming weeks there may be an increase in incidents linked in some way to the Queen.

What’s the risk to me or my business?

Cyber criminals will often play on people’s emotions to get their targets to click on a scam email and with many people affected by the death of the Queen, attackers may take this opportunity to do just that.

“As with all major events, criminals may seek to exploit the death of Her Majesty the Queen for their own gain,” the agency said.

What can I do?

Whilst the NCSC has not yet seen extensive evidence of this, your staff should be reminded to be vigilant and be made aware that phishing attacks of this nature are a real possibility. Staff should be remined to be attentive to emails, text messages, and other communications concerning the death of Her Majesty the Queen and arrangements for her funeral.

NCSC warns public of potential Queen-related phishing attacks (computerweekly.com)

Potential phishing activity update - NCSC.GOV.UK

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Why It’s Mission-Critical That All-Sized Businesses Stay Cyber Secure

A study analysing millions of emails across thousands of companies found that on average, employees of small businesses with less than 100 employees experience 350% more social engineering attacks than employees of larger enterprises. 57% of these are phishing attacks – the most prevalent social engineering attack of 2021.

Add to the mix that the global average cost of a data breach for businesses has skyrocketed. According to IBM Security’s annual Cost of a Data Breach Report, the average global cost is now a phenomenal $4.35 million.

Generally, larger corporations tend to have bigger security budgets, making them less of a target than smaller businesses with lesser budgets, and as such, more attractive to cyber criminals. This means that for small and medium-sized enterprises (SMEs) – with fewer resources and money – protection from cyber-attacks is now a matter of survival.

Ease of attack is not the only reason why criminals attack SMEs either. SMEs are often an entry point to target bigger organisations within the same supply chain. These larger corporations can either be crucial partners, suppliers, or customers, making SMEs prime targets.

But with efficient cyber security measures, every business regardless of size can keep themselves and their network safe.

https://informationsecuritybuzz.com/articles/why-its-mission-critical-that-all-sized-businesses-stay-cyber-secure/

• Half of Firms Report Supply Chain Ransomware Compromise

Over half (52%) of global organisations know a partner that has been compromised by ransomware, yet few are doing anything to improve the security of their supply chain, according to Trend Micro.

The security vendor polled nearly 3,000 IT decision makers across 26 countries to produce its latest report, ‘Everything is connected: Uncovering the ransomware threat from global supply chains’.

It revealed that 90% of global IT leaders believe their partners and customers are making their own organisation a more attractive ransomware target.

That might be down in part to the fact that SMBs comprise a significant chunk of the supply chain for 52% of respondents. The security of SMBs is generally thought to be less effective than protection in larger, better resourced companies.

However, despite their concerns, less than half (47%) of respondents said they share knowledge about ransomware attacks with their suppliers, while a quarter (25%) claimed they don’t share potentially useful threat information with partners.

https://www.infosecurity-magazine.com/news/half-firms-supply-chain-ransomware/

• Vulnerability Exploits, Not Phishing, Are the Top Cyber Attack Vector for Initial Compromise

Breaches involving phishing and credential compromise have received a lot of attention in recent years because of how frequently threat actors have employed the tactics in executing both targeted and opportunistic attacks. But that doesn't mean that enterprise organisations can afford to lessen their focus on vulnerability patching one bit.

A report from Kaspersky this week identified more initial intrusions last year resulting from exploitation of vulnerabilities in Internet-facing applications than breaches involving malicious emails and compromised accounts combined. And data that the company has collected through the second quarter of 2022 suggests the same trend might be playing out this year as well.

Kaspersky's analysis of its 2021 incident-response data showed that breaches involving vulnerability exploits surged from 31.5% of all incidents in 2020 to 53.6% in 2021. Over the same period, attacks associated with the use of compromised accounts to gain initial access declined from 31.6% in 2020 to 17.9% last year. Initial intrusions resulting from phishing emails decreased from 23.7% to 14.3% during the same period.

https://www.darkreading.com/vulnerabilities-threats/vulnerability-exploits-phishing-top-attack-vector-initial-compromise

• Uber’s Ex-Security Chief Faces Landmark Trial Over Data Breach That Hit 57m Users

Uber’s former security officer, Joe Sullivan, is standing trial this week in what is believed to be the first case of an executive facing criminal charges in relation to a data breach.

The US district court in San Francisco will start hearing arguments on whether Sullivan, the former head of security at the ride-share giant, failed to properly disclose a 2016 data breach affecting 57 million Uber riders and drivers around the world.

At a time when reports of ransomware attacks have surged and cyber security insurance premiums have risen, the case could set an important precedent regarding the culpability of US security staffers and executives for the way the companies they work for handle cyber security incidents.

The breach first came to light in November 2017, when Uber’s chief executive, Dara Khosrowshahi, revealed that hackers had gained access to the driver’s licence numbers of 600,000 US Uber drivers as well as the names, email addresses and phone numbers of as many as 57 million Uber riders and drivers.

Public disclosures like Khosrowshahi’s are required by law in many US states, with most regulations mandating that the notification be made “in the most expedient time possible and without unreasonable delay”.

But Khosrowshahi’s announcement came with an admission: a whole year had passed since the information had been breached.

https://www.theguardian.com/technology/2022/sep/06/uber-joe-sullivan-trial-security-data-breach

• Over 10% of Enterprise IT Assets Found With Missing Endpoint Protection

More than 10% of enterprise IT assets are missing endpoint protection and roughly 5% are not covered by enterprise patch management solutions.

The figures come from new research by Sevco Security, which the company has compiled in the State of the Cybersecurity Attack Surface report.

"Attackers are very adept at exploiting enterprise vulnerabilities. Security and IT teams already have their hands full mitigating the vulnerabilities that they know about, and our data confirms that this is just the tip of the iceberg," Sevco told Infosecurity Magazine.

The document analyses data aggregated from visibility into more than 500,000 IT assets, and underlines existential and underreported cyber security issues in relation to securing enterprises’ assets.

“The uncertainty of enterprise inventory – the elements that make up an organisation’s cyber security attack surface – upends the foundation of every major security framework and presents a challenge to security teams: it’s impossible to protect what you can’t see,” they said.

For instance, the data found that roughly 3% of all IT assets are “stale” in endpoint protection, while 1% are stale from the perspective of patch management coverage.

https://www.infosecurity-magazine.com/news/enterprise-assets-miss-endpoint/

• Some Employees Aren't Just Leaving Companies — They're Defrauding Them

Since the Great Resignation in 2021, millions of employees have left their roles with current employers in search of better ones. According to Microsoft, 40% of employees reported they are considering leaving their current roles by the end of 2022. With many still working in remote or hybrid positions due to the pandemic, larger businesses have started implementing measures to gain a better understanding of employee morale and sentiment to prevent turnover.

While most employees leave companies on good terms, some may become extremely unhappy or disgruntled prior to their departure and are more likely to defraud the company either before leaving or on their way out the door. The unfortunate reality is that no business is immune to fraud, but luckily, there are several steps you can take to prevent it from happening.

According to the Cressey Fraud Triangle, fraudulent behaviour often occurs due to three contributing factors. These include pressure or motive to commit a fraud (usually a personal financial problem), perceived opportunity within the organisation to commit a fraud (poor oversight or internal controls), and rationalisation (the ability to justify the crime to make it seem acceptable).

Very often, a fraudster needs all three sides of the triangle to successfully commit a crime. Therefore, it is extremely important for organisations to do their best to create controls and understand the risk associated with each of these areas. For example, an employee may be disgruntled and also have personal financial issues. However, if internal controls are robust and the employee doesn't have access to financial instruments, valuable assets or software systems, their ability to defraud the company is extremely limited or will get identified immediately.

https://www.darkreading.com/vulnerabilities-threats/some-employees-aren-t-just-leaving-companies-they-re-defrauding-them

• Ransomware Gangs Switching to New Intermittent Encryption Tactic

A growing number of ransomware groups are adopting a new tactic that helps them encrypt their victims' systems faster while reducing the chances of being detected and stopped.

This tactic is called intermittent encryption, and it consists of encrypting only parts of the targeted files' content, which would still render the data unrecoverable without using a valid decryption key.

For example, by skipping every other 16 bytes of a file, the encryption process takes almost half of the time required for full encryption but still locks the contents for good.

Additionally, because the encryption is milder, automated detection tools that rely on detecting signs of trouble in the form of intense file IO operations are more likely to fail.

SentinelLabs has posted a report examining a trend started by LockFile in mid-2021 and now adopted by the likes of Black Basta, ALPHV (BlackCat), PLAY, Agenda, and Qyick.

These groups actively promote the presence of intermittent encryption features in their ransomware family to entice affiliates to join the RaaS operation.

"Notably, Qyick features intermittent encryption, which is what the cool kids are using as you read this. Combined with the fact that is written in Go, the speed is unmatched," describes a Qyick advertisement on hacking forums.

https://www.bleepingcomputer.com/news/security/ransomware-gangs-switching-to-new-intermittent-encryption-tactic/

• How Posting Personal and Business Photos Can Be a Security Risk

Image geotags, metadata, and location information can allow competitors, cyber criminals, and even nation-state threat actors to gain knowledge they can use against organisations.

Marketers in every industry enjoy evidencing their reach to their superiors and providing tangible examples of their width and breadth of influence via social networks, media, and other means of engagement. Photos of both customers and employees engaging at hosted social events, trade shows, conferences, and direct one-on-one encounters are often viewed as gold. Couple this with the individual employee’s or customer’s photos working their way onto social network platforms for others to see and admire, and the value of that gold increases, success being quantified by impressions, views and individual engagements.

The value of that gold doubles when not only does the company harvest data and call it a success, but their competitors also analyse such photos capturing a plethora of useful data points, including geotagged data, metadata of the photo, and identity of the individuals caught in the frame. They, too, call it a success. Yes, the digital engagement involving location data and or location hints within photos is a double-edged sword.

It isn’t just competitors who harvest the data. Criminal elements and nation-state intelligence and security elements do as well. Francis Bacon’s adage, “Knowledge itself is power,” applies. With location, time and place, and identity, competitors, criminals, and nation-states are given their initial tidbits of openly acquired information from which to begin to build their mosaic. 

https://www.csoonline.com/article/3672869/how-posting-personal-and-business-photos-can-be-a-security-risk.html#tk.rss_news

• Your Vendors Are Likely Your Biggest Cyber Security Risk

As speed of business increases, more and more organisations are looking to either buy companies or outsource more services to gain market advantage. With organisations expanding their vendor base, there is a critical need for holistic third-party risk management (TPRM) and comprehensive cyber security measures to assess how much risk vendors pose.

While organisations assess and manage risk on a multitude of layers, none present bigger threats to business resiliency than third-party risk and a lack of robust cyber security controls. Breaches and service interruptions tied to these risk areas have brought down critical systems of major organisations. In 2021, 53% of CISOs surveyed by Black Kite reported being hit by at least one ransomware attack.

It bears repeating: Cyber security and third-party risk are the two biggest problems facing your long-term viability. Businesses need to be able to tackle these risk vectors individually to gain a complete view of their risk profile. A cross-functional process is essential to managing the overlap between these risk areas to better protect your organisation and increase workflow efficiency.

Ensuring that the cyber security practices of your vendors align with your organisation’s standards is critical to safeguarding your systems and data. In fact, it is just as important as how stable the business is or how well it delivers products and services.

https://www.helpnetsecurity.com/2022/09/05/vendors-cybersecurity-risk/

• A Recent Chinese Hack Is a Wake-up Call for the Security of the World’s Software Supply Chain

It’s perhaps only a coincidence that there’s a famous Chinese saying ‘No one knows, not even the ghosts’ that neatly summarises a recent hack on MiMi, a Chinese messaging app. According to recent reports, a Chinese state-backed hacking group inserted malicious code into this messaging app, essentially pulling off the equivalent of the infamous SolarWinds hack. Users of MiMi were served a version of the app with malicious code added, thanks to attackers taking control of the servers that delivered the app. In short, this was a software supply chain attack in which the software delivery pipeline was compromised.

Observers could be forgiven for thinking that this is just another hack. Chinese hacking groups, and those of Western countries too, have developed a reputation over the past two decades for spying, surveillance, and sabotage. But this attack is different than typical hacking fare because the attackers rode in on the back of a trusted piece of software. This is a software supply chain attack, where the attackers tamper with either source code, the software build system, or the software publishing pipeline, all of which have become essential to the functioning of the world’s digital economy.

Software supply chain attacks have been rapidly growing in frequency. Twenty years ago, there might have been one or two a year. These days, depending on the methodology, there are either hundreds or thousands a year, and that’s only counting the reported attacks. And increasingly anybody who depends upon software (read: everybody) is or shortly will be a victim: the U.S. government, Microsoft, thousands of other companies and, apparently in this MiMi attack, individuals.

https://thediplomat.com/2022/09/a-recent-chinese-hack-is-a-wake-up-call-for-the-security-of-the-worlds-software-supply-chain/

• Massive Hotels Group IHG Struck by Cyber Attack Which Disrupts Booking Systems

InterContinental Hotels Group (IHG), which owns brands such as InterContinental, Crowne Plaza, Holiday Inn, and many others, has had its IT systems breached by malicious hackers.

In a filing with the London Stock Exchange, the multinational hospitality company reported that "parts of the company's technology systems have been subject to unauthorised activity."

As a result, the company said, "IHG's booking channels and other applications have been significantly disrupted since [Monday], and this is ongoing."

The first indication that the company was experiencing problems appeared early on Monday morning UK time, when anyone who tried to book a hotel room via the company's website or app, or access their IHG One Rewards account was greeted by a maintenance message.

Although it has made no declaration regarding the nature of the security breach, in its filing with the London Stock Exchange, IHG mentioned they were "working to fully restore all systems". This would fit into the scenario of IHG having hit been hit with ransomware, which may not only have encrypted data - locking the company out of its systems and demanding a ransom be paid - but could have also caused even more problems.

https://www.bitdefender.com/blog/hotforsecurity/massive-hotels-group-ihg-struck-by-cyberattack-which-disrupts-booking-systems/

• London's Biggest Bus Operator Hit by Cyber "Incident"

Travellers in London were braced for more delays last week after the city’s largest bus operator revealed it has been hit by a “cyber security incident,” according to reports.

Newcastle-based transportation group Go-Ahead shared a statement with the London Stock Exchange indicating “unauthorised activity” had been discovered on its network yesterday.

“Upon becoming aware of the incident, Go-Ahead immediately engaged external forensic specialists and has taken precautionary measures with its IT infrastructure whilst it continues to investigate the nature and extent of the incident and implement its incident response plans,” it stated. “Go-Ahead will continue to assess the potential impact of the incident but confirms that there is no impact on UK or International rail services which are operating normally.”

However, the same may not be true of its bus services. Sky News reported that bus and driver rosters may have been impacted by the attack, which could disrupt operations.

Go-Ahead operates multiple services in the South, South West, London, North West, East Anglia, East Yorkshire and its native North East. It is London’s largest bus company, operating over 2400 buses in the capital and employing more than 7000 staff.

https://www.infosecurity-magazine.com/news/londons-biggest-bus-operator-hit/

Threats

Ransomware and Extortion

• Ransomware remains the number one threat to businesses and government organisations - Help Net Security

• Interpol dismantles sextortion ring, warns of increased attacks (bleepingcomputer.com)

• Play Ransomware Attack Playbook Similar to that of Hive, Nokoyawa (trendmicro.com)

• Ransomware attacks on Linux to surge - Help Net Security

• LockBit gang leads the way for ransomware (techtarget.com)

• Some Members of Conti Group Targeting Ukraine in Financially Motivated Attacks (thehackernews.com)

• How to Improve Mean Time to Detect for Ransomware | SecurityWeek.Com

• Google: Former Conti ransomware members attacking Ukraine (techtarget.com)

• Hackers Are Using NASA Telescope Images To Push Ransomware (informationsecuritybuzz.com)

• Ransomware gang's Cobalt Strike servers DDoSed with anti-Russia messages (bleepingcomputer.com)

• Everything You Need To Know About BlackCat (AlphaV) (darkreading.com)

• Microsoft: Iranian hackers encrypt Windows systems using BitLocker (bleepingcomputer.com)

• Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group (thehackernews.com)

• Clarion Housing: Anger over landlord silence since cyber attack - BBC News

• New Ransomware Hits Windows, Linux Servers Of Chile Govt Agency (informationsecuritybuzz.com)

• QNAP warns new Deadbolt ransomware attacks exploiting 0day - Security Affairs

• Second largest U.S. school district LAUSD hit by ransomware (bleepingcomputer.com)

• Windows Defender identified Chromium, Electron apps as Hive Ransomware - Security Affairs

• BlackCat Ransomware Linked to Italy's Energy Services Firm Hack - Infosecurity Magazine (infosecurity-magazine.com)

Phishing & Email Based Attacks

• EvilProxy Commodifies Reverse-Proxy Tactic for Phishing, Bypassing 2FA (darkreading.com)

• Criminals harvest users' PI by impersonating popular brands - Help Net Security

• Lampion malware returns in phishing attacks abusing WeTransfer (bleepingcomputer.com)

• A new phishing scam targets American Express cardholders - Security Affairs

• EvilProxy phishing-as-a-service with MFA bypass emerged on the dark web - Help Net Security

• GIFShell attack creates reverse shell using Microsoft Teams GIFs (bleepingcomputer.com)

Other Social Engineering; Smishing, Vishing, etc

• Defeat social engineering attacks by growing your cyber resilience - Help Net Security

Malware

• Cyber criminals targeting Minecraft fans with malware • The Register

• Next-Gen Linux Malware Takes Over Devices With Unique Tool Set (darkreading.com)

• TeslaGun Primed to Blast a New Wave of Backdoor Cyber attacks (darkreading.com)

• New Linux malware evades detection using multi-stage deployment (bleepingcomputer.com)

• Bumblebee malware adds post-exploitation tool for stealthy infections (bleepingcomputer.com)

• Botnets in the Age of Remote Work (darkreading.com)

• North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns (thehackernews.com)

Mobile

• In-app browser security risks, and what to do about them | CSO Online

• Fake Antivirus and Cleaner Apps Caught Installing SharkBot Android Banking Trojan (thehackernews.com)

• SharkBot Malware Resurfaces on Google Play to Steal Users' Credentials - Infosecurity Magazine (infosecurity-magazine.com)

Internet of Things – IoT

• New Stealthy Shikitega Malware Targeting Linux Systems and IoT Devices (thehackernews.com)

Data Breaches/Leaks

• NATO docs sold on darkweb after they were stolen from Portugal - Security Affairs

• Criminals claim they've stolen NATO missile plans • The Register

• TikTok denies data breach following leak of user data - Security Affairs

• IRS mistakenly published confidential info for roughly 120K taxpayers - Security Affairs

• Samsung US Says Customer Data Compromised in July Data Breach | SecurityWeek.Com

• Digital Identity Provider SDK Leaves Hundreds Of Thousands Of Biometric (informationsecuritybuzz.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Scammers live-streamed on YouTube a fake Apple crypto event - Security Affairs

• FBI: Crooks are using these DeFi flaws to steal your money | ZDNET

• Feds freeze $30m in cryptocurrency stolen from Axie Infinity • The Register

• New Rules for Crypto Exchanges to Stop Sanctions Evaders - Infosecurity Magazine (infosecurity-magazine.com)

Fraud, Scams & Financial Crime

• 62% of consumers see fraud as an inevitable risk of online shopping - Help Net Security

• Islanders in Jersey lose nearly £400,000 to romance fraud | ITV News Channel

• The Advantages of Threat Intelligence for Combating Fraud | SecurityWeek.Com

AML/CFT/Sanctions

• UK forces crypto exchanges to report suspected sanction breaches | Cryptocurrencies | The Guardian

• US Treasury sanctioned Iran ’s Ministry of Intelligence over Albania cyber attack - Security Affairs

Insurance

• Lloyd’s of London defends cyber insurance exclusion for state-backed attacks | Financial Times (ft.com)

• Global Cyber security Insurance Market Size Expected to Top $32.6 Billion by 2028 - MSSP Alert

• With cyber insurance costs increasing, can smaller firms avoid getting priced out? - Help Net Security

Supply Chain and Third Parties

• Supply chain risk is a top security priority as confidence in partners wanes - Help Net Security

• KeyBank: Hackers of third-party provider stole customer data | The Seattle Times

• Government guide for supply chain security: The good, the bad and the ugly - Help Net Security

Software Supply Chain

• Report Highlights Prevalence of Software Supply Chain Risks (darkreading.com)

Denial of Service DoS/DDoS

• Ransomware gang's Cobalt Strike servers DDoSed with anti-Russia messages (bleepingcomputer.com)

Cloud/SaaS

• Defenders Be Prepared: Cyber attacks Surge Against Linux Amid Cloud Migration (darkreading.com)

• Hybrid Cloud Security Challenges & Solutions (trendmicro.com)

• 3 Critical Steps for Reducing Cloud Risk (darkreading.com)

Identity and Access Management

• There is no secure critical infrastructure without identity-based access - Help Net Security

Encryption

• A Pragmatic Response to the Quantum Threat (darkreading.com)

API

• 6 Top API Security Risks! Favoured Targets for Attackers If Left Unmanaged (thehackernews.com)

• API Security for the Modern Enterprise - IT Security Guru

Open Source

• New Linux malware combines unusual stealth with a full suite of capabilities | Ars Technica

Passwords, Credential Stuffing & Brute Force Attacks

• Are Default Passwords Hiding in Your Active Directory? Here's how to check (bleepingcomputer.com)

• 200,000 North Face accounts hacked in credential stuffing attack (bleepingcomputer.com)

Social Media

• TikTok denies security breach after hackers leak user data, source code (bleepingcomputer.com)

• Facebook Engineers Admit They Don’t Know What They Do With Your Data (vice.com)

• Meta axes Responsible Innovation team charged with addressing ethical problems with Facebook, Instagram, WhatsApp | Fortune

Privacy

• You should know that most websites share your in-site search queries with third parties - Help Net Security

• Meta Fined $400m in Ireland For Children's Privacy Breach - Infosecurity Magazine (infosecurity-magazine.com)

Parental Controls and Child Safety

• Google’s image-scanning illustrates how tech firms can penalise the innocent | John Naughton | The Guardian

Cyber Bullying and Cyber Stalking

• ‘I didn’t want it anywhere near me’: how the Apple AirTag became a gift to stalkers | Apple | The Guardian

Regulations, Fines and Legislation

• Tear up decades-old law to save Britain from hackers, say cyber experts (telegraph.co.uk)

• UK Privacy Regulator Fines Halfords for Spam Deluge - Infosecurity Magazine (infosecurity-magazine.com)

• Meta Fined $400m in Ireland For Children's Privacy Breach - Infosecurity Magazine (infosecurity-magazine.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Google Details Recent Ukraine Cyber attacks | SecurityWeek.Com

• Ukraine dismantles more bot farms spreading Russian disinformation (bleepingcomputer.com)

• Ukraine is under attack by hacking tools repurposed from Conti cyber crime group | Ars Technica

• Sprawling, multi-year Iranian cyberespionage and surveillance group exposed in new report - CyberScoop

• Iranian APT42 Launched Over 30 Espionage Attacks Against Activists and Dissidents (thehackernews.com)

• Newly discovered cyber spy group targets Asia • The Register

• New Iranian hacking group APT42 deploys custom Android spyware (bleepingcomputer.com)

• Israeli Defence Minister's Cleaner Sentenced for Spying Attempt | SecurityWeek.Com

• An interview with Ukrainian hacker 'Herm1t' on countering pro-Kremlin attacks - The Record by Recorded Future

• Researchers Find New Android Spyware Campaign Targeting Uyghur Community (thehackernews.com)

• Anonymous hacked Yandex taxi causing a traffic jam in Moscow - Security Affairs

Nation State Actors

Nation State Actors – Russia

• Raspberry Robin Malware Connected to Russian Evil Corp Gang (darkreading.com)

Nation State Actors – China

• US bans ‘advanced tech’ firms from building facilities in China for a decade | Technology sector | The Guardian

Nation State Actors – North Korea

• North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns (thehackernews.com)

• North Korea's Lazarus Targets Energy Firms With Three RATs | SecurityWeek.Com

Nation State Actors – Iran

• Microsoft: Iranian hackers encrypt Windows systems using BitLocker (bleepingcomputer.com)

• UK condemns Iran for reckless cyber attack against Albania - GOV.UK (www.gov.uk)

• US Treasury sanctioned Iran ’s Ministry of Intelligence over Albania cyber attack - Security Affairs

• NATO Condemns Alleged Iranian Cyber attack on Albania | SecurityWeek.Com

• New Iranian hacking group APT42 deploys custom Android spyware (bleepingcomputer.com)

• Microsoft investigates Iranian attacks against the Albanian government - Microsoft Security Blog

• Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group (thehackernews.com)

Nation State Actors – Misc

• Nation-state attacks are a growing threat to video conferencing - Help Net Security

• Use of machine identities is growing in state-sponsored cyber attacks - Help Net Security

Vulnerability Management

• High-profile vulnerabilities encourage organisations to improve security posture - Help Net Security

Vulnerabilities

• CISA adds 12 new flaws to Known Exploited Vulnerabilities Catalog - Security Affairs

• September 2022 Patch Tuesday forecast: No sign of cooling off - Help Net Security

• High-risk ConnectWise Automate vulnerability fixed, admins urged to patch ASAP - Help Net Security

• Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts (thehackernews.com)

• Cisco Releases Security Patches for New Vulnerabilities Impacting Multiple Products (thehackernews.com)

• Mirai Variant MooBot Botnet Exploiting D-Link Router Vulnerabilities (thehackernews.com)

• Cisco won’t fix authentication bypass zero-day in EoL routers (bleepingcomputer.com)

• Critical RCE Vulnerability Affects Zyxel NAS Devices — Firmware Patch Released (thehackernews.com)

• Chrome and Edge fix zero-day security hole – update now! – Naked Security (sophos.com)

• Google Patches Sixth Chrome Zero-Day of 2022 | SecurityWeek.Com

• QNAP patches zero-day used in new Deadbolt ransomware attacks (bleepingcomputer.com)

• HP fixes severe bug in pre-installed Support Assistant tool (bleepingcomputer.com)

Other News

• Top 5 Cyber crime Cases in 2022 (techgenix.com)

• The Heartbleed bug: How a flaw in OpenSSL caused a security crisis | CSO Online

• Cyber Security - the More Things Change, the More They Are The Same | SecurityWeek.Com

• CISOs say stress and burnout are their top personal risks (cnbc.com)

• How to deal with unprecedented levels of regulatory change - Help Net Security

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive Summary

Cisco has released patches to address two high-severity and one medium severity security flaws within their product range. One vulnerability, which affects Cisco Catalyst 8000V software can allow a remote malicious actor to trigger a denial of service condition. The other high vulnerability could allow for an unauthenticated attacker who has access to a VPN network to change configuration settings, or cause the system to reload. Cisco also disclosed knowledge of an IPSec VPN Server Authentication Bypass vulnerability which could allow a malicious attacker to bypass authentication onto the VPN escalate to administrator privileges on an affected device. As affected devices are now out of support, with an end-of-life notice issued, Cisco will not be providing a patch for these devices.

What’s the risk to me or my business?

The first high vulnerability relates the Cisco cloud virtual routing software, 8000V Edge and Nvidia MLX5 network cards. The vulnerability itself was disclosed by Nvidia, and affects underlying software which is utilised by Cisco, and can be used by a malicious attacker to cause an error condition on the device, which would then cause denial of service. If hybrid business systems are being routed using this product, then there is a possibility of down-time until the issue is patched.

The second vulnerability relates to the CSD-WAN vManage software containers, that could allow an attacker who already has access to the organisations VPN0 network to further compromise critical network infrastructure resulting in a potential loss of confidentiality, integrity, and availability.

The third medium severity vulnerability relates to the Cisco Webex Meetings app, which could allow an unauthenticated remote attacker to change the content of links and messages within the application interface, which could lead to a phishing or spoofing attack.

Vulnerability that won’t be fixed in End of Life Devices

Separate to this, Cisco says that a new authentication bypass flaw affecting multiple small business VPN routers will not be patched because the devices have reached end-of-life (EoL).

This zero-day bug (CVE-2022-20923) is caused by a faulty password validation algorithm that attackers could exploit to log into the VPN on vulnerable devices using what the company describes as "crafted credentials" if the IPSec VPN Server feature is enabled.

As this vulnerability could allow an unauthenticated malicious attacker to bypass authentication and gain access to the IPSec VPN network and can gain administrative access, compromising the confidentiality, integrity and availability of the network, any unsupported devices should be replaced.

What can I do?

Cisco has released software updates to address the vulnerabilities, which are available for download from their website, and should be applied in line with the organisation’s vulnerability management process to limit availability impact to the business. It is also critical to ensure that all devices in use by an organisation are currently being supported by the vendor, as otherwise like in this case, critical security vulnerabilities could be disclosed without any option but to purchase new equipment. The affected equipment stopped receiving software support from Cisco in December 2020.

Technical Summary

The following is a breakdown of the vulnerabilities with the affected Cisco products.

CVE-2022-28199: A remote denial of service vulnerability relating to the DPDK Nvidia Library feature, with a CVSS 3.0 rating of 8.6, which allows a malicious attacker to cause an error condition on the device, resulting in the device reloading or failing to receive traffic, resulting in a DoS condition. Affected Software:

 ·      Cisco Catalyst 8000V Edge Software

·       Adaptive Security Virtual Appliance (ASAv)

·       Secure Firewall Threat Defense Virtual (formerly FTDv)

 Further information on this specific vulnerability can be found here: Vulnerability in NVIDIA Data Plane Development Kit Affecting Cisco Products: August 2022

 CVE-2022-20696: A remote vulnerability with a CVSS 3.0 rating of 7.5, which allows a malicious attacker who has the ability to send network traffic to interfaces within the VPN0 logical network to exploit the lack of sufficient protection mechanisms on the messaging server container ports, allowing the attacker to view and inject messages into the messaging service, which could allow for configuration changes or cause the system to reload. Affected software:

·       Cisco SD-WAN vManage Software

Further information on this specific vulnerability can be found here: Cisco SD-WAN vManage Software Unauthenticated Access to Messaging Services Vulnerability

CVE-2022-20863: A vulnerability with a CVSS 3.0 rating of 4.3, which allows an unauthenticated malicious attacker to exploit a vulnerability within the character rendering of the Cisco Webex Meetings interface to modify the display of links or other content within the interface, allowing an attacker to potentially conduct phishing or spoofing attackers.

 Further information on this specific vulnerability can be found here: Cisco Webex Meetings App Character Interface Manipulation Vulnerability

 CVE-2022-20923: A vulnerability with a CVSS 3.0 rating of 4.0, which allows an unauthenticated, remote attacker to exploit a vulnerability within the password validation algorithm to bypass authentication controls and gain access to the IPSec VPN Network. The attacker may even be able to obtain privileges at administrator level depending on the credentials used. No patch will be released for this vulnerability. Affected products:

 ·      RV110W Wireless-N VPN Firewall

·       RV130 VPN Router

·       RV130W Wireless-N Multifunction VPN Router

·       RV215W Wireless-N VPN Router

 Further information on this specific vulnerability can be found here: Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers IPSec VPN Server Authentication Bypass Vulnerability

 Need help understanding your gaps, or just want some advice? Get in touch with us.

The emails are being received from the domain “@mail-gfsc.com” and may contain malicious links or attachments. The commission are directing users to forward these emails to phishing@gfsc.gg, and to follow the guidance put in place with the Commission’s Cyber Rules and Guidance 2021. Further information from the commission can be found here: Spoof emails | GFSC

If you suspect you may have been targeted by one of these campaigns and would like to assist us in raising awareness of the risk to others, please contact us via phishing@blackarrowcyber.com

Update: 25/11/2022: There has been a number of sources that have noted a steady increase in these attacks.

Executive Summary

EvilProxy, a Phishing-as-a-Service (PaaS) platform allows low-skill malicious actors to bypass Multi-Factor Authentication from multiple different service providers, using techniques similar to those outlined in the previous cyber advisory on 19/07/2022, where Microsoft detected a new phishing campaign that had the potential to bypass MFA if additional controls were not in place. Malicious actors can pay for the service via a subscription model that allows them to setup and manage phishing campaigns in a similar fashion to phishing simulation training.

What’s the risk to me or my business?

As advanced phishing techniques become available to low-skill threat actors, it is expected that there will be an increase in phishing campaigns going forward. These particular campaigns are more dangerous as they have the potential to bypass security controls such as Multi-Factor Authentication.

What can I do?

Continue to follow the advice issued with the previous threat alert: Black Arrow Cyber Advisory 19/07/2022 – Microsoft identifies Phishing campaign which can bypass MFA. As this platform can be used against different services including Apple and Google, it is important to have these controls in place across the business estate where possible.

A full breakdown of this particular phishing platform is available here: New EvilProxy service lets all hackers use advanced phishing tactics (bleepingcomputer.com)

Update: Microsoft Detection and Response Team (DART) has provided an updated blog post on how these attacks have increased and evolved over time, with the focus being on stealing cookies in comparison to stealing credentials. Recommended protections include management and oversight on end user devices to ensure that they are kept up to date with patches and anti-virus definitions, reducing the lifetime of authenticated sessions and the implementation of Conditional Access application control. Further information can be found here: Token tactics: How to prevent, detect, and respond to cloud token theft - Microsoft Security Blog

Need help understanding your gaps, or just want some advice? Get in touch with us.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• 79% Of Companies Only Invest in Cyber Security After Hacking Incidents

The British cyber security company Tanium published a survey on investments in digital protection in UK companies with alarming results: 79% of them only approve investments in cyber security after suffering a data breach; 92% experienced a data attack or breach, of which 74% occurred in 2021. Leadership reticence is also high, with 63% of leaders convinced cyber security is only a concern after an attack.

The complexity of the situation has grown with the digital transformation of work. If it streamlines many processes, it can also open up serious security gaps. A sensitive point is the “home office”: companies need effective solutions to eliminate gaps that may appear between employees’ computers (often shared devices) and the company’s internal network.

Putting in solutions is just the beginning of a necessary strategy and investment effort in virtual protection. Complex scams based on phishing, reverse engineering, and backdoor-type malicious programs (“planted” discreetly on a device and sometimes inactive for months) often combine real-world and virtual-world fraud.

The escalation of corporate data hijacking appears in this scenario. The most notorious case at a global level of such an incident, with a million-dollar ransom demand, was launched in 2021 on Colonial Pipeline. This US company paid $40 million to regain control over strategic data after fuel supplies through its pipelines to several states were threatened for days.

https://informationsecuritybuzz.com/infosec-news/79-of-the-companies-only-invest-in-cybersecurity-after-hacking-incidents/

• Nearly Half of Breaches During First Half of 2022 Involved Stolen Credentials

According to a new report by Acronis, a Switzerland-based cyber security company, nearly half of breaches during the first six months of 2022 involved stolen credentials.

The goal of stealing credentials is to launch ransomware attacks. According to the report, these “continue to be the number one threat to large and medium-sized businesses, including government organisations.”

Attackers usually use phishing techniques to extract these credentials. In the first half of the year, over 600 malicious email campaigns made their way across the internet, of which 58% were phishing attempts and 28% featured malware.

Acronis also added that “as reliance on the cloud increases, attackers have homed in on different entryways to cloud-based networks.”

Additionally, cyber criminals now also target unpatched or software vulnerabilities to extract data, with a recent increase on Linux operating systems and managed service providers (MSPs) and their network of SMB customers.

The third vector spotted by Acronis was “non-traditional entry avenues” such as cryptocurrencies and decentralised finance (DeFi) systems.

https://www.itsecurityguru.org/2022/08/30/nearly-half-of-breaches-during-first-half-of-2022-involved-stolen-credentials/

• Outdated Infrastructure Not Up to Today’s Ransomware Challenges

A global research commissioned by Cohesity reveals that nearly half of respondents say their company depends on outdated, legacy backup and recovery infrastructure to manage and protect their data. In some cases, this technology is more than 20 years old and was designed long before today’s multicloud era and onslaught of sophisticated cyber attacks plaguing enterprises globally.

Challenges pertaining to outdated infrastructure could easily be compounded by the fact that many IT and security teams don’t seem to have a plan in place to mobilise if and when a cyber attack occurs. Nearly 60% of respondents expressed some level of concern that their IT and security teams would be able to mobilise efficiently to respond to the attack.

These are just some of the findings from an April 2022 survey, conducted by Censuswide, of more than 2,000 IT and SecOps professionals (split nearly 50/50 between the two groups) in the United States, the United Kingdom, Australia and New Zealand. All respondents play a role in the decision-making process for IT or security within their organisations.

IT and security teams should raise the alarm bell if their organisation continues to use antiquated technology to manage and secure their most critical digital asset – their data.

Cyber criminals are actively preying on this outdated infrastructure as they know it was not built for today’s dispersed, multicloud environments, nor was it built to help companies protect and rapidly recover from sophisticated cyber attacks.

https://www.helpnetsecurity.com/2022/08/30/outdated-infrastructure-manage-data/

• Ghost Data Increases Enterprise Business Risk

IT has to get its hands around cloud data sprawl. Another area of focus should be on ghost data, as it expands the organisation's cloud attack surface.

Cloud sprawl is a big issue for organisations, with business teams spinning up cloud systems and services on their own, often without IT oversight. That leads to cloud data sprawl as data is scattered across different environments. If IT doesn’t know about the cloud systems and services, then IT is also not managing the data being collected, processed, and stored there.

We all know about shadow IT, the systems and network devices in the organisation’s environment that IT is not managing. Similarly, shadow data refers to unmanaged data store copies and snapshots or log data that are not part of IT’s backup and recovery strategy. Researchers at Cyera estimate that 60% of the data security posture issues that are present in cloud accounts stem from unsecured sensitive data.

Then there is the problem of ghost data. When data gets deleted from cloud systems, it isn’t fully gone. Copies linger in backups or snapshots of data stores. Ghost data refers to those copies left behind after the original has been deleted, and Cyera’s recent analysis show that enterprises have quite a lot of it.

After scanning the three major cloud providers (Amazon Web Services, Azure, and Google Cloud), Cyera researchers found that over 30% of scanned customer cloud data stores are ghost data and more than 58% contain sensitive, or very sensitive, data. For example, researchers found unsecured database snapshots in non-production environments that contained sensitive customer data where the original database had been destroyed. Researchers also uncovered sensitive personal and authentication data in plain text where the production data and application were no longer in use.

Ghost data usually has no business value - the data was deleted for a reason - and having it around unnecessarily increases business risk. Attackers don’t care if they get their hands on the original sensitive information or the copy because to them, all data has value, regardless of the form it takes.

https://www.darkreading.com/edge-threat-monitor/ghost-data-increases-enterprise-business-risk

• Detected Cyber Threats Surge 52% in 1H 2022

A leading cyber security vendor blocked 63 billion threats in the first half of 2022 alone, over 50% more than the same period a year ago.

The findings come from the Trend Micro 2022 Midyear Cybersecurity Report and illustrate the scale of the challenge facing network defenders.

Trend Micro highlighted the persistent threat posed by ransomware-as-a-service (RaaS) groups as one that will continue to cause major challenges for organisations in the years to come.

It said detections of prolific groups such as LockBit and Conti increased by 500% year-on-year in 1H 2022. Such groups will continue to adapt their tactics, techniques and procedures (TTPs) in the race for profits.

The report warned of a surge in threats targeting Linux systems, for example. It said detections of attacks on Linux servers and embedded systems grew 75% year-on-year in the first half of 2022. Both SMBs and larger organisations are now a target, it claimed.

Many RaaS groups exploit vulnerabilities as a primary attack vector. Their job is getting easier as the number of published common vulnerabilities and exposures (CVEs) continues to grow strongly.

Trend Micro’s Zero Day Initiative published advisories on 944 vulnerabilities in the first half of 2021, a 23% year-on-year increase. The number of critical bug advisories it published soared by 400% over the same period.

https://www.infosecurity-magazine.com/news/detected-cyberthreats-surge-52-in/

• An Interview with Initial Access Broker Wazawaka: ‘There Is No Such Money Anywhere as There is in Ransomware’

Last April, a ransomware group threatened to expose police informants and other sensitive information if the Washington, D.C. Metropolitan Police Department did not pay a demand.

The brazen attack was the work of a gang known as Babuk, which in early 2021 gained a reputation for posting stolen databases on its website from victims that refused to pay a ransom. Just days after it tried to extort the Metropolitan Police Department, Babuk announced it was closing its ransomware affiliate program, and would focus on data theft and extortion instead.

Earlier this year, cyber security journalist Brian Krebs uncovered details about one man behind the operation named Mikhail Matveev, who was also connected to a number of other groups and identities, including the handle ‘Wazawaka.’ According to Krebs, Matveev had become more unhinged than usual, “publishing bizarre selfie videos” and creating a Twitter account to share exploit code.

Matveev talked to Recorded Future about his interaction with other hackers, details about ransomware attacks he’s been involved in, and how he settled on the name Babuk.

Click the link below for the full interview but the long and short is ransomware has created a criminal ecosystem the likes of which the world has never seen.

https://therecord.media/an-interview-with-initial-access-broker-wazawaka-there-is-no-such-money-anywhere-as-there-is-in-ransomware/

• Cyber Crime Underground More Dangerous Than Organisations Realise

Kela, a cyber threat intelligence specialist, found in a new study of some 400 security pros in the US that organisations are more at risk from the “cyber crime underground” than they realise.

The Israel-based company surveyed security team members responsible for gathering cyber crime threat intelligence daily to better understand if they’re proactively scanning the dark web and other cyber crime sources, what tools they’re using and the gaps they see in their cyber crime threat intelligence approach. Nearly 60% of the respondents do not believe their current cyber crime prevention is effective, the results showed.

Here are the study’s key findings:

• 69% are concerned about threats from the cyber crime underground.

• 54% wouldn’t be surprised to find their organisation’s data on the cyber crime underground.

• Only 38% believe that they’re very likely to detect it if it was released.

• 48% have no documented cyber crime threat intelligence policy in place.

• Only 41% believe their current security program is very effective.

• 49% are not satisfied with the visibility they have of the cyber crime underground.

• Of the 51% who were satisfied with their visibility into the cyber crime underground, 39% were still unable to prevent an attack.

• Additional training and proficiency in cyber crime intelligence investigations is the most needed capability.

https://www.msspalert.com/cybersecurity-research/cybercrime-underground-more-dangerous-than-organizations-realize-threat-intelligence-firm-warns/

• New Ransomware Group BianLian Activity Exploding

A new ransomware group operating under the name BianLian emerged in late 2021 and has become increasingly active since.

The threat actor already has twenty alleged victims across several industries (insurance, medicine, law and engineering), according to a research paper from US cyber security firm Redacted, published on September 1, 2022. The majority of the victim organisations have been based in Australia, North America and the UK.

The research team has given no attribution yet but believes the threat actor “represents a group of individuals who are very skilled in network penetration but are relatively new to the extortion/ransomware business.”

BianLian uses a custom toolkit, including homemade encryptors and encryption backdoors. Both, as well as the command-and-control (C&C) software the hackers use, are written in Go, an increasingly popular programming language among ransomware threat actors.

Troublingly, the Redacted team of researchers has found evidence that BianLian is likely now trying to up their game.

https://www.infosecurity-magazine.com/news/new-ransomware-group-bianlian/

• Can Your Passwords Withstand Threat Actors’ Dirty Tricks?

Password security hinges on the answer to that seemingly simple question. Unfortunately, you can’t know the answer until you’ve engaged a ruthless penetration tester to find out if your environment can stand up to the frighteningly good password cracking skills of today’s most nefarious hackers.

The whole purpose of hiring skilled penetration testers (“pentesters”) is to find out if your environment is truly impenetrable — and if it’s not, exactly how you should shore up your defences. Good pentesters and red teamers spend their time trying to simulate and emulate the real bad actors. After all, what’s the point of pressure-testing your IT infrastructure if you don’t use the same pressure that you’ll face in the real world?

You should “train like you fight.” Without sparring, how can you expect to jump into a boxing ring and go a few rounds with a skilled boxer? That’s the entire point of goal-based penetration testing and red/purple team engagements that simulate real-world threat actors.

Password cracking will continue to evolve – and so should your penetration testing tactics and plans. By the time you get to your fourth or fifth round with a quality pentesting consultancy, your risk mitigation will have dramatically improved — which means you’ll be able to move on to the next stage of security maturity.

https://www.helpnetsecurity.com/2022/08/30/stand-up-to-password-cracking/

• Ransomware Gangs’ Favourite Targets

Barracuda released its fourth-annual threat research report which looks at ransomware attack patterns that occurred between August 2021 and July 2022.

For the 106 highly publicised attacks our researchers analysed, the dominant targets are still five key industries: education (15%), municipalities (12%), healthcare (12%), infrastructure (8%), and financial (6%). The number of ransomware attacks increased year-over-year across each of these five industry verticals, and attacks against other industries more than doubled compared to last year’s report.

While attacks on municipalities increased only slightly, the analysis over the past 12 months showed that ransomware attacks on educational institutions more than doubled, and attacks on the healthcare and financial verticals tripled. Many choose not to disclose when they get hit.

This year, researchers dug in deeper on these highly publicised attacks to see which other industries are starting to be targeted. Service providers were hit the most, and ransomware attacks on automobile, hospitality, media, retail, software, and technology organisations all increased as well.

Most ransomware attacks don’t make headlines, though. Many victims choose not to disclose when they get hit, and the attacks are often sophisticated and extremely hard to handle for small businesses.

As ransomware and other cyber threats continue to evolve, the need for adequate security solutions has never been greater. Many cyber criminals target small businesses in an attempt to gain access to larger organisations. As a result, it is essential for security providers to create products that are easy to use and implement, regardless of a company’s size.

Additionally, sophisticated security technologies should be available as services, so that businesses of all sizes can protect themselves against these ever-changing threats. By making security solutions more accessible and user-friendly, the entire industry can help to better defend against ransomware and other cyber attacks.

https://www.helpnetsecurity.com/2022/08/31/ransomware-attack-patterns/

• Tentacles of ‘0ktapus’ Threat Group Victimise 130 Firms

Over 130 companies were tangled in sprawling phishing campaign that spoofed a multi-factor authentication system.

Targeted attacks on Twilio and Cloudflare employees are tied to a massive phishing campaign that resulted in 9,931 accounts at over 130 organisations being compromised. The campaigns are tied to focused abuse of identity and access management firm Okta, which gained the threat actors the 0ktapus moniker, by researchers.

The primary goal of the threat actors was to obtain Okta identity credentials and multi-factor authentication (MFA) codes from users of the targeted organisations. These users received text messages containing links to phishing sites that mimicked the Okta authentication page of their organisation.

114 US-based firms were impacted, with additional victims of sprinkled across 68 additional countries. The full scope of the attack is still unknown but the 0ktapus campaign has been incredibly effective, and the full scale of it may not be known for some time.

The 0ktapus attackers are believed to have begun their campaign by targeting telecommunications companies in hopes of winning access to potential targets’ phone numbers.

While unsure exactly how threat actors obtained a list of phone numbers used in MFA-related attacks, one theory researchers posit is that 0ktapus attackers began their campaign targeting telecommunications companies.

https://threatpost.com/0ktapus-victimize-130-firms/180487/

• Organisations Are Spending Billions on Malware Defence That’s Easy to Bypass

Last year, organisations spent $2 billion on products that provide Endpoint Detection and Response, a relatively new type of security protection for detecting and blocking malware targeting network-connected devices. EDRs, as they're commonly called, represent a newer approach to malware detection. Static analysis, one of two more traditional methods, searches for suspicious signs in the DNA of a file itself. Dynamic analysis, the other more established method, runs untrusted code inside a secured "sandbox" to analyse what it does to confirm it's safe before allowing it to have full system access.

EDRs—which are forecasted to generate revenue of $18 billion by 2031 and are sold by dozens of security companies—take an entirely different approach. Rather than analyse the structure or execution of the code ahead of time, EDRs monitor the code's behaviour as it runs inside a machine or network. In theory, it can shut down a ransomware attack in progress by detecting that a process executed on hundreds of machines in the past 15 minutes is encrypting files en masse. Unlike static and dynamic analyses, EDR is akin to a security guard that uses machine learning to keep tabs in real time on the activities inside a machine or network.

Despite the buzz surrounding EDRs, new research suggests that the protection they provide isn't all that hard for skilled malware developers to circumvent. In fact, the researchers behind the study estimate EDR evasion adds only one additional week of development time to the typical infection of a large organisational network. That's because two fairly basic bypass techniques, particularly when combined, appear to work on most EDRs available in the industry.

https://arstechnica.com/information-technology/2022/08/newfangled-edr-malware-detection-generates-billions-but-is-easy-to-bypass/

Threats

Ransomware

• Global Ransomware Damages to Exceed $30bn by 2023 - Infosecurity Magazine (infosecurity-magazine.com)

• Ransomware Research: 10 Key Findings, Five Ways to Defend Against Hijackers - MSSP Alert

• Cyber Attack: Spike in Ransomware Threat to More Than 1.2 Million Per Month Between January-June, Says Report | LatestLY

• LockBit ransomware gang gets aggressive with triple-extortion tactic (bleepingcomputer.com)

• New Golang-based 'Agenda Ransomware' Can Be Customized For Each Victim (thehackernews.com)

• Chile and Montenegro Floored by Ransomware - Infosecurity Magazine (infosecurity-magazine.com)

• Researchers Detail Emerging Cross-Platform BianLian Ransomware Attacks (thehackernews.com)

• Ragnar Locker Brags About TAP Air Portugal Breach (darkreading.com)

• Police ‘negotiating with hackers’ who hit Paris hospital computer system | World | The Times

• Advanced cyber-attack: NHS doctors' paperwork piles up - BBC News

• Another Ransomware For Linux Likely In Development - Security Affairs

• Montenegro hit by ransomware attack, hackers demand $10 million (bleepingcomputer.com)

• Should ransomware payments be banned? A few considerations - Help Net Security

• Researchers Spot Snowballing BianLian Ransomware Gang Activity (darkreading.com)

• Ragnar Locker continues trend of ransomware targeting energy sector | CSO Online

• BlackCat ransomware claims attack on Italian energy agency (bleepingcomputer.com)

• Italian Oil Major Becomes Victim Of Ransomware Attack | OilPrice.com

• Damart clothing store hit by Hive ransomware, $2 million demanded (bleepingcomputer.com)

• Baker & Taylor's Systems Remain Offline a Week After Ransomware Attack - Infosecurity Magazine (infosecurity-magazine.com)

• Gloucester Council planning site still disrupted from cyber attack - BBC News

BEC – Business Email Compromise

• How BEC attacks on human capital management systems are increasing - Help Net Security

Malware

• Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users | McAfee Blog

• A study on malicious plugins in WordPress Marketplaces - Security Affairs

• Prynt Stealer Contains a Backdoor to Steal Victims' Data Stolen by Other Cyber criminals (thehackernews.com)

• New Evidence Links Raspberry Robin Malware to Dridex and Russian Evil Corp Hackers (thehackernews.com)

• BumbleBee a New Modular Backdoor Evolved From BookWorm (trendmicro.com)

• Malicious Chrome Extensions Plague 1.4M Users (darkreading.com)

Mobile

• Mobile banking apps put 300,000 digital fingerprints at risk • The Register

• Researcher unveils smart lock hack for fingerprint theft (techtarget.com)

• Source Code of Over 1800 Android and iOS Apps Gives Access to AWS Credentials - Infosecurity Magazine (infosecurity-magazine.com)

Internet of Things – IoT

• Skyrocketing IoT Bug Disclosures Put Pressure on Security Teams (darkreading.com)

• Singapore clocks higher ransomware attacks, warns of IoT risks | ZDNET

• Standards Body Publishes Guidelines for IoT Security Testing - Infosecurity Magazine (infosecurity-magazine.com)

• ieGeek Vulnerabilities still prevalent in 2022 - Amazon Ft. IG20 (realinfosec.net)

Data Breaches/Leaks

• Evil Corp and Conti Linked to Cisco Data Breach, eSentire Suggests - Infosecurity Magazine (infosecurity-magazine.com)

• Okta Says Customer Data Compromised in Twilio Hack | SecurityWeek.Com

• Password Manager With 25 Million Users Confirms Breach, Expert Weighs In (informationsecuritybuzz.com)

• Neopets says hackers had access to its systems for 18 months (bleepingcomputer.com)

• Akasa Air Suffers Data Leak on First Day of Operation- IT Security Guru

• Samsung says hackers obtained some customer data in newly disclosed breach | Engadget

• Millions of student loan accounts exposed in data breach | TechRadar

• Russian streaming platform confirms data breach affecting 7.5M users (bleepingcomputer.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• FBI: Crooks stole $1b+ in cryptocurrency already this year • The Register

• Ukraine takes down cyber crime group hitting crypto fraud victims (bleepingcomputer.com)

• FBI: Crooks are using these DeFi flaws to steal your money | ZDNET

• Windows malware delays coinminer install by a month to evade detection (bleepingcomputer.com)

• Cryptominer Disguised as Google Translate Targeted 11 Countries - Infosecurity Magazine (infosecurity-magazine.com)

• Crypto-Crooks Spread Trojanized Google Translate App in Watering-Hole Attack (darkreading.com)

• Hackers Use ModernLoader to Infect Systems with Stealers and Cryptominers (thehackernews.com)

Insider Risk and Insider Threats

• West Yorkshire PC due in court over police computer searches - BBC News

Fraud, Scams & Financial Crime

• Big Banks vs. Big Tech: Who Is Liable For Online Fraud? (informationsecuritybuzz.com)

Insurance

• Cyber insurance has been around for 25 years. It’s still a bit of a mess. (slate.com)

• Who Pays for an Act of Cyber War? | WIRED

• Travelers, Policyholder Agree to Void Current Cyber Policy (insurancejournal.com)

• Cyber Frauds Skyrocket: Can Cyber Insurance Protect You in Real World? Experts Explain (news18.com)

• Google Cloud, Microsoft and AWS dive into cyber insurance - Protocol

• Cyber Insurance Price Hike Hits Local Governments Hard (insurancejournal.com)

• Insurers must rethink handling of cyber attacks on states | Financial Times (ft.com)

• Cyber insurance on rise as attacks surge | Mint (livemint.com)

Dark Web

• German man charged for trying to hire fake contract killer on darkweb | Euronews

• COVID-19 data put for sale on Dark Web - Security Affairs

• NATO Investigates Dark Web Leak of Data Stolen From Missile Vendor (darkreading.com)

Supply Chain and Third Parties

• PyPI Phishing Campaign | JuiceLedger Threat Actor Pivots From Fake Apps to Supply Chain Attacks - SentinelOne

Software Supply Chain

• NSA and CISA share tips to secure the software supply chain (bleepingcomputer.com)

Denial of Service DoS/DDoS

• DDoS activity launched by patriotic hacktivists is on the rise - Help Net Security

Cloud/SaaS

• 1 in 3 organisations don't know if their public cloud data was exfiltrated - Help Net Security

• Real-World Cloud Attacks: The True Tasks of Cloud Ransomware Mitigation (darkreading.com)

Encryption

• CISA: Prepare now for quantum computers, not when hackers use them (bleepingcomputer.com)

• Homomorphic encryption: a holy grail for privacy, explained (fastcompany.com)

API

• The 4 Most Common OWASP API Security - IT Security Guru

Open Source

• Linux devices 'increasingly' under attack from hackers, warn security researchers | ZDNET

Passwords, Credential Stuffing & Brute Force Attacks

• LastPass source code breach – do we still recommend password managers? – Naked Security (sophos.com)

Social Media

• Social media is ruining our lives and the public are finally waking up (telegraph.co.uk)

• LinkedIn New Hacking Scam (informationsecuritybuzz.com)

• Thousands lured with blue badges in Instagram phishing attack (bleepingcomputer.com)

Training, Education and Awareness

• (ISC)² Launches 'Certified in Cybersecurity' Entry-Level Certification to Address Global Workforce Gap (darkreading.com)

Privacy

• Trident Royal Navy staff reveal sensitive data on fitness app | News | The Times

• Cops wanted to keep mass surveillance app secret; privacy advocates refused | Ars Technica

• US telcos admit to storing, handing over location data • The Register

• Facebook moves to settle Cambridge Analytica lawsuit | TechCrunch

• Homomorphic encryption: a holy grail for privacy, explained (fastcompany.com)

• Nobody’s special to the WFH software spies | Comment | The Times

Travel

• Cyber Safety for Summer Vacation | SecurityWeek.Com

Parental Controls and Child Safety

• Scammers Targeting Thousands Of Children As Young As Six, Figures Show (informationsecuritybuzz.com)

• Over a Third of Parents Do Not Know What Online Accounts Their Children Use - IT Security Guru

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Why Russia's cyber war in Ukraine hasn't played out as predicted (newatlas.com)

• Ukraine's army of hackers failed to thwart Russia and quickly gave up | New Scientist

• Cyber criminals Apparently Involved in Russia-Linked Attack on Montenegro Government | SecurityWeek.Com

• Who Pays for an Act of Cyber War? | WIRED

• Moscow gridlock as hackers send dozens of taxis to Hotel Ukraine (telegraph.co.uk)

• Finland To Offer Businesses Cybersec Vouchers In Wake Of Nato-related (informationsecuritybuzz.com)

• China-linked APT40 used ScanBox Framework in a long-running espionage campaign - Security Affairs

• Montenegro says Russian cyber attacks threaten key state functions (bleepingcomputer.com)

• Google says it cut off Russian disinformation sites from its vast ad display network - CyberScoop

• Ex-spies banned from arms exports for UAE hack-for-hire work • The Register

Nation State Actors

Nation State Actors – Russia

• Third-party hacking groups lose interest in Russia-Ukraine conflict, study claims | SC Media (scmagazine.com)

• FBI deploys cyber team to Montenegro following massive cyber attack | The Hill

• New Evidence Links Raspberry Robin Malware to Dridex and Russian Evil Corp Hackers (thehackernews.com)

• Montenegro Sent Back to Analog by Unprecedented Cyber Attacks | Balkan Insight

Nation State Actors – China

• Chinese Hackers Target Energy Firms in South China Sea | SecurityWeek.Com

• China-linked APT40 targets wind turbines, Aust. government • The Register

Nation State Actors – Misc

• Insurers must rethink handling of cyber attacks on states | Financial Times (ft.com)

Vulnerabilities

• Apple Quietly Releases Another Patch for Zero-Day RCE Bug (darkreading.com)

• Google Chrome emergency update fixes new zero-day used in attacks (bleepingcomputer.com)

• URGENT! Apple slips out zero-day update for older iPhones and iPads – Naked Security (sophos.com)

• WordPress 6.0.2 Patches Vulnerability That Could Impact Millions of Legacy Sites | SecurityWeek.Com

• Critical hole in Atlassian Bitbucket needs patching now • The Register

Reports Published in the Last Week

• Tackling the Growing and Evolving Digital Attack Surface 2022 Midyear Cybersecurity Report (trendmicro.com)

Other News

• Former Cyber criminal: These Are the Biggest Threats on the Internet (businessinsider.com)

• Stuxnet explained: The first known cyber weapon | CSO Online

• Infra Used in Cisco Hack Also Targeted Workforce Management Solution (thehackernews.com)

• Flicking the kill switch: governments embrace internet shutdowns as a form of control | Internet | The Guardian

• Okta Impersonation Technique Could be Utilized by Attackers | SecurityWeek.Com

• Remote Work Cyber Security: 12 Risks and How to Prevent Them (techtarget.com)

• Does your cyber crime prevention program work? - Help Net Security

• Does Blockchain really offer Better Digital Security? - IT Security Guru

• IT and Employees Don’t Always See Eye to Eye on Cyber Security - IT Security Guru

• New Cyber Security Regulations Are Coming. Here’s How to Prepare. (hbr.org)

• 3 Cyber Security Trends for 2022 - IT Security Guru

• Cyber security budget breakdown and best practices (techtarget.com)

• How Just-in-Time privilege elevation prevents data breaches and lateral movement - Help Net Security

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Lloyd's to Exclude Certain Nation-State Attacks from Cyber Insurance Policies

Lloyd's of London insurance policies will stop covering losses from certain nation-state cyber attacks and those that happen during wars, beginning in seven months' time.

In a memo sent to the company's 76-plus insurance syndicates, underwriting director Tony Chaudhry said Lloyd's remains "strongly supportive" of cyber attack coverage. However, as these threats continue to grow, they may "expose the market to systemic risks that syndicates could struggle to manage," he added, noting that nation-state-sponsored attacks are particularly costly to cover.

Because of this, all standalone cyber attack policies must include "a suitable clause excluding liability for losses arising from any state-backed cyber attack," Chaudhry wrote. These changes will take effect beginning March 31, 2023 at the inception or renewal of each policy.

At a minimum (key word: minimum) these policies must exclude losses arising from a war, whether declared or not, if the policy doesn't already have a separate war exclusion. They must also at least exclude losses from nation-state cyber attacks that "significantly impair the ability of a state to function or that significantly impair the security capabilities of a state."

Policies must also "set out a robust basis" on which to attribute state-sponsored cyber attacks, according to Chaudhry – and therein lies the rub.

Attributing a cyber attack to a particular crime group or nation-state with 100 percent confidence "is absolutely hard," NSA director of cybersecurity Rob Joyce said at this year's RSA Conference.

Threat analysts typically attribute an attack to a nation-state from its level of sophistication, but as advanced persistent crime groups become more sophisticated – and have more resources at their disposal to buy zero-day exploits and employ specialists for each stage of an attack – differentiating between nation-states and cyber crime gangs becomes increasingly difficult, he explained.

There are times when nation-states will act like criminals, using their tools and infrastructure, and sometimes vice versa. The clear line of sophistication and stealth that many have used as a common sense delineation has blurred. Yet, If you are going to pay out money you are likely going to look for something that is more ironclad and likely related to forensic evidence.

https://www.theregister.com/2022/08/24/lloyds_cybersecurity_insurance/

• Cyber Security Top Risk for Enterprise C-Suite Leaders, PwC Study Says

Cyber security is now firmly on the agenda of the entire C-suite, consultancy PricewaterhouseCoopers (PwC) reports in a new survey of more than 700 business leaders across a variety of industries.

Of key enterprise issues, cyber security ranks at the top of business risks, with nearly 80% of the respondents considering it a moderate to serious risk. The warning isn’t confined to just chief information security officers, but ranges from chief executives to chief financial officers, chief operating officers, chief technology officers, chief marketing officers and includes corporate board members. Virtually all roles ranked cyber attacks high on their list of risks, PwC said.

Overall, 40% of business leaders ranked cyber security as the top serious risk facing their companies, and 38% ranked it a moderate risk.

Here are six steps businesses can take to address cyber security concerns:

1. View cyber security as a broad business concern and not just an IT issue.

2. Build cyber security and data privacy into agendas across the C-suite and board.

3. Increase investment to improve security.

4. Educate employees on effective cyber security practices.

5. For each new business initiative or transformation, make sure there’s a cyber plan in place.

6. Use data and intelligence to regularly measure cyber risks. Proactively look for blind spots in third-party relationships and supply chains.

https://www.msspalert.com/cybersecurity-research/cybersecurity-top-risk-for-enterprise-c-suite-leaders-pwc-study-says/

• Apathy Is Your Company's Biggest Cyber Security Vulnerability — Here's How to Combat It

Human error continues to be the leading cause of a cyber security breach. Nearly 60% of organisations experienced a data loss due to an employee's mistake on email in the last year, while one in four employees fell for a phishing attack.

Employee apathy, while it may not seem like a major cyber security issue, can leave an organisation vulnerable to both malicious attacks and accidental data loss. Equipping employees with the tools and knowledge they need to prevent these risks has never been more important to keep organisations safe.

A new report from Tessian sheds light on the full extent of employee apathy and its impact on cyber security posture. The report found that a significant number of employees aren't engaged in their organisation's cyber security efforts and don't understand the role they play. One in three employees say they don't understand the importance of cyber security at work. What's more, only 39% say they're very likely to report a cyber security incident. Why? A quarter of employees say they don't care enough about cyber security to mention it.

This is a serious problem. IT and security teams can't investigate or remediate a threat they don't know about.

Employees play an important role in flagging incidents or suspicious activity early on to prevent them from escalating to a costly breach. Building a strong cyber security culture can mitigate apathy by engaging employees as part of the solution and providing the tools and training they need to work productively and securely.

https://www.darkreading.com/attacks-breaches/apathy-is-your-company-s-biggest-cybersecurity-vulnerability-here-s-how-to-combat-it

• The World’s Largest Sovereign Wealth Fund Warns Cyber Security Is Top Concern, as Attacks on Banks and Financial Service Double

Cyber security has eclipsed tumultuous financial markets as the biggest concern for the world’s largest sovereign wealth fund, as it faces an average of three “serious” cyber attacks each day.

The number of significant hacking attempts against Norway’s $1.2tn oil fund, Norges Bank Investment Management, has doubled in the past two to three years.

The fund, which reported its biggest half-year dollar loss last week after inflation and recession fears shook markets, suffers about 100,000 cyber attacks a year, of which it classifies more than 1,000 as serious, according to its top executives.

“I’m worried about cyber more than I am about markets,” their CEO told the Financial Times. “We’re seeing many more attempts, more attacks [that are] increasingly sophisticated.”

The fund’s top executives are even concerned that concerted cyber attacks are becoming a systemic financial risk as markets become increasingly digitised.

Their deputy CEO pointed to the 2020 attack on SolarWinds, a software provider, by Russian state-backed hackers that allowed them to breach several US government agencies, including the Treasury and Pentagon, and a number of Fortune 500 companies including Microsoft, Intel and Deloitte.

“They estimate there were 1,000 Russians [involved] in that one attack, working in a co-ordinated fashion. I mean, Jesus, that’s our whole building on one attack, so you’re up against some formidable forces there,” he said.

Cyber attacks targeting the financial industry have risen sharply in recent months. Malware attacks globally rose 11 per cent in the first half of 2022, but they doubled at banks and financial institutions, according to cyber security specialist SonicWall. Ransomware attacks dropped 23 per cent worldwide, but increased 243 per cent against financial targets in the same period.

https://www.ft.com/content/1aa6f92a-078b-4e1a-81ca-65298b8310b2

Configuration Errors to Blame for 80% of Ransomware

The vast majority (80%) of ransomware attacks can be traced back to common configuration errors in software and devices, according to Microsoft.

The tech giant’s latest Cyber Signals report focuses on the ransomware as a service (RaaS) model, which it claims has democratised the ability to launch attacks to groups “without sophistication or advanced skills.” Some RaaS programs now have over 50 affiliate groups on their books.

For defenders, a key challenge is ensuring they don’t leave systems misconfigured, it added.

“Ransomware attacks involve decisions based on configurations of networks and differ for each victim even if the ransomware payload is the same,” the report argued. “Ransomware culminates an attack that can include data exfiltration and other impacts. Because of the interconnected nature of the cyber-criminal economy, seemingly unrelated intrusions can build upon each other.”

Although each attack is different, Microsoft pointed to missing or misconfigured security products and legacy configurations in enterprise apps as two key areas of risk exposure.

“Like smoke alarms, security products must be installed in the correct spaces and tested frequently. Verify that security tools are operating in their most secure configuration, and that no part of a network is unprotected,” it urged. “Consider deleting duplicative or unused apps to eliminate risky, unused services. Be mindful of where you permit remote helpdesk apps like TeamViewer. These are notoriously targeted by threat actors to gain express access to laptops.”

Although not named in the report, another system regularly misconfigured and hijacked by ransomware actors is the remote desktop protocol (RDP), which often is not protected by a strong password or two-factor authentication. It’s widely believed to be one of the top three vectors for attack.

The bad news for network defenders is they don’t have much time after initial compromise to contain an attack. Microsoft claimed the median time for an attacker to begin moving laterally inside the network after device compromise is one hour, 42 minutes. The median time for an attacker to access private data following a phishing email is one hour, 12 minutes, the firm added.

https://www.infosecurity-magazine.com/news/configuration-errors-blame-80/

• Ransomware Surges to 1.2 Million Attacks Per Month

Ransomware threat detections have risen to over one million per month this year, with a French hospital the latest to suffer a major outage.

The 1000-bed Center Hospitalier Sud Francilien (CHSF) near Paris revealed it was hit on Sunday morning, in an attack which has knocked out all the hospital's business software, storage systems including medical imaging, and patient admissions. This has led to all but the most urgent emergency patients being diverted to other facilities in the region.

France24 cited figures claiming cyber-attacks against French hospitals surged 70% year-on-year in 2021. "Each day we need to rewrite patients' medications, all the prescriptions, the discharge prescriptions," Valerie Caudwell, president of the medical commission at CHSF hospital, reportedly said. "For the nurses, instead of putting in all the patients' data on the computer, they now need to file it manually from scratch."

Reports suggest Lockbit 3.0 may be to blame for the $10m ransom demand, which the hospital is refusing to pay.

Barracuda Networks claimed in a new report out today that education, municipalities, healthcare, infrastructure and finance have remained the top five targets for ransomware over the past 12 months. However, while attacks on local government increased only slightly, those targeting educational institutions more than doubled, and attacks on the healthcare and financial verticals tripled. Overall, Barracuda claimed that ransomware detections between January and June of this year climbed to more than 1.2 million per month.

https://www.infosecurity-magazine.com/news/ransomware-surges-to-12-million/

• A Massive Hacking Campaign Stole 10,000 Login Credentials From 130 Different Organisations

A phishing campaign targeted Okta users at multiple companies, successfully swiping passwords from staffers and then using them to steal company secrets.

Researchers say that a mysterious “threat actor” (a fancy term for a hacker or hacker group) has managed to steal nearly 10,000 login credentials from the employees of 130 organisations, in the latest far-reaching supply chain attack on corporate America. Many of the victims are prominent software companies, including firms like Twilio, MailChimp, and Cloudflare, among many others.

The news comes from research conducted by cyber security firm Group-IB, which began looking into the hacking campaign after a client was phished and reached out for help. The research shows that the threat actor behind the campaign, which researchers have dubbed “0ktapus,” used basic tactics to target staff from droves of well-known companies. The hacker(s) would use stolen login information to gain access to corporate networks before going on to steal data and then break into another company’s network.

“This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organisations,” researchers wrote in their blog. “Furthermore, once the attackers compromised an organisation they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”

https://gizmodo.com/oktapus-okta-hack-twilio-10000-logins-130-companies-1849457420

• This Company Paid a Ransom Demand. Hackers Leaked Its Data Anyway

A victim of a ransomware attack paid to restore access to their network – but the cyber criminals didn't hold up their end of the deal.

The real-life incident, as detailed by cyber security researchers at Barracuda Networks, took place in August 2021, when hackers from BlackMatter ransomware group used a phishing email to compromise the account of a single victim at an undisclosed company.

From that initial entry point, the attackers were able to expand their access to the network by moving laterally around the infrastructure, ultimately leading to the point where they were able to install hacking tools and steal sensitive data. Stealing sensitive data has become a common part of ransomware attacks. Criminals leverage it as part of their extortion attempts, threatening to release it if a ransom isn't received. 

The attackers appear to have had access to the network for at least a few weeks, seemingly going undetected before systems were encrypted and a ransom was demanded, to be paid in Bitcoin.

Cyber security agencies warn that despite networks being encrypted, victims shouldn't pay ransom demands for a decryption key because this only shows hackers that such attacks are effective.

https://www.zdnet.com/article/this-company-paid-a-ransom-demand-hackers-leaked-its-data-anyway/

• Sophisticated BEC Scammers Bypass Microsoft 365 Multi-Factor Authentication

A Business Email Compromise (BEC) attack recently analysed by cloud incident response company Mitiga used an adversary-in-the-middle (AitM) phishing attack to bypass Microsoft Office 365 MFA and gain access to a business executive's account, and then managed to add a second authenticator device to the account for persistent access. According to the researchers, the campaign they analysed is widespread and targets large transactions of up to several million dollars each.

The attack started with a well-crafted phishing email masquerading as a notification from DocuSign, a widely used cloud-based electronic document signing service. The email was crafted to the targeted business executive, suggesting that attackers have done reconnaissance work. The link in the phishing email led to an attacker-controlled website which then redirects to a Microsoft 365 single sign-on login page.

This fake login page uses an AitM technique, where the attackers run a reverse proxy to authentication requests back and forth between the victim and the real Microsoft 365 website. The victim has the same experience as they would have on the real Microsoft login page, complete with the legitimate MFA request that they must complete using their authenticator app. Once the authentication process is completed successfully, the Microsoft service creates a session token which gets flagged in its systems that it fulfilled MFA. The difference is that since the attackers acted as a proxy, they now have this session token too and can use it to access the account.

This reverse proxy technique is not new and has been used to bypass MFA for several years. In fact, easy-to-use open-source attack frameworks have been created for this purpose.

https://www.csoonline.com/article/3670575/sophisticated-bec-scammers-bypass-microsoft-365-multi-factor-authentication.html

• 77% Of Security Leaders Fear We’re in Perpetual Cyber War from Now On

A survey of cyber security decision makers found 77 percent think the world is now in a perpetual state of cyber warfare.

In addition, 82 percent believe geopolitics and cyber security are "intrinsically linked," and two-thirds of polled organisations reported changing their security posture in response to the Russian invasion of Ukraine.

Of those asked, 64 percent believe they may have already been the target of a nation-state-directed cyber attack. Unfortunately, 63 percent of surveyed security leaders also believe that they'd never even know if a nation-state level actor pwned them.

The survey, organised by security shop Venafi, questioned 1,100 security leaders. They said the results show cyber warfare is here, and that it's completely different to many would have imagined. "Any business can be damaged by nation-states," they stated.

It's been common knowledge for some time that government-backed advanced persistent threat (APT) crews are being used to further online geopolitical goals. Unlike conventional warfare, everyone is a target and there's no military or government method for protecting everyone.

Nor is there going to be much financial redress available. Earlier this week Lloyd's of London announced it would no longer recompense policy holders for certain nation-state attacks.

https://www.theregister.com/2022/08/27/in-brief-security/

• Cyber Security Governance: A Path to Cyber Maturity

Organisations need cyber security governance programs that make every employee aware of the cyber security mitigation efforts required to reduce cyber-risks.

In an increasingly challenging threat landscape, many organisations struggle with developing and implementing effective cyber security governance. The "Managing Cybersecurity Risk: A Crisis of Confidence" infographic by the CMMI Institute and ISACA stated: "While enterprise leaders recognise that mature cyber security is essential to thriving in today's digital economy, they often lack the insights and data to have peace of mind that their organisations are efficiently and effectively managing cyber risk."

Indeed, damages from cyber crime are projected to cost the world $7 trillion in 2022, according to the "Boardroom Cybersecurity 2022 Report" from Cybersecurity Ventures. As a result, "board members and chief executives are more interested in cyber security now than ever before," the report stated, adding that the time is ripe for turning awareness into action.

How, then, can board leaders have confidence that their organisations are prepared against cyber attacks? The first order of business for most organisations is to enable a strong cyber security governance program.

Cyber security governance refers to the component of governance that addresses an organisation's dependence on cyber space in the presence of adversaries. The ISO/IEC 27001 standard defines cyber security governance as the following: “The system by which an organisation directs and controls security governance, specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks”.

Traditionally, cyber security is viewed through the lens of a technical or operational issue to be handled in the technology space. Cyber security planning needs to fully transition from a back-office operational function to its own area aligned with law, privacy and enterprise risk. The CISO should have a seat at the table alongside the CIO, COO, CFO and CEO. This helps the C-suite understand cyber security as an enterprise-wide risk management issue, along with the legal implications of cyber-risks, and not solely a technology issue.

https://www.techtarget.com/searchsecurity/post/Cybersecurity-governance-A-path-to-cyber-maturity

• The Rise of Data Exfiltration and Why It Is a Greater Risk Than Ransomware

Ransomware is the de facto threat organisations have faced over the past few years. Threat actors were making easy money by exploiting the high valuation of cryptocurrencies and their victims' lack of adequate preparation.

Think about bad security policies, untested backups, patch management practices not up-to-par, and so forth. It resulted in easy growth for ransomware extortion, a crime that multiple threat actors around the world perpetrate.

Something's changed, though. Crypto valuations have dropped, reducing the monetary appeal of ransomware attacks due to organisations mounting better defence against ransomware.

Threat actors have been searching for another opportunity – and found one. It's called data exfiltration, or exfil, a type of espionage causing headaches at organisations worldwide.

Information exfiltration is rapidly becoming more prevalent. Earlier this year, incidents at Nvidia, Microsoft, and several other companies have highlighted how big of a problem it's become – and how, for some organisations, it may be a threat that's even bigger than ransomware.

Nvidia, for example, became entangled in a complex tit-for-tat exchange with hacker group Lapsus$. One of the biggest chipmakers in the world was faced with the public exposure of the source code for invaluable technology, as Lapsus$ leaked the source code for the company's Deep Learning Super Sampling (DLSS) research.

When it comes to exfil extortion, attackers do not enter with the primary aim of encrypting a system and causing disruption the way that a ransomware attacker does. Though, yes, attackers may still use encryption to cover their tracks.

Instead, attackers on an information exfiltration mission will move vast amounts of proprietary data to systems that they control. And here's the game: attackers will proceed to extort the victim, threatening to release that confidential information into the wild or to sell it to unscrupulous third parties.

https://thehackernews.com/2022/08/the-rise-of-data-exfiltration-and-why.html

Threats

Ransomware

• Ransomware Groups Can Adapt Malware Code to Different Operating Systems Simultaneously, Kaspersky Research Finds - MSSP Alert

• [Whoa] Ransomware Strains Almost Double in Six Months from 5,400 to 10,666 (knowbe4.com)

• Ransomware: Most attacks exploit these common cyber security mistakes - so fix them now, warns Microsoft | ZDNET

• Ransomware dominates the threat landscape - Help Net Security

• We need to think about ransomware differently - Help Net Security

• Disk wiping malware knows no borders - Help Net Security

• NATO investigates hacker sale of missile firm data - BBC News           

• Cyber attackers disrupt services at French hospital, demand $10 million ransom (france24.com)

• New 'Agenda' Ransomware Customized for Each Victim | SecurityWeek.Com

• LockBit gang hit by DDoS attack after Entrust leaks • The Register

• New ransomware HavanaCrypt poses as Google software update | CSO Online

• WannaCry explained: A perfect ransomware storm | CSO Online

• LockBit Ransomware Site Hit by DDoS Attack as Hackers Start Leaking Entrust Data | SecurityWeek.Com

• New Golang Ransomware Agenda Customizes Attacks (trendmicro.com)

• New 'BianLian' Ransomware Variant on the Rise (darkreading.com)

• New 'Donut Leaks' extortion gang linked to recent ransomware attacks (bleepingcomputer.com)

• Ransomware Attacks are on the Rise | Threatpost

• Quantum ransomware attack disrupts govt agency in Dominican Republic (bleepingcomputer.com)

• Car Dealership Hit by Major Ransomware Attack - Infosecurity Magazine

• Ransomware Gang Leaks Data Allegedly Stolen from Greek Gas Supplier | SecurityWeek.Com

• Major airline technology provider Accelya attacked by ransomware group - The Record by Recorded Future

• Businesses expect the government to increase its financial assistance for all ransomware incidents - Help Net Security

BEC – Business Email Compromise

• Before Portland lost $1.4 million in cyber breach, city treasurer raised red flag - OPB

Phishing & Email Based Attacks

• Phishing attacks abusing SaaS platforms see a massive 1,100% growth (bleepingcomputer.com)

• Researchers Warn of AiTM Attack Targeting Google G-Suite Enterprise Users (thehackernews.com)

• Unusual Microsoft 365 Phishing Campaign Spoofs eFax Via Compromised Dynamics Voice Account (darkreading.com)

• Hiding a phishing attack behind the AWS cloud • The Register

• 10 key facts about callback phishing attacks - CyberTalk 2022

Other Social Engineering; Smishing, Vishing, etc

• New social engineering tactics discovered in the wild - Help Net Security

Malware

• Threat actor abuses Genshin Impact Anti-Cheat driver to disable antivirus - Security Affairs

• Fake DDoS Protection Alerts Distribute Dangerous RAT (darkreading.com)

• Meet Borat RAT, a New Unique Triple Threat (thehackernews.com)

• Donot Team group updates its Windows malware framework - Security Affairs

• How 'Kimsuky' hackers ensure their malware only reach valid targets (bleepingcomputer.com)

• Grandoreiro banking malware targets Mexico and Spain - Security Affairs

• Fake Chrome extension 'Internet Download Manager' has 200,000 installs (bleepingcomputer.com)

• Threat actors are using the Tox P2P messenger as C2 server - Security Affairs

Mobile

• Google Play Store Serving Up Chameleon-like Apps (informationsecuritybuzz.com)

• We can make our phones harder to hack but complete security is a pipe dream | John Naughton | The Guardian

Internet of Things – IoT

• Cyber criminals Are Selling Access to Chinese Surveillance Cameras | Threatpost

• IoT Vulnerability Disclosures Up 57% in Six Months, Claroty Reveals - Infosecurity Magazine

• Thousands of Organisations Remain at Risk from Critical Zero-Click IP Camera Bug (darkreading.com)

Data Breaches/Leaks

• LastPass data breach: threat actors stole portion of source code - Security Affairs

• Plex discloses data breach and urges password reset - Security Affairs

• Why the Twilio Breach Cuts So Deep | WIRED

• Plex was compromised, exposing usernames, emails, and passwords - The Verge

• DoorDash discloses new data breach tied to Twilio hackers (bleepingcomputer.com)

• Data on California Prisons' Visitors, Staff, Inmates Exposed | SecurityWeek.Com

• Expert Commentary On The Plex Data Breach (informationsecuritybuzz.com)

• Textile Company Sferra Discloses Data Breach | SecurityWeek.Com

• Novant Health: Oops, we leaked 1.3m patients' info to Meta • The Register

Organised Crime & Criminal Actors

• RaaS Kits Are Hiding Who The Attackers Really Are – Expert Comments (informationsecuritybuzz.com)

• Researchers warn of darkverse emerging from the metaverse | CSO Online

 Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• An anatomy of crypto-enabled cyber crime | Financial Times (ft.com)

• Cryptojackers Spread Across Computers Globally- IT Security Guru

• Hackers Are Breaking Into and Emptying Cash App Accounts (vice.com)

• Threat actors are stealing funds from General Bytes Bitcoin ATMSecurity Affairs

• How Economic Changes and Crypto's Rise Are Fuelling the use of "Cyber Mules" | SecurityWeek.Com

Fraud, Scams & Financial Crime

• Scammers Create “AI Hologram” of C-Suite Crypto Exec - Infosecurity Magazine

• Employee fraud: Beware of deepfake job applicants - Protocol

• A closer look at identity crimes committed against individuals - Help Net Security

• What type of fraud enables attackers to make a living? - Help Net Security

Insurance

• Lloyds Of London Ends Insurance Coverage For State Cyber Attacks, Expert (informationsecuritybuzz.com)

Software Supply Chain

• Why SBOMs alone aren’t enough for software supply chain security | CSO Online

Denial of Service DoS/DDoS

• DDoS attacks jump 203%, patriotic hacktivism surges - Help Net Security

• Threat Actor Deploys Raven Storm Tool to Perform DDoS Attacks - Infosecurity Magazine

• LockBit gang hit by DDoS attack after Entrust leaks • The Register

• Gambling sites are losing significant amounts of revenue due to raising DDoS attacks - Help Net Security

Cloud/SaaS

• Mitiga: Attackers evade Microsoft MFA to lurk inside M365 (techtarget.com)

• Phishing attacks abusing SaaS platforms see a massive 1,100% growth (bleepingcomputer.com)

• How complicated access management protocols have impacted cloud security - Help Net Security

Identity and Access Management

• IT leaders struggling to address identity sprawl - Help Net Security

• Identity Security Pain Points and What Can Be Done (darkreading.com)

• Thoma Bravo: Securing digital identities has become a major priority - Help Net Security

Encryption

• CISA: Action required now to prepare for quantum computing cyber threats | ZDNET

• Encrypted Traffic Analysis: Mitigating Against The Risk Of Encryption (informationsecuritybuzz.com)

• US Government: Stop Dickering and Prepare for Post-Quantum Encryption Now - CNET

API

• API security incidents occur at least once a month - Help Net Security

Passwords, Credential Stuffing & Brute Force Attacks

• Credential phishing attacks rise and represent a huge threat to businesses - Help Net Security

• Twilio hackers breached over 130 organisations during months-long hacking spree | TechCrunch

• FBI: Beware Residential IPs Hiding Credential Stuffing - Infosecurity Magazine

Social Media

• Experts Reaction to Poor Security At Twitter (informationsecuritybuzz.com)

Privacy

• Oracle sued over ‘worldwide surveillance machine’ by privacy rights activists | CSO Online

• Most top mobile carriers retain geolocation data for two years on average, FCC findings show - CyberScoop

Travel

• Hackers target hotel and travel companies with fake reservations (bleepingcomputer.com)

• Fake Reservation Links Prey on Weary Travelers | Threatpost

• British Airways passengers targeted in baggage scam using Twitter | The Independent

Models, Frameworks and Standards

• PCI DSS v4.0 is coming, here's how to prepare to comply (techtarget.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Lloyd's of London Introduces New War Exclusion Insurance Clauses | SecurityWeek.Com

• The (Nation) State of Cyber: 64% of Businesses Suspect They've Been Targeted or Impacted by Nation-State Attacks (darkreading.com)

• EU Outlines Critical Cyber Response to Ukraine War - Infosecurity Magazine

• Unprecedented cyber attack hit State Infrastructure of Montenegro - Security Affairs

• Suspected Iranian Hackers Targeted Several Israeli Organisations for Espionage (thehackernews.com)

Nation State Actors

Nation State Actors – Russia

• Microsoft: Russian hackers gain powerful 'MagicWeb' authentication bypass | ZDNET

• Microsoft Attributes New Post-Compromise Capability to Nobelium - Infosecurity Magazine

Nation State Actors – Iran

• Google Uncovers Tool Used by Iranian Hackers to Steal Data from Email Accounts (thehackernews.com)

• Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organisations (thehackernews.com)

Nation State Actors – Misc APT

• Donot Team group updates its Windows malware framework - Security Affairs

• Cyber crime Groups Increasingly Adopting Sliver Command-and-Control Framework (thehackernews.com)

Vulnerability Management

• Up to 35% more CVEs published so far this year compared to 2021 | CSO Online

• Why patching quality, vendor info on vulnerabilities are declining | CSO Online

• How fast is the financial industry fixing its software security flaws? - Help Net Security

• Highlighting What should be Patched First at the Endpoint (bleepingcomputer.com)

Vulnerabilities

• Cisco Patches High-Severity Vulnerabilities in Business Switches | SecurityWeek.Com

• CISA Warns of Active Exploitation of Palo Alto Networks' PAN-OS Vulnerability (thehackernews.com)

• Critical flaw impacts Atlassian Bitbucket Server and Data Center - Security Affairs

• VMware fixes privilege escalation vulnerabilities in VMware Tools - Infosecurity Magazine

• VMware LPE Bug Allows Cyber attackers to Feast on Virtual Machine Data (darkreading.com)

• Critical RCE bug in GitLab patched, update ASAP! (CVE-2022-2884) - Help Net Security

• Mac users urged to update Zoom, after security patch released for previously-flawed security patch (bitdefender.com)

• Zoom patches root exploit, patches patch due to root exploit • The Register

• US government really hopes you've patched your Zimbra server • The Register

• Apple security flaw ‘actively exploited’ by hackers to fully control devices | Apple | The Guardian

• Microsoft publicly discloses details on critical ChromeOS flaw - Security Affairs

• Mozilla Patches High-Severity Vulnerabilities in Firefox, Thunderbird | SecurityWeek.Com

• 'DirtyCred' Vulnerability Haunting Linux Kernel for 8 Years | SecurityWeek.Com

• Privilege Escalation Flaw Haunts VMware Tools | SecurityWeek.Com

Reports Published in the Last Week

• Cyber Signals: Defend against the new ransomware landscape - Microsoft

• Threat Spotlight: The untold stories of ransomware - Journey Notes (barracuda.com)

Other News

• How attackers use and abuse Microsoft MFA - Help Net Security

• There is an urgent need to reduce systemic cyber risks | Financial Times (ft.com)

• Critical infrastructure is under attack from hackers. Securing it needs to be a priority - before it's too late | ZDNET

• We Need to Talk About How Good A.I. Is Getting - The New York Times (nytimes.com)

• A lack of endpoint security strategy is leaving enterprises open to attack - Help Net Security

• NIST Weighs in on AI Risk (darkreading.com)

• Twitter whistleblower report holds security lessons (techtarget.com)

• Nearly 3 Years Later, SolarWinds CISO Shares 3 Lessons From the Infamous Attack (darkreading.com)

• Data governance: 5 tips for holistic data protection - Microsoft Security Blog

• US Government Spending Billions on Cyber security (thehackernews.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive Summary

The password manager provider LastPass, has suffered a security incident from which technical information within the development environment was stolen. At this stage LastPass has stated that no customer data was affected by this breach.

What’s the risk to me or my business?

LastPass has stated that they have not seen any further evidence of unauthorised activity outside of the development environment, and that customer data will not have been affected by this security incident. Black Arrow will continue to monitor this situation and will provide updates if this changes.

What can I do?

While LastPass themselves do not recommend any action on the part of customers, as a precaution we would recommend that users change their master password and ensure that multi-factor authentication is enabled on their accounts.

Further information on this security incident be found here: Notice of Recent Security Incident - The LastPass Blog

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

Plex, the streaming platform aggregate, has suffered a data breach on 22/08/2022 where customer information including emails, usernames and encrypted passwords were stolen. The organisation has advised that users reset their passwords immediately.

What’s the risk to me or my business?

While it has been specified that the passwords were encrypted, it still may be possible for a malicious attacker to brute force the password, which would allow them access to the account, and potentially any other account which also uses the same email and password combination. It is also likely that users will start receiving more phishing emails and spam, which is a frequent occurrence after a data breach.

What can I do?

It is recommended that the password for the account is changed. If that password is in use for any other account associated with the email address, then this should also be changed. As a reminder it is best practice and often organisational policy for users to have different passwords for different accounts for this very reason.

Further information on this specific data breach can be found here: Important notice of a potential data breach 24th of August 2022 - Announcements - Plex Forum

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

Cisco has supplied patches which address two high severity vulnerabilities within the Cisco NX-OS software, which runs on their Nexus line of switches. One vulnerability could allow an unauthenticated attacker to remotely cause denial of service to the device. A second vulnerability which also affects the Cisco FXOS, could cause an unauthenticated attacker to laterally execute code on the device, or cause denial of service to the device. Cisco also released a patch for a third high severity vulnerability within the Multi-Site Orchestrator product which could allow a remote, authenticated attacker to escalate privileges to administrator levels on affected devices.

What’s the risk to me or my business?

The first high vulnerability relates to the OSPFv3 feature, which is a routing protocol used in IPv6. As affected devices may be situated on the network perimeter and can be executed remotely, a denial of service could lead to downtime affecting availability of key network infrastructure across an organisation. It should be noted that this feature is disabled by default. The second high vulnerability could allow an attacker who already has access to the organisations network, to further compromise critical network infrastructure, resulting in a potential loss of confidentiality, integrity, and availability.  The third high vulnerability relating to the Multi-Site Orchestrator, which is used to interconnect and manage multiple locations under a single network, could allow an attacker who already has access to a non-privileged account, to escalate their privileges on affected devices, resulting in a potential loss of confidentiality, integrity and availability within the network.

What can I do?

Cisco has released software updates to address the vulnerabilities, which are available for download from their website, and should be applied in line with the organisations vulnerability management process to limit availability impact to the business. Regarding the OSPFv3 vulnerability, if that feature is not in use as it is disabled by default, then this vulnerability cannot be exploited.

Technical Summary

The following is a breakdown of the vulnerabilities with the affected Cisco products.

CVE-2022-20823: A remote denial of service vulnerability relating to the OSPFv3 feature of NX-OS, with a CVSS 3.0 rating of 8.6, which allows a malicious attacker to exploit incomplete input validation by sending a malicious OSPFv3 link-state advertisement (LSA) to an affected device, causing it to crash and restart multiple times which would cause the device to reload, resulting in a DoS condition. Affected devices:

·         Nexus 3000 Series Switches

·         Nexus 5500 Platform Switches

·         Nexus 5600 Platform Switches

·         Nexus 6000 Series Switches

·         Nexus 7000 Series Switches

·         Nexus 9000 Series Fabric Switches in ACI mode

·         Nexus 9000 Series Switches in standalone NX-OS mode

Further information on this specific vulnerability can be found here: Cisco NX-OS Software OSPFv3 Denial of Service Vulnerability

CVE-2022-20824: A remote arbitrary code execution vulnerability with a CVSS 3.0 rating of 8.8, which allows a malicious attacker who is on the same Layer 2 broadcast domain as the affected device (Layer 2 adjacent) to exploit an input validation vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device, allowing them to execute arbitrary code as the root user, or reload the device resulting in a DoS Condition. Affected devices:

·         Firepower 4100 Series

·         Firepower 9300 Security Appliances

·         MDS 9000 Series Multilayer Switches

·         Nexus 1000 Virtual Edge for VMware vSphere

·         Nexus 1000V Switch for Microsoft Hyper-V

·         Nexus 1000V Switch for VMware vSphere

·         Nexus 3000 Series Switches

·         Nexus 5500 Platform Switches

·         Nexus 5600 Platform Switches

·         Nexus 6000 Series Switches

·         Nexus 7000 Series Switches

·         Nexus 9000 Series Fabric Switches in ACI mode

·         Nexus 9000 Series Switches in standalone NX-OS mode

·         UCS 6200 Series Fabric Interconnects

·         UCS 6300 Series Fabric Interconnects

·         UCS 6400 Series Fabric Interconnects

Further information on this specific vulnerability can be found here: Cisco FXOS and NX-OS Software Cisco Discovery Protocol Denial of Service and Arbitrary Code Execution Vulnerability

CVE-2022-20921: A privilege escalation vulnerability with a CVSS 3.0 rating of 8.8, which allows an authenticated malicious attacker to exploit a vulnerability within the API implementation of Cisco ACI Multi-Site Orchestrator via a crafted HTTP request to elevate to administrator privileges on the affected product. It should be noted that after release 3.4, Cisco ACI MSO was renamed Cisco Nexus Dashboard Orchestrator (NDO), and Cisco NDO is not affected by this vulnerability.

Further information on this specific vulnerability can be found here: Cisco ACI Multi-Site Orchestrator Privilege Escalation Vulnerability

Need help understanding your gaps, or just want some advice? Get in touch with us.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Businesses Found to Neglect Cyber Security Until it is Too Late

Businesses only take cyber security seriously after falling victim to an attack, according to a report published by the UK's Department for Culture, Media and Sport (DCMS) this week.

For the research, the UK government surveyed IT professionals and end users in 10 UK organisations of varying sizes that have experienced cyber security breaches in the past three years. This analysed their existing level of security prior to a breach, the business impacts of the attack and how cyber security arrangements changed in the wake of the incident.

Nearly all respondents said their organisation took cyber security much more seriously after experiencing a breach, including reviewing existing practices and significantly increased investment in technology solutions.

While there was a consensus among participants that there is a greater need for vigilance and investment in cyber security, there was significant variation between organisations’ practices in this area. Medium and large organisations tended to have formal plans in place and budget allocated for further cyber security investment, but smaller businesses mostly did not due to resource constraints.

https://www.infosecurity-magazine.com/news/cybersecurity-seriously-breach/

• Cyber Tops Staff Retention as Biggest Business Risk

Cyber security concerns represent the most serious risk facing organisations, beating inflation, talent acquisition/retention and rising production costs, according to a new PwC study.

The PwC Pulse: Managing business risks in 2022 report was compiled from interviews with 722 US C-suite executives.

Two-fifths (40%) ranked cyber-attacks as a serious risk, rising to 51% of board members. PwC said boardrooms may be getting more attuned to cyber risk after new SEC proposals were published in March that would require directors to oversee cyber security risk and be more transparent about their cyber expertise.

In fact, executives appear to be getting more proactive with cyber security on a number of fronts.

Some 84% said they are taking action or monitoring closely policy areas related to cyber security, privacy and data protection. A further 79% said they’re revising or enhancing their cyber risk management approaches, and half (49%) pointed to increased investments in cyber security and privacy.

By way of comparison, 53% said they’re increasing investment in digital transformation and 52% in IT.

Cyber security is a strategic business enabler – technology is the central nervous system of many companies – and confirming its data is secure and protected can be brand defining.

There’s now heightened attention from a wider range of business leaders and corporate directors as they recognise that cyber security and data privacy should be part of not only a risk management strategy, but also a broader corporate strategy. C-suite and boards are actively taking steps to better understand the global threat landscape, confirm a foundational cyber security program is in place, and manage these risks to create opportunities.

https://www.infosecurity-magazine.com/news/cyber-tops-staff-retention-biggest/

• Cyber Criminals Weaponising Ransomware Data for BEC Attacks

Cyber criminals and other threat actors are increasingly using data dumped from ransomware attacks in secondary business email compromise (BEC) attacks, according to new analysis by Accenture Cyber Threat Intelligence.

The ACTI team analysed data from the 20 most active ransomware leak sites, measured by number of featured victims, between July 2021 and July 2022. Of the 4,026 victims (corporate, non-governmental organisations, and governmental entities) uncovered on various ransomware groups’ dedicated leak sites, an estimated 91% incurred subsequent data disclosures, ACTI found.

Dedicated leak sites most commonly provide financial data, followed by employee and client personally identifiable information and communication documentation. The rise of double extortion attempts – where attack groups use ransomware to exfiltrate data and then publicise the data on dedicated leak sites – has made large amounts of sensitive corporate data available to any threat actor. The most valuable types of data most useful for conducting BEC attacks are financial, employee, and communication data, as well as operational documents. There is a significant overlap between the types of data most useful for conducting BEC attacks and the types of data most commonly posted on these ransomware leak sites, ACTI said.

The data is a “rich source for information for criminals who can easily weaponise it for secondary BEC attacks,” ACTI said. “The primary factor driving an increased threat of BEC and VEC attacks stemming from double-extortion leaks is the availability of [corporate and communication data].”

https://www.darkreading.com/edge-threat-monitor/cybercriminals-weaponizing-ransomware-data-for-bec-attacks

• Callback Phishing Attacks See Massive 625% Growth Since Q1 2021

Hackers are increasingly moving towards hybrid forms of phishing attacks that combine email and voice social engineering calls as a way to breach corporate networks for ransomware and data extortion attacks.

According to Agari's Q2 2022 cyber-intelligence report, phishing volumes have only increased by 6% compared to Q1 2022. However, the use of 'hybrid vishing' is seeing a massive 625% growth.

Vishing, "voice phishing," involves some form of a phone call to perform social engineering on the victim. Its hybrid form, called "callback phishing," also includes an email before the call, typically presenting the victim with a fake subscription/invoice notice.

The recipient is advised to call on the provided phone number to resolve any issues with the charge, but instead of a real customer support agent, the call is answered by phishing actors.

The scammers then offer to resolve the presented problem by tricking the victim into disclosing sensitive information or installing remote desktop tools on their system. The threat actors then connect to the victim's device remotely to install further backdoors or spread to other machines.

These callback phishing attacks were first introduced by the 'BazarCall/BazaCall' campaigns that appeared in March 2021 to gain initial access to corporate networks for ransomware attacks.

The attacks work so well that multiple ransomware and extortion gangs, such as Quantum, Zeon, and Silent Ransom Group, have adopted the same technique today to gain initial network access through an unsuspecting employee.

"Hybrid Vishing attacks reached a six-quarter high in Q2, increasing 625% from Q1 2021. This threat type also contributed to 24.6% of the overall share of Response-Based threats," details the Agari report.

"While this is the second quarter hybrid vishing attacks have declined in share due to the overall increase of response-based threats, vishing volume has steadily increased in count over the course of the year."

https://www.bleepingcomputer.com/news/security/callback-phishing-attacks-see-massive-625-percent-growth-since-q1-2021/

• Credential Phishing Attacks Skyrocketing, 265 Brands Impersonated in H1 2022

Abnormal Security released a report which explores the current email threat landscape and provides insight into the latest advanced email attack trends, including increases in business email compromise, the evolution of financial supply chain compromise, and the rise of brand impersonation in credential phishing attacks.

The research found a 48% increase in email attacks over the previous six months, and 68.5% of those attacks included a credential phishing link. In addition to posing as internal employees and executives, cyber criminals impersonated well-known brands in 15% of phishing emails, relying on the brands’ familiarity and reputation to convince employees to provide their login credentials. Most common among the 265 brands impersonated in these attacks were social networks and Microsoft products.

“The vast majority of cyber crime today is successful because it exploits the people behind the keyboard,” said Crane Hassold, director of threat intelligence at Abnormal Security.

“By compromising people rather than networks, it’s easier for attackers to circumvent conventional security measures. This is especially true with brand impersonation, where attackers use urgency and fear to encourage their targets to provide usernames and passwords.”

LinkedIn took the top spot for brand impersonation, but Outlook, OneDrive and Microsoft 365 appeared in 20% of all attacks. What makes these attacks particularly dangerous is that phishing emails are often the first step to compromising employee email accounts. Acquiring Microsoft credentials enables cyber criminals to access the full suite of connected products, allowing them to view sensitive data and use the account to send business email compromise attacks.

https://www.helpnetsecurity.com/2022/08/15/landscape-email-threat/

• Are Cloud Environments Secure Enough for Today’s Threats?

Cyber security is a major problem right now. Not only is it the highest priority of any given business to keep their own data and their customers’ and clients’ data secure, but changes in the workplace have had a knock-on effect on cyber security. The concept of working from home has forced businesses all around the world to address old and new cyber security threats. People taking their laptops, and therefore their data, home to public networks that can be hacked or leaving access details like passwords scribbled on notebooks has meant that access to a business and therefore their customers’ data is a lot more accessible.

The saving grace was said to be the cloud. Beyond retraining cyber security in staff workforces, the practical solution was to move data into the cloud. But we’re now a few years from the point when the cloud really gained popularity. Is it still the answer to all our cyber security problems? Is there a chance of risk to using the cloud?

Cloud data breaches do happen and misconfiguration is a leading cause of them, mainly due to businesses inadequate cyber security strategies. This is due to several factors, such as the fundamental nature of the cloud designed to be easy for anyone to access, and businesses unable to completely see or control the cloud’s infrastructure and therefore relying on the cyber security controls that are provided by the cloud service provider (or CSP).

Unauthorised access is also a risk. The internet, which is a readily available public resource to most of the world, makes it easy for hackers to access data if they have the credentials to get past the cyber security set up by the individual business. This is where the ugliness of internal cloud breaches happens. If security is not configured well or credentials like passwords and secret questions are compromised, an attacker can easily access the cloud.

However, it’s not only through an employee that hackers access credentials. Phishing is a very common means of gaining information that would allow access to a customer or business data.

Plus, the simple nature of sharing data can easily backfire on a company. A lot of data access is granted with a link to someone external, which can then be forwarded, either sold or stolen, to an attacker to access the cloud’s data.

https://www.itsecurityguru.org/2022/08/16/are-cloud-environments-secure-enough-for-todays-threats/

• Most Q2 Attacks Targeted Old Microsoft Vulnerabilities

Attacks targeting a remote code execution vulnerability in Microsoft's MSHTML browser engine — which was patched last September — soared during the second quarter of this year, according to a Kaspersky analysis.

Researchers from Kaspersky counted at least 4,886 attacks targeting the flaw (CVE-2021-40444) last quarter, an eightfold increase over the first quarter of 2022. The security vendor attributed the continued adversary interest in the vulnerability to the ease with which it can be exploited.

Kaspersky said it has observed threat actors exploiting the flaw in attacks on organisations across multiple sectors including the energy and industrial sectors, research and development, IT companies, and financial and medical technology firms. In many of these attacks, the adversaries have used social engineering tricks to try and get victims to open specially crafted Office documents that would then download and execute a malicious script. The flaw was under active attack at the time Microsoft first disclosed it in September 2021.

Attacks targeting a remote code execution vulnerability in Microsoft's MSHTML browser engine — which was patched last September — soared during the second quarter of this year, according to a Kaspersky analysis. Researchers from Kaspersky counted at least 4,886 attacks targeting the flaw last quarter, an eightfold increase over the first quarter of 2022. The security vendor attributed the continued adversary interest in the vulnerability to the ease with which it can be exploited. According to Kaspersky, exploits for Windows vulnerabilities accounted for 82% of all exploits across all platforms during the second quarter of 2022. While attacks on the MSHTML vulnerability increased the most dramatically, it was by no means the most exploited flaw, which was a remote code execution vulnerability in Microsoft Office that was disclosed and patched four years ago that was attacked some 345,827 times last quarter.

https://www.darkreading.com/attacks-breaches/most-attacks-in-q2-targeted-old-microsoft-vulnerabilities

• Cyber Resiliency Isn't Just About Technology, It's About People

Cyber attacks are on the rise — but if we're being honest, that statement has been true for quite a while, given the acceleration of cyber incidents over the past several years. Recent research indicates that organisations experienced 50% more attack attempts per week on corporate networks in 2021 than they did in 2020, and tactics such as phishing are becoming increasingly popular as attackers refine their tried-and-true methods to more successfully entice unsuspecting targets.

It's no surprise, then, that cyber resiliency has been a hot topic in the cyber security world. But although cyber resiliency refers broadly to the ability of an organisation to anticipate, withstand, and recover from cyber security incidents, many experts make the mistake of applying the term specifically to technology. And while it's true that detection and remediation tools, backup systems, and other resources play an important role in cyber resiliency, organisations that focus exclusively on technology risk are overlooking an equally important element: people.

People are often thought of as the weak link in cyber security. It's easy to understand why. People fall for phishing scams. They use weak passwords and procrastinate on installing security updates. They misconfigure hardware and software, leave cloud assets unsecured, and send confidential files to the wrong recipient. There's a reason so much cyber security technology is moving toward automation: removing people from the equation is seen as one of the most obvious ways to improve security. To many security experts, that's just common sense.

Except — is it, really? It's true that people make mistakes — it's called "human error" for a reason, after all — but many of those mistakes come when employees aren't put in a position to succeed. Phishing is a great example. Most people are familiar with the concept of phishing, but many may not be aware of the nefarious techniques that today's attackers deploy. If employees have not been properly trained, they may not be aware that attackers often impersonate real people within the organisation, or that the CEO asking them to buy gift cards "for a company happy hour" probably isn't legit. Organisations that want to build strong cyber-resiliency cannot pretend that people don't exist. Instead, they need to prioritise the resiliency of their people just as highly as the resiliency of their technology.

Training the organisation to recognise the signs of common attack tactics, practice better password and cyber hygiene, and report signs of suspicious activity can help ease the burden on IT and security personnel by providing them better information in a more timely manner. It also avoids some of the pitfalls that create a drain on their time and resources. By ensuring that people at every level of the business are more resilient, today's organisations will discover that their overall cyber-resiliency will improve significantly.

https://www.darkreading.com/vulnerabilities-threats/cyber-resiliency-isn-t-just-about-technology-it-s-about-people

• The “Cyber Insurance Gap” Is Threatening Most Companies

A new study by BlackBerry and Corvus Insurance confirms a “cyber insurance gap” is growing, with a majority of businesses either uninsured or under insured against a rising tide of ransomware attacks and other cyber threats.

• Only 19% of all businesses surveyed have ransomware coverage limits above the median ransomware demand amount ($600,000)

• Among SMBs with fewer than 1,500 employees, only 14% have a coverage limit in excess of $600,000

• 37% of respondents with cyber insurance do not have any coverage for ransomware payment demands

• 43% of those with a policy are not covered for auxiliary costs such as court fees or employee downtime

• 60% say they would reconsider entering into a partnership or agreement with another business or supplier if the organisation did not have comprehensive cyber insurance

• Endpoint detection and response (EDR) software is frequently a key component to obtaining a policy

• 34% of respondents have been previously denied cyber coverage by insurance providers due to not meeting EDR eligibility requirements

https://informationsecuritybuzz.com/expert-comments/the-cyber-insurance-gap-is-threatening-most-companies/

• Easing the Cyber-Skills Crisis with Staff Augmentation

Filling cyber security roles can be costly, slow, and chancy. More firms are working with third-party service providers to quickly procure needed expertise.

There are many possible solutions to the cyber security skills shortage, but most of them take time. Cyber security education, career development tracks, training programs, employer-sponsored academies, and internships are great ways to build a talent pipeline and develop skill sets to meet organisational needs in years to come.

But sometimes the need to fill a gap in capability is more immediate.

An organisation in the entertainment industry recently found itself in such a position. Its primary cyber security staff member quit suddenly without notice, taking along critical institutional knowledge and leaving various projects incomplete. With its key defender gone, the organisation's environment was left vulnerable. In a scarce talent market, the organisation faced a long hiring process to find a replacement — too long to leave its digital estate unattended. It needed expertise, and quickly.

According to a 2021 ESG report, 57% of organisations have been impacted by the global cyber security skills crisis. Seventy-six percent say it's difficult to recruit and hire security professionals. The biggest effects of this shortage are increasing workloads, positions open for weeks or months, and high cyber security staff burnout and attrition.

In this climate, more companies are turning to third parties for cyber security staff reinforcement. According to a NewtonX study, 56% of organisations are now subcontracting up to a quarter of their cyber security staff. Sixty-nine percent of companies rely on third-party expertise to assist in mitigating the risk of ransomware — up from 58% in 2017 — per a study by Ponemon and CBI, a Converge Company.

One way that companies gain this additional support is via third-party staff augmentation and consulting services. Cyber security staff augmentation, or strategic staffing, entails trained external consultants acting as an extension of an organisation's security team in a residency. Engagements can be anywhere from a few weeks to a few years, and roles can range from analysts and engineers to architects, compliance specialists, and virtual CISOs.

https://www.darkreading.com/operations/easing-the-cyber-skills-crisis-with-staff-augmentation

• Mailchimp Suffers Second Breach In 4 Months

Mailchimp suffered another data breach earlier this month, and this one cost it a client.

In a statement Friday, Mailchimp disclosed that a security incident involving phishing and social engineering tactics had targeted cryptocurrency and blockchain companies using the email marketing platform. It was the second Mailchimp breach to target cryptocurrency customers in a four-month span.

Though Mailchimp said it has suspended accounts where suspicious activity was detected while an investigation is ongoing, it did not reveal the source of the breach or scope of the attack.

More details were provided Sunday by one of the affected customers, DigitalOcean, which cut ties with Mailchimp on Aug. 9.

The cloud hosting provider observed suspicious activity beginning Aug. 8, when threat actors used its Mailchimp account for "a small number of attempted compromises" of DigitalOcean customer accounts -- specifically cryptocurrency platforms.

While it is not clear whether any DigitalOcean accounts were compromised, the company did confirm that some email addresses were exposed. More importantly, the statement attributed a potential source of the most recent Mailchimp breach.

https://www.techtarget.com/searchsecurity/news/252523911/Mailchimp-suffers-second-breach-in-4-months

• Firm Told It Can't Claim Full Cyber Crime Insurance After Social Engineering Attack

A Minnesota computer store suing its cyber insurance provider has had its case dismissed, with the courts saying it was a clear instance of social engineering, a crime for which the insurer was only liable to cover a fraction of total losses.

SJ Computers alleged in a November lawsuit that Travelers Casualty and Surety Co. owed it far more than paid on a claim for nearly $600,000 in losses due to a successful business email compromise (BEC) attack.

According to its website, SJ Computers is a Microsoft Authorised Refurbisher, reselling Dell, HP, Lenovo and Acer products, as well as providing tech services including software installs and upgrades.

Travelers, which filed a motion to dismiss, said SJ's policy clearly delineated between computer fraud and social engineering fraud. The motion was granted with prejudice last Friday.

In the dismissal order, the US District Court for Minnesota found that the two policy agreements are mutually exclusive, as well as finding SJ's claim fell squarely into its social engineering fraud agreement with Travelers, which has a cap of $100,000.

When SJ filed its claim with Travelers, the court noted, it did so only under the social engineering fraud agreement. After realising the policy limit on computer fraud was 10 times higher, "SJ Computers then made a series of arguments – ranging from creative to desperate – to try to persuade Travelers that its loss was not the result of social-engineering-fraud (as SJ Computers itself had initially said) but instead the result of computer fraud," the district judge wrote in the order.

https://www.theregister.com/2022/08/16/social_engineering_cyber_crime_insurance/

Threats

Ransomware

• Ransomware Group Threatens to Leak Data Stolen From Security Firm Entrust | SecurityWeek.Com

• Cisco Confirms Hack: Yanluowang Ransom Gang Claims 2.8GB Of Data (informationsecuritybuzz.com)

• Ransomware is still on the rise. Here's what you need to do to stay safe from hackers | ZDNET

• Russian Man Extradited to US for Laundering Ryuk Ransomware Money | SecurityWeek.Com

• ‘Coopetition’ a growing trend among ransomware gangs (computerweekly.com)

• Hackers Attack UK Water Supplier, Sends Ransom Demand to the Wrong Company (gizmodo.com)

• SOVA malware adds ransomware feature to encrypt Android devices (bleepingcomputer.com)

• BlackByte ransomware v2 is out with new extortion novelties - Security Affairs

• Ransomware is back, healthcare sector most targeted - Help Net Security

• Why Hackers Are Now Targeting Electric Car Charging Stations (nocamels.com)

• BlackByte Ransomware Gang Returns With Twitter Presence, Tiered Pricing (darkreading.com)

• Ski-Doo maker BRP resumes operations following cyber attack; shares fluctuate - MarketWatch

• Argentina's Judiciary of Córdoba hit by PLAY ransomware attack (bleepingcomputer.com)

BEC – Business Email Compromise

• Three Extradited from UK to US on $5m BEC Charges - Infosecurity Magazine

Phishing & Email Based Attacks

• Response-based attacks make up 41% of all email-based scams - Help Net Security

• PayPal Phishing Scam Uses Invoices Sent Via PayPal – Krebs on Security

• Microsoft admits it can't stop scammers fooling you with their latest tricks | ZDNET

Other Social Engineering; SMishing, Vishing, etc

• This is the lamest Microsoft Office security threat we've ever seen - but people will still fall for it | TechRadar

Malware

• Hackers Deploy Bumblebee Loader to Breach Target Networks - Infosecurity Magazine

• 'DarkTortilla' Malware Wraps in Sophistication for High-Volume RAT Infections (darkreading.com)

• Malicious browser extensions targeted almost 7 million people (bleepingcomputer.com)

• DoNot Team Hackers Updated its Malware Toolkit with Improved Capabilities (thehackernews.com)

• Whack-a-Mole: More Malicious PyPI Packages Spring Up Targeting Discord, Roblox (darkreading.com)

• This String of Emojis Is Actually Malware (vice.com)

Mobile

• SOVA Android malware now also encrypts victims' files - Security Affairs

• Malware devs already bypassed Android 13's new security feature (bleepingcomputer.com)

• Google releases Android 13 with improved privacy and security features - Help Net Security

• Android malware apps with 2 million installs found on Google Play (bleepingcomputer.com)

• Researchers Find 35 Adware Apps on Google Play - Infosecurity Magazine

• Nearly 1,900 Signal Messenger Accounts Potentially Compromised in Twilio Hack (thehackernews.com)

Internet of Things – IoT

• How attackers are exploiting corporate IoT - Help Net Security

• ‘Ask all the time: why do I need this?’ How to stop your vacuum from spying on you | Smart homes | The Guardian

• Amazon fixes Ring Android app flaw exposing camera recordings (bleepingcomputer.com)

Data Breaches/Leaks

• Digital Ocean dumps Mailchimp after security breach • The Register

Organised Crime & Criminal Actors

• How Do Hackers Steal Credit Card Information? | TechTarget

• IT security worker who hacked businesses caught out by neighbour's Wi-Fi - Manchester Evening News

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• With Plunge in Value, Cryptocurrency Crimes Decline in 2022 (darkreading.com)

• Microsoft: Cryptojackers Continue to Evolve to Be Stealthier and Spread Faster - Infosecurity Magazine

• Hardware-based threat defence against increasingly complex cryptojackers - Microsoft Security Blog

Insider Risk and Insider Threats

• Ex-HP manager jailed for $5m company card shopping spree • The Register

• Microsoft Employees Exposed Own Company’s Internal Logins (vice.com)

Fraud, Scams & Financial Crime

• SEC claims $1.3m pump-and-dump scam used hacked accounts • The Register

AML/CFT/Sanctions

• Alleged Russian Money Launderer Extradited from the Netherlands to U.S. | OPA | Department of Justice

Insurance

• Organisations are losing cyber insurance as an important risk management tool - Help Net Security

• For cyber insurance, some technology leads to higher premiums (techtarget.com)

• New Study Reveals Serious Cyber-Insurance Shortfalls - Infosecurity Magazine

Supply Chain and Third Parties

• Expert On Report Showing 297% Increase in US Breaches Tied To Supply Chain (informationsecuritybuzz.com)

• Transitioning From VPNs to Zero-Trust Access Requires Shoring Up Third-Party Risk Management (darkreading.com)

• How a Third-Party SMS Service Was Used to Take Over Signal Accounts

Denial of Service DoS/DDoS

• Google blocked the largest Layer 7 DDoS reported to date - Security Affairs

Cloud/SaaS

• Organisations Struggle to Fend Off Cloud and Web Attacks - Infosecurity Magazine

• Incident response in the cloud can be simple if you are prepared - Help Net Security

Passwords, Credential Stuffing & Brute Force Attacks

• Credential Theft Is (Still) A Top Attack Method (thehackernews.com)

• FBI Warns of Proxies and Configurations Used in Credential Stuffing Attacks | SecurityWeek.Com

• Over 9,000 VNC servers exposed online without a password (bleepingcomputer.com)

Privacy

• Google fined $60 million over Android location data collection (bleepingcomputer.com)

• New Amazon Ring Vulnerability Could Have Exposed All Your Camera Recordings (thehackernews.com)

• ‘Ask all the time: why do I need this?’ How to stop your vacuum from spying on you | Smart homes | The Guardian

• Period and pregnancy tracking apps have bad privacy protections, report finds - The Verge

Regulations, Fines and Legislation

• Financial Services & Cyber Security Regulations: New York Making Changes? - MSSP Alert

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• 5 Russia-Linked Groups Target Ukraine in Cyberwar (darkreading.com)

• Russia-linked Gamaredon APT continues to target Ukraine - Security Affairs

• Microsoft shuts down accounts linked to Russian spies • The Register

• State-Sponsored APTs Dangle Job Opps to Lure In Spy Victims (darkreading.com)

• Estonia Repels Biggest Cyber-Attack Since 2007 - Infosecurity Magazine

• Spyware Scandals Are Ripping Through Europe | WIRED

• US Cyber Command deploys defensive operators to Croatia to hunt for malicious cyber activity - Help Net Security

• NHS cyber attacks hit record levels in four in five trusts after Russian invasion (telegraph.co.uk)

• Spyware Hunters Are Expanding Their Tool Set | WIRED

Nation State Actors

Nation State Actors – Russia

• Microsoft disrupts Russian hackers' operation on NATO targets (bleepingcomputer.com)

• Russian APT29 hackers abuse Azure services to hack Microsoft 365 users (bleepingcomputer.com)

• Microsoft Disrupts Russian Group's Multiyear Cyber-Espionage Campaign (darkreading.com)

• Russian hackers target Ukraine with default Word template hijacker (bleepingcomputer.com)

• Estonia says it repelled major cyber attack after removing Soviet monuments | Reuters

Nation State Actors – China

• Western companies wake up to China risk | Financial Times (ft.com)

• China-backed APT41 Hackers Targeted 13 Organisations Worldwide Last Year (thehackernews.com)

• China-linked RedAlpha behind multi-year credential theft campaign - Security Affairs

• Chinese Cyberspy Group 'RedAlpha' Targeting Governments, Humanitarian Entities | SecurityWeek.Com

• China's APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload (darkreading.com)

• Chinese takeover of tech company blocked over security fears (telegraph.co.uk)

• 3 ways China's access to TikTok data is a security risk | CSO Online

• Montana flagged bugs in cow app exploited in alleged China hack | Business and Economy | Al Jazeera

• APT41 group: 4 malicious campaigns, 13 victims, new tools and techniques - Help Net Security

Nation State Actors – North Korea

• North Korean hackers use signed macOS malware to target IT job seekers (bleepingcomputer.com)

• Mac Attack: North Korea's Lazarus APT Targets Apple's M1 Chip (darkreading.com)

Vulnerability Management

• Zero Day Initiative seeing an increase in failed patches (techtarget.com)

• Vulnerability Broker Applies Pressure on Software Vendors Shipping Faulty, Incomplete Patches | SecurityWeek.Com

• Which Security Bugs Will Be Exploited? Researchers Create an ML Model to Find Out (darkreading.com)

Vulnerabilities

• CISA adds 7 vulnerabilities to list of bugs exploited by hackers (bleepingcomputer.com)

• Google patches yet another Chrome zero-day vulnerability (techtarget.com)

• Chrome browser gets 11 security fixes with 1 zero-day – update now! – Naked Security (sophos.com)

• Cisco fixes High-Severity bug in Secure Web Appliance - Security Affairs

• Exploit out for critical Realtek flaw affecting many networking devices (bleepingcomputer.com)

• Software Patches Flaw on macOS Could Let Hackers Bypass All Security Levels - Infosecurity Magazine (infosecurity-magazine.com)

• Safari 15.6.1 fixes a zero-day flaw actively exploited in the wild - Security Affairs

• Rapid7: Cisco ASA and ASDM flaws went unpatched for months (techtarget.com)

• Windows Vulnerability Could Crack DC Server Credentials Open (darkreading.com)

• ÆPIC and SQUIP Vulnerabilities Found in Intel and AMD Processors (thehackernews.com)

• PoC exploit code for the critical Realtek RCE flaw released online - Security Affairs

Other News

• Exploiting stolen session cookies to bypass multi-factor authentication (MFA) - Help Net Security

• The Future of Endpoint Management | SecurityWeek.Com

• Janet Jackson music video given CVE for crashing laptops • The Register

• More Evil Markets | How It's Never Been Easier To Buy Initial Access To Compromised Networks - SentinelOne

• How aware are organisations of the importance of endpoint management security? - Help Net Security

• The Future of Cyber Security is Prevention | SecurityWeek.Com

• Signal/Twilio Incident - How Secure Are SMS Verifications? Experts Weigh (informationsecuritybuzz.com)

• DigitalOcean Discloses Impact From Recent Mailchimp Cyber Attack | SecurityWeek.Com

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Three Ransomware Gangs Consecutively Attacked the Same Network

Hive, LockBit and BlackCat, three prominent ransomware gangs, consecutively attacked the same network, according to Sophos. The first two attacks took place within two hours, and the third attack took place two weeks later. Each ransomware gang left its own ransom demand, and some of the files were triple encrypted.

It’s bad enough to get one ransomware note, let alone three. Multiple attackers create a whole new level of complexity for recovery, particularly when network files are triple encrypted. Cyber security that includes prevention, detection and response is critical for organisations of any size and type—no business is immune.

The “Multiple Attackers: A Clear and Present Danger” whitepaper further outlines additional cases of overlapping cyber attacks, including cryptominers, remote access trojans (RATs) and bots. In the past, when multiple attackers have targeted the same system, the attacks usually occurred across many months or multiple years. The attacks described in Sophos’ whitepaper took place within days or weeks of each other—and, in one case, simultaneously—often with the different attackers accessing a target’s network through the same vulnerable entry point.

Typically, criminal groups compete for resources, making it more difficult for multiple attackers to operate simultaneously. Cryptominers normally kill their competitors on the same system, and today’s RATs often highlight bot killing as a feature on criminal forums. However, in the attack involving the three ransomware groups, for example, BlackCat—the last ransomware group on the system—not only deleted traces of its own activity, but also deleted the activity of LockBit and Hive.

In another case, a system was infected by LockBit ransomware. Then, about three months later, members of Karakurt Team, a group with reported ties to Conti, was able to leverage the backdoor LockBit created to steal data and hold it for ransom.

https://www.helpnetsecurity.com/2022/08/09/ransomware-gangs-attacks/

• As The Cost of Cyber Insurance Rises, The Number of Organisations Who Can’t Afford It Is Set to Double

The number of organisations that will be either unable to afford cyber insurance, be declined cover, or experience significant coverage limitations is set to double in 2023, according to Huntsman Security.

Even for those insured, the perfect storm of ongoing attacks, tightening regulations and growing financial pressures is making it more likely that any attack on an organisation will leave it exposed.

Factors like the supply chain crisis, inflation and skill shortages are all adding to the difficulty for organisations trying to execute on their cyber security strategy. At the same time, increases in insurance premiums, limits on coverage, increasing underwriting rigour, and capacity constraints are all limiting the accessibility of cyber insurance, for many.

Loss ratios will not improve until premium incomes better match the current level of pay-outs. With this reduced insurance access alongside increasing cyber threats and tightening regulations, many organisations are losing cyber insurance as an important risk management tool. Even those who can still get insurance are paying a prohibitively high cost.

With a third of UK firms subject to cyber attacks at least once a week, cyber insurance as part of overall risk management is crucial. To bridge this accessibility gap insurers are seeking to improve the quality of risk information, so premiums better reflect the true cost of that risk. Unless organisations can demonstrate they have insurers’ specified controls in place to manage their security risks, insurers will continue to have difficulty quantifying that risk. It’s for these reasons that insurers have changed the basis upon which their products are offered to reflect the risk being underwritten more accurately.

In this environment, improving and demonstrating the effectiveness of security controls will now be essential: both for organisations looking to improve their cyber resilience and oversight while enhancing their eligibility for insurers, and for insurers who need to minimise their own exposure by ensuring the accuracy of their risk pricing process.

https://www.helpnetsecurity.com/2022/08/11/afford-cyber-insurance/

• Identity Cyber Attacks, Microsoft 365 Dominate Cyber Security Incidents, Expel Research Finds

Identity-based cyber attacks (including credential theft, credential abuse and long-term access key theft) accounted for 56% of all incidents in Q2 of 2022, and Microsoft 365 remained the prime target for SaaS attacks, according to Expel’s Quarterly Threat Report.

Among the key findings:

• Business email compromise (BEC) and business application compromise (BAC) access to application data represented 51% of all incidents.

• Identity-based attacks in popular cloud environments like Amazon Web Services (AWS) accounted for 5%.

• Ransomware groups change tactics, with threat groups and their affiliates all but abandoning the use of Visual Basic for Application (VBA) macros and Excel 4.0 macros to gain initial entry to Windows-based environments. In Q1, a macro-enabled Microsoft Word document (VBA macro) or Excel 4.0 macro was the initial attack vector in 55% of all pre-ransomware incidents. In Q2, that figure fell sharply to 9%. Instead, ransomware operators opted to use disk image (ISO), short-cut (LNK) and HTML application (HTA) files to gain initial entry.

• Cloud attacks are becoming more sophisticated, with 14% of identity attacks against cloud identity providers tackling the multi-factor authentication (MFA) requirement by continuously sending push notifications.

• Microsoft 365 is a common threat target, with BEC in Microsoft Office 365 (O365) remaining the top threat to organisations in Q2. 45% of all Q2 incidents were BEC attempts in O365. No BEC attempts were identified in Google Workspaces. 19% of BEC attempts bypassed MFA in O365 using legacy protocols, a 16% increase of compared to Q1.

https://www.msspalert.com/cybersecurity-research/identity-cyberattacks-targeting-microsoft-365-dominate-cybersecurity-incidents-expel-research-finds/

• Exploit Activity Surges 150% in Q2 Thanks to Log4Shell

Detections of malware events, botnet activity and exploits all increased significantly in the second quarter of 2022, according to new data from Nuspire.

The managed security services provider (MSSP) gathered the data from its endpoint detection and response (EDR) and managed detection and response (MDR) tools to produce its Q2 2022 Quarterly Threat Report.

The company recorded an increase in malware events of over 25%, a doubling of botnet detections and a rise in exploit activity of 150% versus the first quarter.

Botnet activity in particular surged towards the end of Q2, thanks to the Torpig Mebroot botnet – a banking trojan designed to scrape credit card and payment information from infected devices, the report revealed. Nuspire claimed it is particularly difficult to detect and remove, because it targets a machine’s master boot record.

It attributed much of the surge in exploit activity to the persistent threat posed by the Log4j bugs discovered at the end of December 2021. At the time, experts warned that the ubiquity of the utility, and the difficulty many organisations have in finding all instances of the CVE due to complex Java dependencies, means it may be exploited for years.

https://www.infosecurity-magazine.com/news/exploit-activity-150-q2-log4shell/

• Ransomware Is Not Going Anywhere: Attacks Are Up 24%

Avast released a report revealing a significant increase in global ransomware attacks, up 24% from Q1/2022. Researchers also uncovered a new zero-day exploit in Chrome, as well as signals of how cyber criminals are preparing to move away from macros as an infection vector.

After months of decline, global ransomware attacks increased significantly in Q2/2022, up 24% from the previous quarter. The highest quarter-on-quarter increases in ransomware risk ratio occurred in Argentina (+56%), UK (+55%), Brazil (+50%), France (+42%), and India (+37%).

Businesses and consumers should be on guard and prepared for encounters with ransomware, as the threat is not going anywhere anytime soon.

The decline in ransomware attacks observed in Q4/2021 and Q1/2022 were thanks to law enforcement agencies busting ransomware group members, and caused by the war in Ukraine, which also led to disagreements within the Conti ransomware group, halting their operations. Things dramatically changed in Q2/2022. Conti members have now branched off to create new ransomware groups, like Black Basta and Karakurt, or may join other existing groups, like Hive, BlackCat, or Quantum, causing an uptick in activity.

https://www.helpnetsecurity.com/2022/08/12/increase-ransomware-attacks/

• Email Is the Single Biggest Threat to Businesses, And Here’s What You Can Do About It

Email remains one of the most popular methods of communication, particularly for business communications. There were 316.9 billion emails sent and received every day in 2021, and this is set to increase to 376.4 billion by 2025. But despite the scale of its use and how much people exchange confidential information over email, it is not a secure system by design.

Consequently, email is a major attack vector for organisations of all sizes. Deloitte found that 91% of all cyber attacks originate from a phishing email (an email that attempts to steal money, identity or personal information through a spoof website link that looks legitimate). The cost to organisations can be catastrophic with the National Cyber Security Centre (NCSC) reporting in August 2021 that phishing email attacks had cost UK organisations more than £5 million in the past 13 months.

It’s not enough for individuals to create complex passwords or rely on the security services of their email provider. Spam filters are not enough to stop malicious emails creeping into inboxes. Fortunately, safeguarding your emails with enterprise-grade email security doesn’t have to cost the earth or be hard to integrate so businesses of any size can protect themselves.

https://informationsecuritybuzz.com/articles/email-is-the-single-biggest-threat-to-businesses-and-heres-what-you-can-do-about-it/

• Realtek SDK Vulnerability Exposes Routers from Many Vendors to Remote Attacks

A serious vulnerability affecting the embedded Configurable Operating System (eCos) software development kit (SDK) made by Taiwanese semiconductor company Realtek could expose the networking devices of many vendors to remote attacks.

The security hole, tracked as CVE-2022-27255 and rated ‘high severity’, has been described as a stack-based buffer overflow that can allow a remote attacker to cause a crash or achieve arbitrary code execution on devices that use the SDK. An attack can be carried out through the wide area network (WAN) interface using specially crafted session initiation protocol (SIP) packets.

The Realtek eCos SDK is provided to companies that manufacture routers, access points and repeaters powered by RTL819x family SoCs. The SDK implements the base functionalities of the router, including the web administration interface and the networking stack. Vendors can build on top of this SDK to add custom functionality and their branding to the device.

Realtek informed customers about the eCos SDK vulnerability in March, when it announced the availability of a patch. However, it’s up to the original equipment manufacturer (OEM) using the SDK to ensure that the patch is distributed to end-user devices.

The vulnerability can be exploited remotely — directly from the internet — to hack affected routers running with default settings. No user interaction is required for successful exploitation.

https://www.securityweek.com/realtek-sdk-vulnerability-exposes-routers-many-vendors-remote-attacks

• Most Companies Are at An Entry-Level When It Comes to Cloud Security

Ermetic released a study by Osterman Research that found 84% of respondents were at an entry-level (one or two rating, with four being the highest) in terms of their cloud security capabilities.

The study found that only 16% ranked on the Ermetic Cloud Security Model at the top two levels, and 80% of companies said they lack a dedicated security team responsible for protecting cloud resources from threats.

“One of the most unexpected findings that emerged from this study was the lack of cloud security maturity among the largest enterprises surveyed,” said the author of the report. “Less than 10% of companies with more than 10,000 employees reported being at the top two maturity levels, while nearly 20% of smaller enterprises have achieved repeatable or automated & integrated cloud security capabilities.”

The report shows why new cloud data breaches are being reported all the time. Multi-cloud deployments, plus low investment in security, does not make for a good combination.

The new frontiers of cyber security, such as cloud security or internet of things (IoT) security are often at early stages of maturity. Organisations that are mature in their IT and data centre security are already overwhelmed and stretched thin and that’s why automation and simplification will help organisations accelerate their maturity in areas like cloud security.

There’s a mistaken belief that cloud computing environments inherently have security built-in — they don’t.

https://www.scmagazine.com/news/cloud-security/most-companies-are-at-an-entry-level-when-it-comes-to-cloud-security

• The Impact of Exploitable Misconfigurations on Network Security

Network professionals feel confident with their security and compliance practices but data suggests that they also leave their organisations open to risk, which is costing a significant amount of revenue, according to Titania.

In addition, some businesses are not minimising their attack surface effectively. Companies are prioritising firewall security and chronicle a fast time to respond to misconfigurations when detected in annual audits. However, switches and routers are only included in 4% of audits and these devices play a vital role in reducing an organisation’s attack surface and preventing lateral movement across the network.

Respondents also indicated that financial resources allocated to mitigating network configuration, which currently stands around 3.4% of the total IT budget, and a lack of accurate automation are limiting factors in misconfiguration risk management.

The study, which surveyed 160 senior cyber security decision-makers revealed:

• Misconfigurations cost organisations millions, up to 9% of their annual revenue but the true cost is likely to be higher.

• Compliance is a top priority, with 75% of organisations across all sectors saying their business relies on compliance to deliver security. Whilst almost every organisation reported that it is meeting its security and compliance requirements, this is at odds with a number of the other findings from the survey and other reports that show a decline in organisations maintaining full compliance with regulated data security standards.

• Remediation prioritisation is a challenge. 75% said their network security tools meant they could categorise and prioritise compliance risks ‘very effectively’. However, 70% report difficulties prioritising remediation based on risk and also claim inaccurate automation as the top challenges when meeting security and compliance requirements.

• Routers and switches are mostly overlooked. 96% of organisations prioritise the configuration and auditing of firewalls, but not routers or switches. This leaves these devices exposed to potentially significant and unidentified risks.

https://www.helpnetsecurity.com/2022/08/12/impact-exploitable-misconfigurations-network-security/

• Industrial Spy Ransomware: New Threat Group Emerges to Exfiltrate Data, Extort Victims

A new ransomware group dubbed Industrial Spy that first emerged in April 2022 is specialising in exfiltration and double extortion tactics and has the potential to do significant damage, Zscaler’s threat tracking team said.

The threat crew has shown that it possesses the capability to breach organisations and have been “actively adding unencrypted data from two or three victims every month,” Zscaler said. In some instances, the threat group appears to only exfiltrate and ransom data. In other cases, they encrypt, exfiltrate and ransom the data, the cloud security provider said.

At this point, it’s not clear who’s behind the threat entry or if it’s nation-state affiliated. The group started as a data extortion marketplace where criminals could buy large companies’ internal data, promoting the marketplace through Readme.txt files downloaded using malware downloaders.

In May, 2022, the threat group introduced their own ransomware to create double extortion attacks that combine data theft with file encryption.

What you need to know:

• Industrial Spy started by ransoming stolen data and more recently has combined these attacks with ransomware.

• The threat group exfiltrates and sells data on their dark web marketplace, but does not always encrypt a victim’s files.

• The ransomware utilises a combination of RSA and 3DES to encrypt files.

• Industrial Spy lacks many common features present in modern ransomware families.

• The Industrial Spy ransomware family is relatively basic, and parts of the code appear to be in development.

https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/new-ransomware-family-industrial-spy-emerges-to-exfiltrate-data-extort-victims/

• UK NHS Service Recovery May Take a Month After MSP Ransomware Attack

Managed service provider (MSP) Advanced confirmed that a ransomware attack on its systems disrupted emergency services (111) from the United Kingdom's National Health Service (NHS). Customers of seven solutions from the British MSP have been impacted either directly or indirectly, the company said. The first has stated it could take a month to recover systems to full service.

The ransomware attack started to disrupt Advanced systems on Thursday, August 4 and was identified around 7 AM. It caused a major outage to NHS emergency services across the UK.

Advanced did not disclose the ransomware group behind the attack but said that it took immediate action to mitigate the risk and isolated Health and Care environments where the incident was detected. The company is working with forensic experts from Microsoft (DART) and Mandiant, who are also helping bring the affected systems back online securely and with added defences:

• Implementing additional blocking rules and further restricting privileged accounts for Advanced staff

• Scanning all impacted systems and ensuring they are fully patched

• Resetting credentials

• Deploying additional endpoint detection and response agents

• Conducting 24/7 monitoring

After implementing the security measures above, Advanced said it would restore connectivity to its environments and assist customers to gradually reconnect safely and securely.

https://www.bleepingcomputer.com/news/security/uk-nhs-service-recovery-may-take-a-month-after-msp-ransomware-attack/

• A Single Flaw Broke Every Layer of Security in MacOS

Every time you shut down your Mac, a pop-up appears: “Are you sure you want to shut down your computer now?” Nestled under the prompt is another option most of us likely overlook: the choice to reopen the apps and windows you have open now when your machine is turned back on. Researchers have now found a way to exploit a vulnerability in this “saved state” feature—and it can be used to break the key layers of Apple’s security protections.

The vulnerability, which is susceptible to a process injection attack to break macOS security, could allow an attacker to read every file on a Mac or take control of the webcam. It's basically one vulnerability that could be applied to three different locations.

https://www.wired.com/story/a-single-flaw-broke-every-layer-of-security-in-macos/

Threats

Ransomware

• Cisco hacked by Yanluowang ransomware gang, 2.8GB allegedly stolen (bleepingcomputer.com)

• Ransomware, email compromise are top security threats, but deepfakes increase | CSO Online

• Feds: Zeppelin Ransomware Resurfaces with New Compromise, Encryption Tactics | Threatpost

• Black Basta: New ransomware threat aiming for the big league | CSO Online

• Could criminalizing ransomware payments put a stop to the current crime wave? - Help Net Security

• 7-Eleven Denmark confirms ransomware attack behind store closures (bleepingcomputer.com)

• Update: Colosseum Dental Benelux pays ransom to threat actors (databreaches.net)

• SolidBit Ransomware Group Recruiting New Affiliates on Dark Web - Infosecurity Magazine

• Fears for patient data after ransomware attack on NHS software supplier | NHS | The Guardian

• US reveals 'Target' pic of Conti man with $10m reward offer • The Register

• Organisations would like the government to help with ransomware demand costs - Help Net Security

• Hacker uses new RAT malware in Cuba Ransomware attacks (bleepingcomputer.com)

• Maui ransomware linked to North Korean group Andariel • The Register

• How to Stop Zeppelin Ransomware Attacks: CISA, FBI Mitigation Guidance - MSSP Alert

• Novel Ransomware Comes to the Sophisticated SOVA Android Banking Trojan (darkreading.com)

• US govt will pay you $10 million for info on Conti ransomware members (bleepingcomputer.com)

Phishing & Email Based Attacks

• LogoKit update: The phishing kit leveraging open redirect vulnerabilities - Help Net Security

• Phishing site masquerading "Have I Been Pwned" website detected. Be careful as very similar URL (exploitone.com)

Other Social Engineering; SMishing, Vishing, etc

• Hackers Behind Twilio Breach Also Targeted Cloudflare Employees (thehackernews.com)

• SMS phishing nabs Twilio employee credentials, allowed access customer data (scmagazine.com)

Malware

• Cyber criminals Shift From Macros to Shortcut Files to Hack Business PCs, HP Reports - Infosecurity Magazine

• Emotet Tops List of July's Most Widely Used Malware - Infosecurity Magazine

• Top malware strains observed in 2021 | Security Magazine

• Microsoft blocks UEFI bootloaders enabling Windows Secure Boot bypass (bleepingcomputer.com)

Mobile

• Google researchers dissect Android spyware, zero days (techtarget.com)

• Novel Ransomware Comes to the Sophisticated SOVA Android Banking Trojan (darkreading.com)

• Xiaomi Phones with MediaTek Chips Found Vulnerable to Forged Payments (thehackernews.com)

• Hackers install Dracarys Android malware using modified Signal app (bleepingcomputer.com)

Internet of Things – IoT

• The Time Is Now for IoT Security Standards (darkreading.com)

• Introducing the book: If It's Smart, It's Vulnerable - Help Net Security

Organised Crime & Criminal Actors

• Cisco hacked by access broker with Lapsus$ ties (techtarget.com)

• New dark web markets claim association with criminal cartels (bleepingcomputer.com)

• Dark Utilities C2 service draws thousands of cyber criminals • The Register

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Email marketing firm hacked to steal crypto-focused mailing lists (bleepingcomputer.com)

• Swan Bitcoin Discloses Data Leak Due to Phishing Attack on Newsletter Provider - Decrypt

• Phishers Swim Around 2FA in Coinbase Account Heists | Threatpost

• Crypto and the US government are headed for a decisive showdown | Ars Technica

• Cameo’s CEO fell victim to the latest Bored Ape NFT heist - The Verge

Fraud, Scams & Financial Crime

• “Hi Mum” Phishing Scam Swindles Unsuspecting Parents (informationsecuritybuzz.com)

• How hackers are stealing credit cards from classifieds sites (bleepingcomputer.com)

• Why robotexts are scammers' favourite new tool - CyberScoop

AML/CFT/Sanctions

• US Sanctions Crypto 'Laundering' Service Tornado | SecurityWeek.Com

• Virtual Currency Platform ‘Tornado Cash’ Accused of Aiding APTs | Threatpost

• Greece Flies Russian Money Launderer to US: Lawyer | SecurityWeek.Com

Insurance

• BlackBerry Study: Most SMBs Have Less Than $600K in Ransomware Coverage - MSSP Alert

• Number Of Firms Unable To Access Cyber-Insurance Set To Double (informationsecuritybuzz.com)

• Australian court finds insurer not liable for ransomware clean-up costs - Security - iTnews

Cloud/SaaS

• Implementing zero trust for a secure hybrid working enterprise - Help Net Security

• How to Clear Security Obstacles and Achieve Cloud Nirvana (darkreading.com)

• Why SAP systems need to be brought into the cyber security fold - Help Net Security

Open Source

• Chinese hackers backdoor chat app with new Linux, macOS malware (bleepingcomputer.com)

Social Media

• Facebook's Metaverse is Expanding the Attack Surface (trendmicro.com)

• Meta's chatbot says the company 'exploits people' - BBC News

• Facebook’s In-app Browser on iOS Tracks ‘Anything You Do on Any Website’ | Threatpost

Training, Education and Awareness

• 25% of employees don't care enough about cyber security to report a security incident - Help Net Security

Privacy

• Facebook’s In-app Browser on iOS Tracks ‘Anything You Do on Any Website’ | Threatpost

Travel

• Don't get stung by these fake holiday cyber-scams this summer | TechRadar

Parental Controls and Child Safety

• Predator Pleads Guilty After Targeting Thousands of Young Girls Online - Infosecurity Magazine

• Huge rise in self-generated child sexual abuse content online, report finds | Internet safety | The Guardian

• Online sexual blackmail of primary school children surges since lockdown (telegraph.co.uk)

Models, Frameworks and Standards

• Compliance Certifications: Worth the Effort? (darkreading.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Russia's digital attacks are haphazard, chaotic, says top Ukrainian cyber official - CyberScoop

• Cyberspying Aimed at Industrial Enterprises in Russia and Ukraine Linked to China | SecurityWeek.Com

• Killnet Releases 'Proof' of its Attack Against Lockheed Martin | SecurityWeek.Com

• Meta Cracks Down on Cyber Espionage Operations in South Asia Abusing Facebook (thehackernews.com)

• New Hacker Forum Takes Pro-Ukraine Stance | Threatpost

• Ex Twitter employee found guilty of spying for Saudi Arabia - Security Affairs

• Ex-CIA security boss predicts coming crackdown on spyware • The Register

Nation State Actors

Nation State Actors – Russia

• Russia Is Escalating Ukraine Hacking, Black Hat Research Says (gizmodo.com)

• Russian invasion has destabilized cyber security norms • The Register

• Russia-Ukraine Conflict Holds Cyberwar Lessons (darkreading.com)

• Industroyer2: How Ukraine avoided another blackout attack (techtarget.com)

Nation State Actors – China

• Chinese Hackers May Be Behind Attacks Targeting Eastern Europe and Afghanistan - Infosecurity Magazine

• China-linked spies used six backdoors to steal defence info • The Register

• Mandiant researchers uncover significant new disinformation campaign (securitybrief.co.nz)

• Stats say Chinese researchers are not deterred by China's vulnerability law (scmagazine.com)

• Chinese scammers target kids with promise of extra gaming • The Register

• Chinese hackers backdoor chat app with new Linux, macOS malware (bleepingcomputer.com)

Nation State Actors – North Korea

• North Korea Allegedly Stole Millions of Dollars Worth of Crypto Assets - IT Security Guru

• Maui ransomware linked to North Korean group Andariel • The Register

• North Korean hackers target crypto experts with fake Coinbase job offers (bleepingcomputer.com)

Vulnerability Management

• Google's bug bounty boss: Finding vulns is 'totally useless' • The Register

• Patch Madness: Vendor Bug Advisories Are Broken, So Broken (darkreading.com)

• Human Threat Hunters Are Essential to Thwarting Zero-Day Attacks (darkreading.com)

Vulnerabilities

• Microsoft Patches ‘Dogwalk’ Zero-Day and 17 Critical Flaws | Threatpost

• Cisco Patches High-Severity Vulnerability Affecting ASA and Firepower Solutions (thehackernews.com)

• Yet another Microsoft RCE bug under active exploit • The Register

• Palo Alto Networks: New PAN-OS DDoS flaw exploited in attacks (bleepingcomputer.com)

• CISA adds UnRAR and Windows flaws to Known Exploited Vulnerabilities Catalog - Security Affairs

• Zimbra auth bypass bug exploited to breach over 1,000 servers (bleepingcomputer.com)

• Researchers Debut Fresh RCE Vector for Common Google API Tool (darkreading.com)

• Surge in CVEs as Microsoft Fixes Exploited Zero Day Bugs - Infosecurity Magazine

• Risky Business: Enterprises Can’t Shake Log4j flaw - Security Affairs

• Years after claiming DogWalk wasn't a vulnerability, Microsoft confirms flaw is being exploited and issues patch (bitdefender.com)

• Three flaws allow attackers to bypass UEFI Secure Boot feature - Security Affairs

• Windows devices with newest CPUs are susceptible to data damage (bleepingcomputer.com)

• Critical Flaws Disclosed in Device42 IT Asset Management Software (thehackernews.com)

• Cisco fixed a flaw in ASA, FTD devices that can give access to RSA private key - Security Affairs

• Organisations Warned of Critical Vulnerabilities in NetModule Routers | SecurityWeek.Com

• 4 Flaws, Other Weaknesses Undermine Cisco ASA Firewalls (darkreading.com)

• New vulnerability in AMD Ryzen CPUs could seriously jeopardize performance | TechRadar

• ÆPIC Leak: Architectural Bug in Intel CPUs Exposes Protected Data | SecurityWeek.Com

• Microsoft Paid $13.7 Million via Bug Bounty Programs Over Past Year | SecurityWeek.Com

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

Other News

• Microsoft 365 outage triggered by Meraki firewall false positive (bleepingcomputer.com)

• Why VPN no longer has a place in a secure work environment | TechRadar

• VMware: The threat of lateral movement is growing (techtarget.com)

• 36% of orgs expose insecure FTP protocol to the internet, and some still use Telnet - Help Net Security

• 5 key things learned from CISOs of smaller enterprises survey - Help Net Security

• Stolen credentials are the most common attack vector companies face - Help Net Security

• Your cyber security staff are burned out - and many have thought about quitting | ZDNet

• Researchers Use ‘Invisible Finger’ to Remotely Control Touchscreens (vice.com)

• Businesses are struggling to balance security and end-user experience - Help Net Security

• Starlink Successfully Hacked Using $25 Modchip | Threatpost

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive Summary

Microsoft’s August Patch Tuesday provides updates to address security issues across its product range, including several critical patches. The standout patch in this release is for a Zero-Day flaw, affecting both client and server version of Windows, that is being actively exploited in the wild. This flaw is present within the Microsoft Windows Support Diagnostic Tool (MSDT), which is the same windows component that previously made headlines with the Follina zero day (CVE-2022-30190).

Security updates have also been released for other Microsoft products to tackle different issues, including privilege escalation flaws within Microsoft Exchange servers.

What’s the risk to me or my business?

Security updates are available for all supported versions of Windows. As some of these updates address vulnerabilities that are known to be actively exploited, the updates should be applied as soon as possible, particularly as this release contains a patch for an actively exploited Zero-day.

What can I do?

Apply the available updates from Microsoft as soon as possible, while taking into consideration any potential downtime that these updates may cause.

Technical Summary

The Zero-Day exploit, CVE-2022-34713, requires an end user to either open a crafted file sent as an email attachment, or through a link clicked on a website. This then in turn exploits the vulnerability within the Windows component, granting access to the malicious attacker to execute remote code on the victims computer. Microsoft reinforces the message that further awareness is required to upskill employees to be wary of these types of attacks, since malicious documents and links are a common attack vector which are still being used by attackers to great effect. Further information on this particular vulnerability is available here: CVE-2022-34713 - Security Update Guide - Microsoft - Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability

Further details on other specific updates within this Patch Tuesday can be found here: Microsoft Windows Security Updates August 2022 overview - gHacks Tech News

Need help understanding your gaps, or just want some advice? Get in touch with us.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Average Cost of Data Breaches Hits Record High of $4.35 Million: IBM

The global average cost of data breaches reached an all-time high of $4.35 million in 2022 compared with $4.24 million in 2021, according to a new IBM Security report. About 60% of the breached organisations raised product and services prices due to the breaches.

The annual report, conducted by Ponemon Institute and analysed and sponsored by IBM Security, is based on the analysis of real-world data breaches experienced by 550 organisations globally between March 2021 and March 2022.

According to the report, about 83% of the organisations have experienced more than one breach in their lifetime, with nearly half of the costs reported to be incurred more than a year after the breach.

The report revealed that ransomware and destructive attacks represented 28% of breaches among the critical infrastructure organisations studied, indicating that threat actors are specifically targeting the sector to disrupt global supply chains. The critical infrastructure sector includes financial services, industrial, transportation, and healthcare companies.

https://www.csoonline.com/article/3668655/average-cost-of-data-breaches-hits-record-high-of-435-million-ibm.html#tk.rss_news

• Researchers Warns of Large-Scale Adversary-in-the-Middle (AiTM) Attacks Targeting Enterprise Users

A new, large-scale phishing campaign has been observed using adversary-in-the-middle (AitM) techniques to get around security protections and compromise enterprise email accounts.

It uses a technique capable of bypassing multi-factor authentication. The campaign is specifically designed to reach end users in enterprises that use Microsoft's email services.

Prominent targets include fintech, lending, insurance, energy, manufacturing, and federal credit union verticals located in the US, UK, New Zealand, and Australia.

This is not the first time such a phishing attack has come to light. Last month, Microsoft disclosed that over 10,000 organisations had been targeted since September 2021 by means of AitM techniques to breach accounts secured with multi-factor authentication (MFA).

The ongoing campaign, effective June 2022, commences with an invoice-themed email sent to targets containing an HTML attachment, which includes a phishing URL embedded within it.

https://thehackernews.com/2022/08/researchers-warns-of-large-scale-aitm.html

• UK NHS Suffers Outage After Cyber Attack on Managed Service Provider

The UK National Health Service (NHS) 111 emergency services were affected by a significant and ongoing outage triggered by a cyber attack that hit the systems of British managed service provider (MSP) Advanced.

Advanced's Adastra client patient management solution, which is used by 85% of NHS 111 services, was hit by a major outage together with several other services provided by the MSP, according to a status page.

"There was a major outage of a computer system that is used to refer patients from NHS 111 Wales to out-of-hours GP providers," the Welsh Ambulance Services said. "This system is used by Local Health Boards to coordinate these services for patients. The ongoing outage is significant and has been far-reaching, impacting each of the four nations in the UK."

The UK public was advised to access the NHS 111 emergency services using the online platform until the incident is resolved.

While no details were provided regarding the nature of the cyber attack, based on the wording, it is likely that this was a ransomware or data extortion attack.

https://www.bleepingcomputer.com/news/security/uk-nhs-suffers-outage-after-cyberattack-on-managed-service-provider/

• A Third of Organisations Experience a Ransomware Attack Once a Week

Ransomware attacks show no sign of slowing. According to new research published by Menlo Security, a third of organisations experience a ransomware attack at least once a week, with one in 10 experiencing them more than once a day.

The research, conducted among 500+ IT security decision makers at US and UK organisations with more than 1,000 employees, highlights the impact this is having on security professionals’ own wellbeing. When asked what keeps them awake at night, 41% of respondents say they worry about ransomware attacks evolving beyond their team’s knowledge and skillset, while 39% worry about them evolving beyond their company’s security capabilities.

Their biggest concern, however, is the risk of employees ignoring corporate security advice and clicking on links or attachments containing malware (46%). Respondents worry more about this than they do their own job security, with just a quarter (26%) of respondents worried about losing their job.

According to the report, around half of organisations (61% US and 44% UK) have been the victim of a successful ransomware attack in the last 18 months, with customers and prospects the most likely entry point for an attack.

Partners/suppliers and employees/contractors are also seen as serious security risks, although one in 10 admit they are unable to identify how the attacks got in. The top three ransomware attack vectors are email (54%), web browsers via a desktop or laptop (49%) and mobile devices (39%).

https://www.helpnetsecurity.com/2022/08/04/organizations-experience-ransomware-attack/

• Ransomware Products and Services Ads on Dark Web Show Clues to Danger

Why is ransomware’s destructive potential so daunting? Some clues are in the “for sale” ads. In an examination of some 35 million dark web URLs, a provider of machine identity management and a forensic specialist found some 475 web pages peddling sophisticated ransomware products and services with a number of high profile crews hawking ransomware-as-a-service.

The work is a joint effort between the Salt Lake City-based Venafi and Forensic Pathways, which took place between November 2021 and March 2022. Researchers used Forensic’s Dark Search Engine to carry out the investigation.

Here are some of the research findings:

• 87% of the ransomware found on the dark web has been delivered via malicious macros to infect targeted systems.

• 30 different “brands” of ransomware were identified within marketplace listings and forum discussions.

• Many strains of ransomware being sold — such as Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear and WannaCry — have been successfully used in high-profile attacks.

• Ransomware strains used in high-profile attacks command a higher price for associated services. For example, the most expensive listing was $1,262 for a customised version of Darkside ransomware, which was used in the Colonial Pipeline ransomware attack.

• Source code listings for well-known ransomware generally command higher price points. For example, Babuk source code is listed for $950 and Paradise source code is selling for $593.

Ransomware Sold for as Little as $1: In addition to a variety of ransomware at various price points, a wide range of services and tools that help make it easier for attackers with minimal technical skills to launch ransomware attacks are for sale on the dark web, Venafi said. Services with the greatest number of listings include those offering source code, build services, custom development services and ransomware packages that include step-by-step tutorials.

https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/ransomware-products-services-ads-on-dark-web-show-clues-to-danger/

• Wolf In Sheep’s Clothing: How Malware Tricks Users and Antivirus

One of the primary methods used by malware distributors to infect devices is by deceiving people into downloading and running malicious files, and to achieve this deception, malware authors are using a variety of tricks.

Some of these tricks include masquerading malware executables as legitimate applications, signing them with valid certificates, or compromising trustworthy sites to use them as distribution points.

According to VirusTotal, a security platform for scanning uploaded files for malware, some of these tricks are happening on a much larger scale than initially thought.

The platform has compiled a report presenting stats from January 2021 until July 2022, based on the submission of two million files daily, illustrating trends in how malware is distributed.

• Abusing legitimate domains: Distributing malware through legitimate, popular, and high-ranking websites allows threat actors to evade IP-based blocklists, enjoy high availability, and provide a greater level of trust.

• Using stolen code-signing certificates: Signing malware samples with valid certificates stolen from companies is a reliable way to evade AV detection and security warnings on the host. Of all the malicious samples uploaded to VirusTotal between January 2021 and April 2022, over a million were signed, and 87% used a valid certificate.

• Disguised as popular software: Masquerading a malware executable as a legitimate, popular application has seen an upward trend in 2022. Victims download these files thinking they’re getting the applications they need, but upon running the installers, they infect their systems with malware. The most mimicked applications are Skype, Adobe Acrobat, VLC, and 7zip.

• Lacing legitimate installers - Finally, there’s the trick of hiding malware inside legitimate application installers and running the infection process in the background while the real apps execute in the foreground. Based on VirusTotal stats, this practice also appears to be on the rise this year, using Google Chrome, Malwarebytes, Windows Updates, Zoom, Brave, Firefox, ProtonVPN, and Telegram as lures.

https://www.bleepingcomputer.com/news/security/wolf-in-sheep-s-clothing-how-malware-tricks-users-and-antivirus/

• Microsoft Accounts Targeted with New MFA-Bypassing Phishing Kit

A new large-scale phishing campaign targeting credentials for Microsoft email services use a custom proxy-based phishing kit to bypass multi-factor authentication.

Researchers believe the campaign's goal is to breach corporate accounts to conduct BEC (business email compromise) attacks, diverting payments to bank accounts under their control using falsified documents.

The phishing campaign's targets include fin-tech, lending, accounting, insurance, and Federal Credit Union organisations in the US, UK, New Zealand, and Australia.

The campaign was discovered by Zscaler's ThreatLabz researchers, who report that the operation is still ongoing, and the phishing actors register new phishing domains almost daily.

Starting in June 2022, Zscaler's analysts noticed a spike in sophisticated phishing attempts against specific sectors and users of Microsoft email services.

Some of the newly registered domains used in the campaign are typo-squatted versions of legitimate domains.

Notably, many phishing emails originated from the accounts of executives working in these organisations, whom the threat actors most likely compromised earlier.

https://www.bleepingcomputer.com/news/security/microsoft-accounts-targeted-with-new-mfa-bypassing-phishing-kit/

• Cyber Attack Prevention Is Cost-Effective, So Why Aren’t Businesses Investing to Protect?

Cyber attacks like ransomware, BEC scams and data breaches are some of the key issues businesses are facing today, but despite the number of high-profile incidents, many boardrooms are reluctant to free up budget to invest in the cyber security measures necessary to avoid becoming the next victim.

In a Help Net Security interview, Former Pentagon Chief Strategy Officer Jonathan Reiber, VP Cyber security Strategy and Policy, AttackIQ, discusses how now, more than ever, companies need to protect themselves from cyber threat actors. He offers insight for CISOs, from talking to the Board to proper budget allocation.

https://www.helpnetsecurity.com/2022/08/01/cyberattack-prevention-investing/

• Securing Your Move to the Hybrid Cloud

The combination of private and public cloud infrastructure, which most organisations are already using, poses unique security challenges. There are many reasons why organisations adopt the public cloud, from enabling rapid growth without the burden of capacity planning to leveraging flexibility and agility in delivering customer-centric services. However, this use can leave companies open to threats.

Since regulatory requirements or other preferences dictate that certain applications remain on private (on-prem) infrastructure, many organisations choose to maintain a mix of private and public infrastructure. Additionally, organisations typically use multiple cloud providers simultaneously or preserve the option to move between providers. However, this hybrid approach presents unique and diverse security challenges. Different cloud providers and private cloud platforms may offer similar capabilities but different ways of implementing security controls, along with disparate management tools.

The question then becomes: How can an organisation maintain consistent governance, policy enforcement and controls across different clouds? And how can it ensure that it maintains its security posture when moving between them? Fortunately, there are steps professionals can take to ensure that applications are continuously secure, starting from the early stages of development and extending throughout the lifecycle.

https://threatpost.com/secure-move-cloud/180335/

• Lessons from the Russian Cyber Warfare Attacks

Cyber warfare tactics may not involve tanks and bombs, but they often go hand-in-hand with real combat.

The Russian invasion of Ukraine is a prime example. Before Russian troops crossed the border, Russian hackers had already taken down Ukrainian government websites. And after the conflict started, the hacktivist group Anonymous turned the tables by hacking Russian media to shut down propaganda about the war.

In these unprecedented times of targeted attacks against governments and financial institutions, every organisation should be on heightened alert about protecting their critical infrastructure and digital attack surface.

With the Russia-Ukraine conflict as a backdrop, two Trend Micro security experts recently discussed cyber warfare techniques and how they’re an important reminder for every business to proactively manage cyber risk.

https://www.trendmicro.com/en_us/ciso/22/h/russian-cyber-warfare-attacks.html

• Four Sneaky Attacker Evasion Techniques You Should Know About

Remember those portrayals of hackers in the 80s and 90s where you just knew when you got pwned? A blue screen of death, a scary message, a back-and-forth text exchange with a hacker—if you got pwned in a movie in the 80s and 90s, you knew it right off the bat.

What a shame that today’s hackers have learned to be quiet when infiltrating an environment. Sure, “loud” attacks like ransomware still exist, but threat actors have learned that if they keep themselves hidden, they can usually do far more damage. For hackers, a little stealth can go a long way. Some attack tactics are inherently quiet, making them arguably more dangerous as they can be harder to detect. Here are four of these attack tactics you should know about.

1. Trusted Application Abuse: Attackers know that many people have applications that they inherently trust, making those trusted applications the perfect launchpad for cyber attacks. Threat actors know that defenders and the tools they use are often on the hunt for new malware presenting itself in environments. What isn’t so easy to detect is when the malware masquerades under legitimate applications.

2. Trusted Infrastructure Abuse: Much like trusted application abuse, trusted infrastructure abuse is the act of using legitimate, publicly hosted services and toolsets (such as Dropbox or Google Drive) as part of the attack infrastructure. Threat actors know that people tend to trust Dropbox and Google Drive. As a result, this makes these tools a prime means for threat actors to carry out malicious activity. Threat actors often find trusted infrastructure abuse easy because these services aren’t usually blocked at an enterprise’s gateway. In turn, outbound communications can hide in plain sight.

3. Obfuscation: Although cyber security has more than its fair share of tedious acronyms, the good news is that many terms can be broken down by their generic dictionary definitions. According to dictionary.com, this is what obfuscate means: “To make something unclear, obscure or difficult to understand.” And that’s exactly what it means in cyber security: finding ways to conceal malicious behaviour. In turn, this makes it more difficult for analysts and the tools they use to flag suspicious or malicious activity.

4. Persistence: Imagine writing up documentation using your computer, something you may well do in your role. You’ve spent a ton of time doing the research required, finding the right sources and compiling all your information into a document. Now, imagine not hitting save on that document and losing it as soon as you reboot your computer. Sound like a nightmare—or perhaps a real anxiety-inducing experience you’ve been through before? Threat actors agree. And that’s why they establish persistence. They don’t want all of their hard work to get into your systems in the first place to be in vain just because you restart your computer. They establish persistence to make sure they can still hang around even after you reboot.

https://www.msspalert.com/cybersecurity-guests/four-sneaky-attacker-evasion-techniques-you-should-know-about/

• Zero-Day Defence: Tips for Defusing the Threat

Because they leave so little time to patch and defuse, zero-day threats require a proactive, multi-layered approach based on zero trust.

The recent Atlassian Confluence remote code execution bug is just the latest example of zero-day threats targeting critical vulnerabilities within major infrastructure providers. The specific threat, an Object-Graph Navigation Language (OGNL) injection, has been around for years but took on new significance given the scope of the Atlassian exploit. And OGNL attacks are on the rise.

Once bad actors find such a vulnerability, proof-of-concept exploits start knocking at the door, seeking unauthenticated access to create new admin accounts, execute remote commands, and take over servers. In the Atlassian case, Akamai's threat research team identified that the number of unique IP addresses attempting these exploits grew to more than 200 within just 24 hours.

Defending against these exploits becomes a race against time worthy of a 007 movie. The clock is ticking and you don't have much time to implement a patch and "defuse" the threat before it's too late. But first you need to know that an exploit is underway. That requires a proactive, multi-layered approach to online security based on zero trust.

What do these layers look like? There are a number of different practices that security teams — and their third-party Web application and infrastructure partners — should be aware of.

https://www.darkreading.com/attacks-breaches/zero-day-defense-tips-for-defusing-the-threat

Threats

Ransomware

• Reported ransomware attacks are just the tip of the iceberg. That's a problem for everyone | ZDNet

• Initial Access Brokers - Key to Rise In Ransomware Attacks (informationsecuritybuzz.com)

• Ransomware gangs are hitting roadblocks, but aren't stopping (yet) - Help Net Security

• SonicWall: Ransomware Global Cyber Attack Volume Shrinks, Still Exceeds Totals for 2017-2019 - MSSP Alert

• 87% of the ransomware found on the dark web has been delivered via malicious macros - Help Net Security

• LockBit Ransomware Abuses Windows Defender for Payload Loading | SecurityWeek.Com

• German Chambers of Industry and Commerce hit by 'massive' cyber attack (bleepingcomputer.com)

• Brand-New HavanaCrypt Ransomware Poses as Google Software Update App Uses Microsoft Hosting Service IP Address as C&C Server (trendmicro.com)

• Ransomware Task Force releases SMB blueprint for defence and mitigation (scmagazine.com)

• Prepare for ransomware before you're hit • The Register

• German semiconductor giant Semikron says hackers encrypted its network | TechCrunch

• Ransomware Hit on European Pipeline & Energy Supplier Encevo Linked to BlackCat (darkreading.com)

• Luxembourg Energy Company Hit by Ransomware | SecurityWeek.Com

• Spanish research agency still recovering after ransomware attack (bleepingcomputer.com)

Phishing & Email Based Attacks

• Countdown Clock Puts Pressure on Phishing Targets - Infosecurity Magazine

• The most impersonated brand in phishing attacks? Microsoft - Help Net Security

• Open Redirect Flaw Snags Amex, Snapchat User Data | Threatpost

• American Express, Snapchat Open-Redirect Vulnerabilities Exploited in Phishing Scheme (darkreading.com)

• A new malware threat is spying on users' Gmail inbox — do this before you're next | Laptop Mag

• Massive New Phishing Campaign Targets Microsoft Email Service Users (darkreading.com)

• North Korean Hackers Use Browser Extension to Spy on Gmail and AOL Accounts - Infosecurity Magazine

Other Social Engineering; SMishing, Vishing, etc

• US FCC warns of the rise of smishing attacks - Security Affairs

Malware

• VirusTotal Reveals Most Impersonated Software in Malware Attacks (thehackernews.com)

• Gootkit Loader Resurfaces with Updated Tactic to Compromise Targeted Computers (thehackernews.com)

• Woody RAT: A new feature-rich malware spotted in the wild | Malwarebytes Labs

• VirusTotal: Threat Actors Mimic Legitimate Apps, Use Stolen Certs to Spread Malware (darkreading.com)

• New IoT RapperBot Malware Targeting Linux Servers via SSH Brute-Forcing Attack (thehackernews.com)

• New Linux malware brute-forces SSH servers to breach networks (bleepingcomputer.com)

• Credential Stealer Malware Raccoon Updated to Obtain Passwords More Efficiently - Infosecurity Magazine

• Attackers cause Discord discord with malicious npm packages • The Register

• Gootkit AaaS malware is still active and uses updated tactics - Security Affairs

Mobile

• Facebook finds new Android malware used by APT hackers (bleepingcomputer.com)

• Google Patches Critical Android Bluetooth Flaw in August Security Bulletin - Infosecurity Magazine

• Banking trojan finds new routes to accounts by infiltrating Google Play Store (scmagazine.com)

Internet of Things – IoT

• A Digital Home Has Many Open Doors (darkreading.com)

• All the Data Amazon's Ring Cameras Collect About You | WIRED

Organised Crime & Criminal Actors

• Thousands of hackers flock to 'Dark Utilities' C2-as-a-Service (bleepingcomputer.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Phishing campaign targets Coinbase wallet holders to steal cryptocurrency in real-time - Help Net Security

• Nearly $200 Million Stolen from Cryptocurrency Bridge Nomad | SecurityWeek.Com

• Crypto firm that promised security loses $200 million in 'frenzied free-for-all' hack | PC Gamer

• Nomad to crooks: Keep 10% as a bounty, return the rest • The Register

• Cyber attackers Drain Nearly $6M From Solana Crypto Wallets (darkreading.com)

• Man robbed of $800,000 in cryptocurrency sues Google • The Register

Insider Risk and Insider Threats

• T-Mobile Store Owner Made $25M Using Stolen Employee Credentials (darkreading.com)

Fraud, Scams & Financial Crime

• UK Branded Europe’s “Capital of Card Fraud” - Infosecurity Magazine

• Huge network of 11,000 fake investment sites targets Europe (bleepingcomputer.com)

• Online payment fraud losses accelerate at an alarming rate - Help Net Security

• COMMENT: 'Hi Mum, Hi Dad' Scams On The Rise - Britons Already (informationsecuritybuzz.com)

• Increase in Fake Tickets Being Sold by Cyber criminals on Social Media - IT Security Guru

AML/CFT/Sanctions

• Robinhood Crypto Penalized $30M for Violating NY Cybersecurity Regulations | SecurityWeek.Com

Dark Web

• A Ransomware Explosion Fosters Thriving Dark Web Ecosystem (darkreading.com)

• The popularity of Dark Utilities 'C2-as-a-Service' rapidly increases - Security Affairs

Software Supply Chain

• Now is the time to focus on software supply chain security improvements - Help Net Security

Cloud/SaaS

• Cyber attackers Increasingly Target Cloud IAM as a Weak Link (darkreading.com)

• What Worries Security Teams About the Cloud? (darkreading.com)

• Who Has Control: The SaaS App Admin Paradox (thehackernews.com)

• Enterprises face a multitude of barriers to securing diverse cloud environments - Help Net Security

Open Source

• New Linux malware brute-forces SSH servers to breach networks (bleepingcomputer.com)

Passwords, Credential Stuffing & Brute Force Attacks

• Hackers stole passwords for accessing 140,000 payment terminals | TechCrunch

• Credential Canaries Create Minefield for Attackers (darkreading.com)

• 5 reasons why businesses should never use consumer-grade password managers | TechRadar

Social Media

• Hackers Exploit Twitter Vulnerability to Exposes 5.4 Million Accounts (thehackernews.com)

• Parliament shuts down TikTok account over China data security concerns (telegraph.co.uk)

• Over 3,200 Apps Leak Twitter API Keys, Some Allowing Account Hijacks (informationsecuritybuzz.com)

• Increase in Fake Tickets Being Sold by Cyber criminals on Social Media - IT Security Guru

Privacy

• DuckDuckGo browser now blocks all Microsoft trackers, most of the time (bleepingcomputer.com)

Cyber Bullying and Cyber Stalking

• Australia charges dev of Imminent Monitor RAT used by domestic abusers (bleepingcomputer.com)

Regulations, Fines and Legislation

• Most companies are unprepared for CCPA and GDPR compliance - Help Net Security

• Data privacy: Collect what you need, protect what you collect | CSO Online

• India scraps data protection law, promises better successor • The Register

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Austrian Investigation Reveals Spyware Targeting Law Firms, Finance Institutions - Infosecurity Magazine

• Ukraine takes down 1,000,000 bots used for disinformation (bleepingcomputer.com)

• Nancy Pelosi ties Chinese cyber-attacks to Taiwan visit • The Register

• Spanish Research Center Suffers Cyber attack Linked to Russia | SecurityWeek.Com

• Russian organisations attacked with new Woody RAT malware (bleepingcomputer.com)

• Greek intelligence spied on journalist with a surveillance spyware - Security Affairs

• Rare Pegasus screenshots depict NSO Group's spyware capabilities | AppleInsider

Nation State Actors

Nation State Actors – Russia

• Double Whammy: Russian Hackers Launch Cyber Attacks On Lockheed Martin; Armed Forces Hack Into HIMARS -- Reports (eurasiantimes.com)

• Ukraine Shutters Major Russian Bot Farm - Infosecurity Magazine

Nation State Actors – China

• Chinese hackers use new Cobalt Strike-like attack framework (bleepingcomputer.com)

• Massive China-Linked Disinformation Campaign Taps PR Firm for Help (darkreading.com)

• Parliament shuts down TikTok account over China data security concerns (telegraph.co.uk)

• China, Huawei, and the eavesdropping threat | CSO Online

• Global network of fake news sites push Chinese propaganda, researchers find - CyberScoop

• Taiwanese military reports DDoS in wake of US Speaker visit • The Register

Nation State Actors – North Korea

• Cyber crime a Key Revenue Stream For North Korea's Weapons Program - Infosecurity Magazine (infosecurity-magazine.com)

• North Korean Hackers Use Browser Extension to Spy on Gmail and AOL Accounts - Infosecurity Magazine (infosecurity-magazine.com)

Nation State Actors – Iran

• Iranian Hackers Likely Behind Disruptive Cyber attacks Against Albanian Government (thehackernews.com)

• Disruptive Cyber attacks on NATO Member Albania Linked to Iran | SecurityWeek.Com

Nation State Actors – Misc APT

• Twitter breach exposes anonymous accounts to nation state hackers - CyberScoop

Vulnerabilities

• VMware urges admins to patch critical auth bypass bug immediately (bleepingcomputer.com)

• Critical RCE Bug in DrayTek Routers Opens SMBs to Zero-Click Attacks (darkreading.com)

• Cisco fixes critical remote code execution bug in VPN routers (bleepingcomputer.com)

• F5 Fixes 21 Vulnerabilities With Quarterly Security Patches | SecurityWeek.Com

• High-Severity Bug in Kaspersky VPN Client Opens Door to PC Takeover (darkreading.com)

• Hackers Exploit Atlassian Confluence Vulnerability to Deploy New 'Ljl' Backdoor - Infosecurity Magazine

• Slack Resets Passwords After a Bug Exposed Hashed Passwords for Some Users (thehackernews.com)

• VMware Releases Patches for Several New Flaws Affecting Multiple Products (thehackernews.com)

• Hackers are actively exploiting password-stealing flaw in Zimbra (bleepingcomputer.com)

• Google fixed Critical Remote Code Execution flaw in Android - Security Affairs

• CISA adds Zimbra bug to Known Exploited Vulnerabilities Catalogue - Security Affairs

• Warning! Critical flaws found in US Emergency Alert System • The Register

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

Other News

• APIs attacked in 94% of companies in past year - IT Security Guru

• Over 60% of Organisations Expose SSH to the Internet - Infosecurity Magazine

• How IT and security teams can work together to improve endpoint security - Microsoft Security Blog

• Burnout and attrition impact tech teams sustaining modern digital systems - Help Net Security

• Machine learning creates a new attack surface requiring specialized defences - Help Net Security

• Cyber security lessons learned from COVID-19 pandemic (techtarget.com)

• 10 enterprise database security best practices (techtarget.com)

• Resolving Availability vs. Security, a Constant Conflict in IT (thehackernews.com)

• Tips to prevent RDP and other remote attacks on Microsoft networks | CSO Online

• 5 ways to unite security and compliance | CSO Online

• The Myth of Protection Online — and What Comes Next (darkreading.com)

• The Importance of Data Security in the Enterprise (techtarget.com)

• Who Needs Macros? | Threat Actors Pivot to Abusing Explorer and Other LOLBins via Windows Shortcuts - SentinelOne

• How IT Teams Can Use 'Harm Reduction' for Better Cyber security Outcomes (darkreading.com)

• Businesses lack visibility into run-time threats against mobile apps and APIs - Help Net Security

• Browser synchronization abuse: Bookmarks as a covert data exfiltration channel - Help Net Security

• Threats emanating from digital ecosystems can be a blind spot for businesses - Help Net Security

• Busting the Myths of Hardware Based Security - Security Affairs

• New Traffic Light Protocol standard released after five years (bleepingcomputer.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive Summary

Cisco has supplied patches which address multiple vulnerabilities for their Small Business routers. Three of these vulnerabilities could be used by an unauthenticated attacker to remotely execute code on the device, or cause denial of service to the device.

What’s the risk to me or my business?

The critical vulnerability relates to the web-based management interface, which can lead to the full compromise of the device. As these devices are on the network perimeter, compromise of these devices can lead to further breaches of other networked systems and data.

What can I do?

Cisco has released software updates to address the vulnerabilities, which are available for download from their website, and should be applied out of band where possible, due to the severity of this issue.

Technical Summary

The following is a breakdown of the vulnerabilities with the affected Cisco products.

CVE-2022-20842: A remote code execution vulnerability with a CVSS 3.0 rating of 9.8, which allows a malicious attacker to exploit insufficient validation on user-supplied input by providing a crafted HTTP input to an affected device, allowing them to execute arbitrary code as the root user, or reload the device resulting in DOS. Affected devices:

·         RV340 Dual WAN Gigabit VPN Routers

·         RV340W Dual WAN Gigabit Wireless-AC VPN Routers

·         RV345 Dual WAN Gigabit VPN Routers

·         RV345P Dual WAN Gigabit POE VPN Routers

CVE-2022-20827: A command injection vulnerability with a CVSS 3.0 rating of 9.0, which allows a malicious attacker to exploit insufficient validation on the web filter database update feature, to perform command injection and execute commands with root privileges. Affected devices:

·         RV160 VPN Routers

·         RV160W Wireless-AC VPN Routers

·         RV260 VPN Routers

·         RV260P VPN Routers with PoE

·         RV260W Wireless-AC VPN Routers

·         RV340 Dual WAN Gigabit VPN Routers

·         RV340W Dual WAN Gigabit Wireless-AC VPN Routers

·         RV345 Dual WAN Gigabit VPN Routers

·         RV345P Dual WAN Gigabit POE VPN Routers

CVE-2022-20841: A command injection vulnerability with a CVSS 3.0 rating of 8.3, which allows a malicious attacker to exploit insufficient validation on the Open Plug and Play command, to perform command injection and execute commands on the underlying operating system via a man-in-the-middle attack or from another compromised device on the network. Affected devices:

·         RV160 VPN Routers

·         RV160W Wireless-AC VPN Routers

·         RV260 VPN Routers

·         RV260P VPN Routers with PoE

·         RV260W Wireless-AC VPN Routers

·         RV340 Dual WAN Gigabit VPN Routers

·         RV340W Dual WAN Gigabit Wireless-AC VPN Routers

·         RV345 Dual WAN Gigabit VPN Routers

·         RV345P Dual WAN Gigabit POE VPN Routers

Further technical information including links to software patches for specific affected devices can be found here: Cisco Small Business RV Series Routers Vulnerabilities

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

Trellix Threat Labs Vulnerability research team discovered an unauthenticated remote code execution vulnerability which affects multiple DrayTek routers, which have their management interface configured to be accessible directly via the internet. This attack can also be performed by a malicious actor who has access within the local network, which is the default configuration for these devices.

What’s the risk to me or my business?

This is a one-click attack that can be performed without any user interaction, and can lead to the full compromise of the device. As these devices are on the network perimeter, compromise of these devices can lead to further breaches of other networked systems and data.

What can I do?

The vendor has released patches for this issue on their website, which should be applied out of band due to the severity of this issue. To mitigate this issue externally, management interfaces should never be configured to be directly accessible via the internet interface, however even with this mitigation it is important that the patch is applied promptly due to the threat of further compromise from an attacker with local network access.

Technical Summary

The following is a breakdown of the vulnerability with the affected DrayTek products.

CVE-2022-32548: This vulnerability has been given a CVSS 3.0 rating of 10.0, the attack works by compromising a buffer overflow vulnerability within the login page, which allows an attacker to provide a carefully crafted username and/or password which could allow an attacker to take control of the “DrayOS” which runs on the routers. Affected models with affected firmware versions include:

• Vigor3910 < 4.3.1.1

• Vigor1000B < 4.3.1.1

• Vigor2962 Series < 4.3.1.1

• Vigor2927 Series < 4.4.0

• Vigor2927 LTE Series < 4.4.0

• Vigor2915 Series < 4.3.3.2

• Vigor2952 / 2952P < 3.9.7.2

• Vigor3220 Series < 3.9.7.2

• Vigor2926 Series < 3.9.8.1

• Vigor2926 LTE Series < 3.9.8.1

• Vigor2862 Series < 3.9.8.1

• Vigor2862 LTE Series < 3.9.8.1

• Vigor2620 LTE Series < 3.9.8.1

• VigorLTE 200n < 3.9.8.1

• Vigor2133 Series < 3.9.6.4

• Vigor2762 Series < 3.9.6.4

• Vigor167 < 5.1.1

• Vigor130 < 3.8.5

• VigorNIC 132 < 3.8.5

• Vigor165 < 4.2.4

• Vigor166 < 4.2.4

• Vigor2135 Series < 4.4.2

• Vigor2765 Series < 4.4.2

• Vigor2766 Series < 4.4.2

• Vigor2832 < 3.9.6

• Vigor2865 Series < 4.4.0

• Vigor2865 LTE Series < 4.4.0

• Vigor2866 Series < 4.4.0

• Vigor2866 LTE Series < 4.4.0

Further technical information on the vulnerability can be found here: Unauthenticated Remote Code Execution in a Wide Range of DrayTek Vigor Routers (trellix.com)

Patches are available from the vendors website here: Latest Firmwares | DrayTek

Need help understanding your gaps, or just want some advice? Get in touch with us.

Executive Summary

VMware is a large supplier of virtualisation products which are used to run a variety of different services. They announced on 02/08/2022 that updates have been released for multiple products in their range to address multiple different vulnerabilities, recommending that these are patched immediately, due to one of the vulnerabilities allowing a malicious user who already has network access to gain administrator access on the affected VMware system.

What’s the risk to me or my business?

As VMware are one of the primary suppliers of virtual infrastructure, it is highly likely that some business services will be hosted on machines running VMware software. Business services may be hosted on VMware infrastructure, which if exploited could impact Confidentiality, Integrity, or Availability for these services.

What can I do?

As patches have been released, it is important that these are applied as soon as possible.

Discuss with you Managed Service Provider (MSP) whether any of your devices or services are impacted, and when they can expect to be patched. While VMware has supplied workaround to help mitigate the issue if it cannot be immediately patched, it is strongly noted that the work arounds do not remove the vulnerabilities and may introduce additional unforeseen issues.

Technical Summary

The following is a break down of the different vulnerabilities with the affected VMware products.

CVE-2022-31656: Critical severity range with maximum CVSSv3 base score of 9.8, malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate. Affected VMware products:

·         VMware Workspace One Access

·         Identity Manager

·         vRealize Automation

CVE-2022-31658: Important severity range with maximum CVSSv3 base core of 8.0, malicious actor with administrator and network access can trigger a remote code execution. Affected VMware products:

·         VMware Workspace ONE Access

·         Identity Manager

·         vRealize Automation

CVE-2022-31659: Important severity range with maximum CVSSv3 base core of 8.0, malicious actor with administrator and network access can trigger a remote code execution. Affected VMware products:

·         VMware Workspace ONE Access

·         Identity Manager

CVE-2022-31660, CVE-2022-31661, CVE-2022-31664: Important severity range with maximum CVSSv3 base core of 7.8, malicious actor with local access to the system can escalate privileges to ‘root’. Affected VMware products:

·         VMware Workspace ONE Access

·         Identity Manager

·         vRealize Automation

CVE-2022-31665: Important severity range with maximum CVSSv3 base core of 7.6, malicious actor with administrator and network access can trigger a remote code execution. Affected VMware products:

·         VMware Workspace ONE Access

·         Identity Manager

·         vRealize Automation

CVE-2022-31657: Moderate severity range with maximum CVSSv3 base core of 5.9, malicious actor with network access may be able to redirect an authenticated user to an arbitrary domain. Affected VMware products:

·         VMware Workspace ONE Access

·         Identity Manager

CVE-2022-31662: Moderate severity range with maximum CVSSv3 base core of 5.3, malicious actor with network access may be able to access arbitrary files. Affected VMware products:

·         VMware Workspace ONE Access

·         Identity Manager

·         Connectors

·         vRealize Automation

CVE-2022-31663: Moderate severity range with maximum CVSSv3 base core of 4.7. Due to improper user input sanitization, a malicious actor with some user interaction may be able to inject javascript code in the target user's window.. Affected VMware products:

·         VMware Workspace ONE Access

·         Identity Manager

·         vRealize Automation

Further technical information including a response patch matrix and workarounds can be found here: VMSA-2022-0021 (vmware.com), VMSA-2022-0021: Questions & Answers | VMware

Need help understanding your gaps, or just want some advice? Get in touch with us.