Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Advisory 30/01/2023 – GoTo Encrypted Backup and Encryption Keys Theft
Black Arrow Cyber Advisory 30/01/2023 – GoTo Encrypted Backup and Encryption Keys Theft
Executive Summary
Following on from a security incident in November 2022, GoTo, a remote access and communications software provider who also own LastPass, has announced that a threat actor exfiltrated encrypted backups from a third-party cloud storage service, along with an encryption key which allowed access to a “portion” of these encrypted backup files.
What’s the risk to me or my business?
According to GoTo, the products impacted are “Central, Pro, join.me, Hamachi, and RemotelyAnywhere”. GoTo later explain that the affected information varies depending on the product and may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings and some licensing information and product settings. In addition to this, whilst GoToMyPC and Rescue were not exfiltrated, MFA settings of a small subset of their customers were impacted.
What can I do?
As a precaution we would recommend that users change their password of affected accounts and ensure that multi-factor authentication is enabled all accounts where available.
GoTo have been resetting passwords and re-authorising MFA settings of affected users. The users have then been migrated onto an “enhanced Identity Management Platform” to provide additional security with authentication and login-based security options.
Further information on this security incident be found here: https://www.goto.com/blog/our-response-to-a-recent-security-incident
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Informational 30/01/2023 – PoC Released for Microsoft Certification Vulnerability, Devices Still Vulnerable Months After NSA Disclosure
Black Arrow Cyber Informational 30/01/2023 – PoC Released for Microsoft Certification Vulnerability, Devices Still Vulnerable Months After NSA Disclosure
Executive Summary
The security provider Akami has identified that less than 1% of visible devices in data centres have been patched for a Microsoft CryptoAPI spoofing vulnerability (CVE-2022-34689), despite NSA disclosure and a publicly released patch by Microsoft in October 2022. In addition, Akamai have created a proof of concept for how this vulnerability can be exploited.
What’s the risk to me or my business?
Successful exploitation of this vulnerability could allow an attacker to spoof their identity and perform actions such as authentication or code signing from a targeted certificate. If you do not use applications with end-certificate caching, you are not vulnerable to this attack. At this time, the provided proof of concept was only applicable if the attacker had the ability to generate a certificate from the targeted infrastructure, and if the targeted webpage or application was accessed using version v48 of Chrome or earlier, which was released on 25 January 2016.
What can I do?
Patch your Windows endpoints and servers with the latest security patches provided by Microsoft. This vulnerability was addressed as part of the October 2022 Patch Tuesday.
Further information on the vulnerability can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34689
Akami’s Report can be found here: https://www.akamai.com/blog/security-research/exploiting-critical-spoofing-vulnerability-microsoft-cryptoapi
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Threat Briefing 27 January 2023
Black Arrow Cyber Threat Briefing 27 January 2023:
-Supply Chain Attacks Caused More Data Compromises Than Malware
-What Makes Small and Medium-Sized Businesses Vulnerable to BEC Attacks
-Understanding Your Attack Surface Makes It Easier to Prioritise Technologies and Systems
-Cyber Security Pros Sound Alarm Over Insider Threats
-Ransomware Attack Hit KFC and Pizza Hut Stores in the UK
-Forthcoming SEC Rules Will Trigger ‘Tectonic Shift’ in How Corporate Boards Treat Cyber Security
-Why CISOs Make Great Board Members
-View From Davos: The Changing Economics of Cyber Crime
-Cloud Based Networks Under Increasing Attack, Report Finds
-GoTo Admits: Customer Cloud Backups Stolen Together with Decryption Key
-State-Linked Hackers in Russia and Iran are Targeting UK Groups, NCSC Warns
-3.7 Million Customers’ Data of Hilton Hotels Put Up For Sale
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Supply Chain Attacks Caused More Data Compromises Than Malware
According to the Identity Theft Resource Center, data compromises steadily increased in the second half of 2022 and cyber attacks remained the primary source of data breaches.
The number of data breaches resulting from supply chain attacks exceeded malware related compromises in 2022 by 40%. According to the report, more than 10 million people were impacted by supply chain attacks targeting 1,743 entities. By comparison, 70 malware-based cyber attacks affected 4.3 million people.
https://www.helpnetsecurity.com/2023/01/26/data-compromises-2022/
What Makes Small and Medium-Sized Businesses Vulnerable to BEC Attacks
According to the United States’ FBI’s 2021 Internet Crime Report, business email compromise (BEC) accounted for almost a third of the country’s $6.9 billion in cyber losses that year – around $2.4 billion. In surprisingly sharp contrast, ransomware attacks accounted for only $50 million of those losses.
Small and medium-sized businesses (SMBs) are especially vulnerable to this form of attack and BEC’s contribution to annual cyber losses not only makes sense but is also likely underreported.
In stark contrast to highly disruptive ransomware attacks, BEC is subversive and is neither technically complicated nor expensive to deploy. In the case of large organisations, the financial fallout of BEC is almost negligible. That’s not the case for small and medium-sized businesses, which often lack the means to absorb similar financial losses.
BEC’s simplicity gives more credence for attackers to target smaller organisations, and because of that, it’s doubly essential for SMBs to be vigilant.
Understanding Your Attack Surface Makes It Easier to Prioritise Technologies and Systems
It has been observed that attackers will attempt to start exploiting vulnerabilities within the first fifteen minutes of their disclosure. As the time to patch gets shorter, organisations need to be more pragmatic when it comes to remediating vulnerabilities, particularly when it comes to prioritisation.
Attack surfaces constantly evolve and change as new applications are developed, old systems are decommissioned, and new assets are registered. Also, more and more organisations are moving towards cloud-hosted infrastructure, which changes the risk and responsibility for securing those assets. Therefore, it is essential to carry out continuous or regular assessments to understand what systems are at risk, instead of just taking a point-in-time snapshot of how the attack surface looks at that moment.
The first step would be to map “traditional” asset types – those easily associated with an organisation and easy to monitor, such as domains and IP addresses. Ownership of these assets can be easily identified through available information (e.g., WHOIS data). The less traditional asset types (such as GitHub repositories) aren’t directly owned by the organisation but can also provide high-value targets or information for attackers.
It’s also important to understand which technologies are in use to make sound judgements based on the vulnerabilities relevant to the organisation. For example, out of one hundred vulnerabilities released within one month only 20% might affect the organisation’s technologies.
Once organisations have a good understanding of which assets might be at risk, context and prioritisation can be applied to the vulnerabilities affecting those assets. Threat intelligence can be utilised to determine which vulnerabilities are already being exploited in the wild.
What is then the correct answer for this conundrum? The answer is that there is no answer! Instead, organisations should consider a mindset shift and look towards preventing issues whilst adopting a defence-in-depth approach; focus on minimising impact and risk by prioritising assets that matter the most and reducing time spent on addressing those that don’t. This can be achieved by understanding your organisation’s attack surface and prioritising issues based on context and relevance.
https://www.helpnetsecurity.com/2023/01/24/understanding-your-attack-surface/
Cyber Security Pros Sound Alarm Over Insider Threats
Gurucul, a security information and event management (SIEM) solution provider, and Cyber security Insiders, a 600,000-plus member online community for information security professionals, found in their annual 2023 Insider Threat Report that only 3% of respondents surveyed are not concerned with insider risk.
Among all potential insiders, cyber security professionals are most concerned about IT users and admins with far-reaching access privileges (60%). This is followed by third-party contractors (such as MSPs and MSSPs) and service providers (57%), regular employees (55%), and privileged business users (53%).
The research also found that more than half of organisations in the study had been victimised by an insider threat in the past year. According to the data, 75% of the respondents believe they are moderately to extremely vulnerable to insider threats, an 8% spike from last year. That coincided with a similar percentage who said attacks have become more frequent, with 60% experiencing at least one attack and 25% getting hit by more than six attacks.
Ransomware Attack Hit KFC and Pizza Hut Stores in the UK
Nearly 300 fast food restaurants, including branches of KFC and Pizza Hut, were forced to close following a ransomware attack against parent company Yum! Brands. In a statement dated 18 January 2023, Yum! confirmed that unnamed ransomware had impacted some of its IT infrastructure, and that data had been exfiltrated by hackers from its servers. However, although an investigation into the security breach continues, the company said that it had seen no evidence that customer details had been exposed.
What has not yet been made public, and may not even be known to those investigating the breach, is how long hackers might have had access to the company's IT infrastructure, and how they might have been able to gain access to what should have been a secure system. Yum! has also not shared whether it has received a ransom demand from its attackers, and if it did how much ransom was demanded, and whether it would be prepared to negotiate with its extortionists.
Forthcoming SEC Rules Will Trigger ‘Tectonic Shift’ in How Corporate Boards Treat Cyber Security
Under rules first proposed in 2022 but expected to be finalised as soon as April 2023, publicly traded companies in the US that determine a cyber incident has become “material”, meaning it could have a significant impact on the business, must disclose details to the SEC and investors within four business days. That requirement would also apply “when a series of previously undisclosed, individually immaterial cyber security incidents has become material in the aggregate.
The SEC’s rules will also require the boards of those companies to disclose significant information on their security governance, such as how and when it exercises oversight on cyber risks. That info includes identifying who on the board (or which subcommittee) is responsible for cyber security and their relevant expertise. Required disclosures will also include how often and by which processes board members are informed and discuss cyber risk. The former cyber adviser to the SEC commented that “The problem we have with the current cyber security ecosystem is that it’s very focused on technical mitigation measures and does not contemplate these business, operational, [or] financial factors.”
Whilst this only impacts US firms, we can expect other jurisdictions to follow suit.
Why CISOs Make Great Board Members
Cyber security-related risk is a top concern, so boards need to know they have the proper oversight in place. The past three years created a perfect storm situation with lasting consequences for how we think about cyber security, and as a result cyber security technologies and teams have shifted from being viewed as a cost centre to a business enabler.
Gartner predicts that by 2025, 40% of companies will have a dedicated cyber security committee. Who is better suited than a CISO to lead that conversation? Cyber security-related risk is a top concern, so boards need to know they have the proper oversight in place. CISOs can provide advice on moving forward with digital change initiatives and help companies prepare for the future. They can explain the organisation’s risk posture, including exposure related to geopolitical conflict as well as to new business initiatives and emerging threats, and what can be done to mitigate risk.
Lastly, the role of the CISO has evolved from being a risk metrics presenter to a translator of risk to the business. Therefore, the expertise CISOs have developed in recent years in how to explain risk to the board makes them valuable contributors to these conversations. They can elevate the discussion to ensure deep understanding of the trade-offs between growth and risk, enable more informed decision-making, and serve as guardrails for total business alignment.
https://www.securityweek.com/why-cisos-make-great-board-members/
View From Davos: The Changing Economics of Cyber Crime
Cyber crime is a risk created by humans, driven by the economic conditions of high profit and easy opportunity. Ransomware is the most recent monetisation of these motives and opportunities, and it has evolved from simple malware to advanced exploits and double or triple extortion models.
The motive for cyber crime is clear: to steal money, but the digital nature of cyber crime makes the opportunity uniquely attractive, due to the following:
· Cryptocurrency makes online extortion, trading illicit goods and services, and laundering fraudulent funds highly anonymous and usually beyond the reach of financial regulators or inspection
· There isn't enough fear of getting caught for cyber crime.
· With the explosion in spending on digital transformation, data is the new gold and it is incredibly easy to steal, due to lapses in basic hygiene like encrypting data-at-rest and in-transit or limiting access to only authorised users.
· Paying extortion through extensive cyber insurance policies only feeds the ransomware epidemic by incentivising further crime, as noted by the FBI.
Fighting cyber crime is a team sport, and to succeed, we must adopt this framework of cyber resilience that integrates the technical, policy, behavioural, and economic elements necessary to manage the reality of ever-growing cyber crime as a predictable and manageable cyber risk.
https://www.darkreading.com/edge-articles/view-from-davos-the-changing-economics-of-cybercrime
Cloud Based Networks Under Increasing Attack, Report Finds
As enterprises around the world continue to move to the cloud, cyber criminals are following right behind them. There was a 48 percent year-over-year jump in 2022 in cyber attacks on cloud-based networks, and it comes at a time when 98 percent of global organisations use cloud services, according to Check Point. The increases in cyber attacks were experienced in various regions, including Asia (with a 60 percent jump), Europe (50 percent), and North America (28 percent) according to a report by Checkpoint last week.
Check Point explained that "The rise in attacks on the cloud was driven both by an overall increase in cyber attacks globally (38 percent overall in 2022, compared to 48 percent in the cloud) and also by the fact that it holds much more data and incorporates infrastructure and services from large amounts of potential victims, so when exploited the attacks could have a larger impact,". Later, Checkpoint highlighted that human error is a significant factor in the vulnerability of cloud-based networks.
The report highlighted the need for defence capabilities in the cloud to improve. According to Check Point, this means adopting zero-trust cloud network security controls, incorporating security and compliance earlier in the development lifecycle, avoiding misconfigurations, and using tools such as an intrusion detection and prevention systems and next-generation web application firewalls. As commented by Check Point “it is still up to the network and security admins to make sure all their infrastructure is not vulnerable.
https://www.theregister.com/2023/01/20/cloud_networks_under_attack/
GoTo Admits: Customer Cloud Backups Stolen Together with Decryption Key
On 2022-11-30, GoTo informed customers that it had suffered “a security incident”, summarising the situation as follows:
“Based on the investigation to date, we have detected unusual activity within our development environment and third-party cloud storage service. The third-party cloud storage service is currently shared by both GoTo and its affiliate, LastPass.”
Two months later, GoTo has come back with an update, and the news isn’t great:
“[A] threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere. We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.”
The company also noted that although MFA settings for some Rescue and GoToMyPC customers were stolen, their encrypted databases were not.
State-Linked Hackers in Russia and Iran are Targeting UK Groups, NCSC Warns
Russian and Iranian state-linked hackers are increasingly targeting British politicians, journalists and researchers with sophisticated campaigns aimed at gaining access to a person’s email, Britain’s online security agency warned on Thursday. The National Cyber Security Centre (NCSC) issued an alert about two groups from Russia and Iran, warning those in government, defence, thinktanks and the media against clicking on malicious links from people posing as conference hosts, journalists or even colleagues.
Both groups have been active for some years, but it is understood they have recently stepped up their activities in the UK as the war in Ukraine continues, as well as operating in the US and other NATO countries.
The hackers typically seek to gain confidence of a target by impersonating somebody likely to make contact with them, such as by falsely impersonating a journalist, and ultimately luring them to click on a malicious link, sometimes over the course of several emails and other online interactions.
NCSC encourages people to use strong email passwords. One technique is to use three random words, and not replicate it as a login credential on other websites. It recommends people use two-factor authentication, using a mobile phone as part of the log on process, ideally by using a special authenticator app.
The cyber agency also advises people exercise particular caution when receiving plausible sounding messages from strangers who rely on Gmail, Yahoo, Outlook or other webmail accounts, sometimes impersonating “known contacts” of the target culled from social media.
3.7 Million Customers’ Data of Hilton Hotels Put Up For Sale
A member of a hacker forum going by the name IntelBroker, has offered a database allegedly containing the personal information of 3.7 million people participating in the Hilton Hotels Honors program. According to the actor, the data in question includes personally identifying information such as name, address and Honors IDs. According to the Hilton Hotel, no guest login credentials, contacts, or financial information have been leaked.
https://informationsecuritybuzz.com/3-7-millions-customers-data-hilton-hotel-up-for-sale/
Threats
Ransomware, Extortion and Destructive Attacks
Rebranded Ransomware Crews Spike Number of Hijacking Incidents in Q4 2022 - MSSP Alert
The Unrelenting Menace of the LockBit Ransomware Gang | WIRED
Ransomware access brokers use Google ads to breach your network (bleepingcomputer.com)
FBI hacked into Hive ransomware gang, disrupted operations | TechTarget
Ransomware victims are refusing to pay, tanking attackers’ profits | Ars Technica
Vice Society Ransomware Group Targets Manufacturing Companies (trendmicro.com)
New Mimic ransomware abuses ‘Everything’ Windows search tool (bleepingcomputer.com)
Contractor error led to Baltimore schools ransomware attack | TechTarget
LAUSD says Vice Society ransomware gang stole contractors’ SSNs (bleepingcomputer.com)
Riot Games receives ransom demand from hackers, refuses to pay (bleepingcomputer.com)
Phishing & Email Based Attacks
State-linked hackers in Russia and Iran are targeting UK groups, NCSC warns | Hacking | The Guardian
ChatGPT is a bigger threat to cyber security than most realize - Help Net Security
Yahoo Most Faked Brand Name in Phishing Attempts by Threat Actors in Q4 2022 - MSSP Alert
SEABORGIUM and TA453 continue their respective... - NCSC.GOV.UK
Bitwarden password vaults targeted in Google ads phishing attack (bleepingcomputer.com)
New 'Blank Image' attack hides phishing scripts in SVG files (bleepingcomputer.com)
Hackers now use Microsoft OneNote attachments to spread malware (bleepingcomputer.com)
BEC – Business Email Compromise
Other Social Engineering; Smishing, Vishing, etc
Malware
BlackBerry: Threat Actors Launch A Unique Malware Sample Every Minute - MSSP Alert
Consumers Face Greater Risks from Malware but Many are Unprepared and Vulnerable - MSSP Alert
New 'Blank Image' attack hides phishing scripts in SVG files (bleepingcomputer.com)
ChatGPT Could Create Polymorphic Malware Wave, Researchers Warn (darkreading.com)
Hackers now use Microsoft OneNote attachments to spread malware (bleepingcomputer.com)
ChatGPT Can Write Polymorphic Malware to Infect Your Computer (gizmodo.com)
Microsoft plans to kill malware delivery via Excel XLL add-ins (bleepingcomputer.com)
Hackers use Golang source code interpreter to evade detection (bleepingcomputer.com)
Emotet Malware Makes a Comeback with New Evasion Techniques (thehackernews.com)
'DragonSpark' Malware: East Asian Cyber Attackers Create an OSS Frankenstein (darkreading.com)
Malware exploited critical Realtek SDK bug in millions of attacks (bleepingcomputer.com)
Mobile
Massive Ad Fraud Scheme Targeted Over 11 Million Devices with 1,700 Spoofed Apps (thehackernews.com)
New 'Hook' Android malware lets hackers remotely control your phone (bleepingcomputer.com)
Pair of Galaxy App Store Bugs Offer Cyber Attackers Mobile Device Access (darkreading.com)
Google to phase out legacy apps with Android 14 to improve security - GSMArena.com news
Botnets
Denial of Service/DoS/DDOS
Why a hybrid approach can help mitigate DDoS attacks | SC Media
Russia’s largest ISP says 2022 broke all DDoS attack records (bleepingcomputer.com)
Internet of Things – IoT
Nice smart device – how long does it get software updates? • The Register
Why British homes are at risk from ‘Trojan Horse’ smart devices (telegraph.co.uk)
Why most IoT cyber security strategies give zero hope for zero trust - Help Net Security
Data Breaches/Leaks
Companies impacted by Mailchimp breach warn their customers - Security Affairs
LastPass owner GoTo says hackers stole customers’ backups | TechCrunch
GoTo warns customers of crypto key and backup heist • The Register
3.7 Million Customers Data Of Hilton Hotels Put Up For Sale (informationsecuritybuzz.com)
QUT confirms personal data of thousands of staff compromised in cyber attack - ABC News
Riot Games hacked, now it faces problems to release content - Security Affairs
ICE releases asylum seekers after exposing their data • The Register
Hacker Gets Hands on No-Fly List of Alleged Terrorist Suspects (gizmodo.com)
Risk & Repeat: Breaking down the LastPass breach | TechTarget
T-Mobile Cyber Attack Spurs Law Firm Investigation - MSSP Alert
Risk & Repeat: Another T-Mobile data breach disclosed | TechTarget
Entire US "No Fly List" Exposed Online Via Unsecured Server (informationsecuritybuzz.com)
Near-Record Year for US Data Breaches in 2022 - Infosecurity Magazine (infosecurity-magazine.com)
Zacks data breach impacted hundreds of thousands of customers - Security Affairs
French rugby club Stade Français leaks source code - Security Affairs
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Inside the crypto ‘prisons’ scamming Britons out of their life savings (telegraph.co.uk)
Hackers Take Over Robinhood Twitter Account To Promote Scam - Decrypt
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Inside the crypto ‘prisons’ scamming Britons out of their life savings (telegraph.co.uk)
P-to-P fraud most concerning cyber threat in 2023: CSI | CSO Online
Hackers Take Over Robinhood Twitter Account To Promote Scam - Decrypt
Insurance
4 tips to find cyber insurance coverage in 2023 | TechTarget
Insurers in talks on adding state-backed cyber to UK reinsurance scheme | Financial Times (ft.com)
Cyber Security Posture & Insurance Outlook with Advisen (trendmicro.com)
Dark Web
Software Supply Chain
Cloud/SaaS
Report: Cloud-based networks under growing attack • The Register
Chinese 8220 Gang Aims For Public Clouds And Vulnerable Apps (informationsecuritybuzz.com)
Microsoft Azure-Based Kerberos Attacks Crack Open Cloud Accounts (darkreading.com)
Attack Surface Management
Encryption
API
Passwords, Credential Stuffing & Brute Force Attacks
Bitwarden password vaults targeted in Google ads phishing attack (bleepingcomputer.com)
Bitwarden responds to encryption design flaw criticism | The Daily Swig (portswigger.net)
Social Media
Malvertising
Massive Ad Fraud Scheme Targeted Over 11 Million Devices with 1,700 Spoofed Apps (thehackernews.com)
Google Ads invites being abused to push spam, adult sites (bleepingcomputer.com)
Ransomware access brokers use Google ads to breach your network (bleepingcomputer.com)
Over 4,500 WordPress Sites Hacked to Redirect Visitors to Sketchy Ad Pages (thehackernews.com)
Training, Education and Awareness
Regulations, Fines and Legislation
Governance, Risk and Compliance
View from Davos: The Changing Economics of Cyber Crime (darkreading.com)
Awareness Training Must Change | CSA (cloudsecurityalliance.org)
Despite Slowing Economy, Demand for Cyber Security Workers Remains Strong (darkreading.com)
Organisations Must Brace for Privacy Impacts This Year (darkreading.com)
Data Protection
Ireland’s data protection watchdog fines WhatsApp €5.5m • The Register
ICO Offers Data Protection Advice to SMBs - Infosecurity Magazine (infosecurity-magazine.com)
Careers, Working in Cyber and Information Security
Despite Slowing Economy, Demand for Cyber Security Workers Remains Strong (darkreading.com)
Can't Fill Open Positions? Rewrite Your Minimum Requirements (darkreading.com)
Veterans bring high-value, real-life experience as potential cyber security employees | CSO Online
Dozens of Cyber Security Companies Announced Layoffs in Past Year - SecurityWeek
Law Enforcement Action and Take Downs
FBI hacked into Hive ransomware gang, disrupted operations | TechTarget
Dutchman Detained for Dealing Details of Tens of Millions of People (darkreading.com)
Dutch suspect locked up for alleged personal data megathefts – Naked Security (sophos.com)
Privacy, Surveillance and Mass Monitoring
Organisations Must Brace for Privacy Impacts This Year (darkreading.com)
Scientists use Wi-Fi routers to see humans through walls | ZDNET
Most consumers would share anonymised personal data to improve AI products - Help Net Security
Artificial Intelligence
ChatGPT is a bigger threat to cyber security than most realize - Help Net Security
Learning to Lie: AI Tools Adept at Creating Disinformation - SecurityWeek
FBI Chief Says He's 'Deeply concerned' by China's AI Program | SecurityWeek.Com
ChatGPT Can Write Polymorphic Malware to Infect Your Computer (gizmodo.com)
Chat Cyber Security: AI Promises a Lot, but Can It Deliver? (darkreading.com)
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
State-linked hackers in Russia and Iran are targeting UK groups, NCSC warns | Hacking | The Guardian
UK authorities warn of phishing from Iran, Russia • The Register
Armis State of Cyberwarfare and Trends Report - IT Security Guru
SEABORGIUM and TA453 continue their respective... - NCSC.GOV.UK
Gamaredon Group Launches Cyber Attacks Against Ukraine Using Telegram (thehackernews.com)
Chinese 8220 Gang Aims For Public Clouds And Vulnerable Apps (informationsecuritybuzz.com)
FBI Chief Says He's 'Deeply concerned' by China's AI Program | SecurityWeek.Com
“Pegasus” lifts the lid on a sophisticated piece of spyware | The Economist
North Korea-linked TA444 turns to credential harvesting activity - Security Affairs
Nation State Actors
Nation State Actors – Russia
State-linked hackers in Russia and Iran are targeting UK groups, NCSC warns | Hacking | The Guardian
UK authorities warn of phishing from Iran, Russia • The Register
SEABORGIUM and TA453 continue their respective... - NCSC.GOV.UK
Gamaredon Group Launches Cyber Attacks Against Ukraine Using Telegram (thehackernews.com)
Russia’s largest ISP says 2022 broke all DDoS attack records (bleepingcomputer.com)
Nation State Actors – China
Chinese 8220 Gang Aims For Public Clouds And Vulnerable Apps (informationsecuritybuzz.com)
FBI Chief Says He's 'Deeply concerned' by China's AI Program | SecurityWeek.Com
Nation State Actors – North Korea
Nation State Actors – Iran
Vulnerability Management
Extent of reported CVEs overwhelms critical infrastructure asset owners - Help Net Security
Log4j Vulnerabilities Are Here to Stay — Are You Prepared? (darkreading.com)
Trained developers get rid of more vulnerabilities than code scanning tools - Help Net Security
New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch - SecurityWeek
Halo Security unveils KEV feature to improve attack surface visibility - Help Net Security
Vulnerabilities
Crims can still exploit this NSA-discovered Microsoft bug • The Register
75k WordPress sites impacted by critical online course plugin flaws (bleepingcomputer.com)
Log4j Vulnerabilities Are Here to Stay — Are You Prepared? (darkreading.com)
Chrome 109 update addresses six security vulnerabilities - Security Affairs
Microsoft urges admins to patch on-premises Exchange servers (bleepingcomputer.com)
Drupal Patches Vulnerabilities Leading to Information Disclosure | SecurityWeek.Com
Critical Vulnerabilities Patched in OpenText Enterprise Content Management System | SecurityWeek.Com
Around 19,500 end-of-life Cisco routers exposed to hack - Security Affairs
In-the-Wild Exploitation of Recent ManageEngine Vulnerability Commences | SecurityWeek.Com
Apple patches are out – old iPhones get an old zero-day fix at last! – Naked Security (sophos.com)
Apple Patches WebKit Code Execution in iPhones, MacBooks - SecurityWeek
Crooks are already exploiting this bug in old iPhones • The Register
Logfile nightmare deepens thanks to critical VMware flaws • The Register
Malware exploited critical Realtek SDK bug in millions of attacks (bleepingcomputer.com)
Realtek SDK flaw CVE-2021-35394 actively exploited in the wild- Security Affairs
Lexmark warns of RCE bug affecting 100 printer models, PoC released (bleepingcomputer.com)
Crims can still exploit this NSA-discovered Microsoft bug • The Register
Tools and Controls
Is Once-Yearly Pen Testing Enough for Your Organisation? (thehackernews.com)
LastPass owner GoTo says hackers stole customers’ backups | TechCrunch
Bitwarden password vaults targeted in Google ads phishing attack (bleepingcomputer.com)
Bitwarden responds to encryption design flaw criticism | The Daily Swig (portswigger.net)
Companies Struggle With Zero Trust as Attackers Adapt to Get Around It (darkreading.com)
Federal Agencies Infested by Cyber Attackers via Legit Remote Management Systems (darkreading.com)
Why a hybrid approach can help mitigate DDoS attacks | SC Media
Steps To Planning And Implementation Of Endpoint Protection (informationsecuritybuzz.com)
Other News
Hackers can make computers destroy their own chips with electricity | New Scientist
Scientists use Wi-Fi routers to see humans through walls | ZDNET
Microsoft 365 outage takes down Teams, Exchange Online, Outlook (bleepingcomputer.com)
Lessons Learned from the Windows Remote Desktop Honeypot Report (bleepingcomputer.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 20 January 2023
Black Arrow Cyber Threat Briefing 20 January 2023:
-Experts at Davos 2023 Call for a Global Response to the Gathering 'Cyber Storm'
-Cost of Data Breaches to Global Businesses at Five-Year High
-European Data Protection Authorities Issue Record €2.92 Billion In GDPR Fines, an Increase of 168%
-PayPal Accounts Breached in Large-Scale Credential Stuffing Attack
-Royal Mail Boss to Face MPs’ Questions Over Russian Ransomware Attack
-Third-Party Risk Management: Why 2023 Could be the Perfect Time to Overhaul your TPRM Program
-EU Cyber Resilience Regulation Could Translate into Millions in Fines
-Russian Hackers Try to Bypass ChatGPT's Restrictions for Malicious Purposes
-New Report Reveals CISOs Rising Influence
-ChatGPT and its Perilous Use as a "Force Multiplier" for Cyber Attacks
-Mailchimp Discloses a New Security Breach, the Second One in 6 Months
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Experts at Davos 2023 Call for a Global Response to the Gathering 'Cyber Storm'
As economic and geopolitical instability spills into the new year, experts predict that 2023 will be a consequential year for cyber security. The developments, they say, will include an expanded threat landscape and increasingly sophisticated cyber attacks.
"There's a gathering cyber storm," Sadie Creese, a Professor of Cyber Security at the University of Oxford, said during an interview at the World Economic Forum’s Annual Meeting 2023 in Davos, Switzerland. "This storm is brewing, and it's really hard to anticipate just how bad that will be."
Already, cyber attacks such as phishing, ransomware and distributed denial-of-service (DDoS) attacks are on the rise. Cloudflare, a major US cyber security firm that provides protection services for over 30% of Fortune 500 companies, found that DDoS attacks—which entail overwhelming a server with a flood of traffic to disrupt a network or webpage—increased last year by 79% year-over-year.
"There's been an enormous amount of insecurity around the world," Matthew Prince, the CEO of Cloudflare, stated during the Annual Meeting. "I think 2023 is going to be a busy year in terms of cyber attacks."
https://www.weforum.org/agenda/2023/01/cybersecurity-storm-2023-experts-davos23/
Cost of Data Breaches to Global Businesses at Five-Year High
Research from business insurer Hiscox shows that the cost of dealing with cyber events for businesses has more than tripled since 2018. The study, which collated data from the organisation’s previous five annual Cyber Readiness reports, has revealed that:
Since 2018 the median IT budgets for cyber security more than tripled.
Between 2020 and 2022 cyber-attacks increased by over a quarter.
Businesses are increasing their cyber security budgets year-on-year.
In the Hiscox 2022 Cyber Readiness report, the financial toll of cyber incidents, including data breaches, was estimated to be $16,950 (£15,265) on average. As the cost of cyber crime grew, so did organisations’ cyber security budgets – average spending on cyber security tripled from 2018 to 2022, rocketing from $1,470,196 (£1,323,973) to $5,235,162 (£4,714,482).
Hiscox has also revealed that half of all companies surveyed suffered at least one cyber attack in 2022, up 11% from 2020. Financial Services, as well as Technology, Media and Telecom (TMT) sectors even reported a minimum of one attack for three consecutive years. Financial Services firms, however, seemed to be hit the hardest, with 66% reporting being impacted by cyber attacks in 2021-2022.
Cyber risk has risen to the same strategic level as traditional financial and operational risks, thanks to a growing realisation by businesses that the impact can be just as severe.
European Data Protection Authorities Issue Record €2.92 Billion in GDPR Fines, an Increase of 168%
European data regulators issued a record €2.92 billion in fines last year, a 168% increase from 2021. That’s according to the latest GDPR and Data Breach survey from international law firm DLA Piper, which covers all 27 Member States of the European Union, plus the UK, Norway, Iceland, and Liechtenstein. This year’s biggest fine of €405 million was imposed by the Irish Data Protection Commissioner (DPC) against Meta Platforms Ireland Limited relating to Instagram for alleged failures to protect children’s personal data. The Irish DPC also fined Meta €265 million for failing to comply with the GDPR obligation for Data Protection by Design and Default. Both fines are currently under appeal.
Despite the overall increase in fines since January 28, 2022, the fine of €746 million that Luxembourg authorities levied against Amazon last year remains the biggest to be issued by an EU-based data regulator to date (though the retail giant is still believed to be appealing).
The report also revealed a notable increase in focus by supervisory authorities on the use of artificial intelligence (AI), while the volume of data breaches reported to regulators decreased slightly against the previous year’s total.
PayPal Accounts Breached in Large-Scale Credential Stuffing Attack
PayPal is sending out data breach notifications to thousands of users who had their accounts accessed through credential stuffing attacks that exposed some personal data.
Credential stuffing are attacks where hackers attempt to access an account by trying out username and password pairs sourced from data leaks on various websites. This type of attack relies on an automated approach with bots running lists of credentials to "stuff" into login portals for various services. Credential stuffing targets users that employ the same password for multiple online accounts, which is known as "password recycling."
PayPal explains that the credential stuffing attack occurred between December 6 and December 8, 2022. The company detected and mitigated it at the time but also started an internal investigation to find out how the hackers obtained access to the accounts. By December 20, 2022, PayPal concluded its investigation, confirming that unauthorised third parties logged into the accounts with valid credentials. The electronic payments platform claims that this was not due to a breach on its systems and has no evidence that the user credentials were obtained directly from them.
According to the data breach reporting from PayPal, 34,942 of its users have been impacted by the incident. During the two days, hackers had access to account holders' full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers. Transaction histories, connected credit or debit card details, and PayPal invoicing data are also accessible on PayPal accounts.
Royal Mail Boss to Face MPs’ Questions Over Russian Ransomware Attack
Royal Mail’s chief executive faced questions from MPs last week over the Russia-linked ransomware attack that caused international deliveries to grind to a halt.
Simon Thompson, chief executive of Royal Mail, was asked about the recent cyber attack when he appeared before the Commons Business Select Committee to discuss Royal Mail’s response to the cyber attack at the evidence session on Tuesday Jan 17.
A Royal Mail spokesman said: “Royal Mail has been subject to a cyber incident that is affecting our international export service. We are focused on restoring this service as soon as we are able.”
Royal Mail was forced to suspend all outbound international post after machines used for printing customs dockets were disabled by the Russia-linked Lockbit cyber crime gang. Lockbit’s attackers used ransomware, malicious software that scrambles vital computer files before the gang demands payment to unlock them again. The software also took over printers at Royal Mail’s international sorting offices and caused ransom notes to “spout” from them, according to reports.
Cyber security industry sources cautioned that while Lockbit is known to be Russian in origin, it is not known whether a stolen copy of the gang’s signature ransomware had been deployed by rival hackers.
Third-Party Risk Management: Why 2023 Could be the Perfect Time to Overhaul your TPRM Program
Ensuring risk caused by third parties does not occur to your organisation is becoming increasingly difficult. Every business outsources some aspects of its operations, and ensuring these external entities are a strength and not a weakness isn’t always a straightforward process.
In the coming years we’ll see organisations dedicate more time and resources to developing detailed standards and assessments for potential third-party vendors. Not only will this help to mitigate risk within their supply chain network, it will also provide better security.
As demand for third-party risk management (TPRM) grows, there are key reasons why we believe 2023 could be pivotal for the future of your organisation’s TPRM program, cyber risk being principal amongst them.
Forrester predicted that 60% of security incidents in 2022 would stem from third parties. In 2021 there was a 300% increase in supply chain attacks, a trend that has continued to increase over the past 12 months also. For example, Japanese car manufacturer Toyota was forced to completely shut down its operations due to a security breach with a third-party plastics supplier.
It’s not only the frequency of third-party attacks that has increased, but also the methods that cyber criminals are using are becoming increasingly sophisticated. For example, the SolarWinds cyber breach in 2020 was so advanced that Microsoft estimated it took over a thousand engineers to stop the impact of the attack.
As the sophistication and frequency of supply chain attacks increases, the impact they have on businesses reputations and valuations is also becoming apparent. There is a need for organisations to conduct thorough due diligence of the third parties they choose to work with, otherwise the consequences could be disastrous.
Remember always that cyber security should be a non-negotiable feature of all business transactions.
EU Cyber Resilience Regulation Could Translate into Millions in Fines
The EU Commission’s Cyber Resilience Act (CRA) is intended to close the digital fragmentation problem surrounding devices and systems with network connections – from printers and routers to smart household appliances and industrial control systems. Industrial networks and critical infrastructures require special protection.
According to the European Union, there is currently a ransomware attack every eleven seconds. In the last few weeks alone, among others, a leading German children’s food manufacturer and a global Tier1 automotive supplier headquartered in Germany were hit, with the latter becoming the victim of a massive ransomware attack. Such an attack even led to insolvency at the German manufacturer Prophete in January 2023. To press manufacturers, distributors and importers into action, they face significant penalties if security vulnerabilities in devices are discovered and not properly reported and closed.
“The pressure on the industry – manufacturers, distributors and importers – is growing immensely. The EU will implement this regulation without compromise, even though there are still some work packages to be done, for example regarding local country authorities,” says Jan Wendenburg, CEO, ONEKEY.
The financial fines for affected manufacturers and distributors are therefore severe: up to 15 million euros or 2.5 percent of global annual revenues in the past fiscal year – the larger number counts. “This makes it absolutely clear: there will be substantial penalties on manufacturers if the requirements are not implemented,” Wendenburg continues.
Manufacturers, distributors and importers are required to notify ENISA – the European Union’s cyber security agency – within 24 hours if a security vulnerability in one of their products is exploited. Exceeding the notification deadlines is already subject to sanctions.
https://www.helpnetsecurity.com/2023/01/19/eu-cyber-resilience-regulation-fines/
Russian Hackers Try to Bypass ChatGPT's Restrictions for Malicious Purposes
Russian cyber-criminals have been observed on dark web forums trying to bypass OpenAI’s API restrictions to gain access to the ChatGPT chatbot for nefarious purposes.
Various individuals have been observed, for instance, discussing how to use stolen payment cards to pay for upgraded users on OpenAI (thus circumventing the limitations of free accounts). Others have created blog posts on how to bypass the geo controls of OpenAI, and others still have created tutorials explaining how to use semi-legal online SMS services to register to ChatGPT.
“Generally, there are a lot of tutorials in Russian semi-legal online SMS services on how to use it to register to ChatGPT, and we have examples that it is already being used,” wrote Check Point Research (CPR). “It is not extremely difficult to bypass OpenAI’s restricting measures for specific countries to access ChatGPT,” said Check Point. “Right now, we are seeing Russian hackers already discussing and checking how to get past the geofencing to use ChatGPT for their malicious purposes.”
They added that they believe these hackers are most likely trying to implement and test ChatGPT in their day-to-day criminal operations. “Cyber-criminals are growing more and more interested in ChatGPT because the AI technology behind it can make a hacker more cost-efficient,” they explained.
Case in point, just last week, Check Point Research published a separate advisory highlighting how threat actors had already created malicious tools using ChatGPT. These included infostealers, multi-layer encryption tools and dark web marketplace scripts.
More generally, the cyber security firm is not the only one believing ChatGPT could democratise cyber crime, with various experts warning that the AI bot could be used by potential cyber-criminals to teach them how to create attacks and even write ransomware.
https://www.infosecurity-magazine.com/news/russian-hackers-to-bypass-chatgpt/
New Report Reveals CISOs Rising Influence
Cyber security firm Coalfire this week unveiled its second annual State of CISO Influence report, which explores the expanding influence of Chief Information Security Officers (CISOs) and other security leaders.
The report revealed that the CISO role is maturing quickly, and the position is experiencing more equity in the boardroom. In the last year alone, there was a 10-point uptick in CISOs doing monthly reporting to the board. These positive outcomes likely stem from the increasingly metrics-driven reporting CISOs provide, where data is more effectively leveraged to connect security outcomes to business objectives.
An especially promising development in this year's report is how security teams are being looped into corporate projects. Of the security leaders surveyed, 78% say they are consulted early in project development when business objectives are first identified, and two-thirds are now making presentations to the highest levels of enterprise authority. 56% of CISOs present security metrics to their CEOs, up from 43% in 2021.
Cloud migration was universally identified as one of those top business objectives. The move to the cloud saddles CISOs with many challenges. The top priorities listed by CISOs include dealing with an expanding attack surface, staffing, and new compliance requirements — all within constrained budgets. In fact, 43% of security leaders said their budgets remained static or were reduced following business migration to the cloud.
Given these challenges, leading CISOs are transforming their approaches. To address multiple cloud compliance requirements, security leaders are focusing on the most onerous set of rules and creating separate environments for different requirements. Risk assessments were identified as the key tool used to secure funding for these and other cyber initiatives and to set top priorities.
"Costs and risks are up, while at the same time, cyber budgets are trending flat or down," said Colefire. "Cyber security has historically been lower in priority for organisations, but we are witnessing a big shift in enterprise cyber expectations. CISOs are rising to meet those expectations, speaking to the business, and as a result, solidifying their role in the C-suite."
https://www.darkreading.com/threat-intelligence/new-coalfire-report-reveals-cisos-rising-influence
ChatGPT and its Perilous Use as a "Force Multiplier" for Cyber Attacks
As a form of OpenAI technology, ChatGPT has the ability to mimic natural language and human interaction with remarkable efficiency. However, from a cyber security perspective, this also means it can be used in a variety of ways to lower the bar for threat actors.
One key method is the ability for ChatGPT to draft cunning phishing emails en masse. By feeding ChatGPT with minimal information, it can create content and entire emails that will lure unsuspecting victims to provide their passwords. With the right API setup, thousands of unique, tailored, and sophisticated phishing emails can be sent almost simultaneously.
Another interesting capability of ChatGPT is the ability to write malicious code. While OpenAI has put some controls in place to prevent ChatGPT from creating malware, it is possible to convince ChatGPT to create ransomware and other forms of malware as code that can be copied and pasted into an integrated development environment (IDE) and used to compile actual malware. ChatGPT can also be used to identify vulnerabilities in code segments and reverse engineer applications.
ChatGPT will expedite a trend that is already wreaking havoc across sectors – lowering the bar for less sophisticated threat actors, enabling them to conduct attacks while evading security controls and bypassing advanced detection mechanisms. And currently, there is not much that organisations can do about it. ChatGPT represents a technological marvel that will usher in a new era, not just for the cyber security space.
https://www.calcalistech.com/ctechnews/article/sj0lfp11oi
Mailchimp Discloses a New Security Breach, the Second One in 6 Months
The popular email marketing and newsletter platform Mailchimp was hacked twice in the past six months. The news of a new security breach was confirmed by the company; the incident exposed the data of 133 customers.
Threat actors targeted the company’s employees and contractors to gain access to an internal support and account admin tool.
“On January 11, the Mailchimp Security team identified an unauthorised actor accessing one of our tools used by Mailchimp customer-facing teams for customer support and account administration. The unauthorised actor conducted a social engineering attack on Mailchimp employees and contractors, and obtained access to select Mailchimp accounts using employee credentials compromised in that attack.” reads the notice published by the company. “Based on our investigation to date, this targeted incident has been limited to 133 Mailchimp accounts.”
The malicious activity was discovered on January 11, 2023; in response to the intrusion the company temporarily suspended access for impacted accounts. The company also notified the primary contacts for all affected accounts less than 24 hours after the initial discovery.
https://securityaffairs.com/140997/data-breach/mailchimp-security-breach.html
Threats
Ransomware, Extortion and Destructive Attacks
Yum Brands says nearly 300 restaurants in UK impacted due to cyber attack | Reuters
Royal Mail boss to face MPs’ questions over Russian ransomware attack (telegraph.co.uk)
What is LockBit ransomware and how does it operate? | Royal Mail | The Guardian
How cyber-attack on Royal Mail has left firms in limbo - BBC News
Royal Mail restarts limited overseas post after cyber-attack - BBC News
How Royal Mail’s hacker became the world’s most prolific ransomware group | Financial Times (ft.com)
Ransomware Trends In Q4 2022: Key Findings And Recommendations (informationsecuritybuzz.com)
Microsoft: Cuba ransomware hacking Exchange servers via OWASSRF flaw (bleepingcomputer.com)
Microsoft retracts its report on Mac ransomware (techrepublic.com)
Ransomware Dips During 2022: Are Cyber attacks Slowing or Just a Blip? - MSSP Alert
Up to 1,000 ships affected by DNV ransomware attack - Splash247
Avast releases free BianLian ransomware decryptor (bleepingcomputer.com)
Vice Society ransomware leaks University of Duisburg-Essen’s data (bleepingcomputer.com)
Ransomware attack cuts 1,000 ships off from on-shore servers • The Register
Royal Mail promises ‘workarounds’ to restore services after ransomware attack | Computer Weekly
Cyber-crime gangs' earnings slide as victims refuse to pay - BBC News
Ransomware gang steals data from KFC, Taco Bell, and Pizza Hut brand owner (bleepingcomputer.com)
Phishing & Email Based Attacks
How AI chatbot ChatGPT changes the phishing game | CSO Online
The big risk in the most-popular, and aging, big tech email programs (cnbc.com)
Why encrypting emails isn't as simple as it sounds - Help Net Security
Fake DHL emails allow hackers to breach Microsoft 365 accounts (msn.com)
Other Social Engineering; Smishing, Vishing, etc
Techniques that attackers use to trick victims into visiting malicious content - Help Net Security
As Social Engineering Tactics Change, So Must Your Security Training (darkreading.com)
2FA/MFA
CircleCI's hack caused by malware stealing engineer's 2FA-backed session (bleepingcomputer.com)
The Importance of Multi-Factor Authentication (MFA) - MSSP Alert
Malware
New Backdoor Created Using Leaked CIA's Hive Malware Discovered in the Wild (thehackernews.com)
Experts spotted a backdoor that borrows code from CIA's Hive malware - Security Affairs
ChatGPT Creates Polymorphic Malware - Infosecurity Magazine (infosecurity-magazine.com)
Attackers Crafted Custom Malware for Fortinet Zero-Day (darkreading.com)
New Chinese Malware Spotted Exploiting Recent Fortinet Firewall Vulnerability (thehackernews.com)
Malicious ‘Lolip0p’ PyPi packages install info-stealing malware (bleepingcomputer.com)
Hackers exploit Cacti critical bug to install malware, open reverse shells (bleepingcomputer.com)
Hackers can use GitHub Codespaces to host and deliver malware (bleepingcomputer.com)
Hackers turn to Google search ads to push info-stealing malware (bleepingcomputer.com)
How to spot a cyberbot – five tips to keep your device safe (theconversation.com)
Mobile
New 'Hook' Android malware lets hackers remotely control your phone (bleepingcomputer.com)
Roaming Mantis’ Android malware adds DNS changer to hack WiFi routers (bleepingcomputer.com)
Botnets
Denial of Service/DoS/DDOS
Internet of Things – IoT
Data Breaches/Leaks
6,000+ Customer Accounts Breached, NortonLifeLock Alert Users (informationsecuritybuzz.com)
1.7 TB of data from digital intelligence firm Cellebrite leaked online - Security Affairs
LastPass faces mounting criticism over recent breach | TechTarget
Mailchimp discloses a new incident, the second one in 6 months - Security Affairs
PayPal Breach Exposed PII of Nearly 35K Accounts (darkreading.com)
T-Mobile US says hacker accessed personal data of 37 million customers • TechCrunch
Twitter says leaked emails not hacked from its systems - BBC News
Hacked! My Twitter user data is out on the dark web -- now what? | ZDNET
Twitter sued over data leak that it denied was caused by a flaw | Business
Nissan North America data breach caused by vendor-exposed database (bleepingcomputer.com)
18k Nissan Customers Affected by Data Breach at Third-Party Software Developer | SecurityWeek.Com
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Crypto exchanges freeze accounts tied to North Korea • The Register
Europol arrested cryptocurrency scammers that stole millions from victims - Security Affairs
FTX Says $415 Million Of Its Crypto Assets Was Hacked (informationsecuritybuzz.com)
Google Ads-delivered malware drains NFT influencer’s entire crypto wallet (cointelegraph.com)
Bitcoin is a ‘hyped-up fraud’, says JP Morgan chief (telegraph.co.uk)
International Arrests Over 'Criminal' Crypto Exchange | SecurityWeek.Com
Fraud, Scams & Financial Crime
Hacker stole credit cards from Canada alcohol retailer LCBO - Security Affairs
Europol arrested cryptocurrency scammers that stole millions from victims - Security Affairs
New York man defrauded thousands using credit cards sold on dark web (bleepingcomputer.com)
FTX Says $415 Million Of Its Crypto Assets Was Hacked (informationsecuritybuzz.com)
The US Has a Massive Money Transfer Surveillance Apparatus (gizmodo.com)
The threat of location spoofing and fraud - Help Net Security
HUMAN Security Stops VASTFLUX Digital Ad Fraud Operation - MSSP Alert
International Arrests Over 'Criminal' Crypto Exchange | SecurityWeek.Com
Insurance
Dark Web
New York man defrauded thousands using credit cards sold on dark web (bleepingcomputer.com)
Illegal Solaris darknet market hijacked by competitor Kraken (bleepingcomputer.com)
Supply Chain and Third Parties
Cloud/SaaS
The Dangers of Default Cloud Configurations (darkreading.com)
Report: Cloud-based networks under growing attack • The Register
Data Security in Multicloud: Limit Access, Increase Visibility (darkreading.com)
Hybrid/Remote Working
Encryption
Vulnerabilities in cryptographic libraries found through modern fuzzing - Help Net Security
teiss - Cyber Threats - Managing the treat from quantum computers
Threats Of Quantum: The Solution Lies In Quantum Cryptography (informationsecuritybuzz.com)
Why encrypting emails isn't as simple as it sounds - Help Net Security
TLS Connection Cryptographic Protocol Vulnerabilities (trendmicro.com)
Passwords, Credential Stuffing & Brute Force Attacks
Compromise of employee device, credentials led to CircleCI breach | SC Media (scmagazine.com)
PayPal accounts breached in large-scale credential stuffing attack (bleepingcomputer.com)
NortonLifeLock: threat actors breached Norton Password Manager accounts - Security Affairs
Social Media
Twitter says leaked emails not hacked from its systems - BBC News
Hacked! My Twitter user data is out on the dark web -- now what? | ZDNET
French CNIL fined Tiktok $5.4 Million for violating cookie laws - Security Affairs
Malvertising
Hackers turn to Google search ads to push info-stealing malware (bleepingcomputer.com)
Google Ads-delivered malware drains NFT influencer’s entire crypto wallet (cointelegraph.com)
HUMAN Security Stops VASTFLUX Digital Ad Fraud Operation - MSSP Alert
Training, Education and Awareness
Training, endpoint management reduce remote working cyber security risks - Help Net Security
As Social Engineering Tactics Change, So Must Your Security Training (darkreading.com)
Regulations, Fines and Legislation
GDPR Fines Surge 168% in a Year - Infosecurity Magazine (infosecurity-magazine.com)
European data protection authorities issue record €2.92 billion in GDPR fines | CSO Online
How data protection is evolving in a digital world - Help Net Security
EU cyber resilience regulation could translate into millions in fines - Help Net Security
Online safety bill: Attempt to jail tech bosses ‘could backfire’ | News | The Times
Culture secretary examines plans to punish tech bosses over online harms | Financial Times (ft.com)
French CNIL fined Tiktok $5.4 Million for violating cookie laws - Security Affairs
State legislators aren't waiting for Congress to regulate children's online privacy - CyberScoop
How Would the FTC Rule on Noncompetes Affect Data Security? (darkreading.com)
The US Has a Massive Money Transfer Surveillance Apparatus (gizmodo.com)
Governance, Risk and Compliance
Technology is a fragile machine that seems to power everything | Android Central
Training, endpoint management reduce remote working cyber security risks - Help Net Security
New Coalfire Report Reveals CISOs Rising Influence (darkreading.com)
Cost of data breaches to global businesses at five-year high- IT Security Guru
Experts at Davos 2023 sound the alarm on cyber security | World Economic Forum (weforum.org)
Why Mean Time to Repair Is Not Always A Useful Security Metric (darkreading.com)
Why are there so many cyber attacks lately? An explainer on the rising trend | Globalnews.ca
How To Build A Network Of Security Champions In Your Organisation (forbes.com)
EU cyber resilience regulation could translate into millions in fines - Help Net Security
What is Business Attack Surface Management? (trendmicro.com)
How to build a cyber-resilience culture in the enterprise | TechTarget
Why Businesses Need to Think Like Hackers This Year (darkreading.com)
How to prioritize resilience in the face of cyber-attacks | World Economic Forum (weforum.org)
Cyber-attack contributes to major Harrogate district firm posting £4.1m loss - The Stray Ferret
Data Protection
GDPR Fines Surge 168% in a Year - Infosecurity Magazine (infosecurity-magazine.com)
European data protection authorities issue record €2.92 billion in GDPR fines | CSO Online
How data protection is evolving in a digital world - Help Net Security
State legislators aren't waiting for Congress to regulate children's online privacy - CyberScoop
Careers, Working in Cyber and Information Security
New Coalfire Report Reveals CISOs Rising Influence (darkreading.com)
IT Burnout may be Putting Your Organisation at Risk (bleepingcomputer.com)
Sophos Joins List of Cyber security Companies Cutting Staff | SecurityWeek.Com
Law Enforcement Action and Take Downs
Privacy, Surveillance and Mass Monitoring
UK supermarket uses facial recognition tech to track shoppers - Coda Story
State legislators aren't waiting for Congress to regulate children's online privacy - CyberScoop
Artificial Intelligence
How AI chatbot ChatGPT changes the phishing game | CSO Online
ChatGPT and its perilous use as a "Force Multiplier" for cyber attacks | Ctech (calcalistech.com)
Potential threats and sinister implications of ChatGPT - Help Net Security
Criminals seek OpenAI guardrail bypass, use ChatGPT for evil • The Register
ChatGPT Creates Polymorphic Malware - Infosecurity Magazine (infosecurity-magazine.com)
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Putin’s Russian cyber attacks could target UK’s infrastructure | News | The Times
Industrial espionage: How China sneaks out America's technology secrets - BBC News
Ukraine blames Russia for most of over 2,000 cyber attacks in 2022 | Reuters
Beware: Tainted VPNs Being Used to Spread EyeSpy Surveillanceware (thehackernews.com)
Is Elon Musk’s Starlink winning the war for Ukraine? | World | The Sunday Times (thetimes.co.uk)
Pro-Russia Hacktivist Group NoName057(16) Strikes Again (informationsecuritybuzz.com)
Russian hacktivists NoName057 offer cash for DDoS attacks (techmonitor.ai)
Ukraine links data-wiping attack on news agency to Russian hackers (bleepingcomputer.com)
Russian hackers target Ukrainian press briefing about cyber attacks (axios.com)
Chinese hackers targeted Iranian government entities for months: Report | CSO Online
Nation State Actors
Nation State Actors – Russia
Putin’s Russian cyber attacks could target UK’s infrastructure | News | The Times
Ukraine blames Russia for most of over 2,000 cyber attacks in 2022 | Reuters
Is Elon Musk’s Starlink winning the war for Ukraine? | World | The Sunday Times (thetimes.co.uk)
Pro-Russia Hacktivist Group NoName057(16) Strikes Again (informationsecuritybuzz.com)
Russian hacktivists NoName057 offer cash for DDoS attacks (techmonitor.ai)
Ukraine links data-wiping attack on news agency to Russian hackers (bleepingcomputer.com)
Russian hackers target Ukrainian press briefing about cyber attacks (axios.com)
Russians say they can download software from Intel again • The Register
Nation State Actors – China
Industrial espionage: How China sneaks out America's technology secrets - BBC News
Attackers Crafted Custom Malware for Fortinet Zero-Day (darkreading.com)
New Chinese Malware Spotted Exploiting Recent Fortinet Firewall Vulnerability (thehackernews.com)
China wants 30 percent CAGR for its infosec industry • The Register
Chinese hackers targeted Iranian government entities for months: Report | CSO Online
Nation State Actors – North Korea
Nation State Actors – Iran
Nation State Actors – Misc
Vulnerability Management
The Top 10 Vulnerabilities of 2022: Mastering Vulnerability Management - Security Boulevard
3 Lessons Learned in Vulnerability Management (darkreading.com)
Vulnerabilities
Cisco won’t fix critical flaw in small business routers • The Register
Unpatched Zoho ManageEngine Products Under Active Cyber attack (darkreading.com)
Oracle's First Security Update for 2023 Includes 327 New Patches | SecurityWeek.Com
Why it's time to review your on-premises Microsoft Exchange patch status | CSO Online
Attackers Crafted Custom Malware for Fortinet Zero-Day (darkreading.com)
New Chinese Malware Spotted Exploiting Recent Fortinet Firewall Vulnerability (thehackernews.com)
Cacti Servers Under Attack as Majority Fail to Patch Critical Vulnerability (thehackernews.com)
PoC exploits released for critical bugs in popular WordPress plugins (bleepingcomputer.com)
Vulnerabilities in cryptographic libraries found through modern fuzzing - Help Net Security
Microsoft: Exchange Server 2013 reaches end of support in 90 days (bleepingcomputer.com)
Hackers are using this old trick to dodge security protections | ZDNET
Attackers deploy sophisticated Linux implant on Fortinet network security devices | CSO Online
Researchers to release PoC exploit for critical Zoho RCE bug, patch now (bleepingcomputer.com)
MSI accidentally breaks Secure Boot for hundreds of motherboards (bleepingcomputer.com)
Microsoft fixes SSRF vulnerabilities found in Azure services | TechTarget
Over 4,000 Sophos Firewall devices vulnerable to RCE attacks (bleepingcomputer.com)
Critical Security Vulnerabilities Discovered in Netcomm and TP-Link Routers (thehackernews.com)
Exploited Control Web Panel Flaw Added to CISA 'Must-Patch' List | SecurityWeek.Com
Two critical flaws discovered in Git system - Security Affairs
Vendors Actively Bypass Security Patch for Year-Old Magento Vulnerability | SecurityWeek.Com
Cisco Patches High-Severity SQL Injection Vulnerability in Unified CM | SecurityWeek.Com
CVE-2022-47966: Rapid7 Observed Exploitation of Critical ManageEngine Vulnerability | Rapid7 Blog
Critical Microsoft Azure RCE flaw impacted multiple services - Security Affairs
New Microsoft Azure Vulnerability Uncovered — EmojiDeploy for RCE Attacks (thehackernews.com)
Tools and Controls
Training, endpoint management reduce remote working cyber security risks - Help Net Security
Why encrypting emails isn't as simple as it sounds - Help Net Security
As Social Engineering Tactics Change, So Must Your Security Training (darkreading.com)
Zero trust network access for Desktop as a Service - Help Net Security
How to prioritize resilience in the face of cyber-attacks | World Economic Forum (weforum.org)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Join us at 2pm on Thursday 26th of January for 'It Started with a Phish: a Bite-Sized Introduction to Incident Response'
Join us at 2pm on Thursday 26th of January for 'It Started with a Phish: a Bite-Sized Introduction to Incident Response'
Join us at 2pm on Thursday 26th of January for 'It Started with a Phish: a Bite-Sized Introduction to Incident Response' as part of the Islands Data Governance Forum Conference in-person at the Digital Greenhouse in Guernsey.
In this event, Bruce, James and Luke will lead a high-level tabletop taster exercise in incident response, guiding attendees on what to do in the event of a cyber security and data loss incident.
To find out more and to get tickets: It started with a phish: a bite-sized introduction to incident response | Digital Greenhouse
Black Arrow Cyber Advisory 20/01/2023 – Zoho ManageEngine Exploit Released Affecting Multiple Product Lines
Black Arrow Cyber Advisory 20/01/2023 – Zoho ManageEngine Exploit Released Affecting Multiple Product Lines
Executive Summary
CVE-2022-47966 is a remote code execution vulnerability which impacts Zoho’s ManageEngine On-Premise products, due to the use of an outdated third-party dependency, Apache Santuario. The exploit for this vulnerability has now been publicly released. Software updates addressing the vulnerabilities were previously released by Zoho across October/November last year.
What’s the risk to me or my business?
Successful exploitation of this vulnerability would grant an attacker the ability to remotely execute code. Users of ManageEngine On-Demand/cloud products are not affected by this vulnerability. In addition, the exploit is applicable, only when Single Sign-on (SSO) is or was enabled during the initial ManageEngine setup.
What can I do?
For organisations using ManageEngine On-Premise products where Single Sign-on (SSO) is or was enabled during initial setup, it is strongly recommended to install the patched version which addresses this vulnerability.
Further information on the security advisory from Zoho ManageEngine can be found here, including impacted version numbers, and the version numbers where the exploit was fixed: https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
What We Expect to See in 2023
What We Expect to See in 2023
2022 proved to be a challenging year for organisations trying to protect themselves against cyber attacks that originate from across the world, and within only the first two weeks of 2023 more high profile attacks have been disclosed.
One indicator of the scale of the problem is to look at how cyber insurance providers have been objectively assessing the risk of a cyber attack on their clients, and how to price that risk. This gives us strong signals about the challenges that cyber security will bring in 2023.
2022 proved to be a challenging year for organisations trying to protect themselves against cyber attacks that originate from across the world, and within only the first two weeks of 2023 more high profile attacks have been disclosed.
One indicator of the scale of the problem is to look at how cyber insurance providers have been objectively assessing the risk of a cyber attack on their clients, and how to price that risk. This gives us strong signals about the challenges that cyber security will bring in 2023.
The signs from the Cyber Insurance market
There have been some foreboding seismic changes in the cyber insurance market. The volume of attacks globally has resulted in insurance premiums that are now out of range for many organisations, and in December last year Zurich insurance said that cyber attacks will become “uninsurable”. Lloyds of London have mandated that all their policies must include an act of war exclusion, to ensure there is no liability when policy holders are caught in the cyber-crossfire by nation states such as Russia; it would not be a surprise if further exclusions were brought in later.
Cyber attackers come in many forms including nation states such as Russia, China and North Korea, as well as independent criminal gangs that operate in those countries and elsewhere. The line between these parties is very blurred, for example when the Russian military collaborates with local criminal gangs. It remains to be seen whether an insurance provider will make a distinction between the actions of a nation state and the country’s criminal gangs as an act of war, especially because attribution is not an exact science and may be outside the capability of an insurance underwriter. It is possible that the insured party will have to wait for some time before the claim is investigated, and they may need to challenge the assessment in court.
All the signs are that if insurance is indeed made available, then it will only be offered to an organisation that shows it has done everything it reasonably can to make itself an attractively low risk to an insurance provider. Consider the dispute between Travellers Insurance and their policyholder in the US in July last year, where the policy holder experienced a ransomware attack but Travellers successfully had the insurance policy annulled because the policyholder did not have the cyber protections in place that they claimed.
Organisations need to be constantly aware of the current and evolving risks of a cyber incident, and review whether their controls are robust enough to keep that risk down. Insurance providers have already started to do their own assessment of their policy holders’ controls, akin to a risk assessment before granting a person a life assurance policy, and they plan to go a lot deeper than you might think. Cloud providers including Google, Microsoft and Amazon are working with insurance companies to review the security configuration settings of their customers as part of the insurance company’s due diligence, to determine whether to offer insurance and at what price. The implications are clear: insurance companies expect you to have robust cyber security before they will consider you as a client. Where previously the application for an insurance policy was based on self-attestation by an organisation, insurance providers are now starting to ask for reports and metrics, however this could result in the applicant sharing highly sensitive information on their cyber security weaknesses which could be exploited if in an attacker’s hands.
Ransomware will remain popular …
A recent report from the insurance industry’s representative body, the Geneva Association, highlighted that 75% of all cyber-insurance claims in 2020 (the latest available analysis) were for ransomware. In 2022 we saw a change in the tactics of ransom attackers, and we expect more to come as attackers copy the success of their peers in trying out new approaches.
Last year, a ransomware gang hacked into the website of their victim to post the ransom note for the world to see, in order to increase the pressure to have the ransom paid. Other attackers have used a new way of encrypting their victim’s files by only encrypting every 16th bit (called Intermitted Encryption) to avoid making too much ‘noise’ and setting off the victim’s detection systems.
We expect attackers to increase their ‘innovation’ in ransomware, especially as the ransomware software has become so much easier to purchase online through the ransomware-as-a service (RaaS) market that the attacker community has established, alongside their call centres and venture capital services to enable the RaaS market to flourish. As a result, organisations need to keep their ear to the ground by reading cyber threat intelligence, such as our weekly blog, to understand the new tactics and check how secure they are against them.
… but new types of attacks are increasing
However, ransomware is not the only type of attack and it looks set to decrease (slightly) in popularity with the recent crash in crypto currencies, which is a currency of choice for cyber attackers as it is like a suitcase of unmarked banknotes that cannot be traced. Coming up in popularity is business email compromise (BEC), and the lesser known email account compromise (EAC), where the attacker gains access to a user’s email account and, without the knowledge of the owner, uses it to conduct further attacks such as sending out emails requesting payments to fraudulent accounts. BEC/EAC are not new, but they seem to be considered easier and more profitable for attackers in late 2022 and into 2023.
It is worth noting that attackers will often lurk for months or years after an email account has been compromised. The attacker will watch and wait for the right moment to strike, for example when the victim is about to transfer funds to a third party and the attacker intercepts and alters emails to divert the funds to the attacker’s bank account.
When there is money to be made, there will be innovation
Every day across the world, hundreds of thousands of clever but dishonest people wake up in the morning, and their definition of a good day’s work is that they have broken through your defences to get access to your information or money.
Recent ‘innovations’ from the attackers perspective include call-back phishing, which has soared in popularity as attackers are refining their techniques. This starts with a classic phishing email that tells the recipient that their information or money is in danger. However, this email encourages the recipient to call a number for help; the person they call is the attacker who will talk them through downloading software (which is, sadly, malicious software or ‘malware’) and transferring money (unknowingly into the attacker’s account) in order to sort out the problem.
The ’robust’ controls of this morning might not be so strong by this afternoon
Last autumn, a contractor at Uber was contacted by someone claiming to be from the company’s IT team, who asked the contractor to accept the multi-factor authentication (MFA) prompts they had been receiving on their device in order that the IT team could work on their account. The contractor complied. The person who contacted them was of course an attacker and now had direct access to Uber’s systems, including the ability to post messages on the company’s Slack channels used for internal messaging.
This is a strong reminder that controls, such as MFA, that are considered robust can still be overcome by a determined attacker, especially if they can convince an employee to help them. To be clear, MFA is a very credible control and should certainly be maintained however there are no silver bullets and no single control offers 100% protection to withstand a determined attacker. The only way to protect yourself is to understand the evolving tactics of attackers, and to maintain a strategy of multiple layers of controls in order that if one of them fails, then the other controls can help to withstand or mitigate the damage; this is referred to as defence in depth.
Subscribe to our weekly round up of threat intelligence
2023 has already started as a yet more challenging year for protecting you and your clients’ information against a cyber attack. The UK’s Royal Mail has fallen victim to ransomware attributed to Russian attackers that has immobilised its international operations, and the Guardian newspaper has shared details of a recent attack on their systems.
This is why your cyber security strategy needs to be regularly reassessed based on what your ear to the ground is telling you. Subscribe to our weekly threat intelligence report on blackarrowcyber.com/subscribe to keep on top of the latest developments and see what our threat intelligence tells you to consider in your cyber security strategy. And contact us if you want to discuss what this all means for you; we know and love cyber security, and would be happy to hear from you.
Black Arrow Cyber Threat Briefing 13 January 2023
Black Arrow Cyber Threat Briefing 13 January 2023:
-Quarter of UK SMBs Hit by Ransomware in 2022
-Global Cyber Attack Volume Surges 38% in 2022
-1 in 3 Organisations Do Not Provide Any Cyber Security Training to Remote Workers Despite the Majority of Employees Having Access to Critical Data
-AI-Generated Phishing Attacks Are Becoming More Convincing
-Customer and Employee Data the Top Prize for Hackers
-Royal Mail hit by Ransomware Attack, Causes ‘Severe Disruption’ to Services
-The Guardian Confirms Personal Information Compromised in Ransomware Attack
-Ransomware Gang Releases Info Stolen from 14 UK Schools, Including Passport Scans
-The Dark Web’s Criminal Minds See Internet of Things as Next Big Hacking Prize
-Corrupted File to Blame for Computer Glitch which Grounded Every US Flight
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Quarter of UK SMBs Hit by Ransomware in 2022
Over one in four (26%) British SMBs have been targeted by ransomware over the past year, with half (47%) of those compromised paying their extorters, according to new data from anti-virus provider Avast. The security vendor polled 1000 IT decision makers from UK SMBs back in October, to better understand the risk landscape over the previous 12 months.
More than two-thirds (68%) of respondents said they are more concerned about being attacked since the start of the war in Ukraine, fuelling concerns that have led to half (50%) investing in cyber-insurance. They’re wise to do so, considering that 41% of those hit by ransomware lost data, while 34% lost access to devices, according to Avast.
Given that SMBs comprise over 99% of private sector businesses in the country, it’s reassuring that cyber is now being viewed as a major business risk. Nearly half (48%) ranked it as one of the biggest threats they currently face, versus 66% who cited financial risk stemming from surging operational cost. More respondents cited cyber as a top threat than did physical security (35%) and supply chain disruption (33%).
Avast argued that SMBs are among the groups most vulnerable to cyber-threats as they often have very limited budget and resources, and many don’t have somebody on staff managing security holistically. As a result, not only are SMB’s lacking in their defence, but they’re also slower and less able to react to incidents.
https://www.infosecurity-magazine.com/news/quarter-of-uk-smbs-hit-ransomware/
Global Cyber Attack Volume Surges 38% in 2022
The number of cyber attacks recorded last year was nearly two-fifths (38%) greater than the total volume observed in 2021, according to Check Point.
The security vendor claimed the increase was largely due to a surge in attacks on healthcare organisations, which saw the largest year-on-year (YoY) increase (74%), and the activities of smaller, more agile hacking groups.
Overall, attacks reached an all-time high in Q4 with an average of 1168 weekly attacks per organisation. The average weekly figures for the year were highest for education sector organisations (2314), government and military (1661) and healthcare (1463).
Threat actors appear to have capitalised on gaps in security created by the shift to remote working. The ransomware ecosystem is continuing to evolve and grow with smaller, more agile criminal groups that form to evade law enforcement. Hackers are also now increasingly widening their aim to target business collaboration tools such as Slack, Teams, OneDrive and Google Drive with phishing exploits. These make for a rich source of sensitive data given that most organisations’ employees continue to work remotely.
It is predicted that AI tools like ChatGPT would help to fuel a continued surge in attacks in 2023 by making it quicker and easier for bad actors to generate malicious code and emails.
Recorded cyber-attacks on US organisations grew 57% YoY in 2022, while the figure was even higher in the UK (77%). This chimes with data from UK ISP Beaming, which found that 2022 was the busiest year on record for attacks. It recorded 687,489 attempts to breach UK businesses in 2022 – the equivalent of one attack every 46 seconds.
https://www.infosecurity-magazine.com/news/global-cyberattack-volume-surges/
1 in 3 Organisations Do Not Provide Any Cyber Security Training to Remote Workers Despite the Majority of Employees Having Access to Critical Data
New research from cyber security provider Hornetsecurity has found that 33% of companies are not providing any cyber security awareness training to users who work remotely.
The study also revealed nearly three-quarters (74%) of remote staff have access to critical data, which is creating more risk for companies in the new hybrid working world.
Despite the current lack of training and employees feeling ill-equipped, almost half (44%) of respondents said their organisation plans to increase the percentage of employees that work remotely. The popularity of hybrid work, and the associated risks, means that companies must prioritise training and education to make remote working safe.
Traditional methods of controlling and securing company data aren't as effective when employees are working in remote locations and greater responsibility falls on the individual. Companies must acknowledge the unique risks associated with remote work and activate relevant security management systems, as well as empower employees to deal with a certain level of risk.
The independent survey, which quizzed 925 IT professionals from a range of business types and sizes globally, highlighted the security management challenges and employee cyber security risk when working remotely. The research revealed two core problems causing risk: employees having access to critical data, and not enough training being provided on how to manage cyber security or how to reduce the risk of a cyber-attack or breach.
AI-Generated Phishing Attacks Are Becoming More Convincing
It's time for you and your colleagues to become more sceptical about what you read.
That's a takeaway from a series of experiments undertaken using GPT-3 AI text-generating interfaces to create malicious messages designed to spear-phish, scam, harass, and spread fake news.
Experts at WithSecure have described their investigations into just how easy it is to automate the creation of credible yet malicious content at incredible speed. Amongst the use cases explored by the research were the use of GPT-3 models to create:
Phishing content – emails or messages designed to trick a user into opening a malicious attachment or visiting a malicious link
Social opposition – social media messages designed to troll and harass individuals or to cause brand damage
Social validation – social media messages designed to advertise or sell, or to legitimise a scam
Fake news – research into how well GPT-3 can generate convincing fake news articles of events that weren’t part of its training set
All of these could, of course, be useful to cyber criminals hell-bent on scamming the unwary or spreading unrest.
Customer and Employee Data the Top Prize for Hackers
The theft of customer and employee data accounts for almost half (45%) of all stolen data between July 2021 and June 2022, according to a new report from cyber security solution provider Imperva.
The data is part of a 12-month analysis by Imperva Threat Research on the trends and threats related to data security in its report “More Lessons Learned from Analysing 100 Data Breaches”.
Their analysis found that theft of credit card information and password details dropped by 64% compared to 2021. The decline in stolen credit card and password data pointing to the uptake of basic security tactics like multi-factor authentication (MFA). However, in the long term, PII data is the most valuable data to cyber-criminals. With enough stolen PII, they can engage in full-on identity theft which is hugely profitable and very difficult to prevent. Credit cards and passwords can be changed the second there is a breach, but when PII is stolen, it can be years before it is weaponised by hackers.
The research also revealed the root causes of data breaches, with social engineering (17%) and unsecured databases (15%) two of the biggest culprits. Misconfigured applications were only responsible for 2% of data breaches, but Imperva said that businesses should expect this figure to rise in the near future, particularly with cloud-managed infrastructure where configuring for security requires significant expertise.
It’s really concerning that a third (32%) of data breaches are down to unsecured databases and social engineering attacks, since they’re both straightforward to mitigate. A publicly open database dramatically increases the risk of a breach and, all too often, they are left like this not out of a failure of security practices but rather the total absence of any security posture at all.
https://www.infosecurity-magazine.com/news/customer-employee-data-hackers/
Royal Mail hit by Ransomware Attack, Causes ‘Severe Disruption’ to Services
Royal Mail experienced “severe service disruption” to its international export services following a ransomware attack, the company has announced. A statement said it was temporarily unable to despatch export items including letters and parcels to overseas destinations.
Royal Mail said: “We have asked customers temporarily to stop submitting any export items into the network while we work hard to resolve the issue” and advising that “Some customers may experience delay or disruption to items already shipped for export.”
The attack was later attributed to LockBit, a prolific ransomware gang with close ties to Russia. Both the NCSC and the NCA were involved in responding to the incident.
https://www.independent.co.uk/business/royal-mail-cyber-attack-exports-b2260308.html
The Guardian Confirms Personal Information Compromised in Ransomware Attack
British news organisation The Guardian has confirmed that personal information was compromised in a ransomware attack in December 2022.
The company fell victim to the attack just days before Christmas, when it instructed staff to work from home, announcing network disruptions that mostly impacted the print newspaper.
Right from the start, the Guardian said it suspected ransomware to have been involved in the incident, and this week the company confirmed that this was indeed the case. In an email to staff on Wednesday, The Guardian Media Group’s chief executive and the Guardian’s editor-in-chief said that the sophisticated cyber attack was likely the result of phishing.
They also announced that the personal information of UK staff members was compromised in the attack, but said that reader data and the information of US and Australia staff was not impacted. “We have seen no evidence that any data has been exposed online thus far and we continue to monitor this very closely,” the Guardian representatives said. While the attack forced the Guardian staff to work from home, online publishing has been unaffected, and production of daily newspapers has continued as well.
“We believe this was a criminal ransomware attack, and not the specific targeting of the Guardian as a media organisation,” the Guardian said.
The company continues to work on recovery and estimates that critical systems would be restored in the next two weeks. Staff, however, will continue to work from home until at least early February. “These attacks have become more frequent and sophisticated in the past three years, against organisations of all sizes, and kinds, in all countries,” the Guardian said.
https://www.securityweek.com/guardian-confirms-personal-information-compromised-ransomware-attack
Ransomware Gang Releases Info Stolen from 14 UK Schools, Including Passport Scans
Another month, another release of personal information stolen from a school system. This time, it's a group of 14 schools in the United Kingdom.
Once again, the perpetrator appears to be Vice Society, which is well known for targeting educational systems in the US. As the Cybersecurity and Infrastructure Security Agency (CISA) pointed out in a bulletin from Sept. 6, "K-12 institutions may be seen as particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers."
The UK hack may have turned up even more confidential information than the Los Angeles school system breach last year. As the BBC reported on Jan. 6, "One folder marked 'passports' contains passport scans for pupils and parents on school trips going back to 2011, whereas another marked 'contract' contains contractual offers made to staff alongside teaching documents on muscle contractions."
Some prominent school cyber attacks in the US include public school districts in Chicago, Baltimore, and Los Angeles. A new study from digital learning platform Clever claims that one in four schools experienced a cyber-incident over the past year, and according to a new report from security software vendor Emsisoft, at least 45 school districts and 44 higher learning institutions suffered ransomware attacks in 2022.
Schools are an attractive target as they are typically data-rich and resource-poor. Without proper resources in terms of dedicated staffing and the necessary tools and training to protect against cyber-attacks, schools can be a soft target. Many of the 14 schools hit by this latest leak are colleges and universities, but primary and secondary schools were also hit, according to the BBC's list.
The Dark Web’s Criminal Minds See Internet of Things as Next Big Hacking Prize
Cyber security experts say 2022 may have marked an inflection point due to the rapid proliferation of IoT (Internet of Things) devices.
Criminal groups buy and sell services, and one hot idea — a business model for a crime — can take off quickly when they realise that it works to do damage or to get people to pay. Attacks are evolving from those that shut down computers or stole data, to include those that could more directly wreak havoc on everyday life. IoT devices can be the entry points for attacks on parts of countries’ critical infrastructure, like electrical grids or pipelines, or they can be the specific targets of criminals, as in the case of cars or medical devices that contain software.
For the past decade, manufacturers, software companies and consumers have been rushing to the promise of Internet of Things devices. Now there are an estimated 17 billion in the world, from printers to garage door openers, each one packed with software (some of it open-source software) that can be easily hacked.
What many experts are anticipating is the day enterprising criminals or hackers affiliated with a nation-state figure out an easy-to-replicate scheme using IoT devices at scale. A group of criminals, perhaps connected to a foreign government, could figure out how to take control of many things at once – like cars, or medical devices. There have already been large-scale attacks using IoT, in the form of IoT botnets. In that case, actors leveraging unpatched vulnerabilities in IoT devices used control of those devices to carry out denial of service attacks against many targets. Those vulnerabilities are found regularly in ubiquitous products that are rarely updated.
In other words, the possibility already exists. It’s only a question of when a criminal or a nation decides to act in a way that targets the physical world at a large scale. There are a handful of companies, new regulatory approaches, a growing focus on cars as a particularly important area, and a new movement within the software engineering world to do a better job of incorporating cyber security from the beginning.
Corrupted File to Blame for Computer Glitch which Grounded Every US Flight
A corrupted file has been blamed for a glitch on the Federal Aviation Administration's computer system which saw every flight grounded across the US.
All outbound flights were grounded until around 9am Eastern Time (2pm GMT) on Wednesday as the FAA worked to restore its Notice to Air Missions (NOTAM) system, which alerts pilots of potential hazards along a flight route.
On Wednesday 4,948 flights within, into or out of the US had been delayed, according to flight tracker FlightAware.com, while 868 had been cancelled. Most delays were concentrated along the East Coast. Normal air traffic operations resumed gradually across the US following the outage to the NOTAM system that provides safety information to flight crews.
A corrupted file affected both the primary and the backup systems, a senior government official told NBC News on Wednesday night, adding that officials continue to investigate. Whilst Government officials said there was no evidence of a cyber attack, it shows the real world impacts that an outage or corrupted file can cause.
Threats
Ransomware, Extortion and Destructive Attacks
Royal Mail unable to despatch items abroad after 'cyber incident' | UK News | Sky News
Lorenz ransomware gang plants backdoors to use months later (bleepingcomputer.com)
Quarter of UK SMBs Hit by Ransomware in 2022 - Infosecurity Magazine (infosecurity-magazine.com)
Worldwide Ransomware Attacks Trend (informationsecuritybuzz.com)
LastPass Faces Class-Action Lawsuit Over Password Vault Breach (pcmag.com)
Rackspace: Ransomware actor accessed 27 customers' data | TechTarget
Rackspace Ransomware Incident Highlights Risks of Relying on Mitigation Alone (darkreading.com)
Risk & Repeat: Analysing the Rackspace ransomware attack | TechTarget
Guardian confirms it was hit by ransomware attack | The Guardian | The Guardian
Post-ransomware attack, The Guardian warns staff their personal data was accessed • Graham Cluley
The Guardian Confirms Personal Information Compromised in Ransomware Attack | SecurityWeek.Com
Royal Mail cyber attack linked to LockBit ransomware operation (bleepingcomputer.com)
Hive Ransomware leaked 550 GB stolen from Consulate Health Care - Security Affairs
Iowa’s largest school district cancels classes after cyber attack (bleepingcomputer.com)
Hackers leak sensitive files after attack on San Francisco transit police (nbcnews.com)
Vice Society ransomware claims attack on Australian firefighting service (bleepingcomputer.com)
Ransomware attack at Hope Sentamu Learning Trust in York | York Press
Phishing & Email Based Attacks
AI-generated phishing emails just got much more convincing • The Register
Better Phishing, Easy Malicious Implants: How AI Could Change Cyber attacks (darkreading.com)
AI-generated phishing attacks are becoming more convincing | Tripwire
Twitter Data Leak: What the Exposure of 200 Million User Emails Means for You | WIRED
Phishing campaign targets government institution in Moldova - Security Affairs
Malware
Better Phishing, Easy Malicious Implants: How AI Could Change Cyber attacks (darkreading.com)
Turla, a Russian Espionage Group, Piggybacked on Other Hackers' USB Infections | WIRED
ChatGPT Used to Develop New Malicious Tools - Infosecurity Magazine (infosecurity-magazine.com)
Russia’s Turla falls back on old malware C2 domains to avoid detection | Computer Weekly
Many of 13 New Mac Malware Families Discovered in 2022 Linked to China | SecurityWeek.Com
Dridex Malware Now Attacking macOS Systems with Novel Infection Method (thehackernews.com)
Over 1,300 fake AnyDesk sites push Vidar info-stealing malware (bleepingcomputer.com)
Attackers abuse business-critical cloud apps to deliver malware - Help Net Security
New Analysis Reveals Raspberry Robin Can be Repurposed by Other Threat Actors (thehackernews.com)
6 PyPI Packages Detour Firewall Using Cloudflare Tunnels (informationsecuritybuzz.com)
Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL (bleepingcomputer.com)
Malicious PyPi packages create CloudFlare Tunnels to bypass firewalls (bleepingcomputer.com)
Gootkit Loader Actively Targets Australian Healthcare Industry (trendmicro.com)
Android TV box on Amazon came pre-installed with malware (bleepingcomputer.com)
VLC media player is being hiajcked to send out malware | TechRadar
RAT malware campaign tries to evade detection using polyglot files (bleepingcomputer.com)
Italian Users Warned of Malware Attack Targeting Sensitive Information (thehackernews.com)
Hackers push fake Pokemon NFT game to take over Windows devices (bleepingcomputer.com)
How to protect yourself from bot-driven account fraud - Help Net Security
Mobile
Android spyware strikes again targeting financial institutions and your money | Fox News
Messenger billed as better than Signal is riddled with vulnerabilities | Ars Technica
StrongPity hackers target Android users via trojanized Telegram app (bleepingcomputer.com)
Threema claims encryption flaws never had a real-world impact (bleepingcomputer.com)
Latest Firmware Flaws in Qualcomm Snapdragon Need Attention (darkreading.com)
Threat actors claim access to Telegram servers through insiders - Security Affairs
$20K Buys Insider Access to Telegram Servers, Dark Web Ad Claims (darkreading.com)
Denial of Service/DoS/DDOS
The most significant DDoS attacks in the past year - Help Net Security
Big Prizes, Cash on Offer for Joining 'DDosia' Anti-Ukraine Cyber attack Project (darkreading.com)
Internet of Things – IoT
The dark web's criminal minds see IoT as the next big hacking prize (cnbc.com)
Android TV box on Amazon came pre-installed with malware (bleepingcomputer.com)
Hackers can trick Wi-Fi devices into draining their own batteries | New Scientist
Data Breaches/Leaks
Twitter Data Leak: What the Exposure of 200 Million User Emails Means for You | WIRED
14 UK schools hit by cyber attack and documents leaked - BBC News
Air France and KLM notify customers of account hacks (bleepingcomputer.com)
Vice Society Releases Info Stolen From 14 UK Schools, Including Passport Scans (darkreading.com)
Twitter's mushrooming data breach crisis could prove costly | CSO Online
Twitter Denies Hacking Claims, Assures Leaked User Data Not from its System (thehackernews.com)
CircleCI – code-building service suffers total credential compromise – Naked Security (sophos.com)
Aflac's Japan says US partner leaked cancer customer info • The Register
Data leak exposes information of 10,000 French social security beneficiaries | CSO Online
Chick-fil-A investigates reports of hacked customer accounts (bleepingcomputer.com)
Organised Crime & Criminal Actors
JP Morgan must face suit over $272m cybertheft • The Register
Cyber criminals are already using ChatGPT to own you | SC Media (scmagazine.com)
Russian Cyber Crew Targets Ukraine Financial Sector Via Infected USB Drives - MSSP Alert
2022 Was the Biggest Year Yet for Crypto, if You're a Crook (gizmodo.com)
Researchers Find 'Digital Crime Haven' While Investigating Magecart Activity (darkreading.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
2022 Was the Biggest Year Yet for Crypto, if You're a Crook (gizmodo.com)
European police takes down call centres behind cryptocurrency scams (bleepingcomputer.com)
European cops shut down fake crypto call centres • The Register
Kinsing Crypto Malware Hits Kubernetes Clusters via Misconfigured PostgreSQL (thehackernews.com)
Fraud, Scams & Financial Crime
European police takes down call centres behind cryptocurrency scams (bleepingcomputer.com)
Nationwide warns ‘checking is important’ as thousands targeted in online scam | Personal Finance |
How to protect yourself from bot-driven account fraud - Help Net Security
Insurance
Insurance Co. Beazley Launches $45M 'Cyber Catastrophe Bond' (gizmodo.com)
Insurer Beazley launches first catastrophe bond for cyber threats | Financial Times (ft.com)
4 Cyber Insurance Requirement Predictions for 2023 (trendmicro.com)
Dark Web
Threat actors claim access to Telegram servers through insiders - Security Affairs
$20K Buys Insider Access to Telegram Servers, Dark Web Ad Claims (darkreading.com)
Pakistan tells government agencies to avoid the dark web • The Register
Software Supply Chain
Cloud/SaaS
Attackers abuse business-critical cloud apps to deliver malware - Help Net Security
Top SaaS Cyber security Threats in 2023: Are You Ready? (thehackernews.com)
Why Do User Permissions Matter for SaaS Security? (thehackernews.com)
Attack Surface Management
Why the atomized network is growing, and how to protect it - Help Net Security
Web 3.0 Shifts Attack Surface and Highlights Need for Continuous Security (darkreading.com)
Identity and Access Management
Encryption
RSA crypto cracked? Or perhaps not! – Naked Security (sophos.com)
What is Triple DES and why is it being disallowed? | TechTarget
Passwords, Credential Stuffing & Brute Force Attacks
A fifth of passwords used by federal agency cracked in security audit | Ars Technica
Why FIDO and passwordless authentication is the future - Help Net Security
'Copyright Infringement' Lure Used for Facebook Credential Harvesting (darkreading.com)
Why it might be time to consider using FIDO-based authentication devices | CSO Online
Social Media
Twitter Data Leak: What the Exposure of 200 Million User Emails Means for You | WIRED
Twitter's mushrooming data breach crisis could prove costly | CSO Online
Twitter Denies Hacking Claims, Assures Leaked User Data Not from its System (thehackernews.com)
If governments are banning TikTok, why is it still on your corporate devices? | CSO Online
'Copyright Infringement' Lure Used for Facebook Credential Harvesting (darkreading.com)
Training, Education and Awareness
Regulations, Fines and Legislation
Governance, Risk and Compliance
US cyber security director: The tech ecosystem has ‘become really unsafe’ (yahoo.com)
Global Cyber-Attack Volume Surges 38% in 2022 - Infosecurity Magazine (infosecurity-magazine.com)
Global Risks Report: Understand the risk landscape in 2023 and beyond - Help Net Security
Why Analysing Past Incidents Helps Teams More Than Usual Security Metrics (darkreading.com)
Cyber security spending and economic headwinds in 2023 | CSO Online
Practical Risk Management - Beyond Certification (informationsecuritybuzz.com)
Vulnerable software, low incident reporting raises risks | TechTarget
Careers, Working in Cyber and Information Security
Law Enforcement Action and Take Downs
European cops shut down fake crypto call centres • The Register
European police takes down call centres behind cryptocurrency scams (bleepingcomputer.com)
Privacy, Surveillance and Mass Monitoring
Artificial Intelligence
AI-generated phishing emails just got much more convincing • The Register
ChatGPT: The infosec assistant that is jack of all trades, master of none - Help Net Security
Better Phishing, Easy Malicious Implants: How AI Could Change Cyber attacks (darkreading.com)
VALL-E AI can mimic a person’s voice from a 3-second snippet • The Register
ChatGPT Artificial Intelligence: An Upcoming Cyber security Threat? (darkreading.com)
Hackers Exploiting OpenAI’s ChatGPT to Deploy Malware (hackread.com)
Cyber criminals are already using ChatGPT to own you | SC Media (scmagazine.com)
Trojan Puzzle attack trains AI assistants into suggesting malicious code (bleepingcomputer.com)
ChatGPT Used to Develop New Malicious Tools - Infosecurity Magazine (infosecurity-magazine.com)
DHS, CISA plan AI-based cyber security analytics sandbox • The Register
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Turla, a Russian Espionage Group, Piggybacked on Other Hackers' USB Infections | WIRED
Russia’s Turla falls back on old malware C2 domains to avoid detection | Computer Weekly
Exclusive: Russian hackers targeted U.S. nuclear scientists | Reuters
Russian cyber attacks on Ukraine halved with help from Amazon and Microsoft (telegraph.co.uk)
New Dark Pink APT group targets govt and military with custom malware (bleepingcomputer.com)
Big Prizes, Cash on Offer for Joining 'DDosia' Anti-Ukraine Cyber attack Project (darkreading.com)
Phishing campaign targets government institution in Moldova - Security Affairs
Russian and Belarusian men charged with spying for Russian GRU - Security Affairs
Nation State Actors
Nation State Actors – Russia
Turla, a Russian Espionage Group, Piggybacked on Other Hackers' USB Infections | WIRED
Russia’s Turla falls back on old malware C2 domains to avoid detection | Computer Weekly
Exclusive: Russian hackers targeted U.S. nuclear scientists | Reuters
Russian cyber attacks on Ukraine halved with help from Amazon and Microsoft (telegraph.co.uk)
How Elon Musk’s Starlink has changed warfare | The Economist
Big Prizes, Cash on Offer for Joining 'DDosia' Anti-Ukraine Cyber attack Project (darkreading.com)
Phishing campaign targets government institution in Moldova - Security Affairs
Russian and Belarusian men charged with spying for Russian GRU - Security Affairs
Musk's Starlink Satellite's Role In Ukraine War Inspires Taiwan To Thwart Potential China Attack
Nation State Actors – China
Many of 13 New Mac Malware Families Discovered in 2022 Linked to China | SecurityWeek.Com
If governments are banning TikTok, why is it still on your corporate devices? | CSO Online
Musk's Starlink Satellite's Role In Ukraine War Inspires Taiwan To Thwart Potential China Attack
Nation State Actors – Iran
Nation State Actors – Misc
Vulnerability Management
Patch Where it Hurts: Effective Vulnerability Management in 2023 (thehackernews.com)
70% of apps contain at least one security flaw after 5 years in production - Help Net Security
Rackspace Ransomware Incident Highlights Risks of Relying on Mitigation Alone (darkreading.com)
Does a hybrid model for vulnerability management make sense? • Graham Cluley
Vulnerabilities
Microsoft Patch Tuesday: 97 Windows Vulns, 1 Exploited Zero-Day | SecurityWeek.Com
Microsoft plugs actively exploited zero-day hole (CVE-2023-21674) - Help Net Security
The Roadmap to Secure Access Service Edge (SASE) - MSSP Alert
Hundreds of SugarCRM servers infected with critical in-the-wild exploit | Ars Technica
Cyber criminals bypass Windows security with driver-vulnerability exploit | CSO Online
Attackers target govt networks exploiting Fortinet SSL-VPN CVE-2022-42475 - Security Affairs
Adobe Plugs Security Holes in Acrobat, Reader Software | SecurityWeek.Com
Zoom Patches High Risk Flaws on Windows, MacOS Platforms | SecurityWeek.Com
Cisco warns of auth bypass bug with public exploit in EoL routers (bleepingcomputer.com)
Swiss Threema messaging app found to have vulnerabilities • The Register
Fortinet says hackers exploited critical vulnerability to infect VPN customers | Ars Technica
Critical bug in Cisco Small Business Routers will receive no patch - Security Affairs
Severe Vulnerabilities Allow Hacking of Asus Gaming Router | SecurityWeek.Com
JsonWebToken Security Bug Opens Servers to RCE (darkreading.com)
Latest Firmware Flaws in Qualcomm Snapdragon Need Attention (darkreading.com)
Tools and Controls
How to prevent and detect lateral movement attacks | TechTarget
Data Loss Prevention Capability Guide (informationsecuritybuzz.com)
4 key shifts in the breach and attack simulation (BAS) market - Help Net Security
How to prioritize effectively with threat modeling • The Register
XDR and the Age-old Problem of Alert Fatigue | SecurityWeek.Com
Why FIDO and passwordless authentication is the future - Help Net Security
Why it might be time to consider using FIDO-based authentication devices | CSO Online
DHS, CISA plan AI-based cyber security analytics sandbox • The Register
ChatGPT: The infosec assistant that is jack of all trades, master of none - Help Net Security
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Advisory 11/01/2023 – Microsoft, Adobe and Zoom release security updates
Black Arrow Cyber Advisory 11/01/2023 – Microsoft, Adobe and Zoom release security updates, including some under active exploitation
Microsoft, Adobe and Zoom have all this week released security updates, including some known to be being actively exploited by malicious actors.
Microsoft
Executive summary
Microsoft’s January Patch Tuesday provides updates to address 98 security issues across its product range. The updates included fixes for 11 critical vulnerabilities, including a privilege escalation flaw in Windows Advanced Local Procedure Call (ALPC) which has been recorded as being actively exploited by the US Cybersecurity and Infrastructure Agency (CISA).
What’s the risk to me or my business?
The actively exploited vulnerability could allow an attacker to escalate privileges and gain higher levels of access to affected systems, which could compromise the confidentiality, integrity and availability of data stored on the system.
What can I do?
Security updates are available for all supported versions of Windows. The updates should be applied as soon as possible for the actively exploited vulnerability and all other vulnerabilities that have a critical severity rating.
Technical Summary
The following is a breakdown of the actively exploited vulnerability which affected Microsoft Operating Systems:
CVE-2023-21674: An elevation of privilege vulnerability with a CVSS rating of 8.8, which allows the user to gain System privileges.
Microsoft guidance for CVE-2023-21674 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21674
Further details on other specific updates within this Patch Tuesday can be found here: https://www.ghacks.net/2023/01/10/microsoft-windows-security-updates-january-2023-overview/
Further details of CISA’s “Known Exploited Vulnerabilities Catalog” can be found here: https://nvd.nist.gov/vuln/detail/CVE-2023-21674
Adobe
Executive summary
Security updates have been released by Adobe to address 29 vulnerabilities relating to Adobe Dimension, Adobe InCopy, Adobe InDesign, Adobe Acrobat and Adobe Reader. 11 of the vulnerabilities were rated as critical. None of the critical vulnerabilities related to Adobe Dimension.
What’s the risk to me or my business?
If exploited, the critical vulnerabilities could result in an attacker executing code of their choice, which could impact the confidentiality, integrity and availability of the system.
What can I do?
Updates are available for the impacted versions of Adobe software. For critical vulnerabilities, updates should be applied as soon as possible.
Further technical information can be found here:
Adobe Dimension: https://helpx.adobe.com/security/products/dimension/apsb23-10.html
Adobe InCopy: https://helpx.adobe.com/security/products/incopy/apsb23-08.html
Adobe InDesign: https://helpx.adobe.com/security/products/indesign/apsb23-07.html
Adobe Acrobat and Reader: https://helpx.adobe.com/security/products/acrobat/apsb23-01.html
Zoom
Executive Summary
Zoom has provided security updates that address 5 vulnerabilities within the Zoom video conferencing software. 3 of the vulnerabilities were recorded as critical in severity.
What’s the risk to me or my business?
If exploited, the vulnerabilities could allow an attacker to gain system or root privileges on a machine, which could compromise the confidentiality, integrity and availability of the system. For this to occur, the attacker would need to be a local user.
What can I do?
Updates are available for the impacted versions of Zoom. For critical vulnerabilities, updates should be applied as soon as possible.
Further technical information can be found here: https://explore.zoom.us/en/trust/security/security-bulletin/
Need help understanding your gaps, or just want some advice? Get in touch with us.
Black Arrow Cyber Threat Briefing 06 January 2023
Black Arrow Cyber Threat Briefing 06 January 2023:
-Cyber War in Ukraine, Ransomware Fears Drive Surge in Demand for Threat Intelligence Tools
-Cyber Premiums Holding Firms to Ransom
-Ransomware Ecosystem Becoming More Diverse For 2023
-Attackers Evolve Strategies to Outmanoeuvre Security Teams
-Building a Security-First Culture: The Key to Cyber Success
-Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of Known Exploited Vulnerabilities Catalogue
-First LastPass, Now Slack and CircleCI. The Hacks Go On (and will likely worsen)
-Data of 235 Million Twitter Users Leaked Online
-16 Car Makers, including BMW, Ferrari, Ford, Honda, Kia, Land Rover, Mercedes and Toyota, and Their Vehicles Hacked via Telematics, APIs, Infrastructure
-Ransomware Gang Apologizes, Gives SickKids Hospital Free Decryptor
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber War in Ukraine, Ransomware Fears Drive 2022 Surge in Demand for Threat Intelligence Tools
Amid the heightened fear of ransomware in 2022, threat intelligence emerged as a core requirement of doing business in a world gone mad.
A sizable amount of interest in the historically tech-centric discipline was fuelled in part by fear of cyber attacks tied to the war between Russia and Ukraine. In one example, the Ukrainian government warned the world that the Russian military was planning for multi-pronged attacks targeting the energy sector. Other nation-state cyber attack operations also contributed to the demand, including one June 2022 incident were Iran’s Cobalt Mirage exploited PowerShell vulnerabilities to launch ransomware attacks.
And of course, headlines of data breaches tied to vulnerabilities that organisations did not even know existed within their networks caught the attention not just of security teams, but the C-Suite and corporate board. A misconfigured Microsoft server, for example, wound up exposing years of sensitive data for tens of thousands of its customers, including personally identifiable information, user data, product and project details and intellectual property.
Indeed, according to 183 security pros surveyed by CyberRisk Alliance Business Intelligence in June 2022, threat intelligence has become critical in arming their security operations centres (SOCs) and incident response teams with operational data to help them make timely, informed decisions to prevent system downtime, thwart the theft of confidential data, and protect intellectual property.
Threat intelligence has emerged as a useful tool for educating executives. Many also credited threat intelligence for helping them protect their company and customer data — and potentially saving their organisation's reputation.
Cyber Premiums Holding Firms to Ransom
Soaring premiums for cyber security insurance are leaving businesses struggling to pay other bills, a key industry player has warned.
Mactavish, which buys insurance policies on behalf of companies, said that more than half of big businesses that had bought cyber security insurance had been forced to make cuts elsewhere to pay for it.
In a survey of 200 companies with a turnover above £10 million, Mactavish found that businesses were reducing office costs and staff bonuses and were cutting other types of insurance to meet the higher payments.
Last month Marsh, an insurance broker, revealed that costs for cyber insurance had increased by an average of 66 per cent in the third quarter compared with last year.
Meanwhile, the risk to businesses from hackers continues to rise. A government report on digital threats, published this month, showed the proportion of businesses experiencing cyber security incidents at least monthly had increased from 53 per cent to 60 per cent in the past year. Uber, Cisco and InterContinental Hotels Group were among high-profile targets this year.
https://www.thetimes.co.uk/article/cyber-safety-premiums-hold-firms-to-ransom-tnrsz3vs2
Ransomware Ecosystem Becoming More Diverse for 2023
The ransomware ecosystem has changed significantly in 2022, with attackers shifting from large groups that dominated the landscape toward smaller ransomware-as-a-service (RaaS) operations in search of more flexibility and drawing less attention from law enforcement. This democratisation of ransomware is bad news for organisations because it also brought in a diversification of tactics, techniques, and procedures (TTPs), more indicators of compromise (IOCs) to track, and potentially more hurdles to jump through when trying to negotiate or pay ransoms.
Since 2019 the ransomware landscape has been dominated by big and professionalised ransomware operations that constantly made the news headlines and even looked for media attention to gain legitimacy with potential victims. We've seen ransomware groups with spokespeople who offered interviews to journalists or issued "press releases" on Twitter and their data leak websites in response to big breaches.
The DarkSide attack against Colonial Pipeline that led to a major fuel supply disruption along the US East Coast in 2021 highlighted the risk that ransomware attacks can have against critical infrastructure and led to increased efforts to combat this threat at the highest levels of government. This heightened attention from law enforcement made the owners of underground cyber crime forums reconsider their relationship with ransomware groups, with some forums banning the advertising of such threats. DarkSide ceased operations soon thereafter and was followed later in the year by REvil, also known as Sodinokibi, whose creators were indicted and one was even arrested. REvil was one of the most successful ransomware groups since 2019.
Russia's invasion of Ukraine in February 2022 quickly put a strain on the relationship between many ransomware groups who had members and affiliates in both Russia and Ukraine, or other former USSR countries. Some groups, such as Conti, rushed to take sides in the war, threatening to attack Western infrastructure in support of Russia. This was a departure from the usual business-like apolitical approach in which ransomware gangs had run their operations and drew criticism from other competing groups.
This was also followed by a leak of internal communications that exposed many of Conti's operational secrets and caused uneasiness with its affiliates. Following a major attack against the Costa Rican government the US State Department put up a reward of $10 million for information related to the identity or location of Conti's leaders, which likely contributed to the group's decision to shut down operations in May.
Conti's disappearance led to a drop in ransomware activity for a couple of months, but it didn't last long as the void was quickly filled by other groups, some of them newly set up and suspected to be the creation of former members of Conti, REvil and other groups that ceased operations over the past two years.
Attackers Evolve Strategies to Outmanoeuvre Security Teams
Attackers are expected to broaden their targeting strategy beyond regulated verticals such as financial services and healthcare. Large corporations (41%) will be the top targeted sector for cyber attacks in 2023, favoured over financial institutions (36%), government (14%), healthcare (9%), and education (8%), according to cyber security solution provider Titaniam.
The fast pace of change has introduced new vulnerabilities into corporate networks, making them an increasingly attractive target for cyber attackers. To compete in the digital marketplace, large companies are adopting more cloud services, aggregating data, pushing code into production faster, and connecting applications and systems via APIs.
As a result, misconfigured services, unprotected databases, little-tested applications, and unknown and unsecured APIs abound, all of which can be exploited by attackers.
The top four threats in 2022 were malware (30%), ransomware and extortion (27%), insider threats (26%), and phishing (17%).
The study found that enterprises expected malware (40%) to be their biggest challenge in 2023, followed by insider threats (26%), ransomware and related extortion (21%), and phishing (16%).
Malware, however, has more enterprises worried for 2023 than it did for 2022. It is important to note that these threats can overlap, where insiders can have a hand in ransomware attacks, phishing can be a source of malware, etc.
Attackers are evolving their strategies to surprise and outmanoeuvre security teams, which have hardened ransomware defences and improved phishing detection. They’re using new malware, such as loaders, infostealers, and wipers to accelerate attacks, steal sensitive data and create mayhem.
They’re also buying and stealing employee credentials to walk in through the front door of corporate networks.
https://www.helpnetsecurity.com/2023/01/04/attackers-evolve-strategies-outmaneuver-security-teams/
Building a Security-First Culture: The Key to Cyber Success
Everyone has heard a car alarm go off in the middle of the night, but how often does that notification actually lead to action? Most people will hear the alarm, glance in its direction and then hope the owner will quickly remedy the situation.
Cars alarms often fail because they go off too often, leading to apathy and annoyance instead of being a cause for emergency. For many, cyber security has also become this way. While we see an increase in the noise surrounding the need for organisations to improve the security skillset and knowledge base of employees, there continues to be little proactive action on this front. Most organisations only provide employees with elementary-grade security training, often during their initial onboarding process or as part of a standard training requirement.
At the same time, many organisations also make the grave mistake of leaving all of their security responsibilities and obligations in the hands of IT and security teams. Time and time again, this approach has proven to be highly ineffective, especially as cyber criminals refine their social engineering tactics and target user accounts to execute their attacks.
Alarmingly, recent research found that 30% of employees do not think that they play a role in maintaining their company’s cyber security posture. The same report also revealed that only 39% of employees say they are likely to report a security incident.
As traditional boundaries of access disintegrate and more employees obtain permissions to sensitive company data and systems to carry out their tasks, business leaders must change the mindset of their employees when it comes to the role they play in keeping the organisation safe from cyber crime. The key is developing an integrated cyber security strategy that incorporates all aspects—including all stakeholders—of the organisation. This should be a strategy that breaks down departmental barriers and creates a culture of security responsibility where every team member plays a part.
Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of Known Exploited Vulnerabilities Catalogue
Back in November 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) published the Known Exploited Vulnerabilities (KEV) Catalogue to help federal agencies and critical infrastructure organisations identify and remediate vulnerabilities that are actively being exploited. CISA added 548 new vulnerabilities to the catalogue across 58 updates from January to end of November 2022, according to cyber security solution provider Grey Noise in its first-ever "GreyNoise Mass Exploits Report."
Including the approximately 300 vulnerabilities added in November and December 2021, CISA listed approximately 850 vulnerabilities in the first year of the catalogue's existence.
Actively exploited vulnerabilities in Microsoft, Adobe, Cisco, and Apple products accounted for over half of the updates to the KEV catalogue in 2022, Grey Noise found. Seventy-seven percent of the updates to the KEV catalogue were older vulnerabilities dating back to before 2022. Many of these vulnerabilities have been around for two decades.
Several of the vulnerabilities in the KEV catalogue are from products that have already entered end-of-life (EOL) and end-of-service-life (EOSL), according to an analysis by a team from cyber security solution provider Cyber Security Works. Even though Windows Server 2008 and Windows 7 are EOSL products, the KEV catalogue lists 127 Server 2008 vulnerabilities and 117 Windows 7 vulnerabilities.
Even though the catalogue was originally intended for critical infrastructure and public-sector organisations, it has become the authoritative source on which vulnerabilities are – or have been – exploited by attackers. This is key because the National Vulnerability Database (NVD) assigned Common Vulnerabilities and Exposures (CVE) identifiers for over 12,000 vulnerabilities in 2022, and it would be unwieldy for enterprise defenders to assess every single one to identify the ones relevant to their environments. Enterprise teams can use the catalogue's curated list of CVEs under active attack to create their priority lists.
First LastPass, Now Slack and CircleCI. The Hacks Go On (and will likely worsen)
In the past week, the world has learned of serious breaches hitting chat service Slack and software testing and delivery company CircleCI, though giving the companies' opaque wording—“security issue” and “security incident,” respectively—you'd be forgiven for thinking these events were minor.
The compromises—in Slack’s case, the theft of employee token credentials and for CircleCI, the possible exposure of all customer secrets it stores—come two weeks after password manager LastPass disclosed its own security failure: the theft of customers’ password vaults containing sensitive data in both encrypted and clear text form. It’s not clear if all three breaches are related, but that’s certainly a possibility.
The most concerning of the two new breaches is the one hitting CircleCI. The company reported a “security incident” that prompted it to advise customers to rotate “all secrets” they store on the service. The alert also informed customers that it had invalidated their Project API tokens, an event requiring them to go through the hassle of replacing them.
CircleCI says it’s used by more than 1 million developers in support of 30,000 organisations and runs nearly 1 million daily jobs. The potential exposure of all those secrets—which could be login credentials, access tokens, and who knows what else—could prove disastrous for the security of the entire Internet.
It’s possible that some or all of these breaches are related. The Internet relies on a massive ecosystem of content delivery networks, authentication services, software development tool makers, and other companies. Threat actors frequently hack one company and use the data or access they obtain to breach that company's customers or partners. That was the case with the August breach of security provider Twilio. The same threat actor targeted 136 other companies. Something similar played out in the last days of 2020 when hackers compromised Solar Winds, gained control of its software build system, and used it to infect roughly 40 Solar Winds customers.
For now, people should brace themselves for additional disclosures from companies they rely on. Checking internal system logs for suspicious entries, turning on multifactor authentication, and patching network systems are always good ideas, but given the current events, those precautions should be expedited. It’s also worth checking logs for any contact with the IP address 54.145.167.181, which one security practitioner said was connected to the CircleCI breach.
Data of 235 Million Twitter Users Leaked Online
A data leak containing email addresses for 235 million Twitter users has been published on a popular hacker forum. Many experts have immediately analysed it and confirmed the authenticity of many of the entries in the huge leaked archive.
In January 2022, a report claimed the discovery of a vulnerability that can be exploited by an attacker to find a Twitter account by the associated phone number/email, even if the user has opted to prevent this in the privacy options. The vulnerability was exploited by multiple threat actors to scrape Twitter user profiles containing both private (phone numbers and email addresses) and public data, and was present within the social media platforms application programming interface (API) from June 2021 until January 2022.
At the end of July 2022, a threat actor leaked data of 5.4 million Twitter accounts that were obtained by exploiting the forementioned, now-fixed vulnerability in the popular social media platform. The scraped data was then put up for sale on various online cyber crime marketplaces. In August, Twitter confirmed that the data breach was caused by a now-patched zero-day flaw.
In December another Twitter data leak made the headlines, a threat actor obtained data of 400,000,000 Twitter users and attempted to sell it. The seller claimed the database is private, and he provided a sample of 1,000 accounts as proof of claims which included the private information of prominent users such as Donald Trump JR, Brian Krebs, and many more. The seller, who is a member of a popular data breach forum, claimed the data was scraped via a vulnerability. The database includes emails and phone numbers of celebrities, politicians, companies, normal users, and a lot of special usernames.
https://securityaffairs.com/140352/data-breach/twitter-data-leak-235m-users.html
16 Car Makers, including BMW, Ferrari, Ford, Honda, Kia, Land Rover, Mercedes and Toyota, and Their Vehicles Hacked via Telematics, APIs, and Infrastructure
A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car functions and start or stop the engine.
Multiple other security defects, the researchers say, allowed them to access a car maker’s internal applications and systems, leading to the exposure of personally identifiable information (PII) belonging to customers and employees, and account takeover, among others. The hacks targeted telematic systems, automotive APIs, and infrastructure.
Impacted car models include Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls Royce, and Toyota. The vulnerabilities were identified over the course of 2022. Car manufacturers were informed about the security holes and they released patches.
According to the researchers, they were able to send commands to Acura, Genesis, Honda, Hyundai, Kia, Infiniti, Nissan, and Porsche vehicles.
Using only the VIN (vehicle identification number), which is typically visible on the windshield, the researchers were able to start/stop the engine, remotely lock/unlock the vehicle, flash headlights, honk vehicles, and retrieve the precise location of Acura, Honda, Kia, Infiniti, and Nissan cars.
They could also lock users out of remote vehicle management and could change car ownership.
https://www.securityweek.com/16-car-makers-and-their-vehicles-hacked-telematics-apis-infrastructure
Ransomware Gang Apologises, and Gives SickKids Hospital Free Decrypter
The LockBit ransomware gang has released a free decrypter for the Hospital for Sick Children (SickKids), saying one of its members violated rules by attacking the healthcare organisation. SickKids is a teaching and research hospital in Toronto that focuses on providing healthcare to sick children.
On December 18th, the hospital suffered a ransomware attack that impacted internal and corporate systems, hospital phone lines, and the website. While the attack only encrypted a few systems, SickKids stated that the incident caused delays in receiving lab and imaging results and resulted in longer patient wait times.
On December 29th, SickKids announced that it had restored 50% of its priority systems, including those causing diagnostic or treatment delays. Two days after SickKids' latest announcement, the LockBit ransomware gang apologised for the attack on the hospital and released a decrypter for free.
“We formally apologise for the attack on sikkids.ca and give back the decrypter for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate programme," stated the ransomware gang.
Threats
Ransomware, Extortion and Destructive Attacks
Rackspace: Ransomware Attack Bypassed ProxyNotShell Mitigations (darkreading.com)
Rackspace: Customer email data accessed in ransomware attack (bleepingcomputer.com)
Ransomware gang cloned victim’s website to leak stolen data (bleepingcomputer.com)
Rackspace identifies hacking group responsible for early December ransomware attack | TPR
Ransomware ecosystem becoming more diverse for 2023 | CSO Online
Rackspace Sunsets Email Service Downed in Ransomware Attack (darkreading.com)
December ransomware disclosures reveal high-profile victims | TechTarget
The Guardian ransomware attack hits week two as staff WFH • The Register
Unraveling the techniques of Mac ransomware - Microsoft Security Blog
Bitdefender releases free MegaCortex ransomware decryptor (bleepingcomputer.com)
Ransomware Research: More than 200 US Infrastructure Organisations Attacked in 2022 - MSSP Alert
Ransomware impacts over 200 govt, edu, healthcare orgs in 2022 (bleepingcomputer.com)
Guardian ransomware attack: Staff told work from home to 23 Jan (pressgazette.co.uk)
Rail giant Wabtec discloses data breach after Lockbit ransomware attack (bleepingcomputer.com)
Christmas Eve 'cyber attack' forced Arnold Clark's network down | STV News
Royal ransomware claims attack on Queensland University of Technology (bleepingcomputer.com)
LockBit: Sorry for SickKids, but not housing authority • The Register
Canadian mining firm shuts down mill after ransomware attack (bleepingcomputer.com)
Phishing & Email Based Attacks
Data of 235 million Twitter users leaked online - Security Affairs
Is NHS The Most Impersonated UK Government "Brand"? (informationsecuritybuzz.com)
The Evolving Tactics of Vidar Stealer: From Phishing Emails to Social Media (thehackernews.com)
Ongoing Flipper Zero phishing attacks target infosec community (bleepingcomputer.com)
Other Social Engineering; Smishing, Vishing, etc
Malware
Raspberry Robin Worm Evolves to Attack Financial and Insurance Sectors in Europe (thehackernews.com)
Hackers abuse Windows error reporting tool to deploy malware (bleepingcomputer.com)
New SHC-compiled Linux malware installs cryptominers, DDoS bots (bleepingcomputer.com)
Bluebottle hackers used signed Windows driver in attacks on banks (bleepingcomputer.com)
Dridex Returns, Targets MacOS Using New Entry Method (trendmicro.com)
New Linux malware uses 30 plugin exploits to backdoor WordPress sites (bleepingcomputer.com)
PyTorch discloses malicious dependency chain compromise over holidays (bleepingcomputer.com)
WordPress Sites Under Attack from Newly Found Linux Trojan (darkreading.com)
Blind Eagle Hackers Return with Refined Tools and Sophisticated Infection Chain (thehackernews.com)
Raspberry Robin Worm Hatches a Highly Complex Upgrade (darkreading.com)
The Evolving Tactics of Vidar Stealer: From Phishing Emails to Social Media (thehackernews.com)
Denial of Service/DoS/DDOS
Internet of Things – IoT
Data Breaches/Leaks
Data of over 200 million Deezer users stolen, leaks on hacking forum • Graham Cluley
Five Guys Data Breach Puts HR Data Under a Heat Lamp (darkreading.com)
Analysis Of Top 10 Countries Mostly Targeted By Data Breaches (informationsecuritybuzz.com)
I bought a $15 router at Goodwill — and found a millionaire's dirty secrets (nypost.com)
Critical flaws found in Ferrari, BMW, Porsche, and other carmakers - Security Affairs
Toyota, Mercedes, BMW API flaws exposed owners’ personal info (bleepingcomputer.com)
Threat actors stole Slack private source code repositories - Security Affairs
Data of over 200 million Deezer users stolen, leaks on hacking forum • Graham Cluley
Organised Crime & Criminal Actors
Threat Actors Evade Detection Through Geofencing & Fingerprinting (darkreading.com)
Attackers create 130K fake accounts to abuse limited-time cloud computing resources | CSO Online
Ukrainian Cops Bust Prolific Fraud Call Centre - Infosecurity Magazine (infosecurity-magazine.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Insider Risk and Insider Threats
Software engineer busted after being inspired by Office Space scam | PC Gamer
Are Meta and Twitter Ushering in a New Age of Insider Threats? (darkreading.com)
Ex-GE engineer sentenced for stealing turbine tech for China • The Register
Fraud, Scams & Financial Crime
Avast: Expect Cyber crime "Scamdemic" to Continue in 2023 - MSSP Alert
Software engineer busted after being inspired by Office Space scam | PC Gamer
US regulators warn banks over cryptocurrency risks - BBC News
RedZei Chinese Scammers Targeting Chinese Students in the UK (thehackernews.com)
Ukrainian Cops Bust Prolific Fraud Call Centre - Infosecurity Magazine (infosecurity-magazine.com)
Impersonation Attacks
AML/CFT/Sanctions
Insurance
Cyber safety premiums holding firms to ransom | Business | The Times
How can businesses decrease cyber insurance premiums while maintaining coverage? - Help Net Security
Dark Web
Supply Chain and Third Parties
Software Supply Chain
Cloud/SaaS
Encryption
API
Car companies massively exposed to web vulnerabilities | The Daily Swig (portswigger.net)
16 Car Makers and Their Vehicles Hacked via Telematics, APIs, Infrastructure | SecurityWeek.Com
What Are Some Ways to Make APIs More Secure? (darkreading.com)
Critical flaws found in Ferrari, BMW, Porsche, and other carmakers - Security Affairs
Open Source
New SHC-compiled Linux malware installs cryptominers, DDoS bots (bleepingcomputer.com)
New Linux malware uses 30 plugin exploits to backdoor WordPress sites (bleepingcomputer.com)
Social Media
Data of 235 million Twitter users leaked online - Security Affairs
The Evolving Tactics of Vidar Stealer: From Phishing Emails to Social Media (thehackernews.com)
Are Meta and Twitter Ushering in a New Age of Insider Threats? (darkreading.com)
Meta fined €390m over use of data for targeted ads - BBC News
More Political Storms for TikTok After US Government Ban | SecurityWeek.Com
Parental Controls and Child Safety
Regulations, Fines and Legislation
Governance, Risk and Compliance
Cyber safety premiums holding firms to ransom | Business | The Times
Attackers never let a critical vulnerability go to waste - Help Net Security
Attackers evolve strategies to outmanoeuvre security teams - Help Net Security
How to start planning for disaster recovery - Help Net Security
Building A Security-First Culture: The Key To Cyber Success (forbes.com)
Data backup is no longer just about operational fallback - Help Net Security
Threat Actors Evade Detection Through Geofencing & Fingerprinting (darkreading.com)
How can businesses decrease cyber insurance premiums while maintaining coverage? - Help Net Security
Secure Disposal
Backup and Recovery
Data Protection
Law Enforcement Action and Take Downs
Privacy, Surveillance and Mass Monitoring
National security fears over police using Chinese tech | News | The Times
Meta fined €390m over use of data for targeted ads - BBC News
Artificial Intelligence
ChatGPT: An Easy Cyber crime Target For Cyber attacks (informationsecuritybuzz.com)
OpenAI's ChatGPT previews how AI can help hackers breach more networks (axios.com)
NATO tests AI’s ability to protect critical infrastructure against cyber attacks | CSO Online
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
War and Geopolitical Conflict: The New Battleground for DDoS Attacks (darkreading.com)
Cyber attacks against governments jumped 95% in last half of 2022, CloudSek says | CSO Online
It's time to focus on information warfare's hard questions (cyberscoop.com)
National security fears over police using Chinese tech | News | The Times
Ex-GE engineer sentenced for stealing turbine tech for China • The Register
Pro-Russia cyber attacks aim at destabilizing Poland - Security Affairs
Poland warns of attacks by Russia-linked Ghostwriter hacking group (bleepingcomputer.com)
Nation State Actors
Nation State Actors – Russia
Nation State Actors – China
National security fears over police using Chinese tech | News | The Times
Ex-GE engineer sentenced for stealing turbine tech for China • The Register
Nation State Actors – Iran
Nation State Actors – Misc
Vulnerability Management
Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of KEV Catalog (darkreading.com)
Attackers never let a critical vulnerability go to waste - Help Net Security
Vulnerabilities
Over 60,000 Exchange servers vulnerable to ProxyNotShell attacks (bleepingcomputer.com)
Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of KEV Catalog (darkreading.com)
Rackspace: Ransomware Attack Bypassed ProxyNotShell Mitigations (darkreading.com)
Zoho urges admins to patch severe ManageEngine bug immediately (bleepingcomputer.com)
Android's First Security Updates for 2023 Patch 60 Vulnerabilities | SecurityWeek.Com
Fortinet and Zoho Urge Customers to Patch Enterprise Software Vulnerabilities (thehackernews.com)
Qualcomm, Lenovo flag multiple high impact firmware vulnerabilities | SC Media (scmagazine.com)
Netgear Wi-Fi routers need to be patched immediately | TechRadar
Other News
The cyber security industry will undergo significant changes in 2023 - Help Net Security
SecurityAffairs Top 10 cybersecurity posts of 2022 - Security Affairs
BleepingComputer's most popular cybersecurity stories of 2022
WordPress Security: 22 Ways To Protect Your Website (informationsecuritybuzz.com)
Cyber attacks against governments jumped 95% in last half of 2022, CloudSek says | CSO Online
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Informational 05/01/2023 – Twitter Data Leak
Black Arrow Cyber Informational 05/01/2023 – Twitter Data Leak
Executive Summary
A data leak containing the email addresses for over 200 million Twitter users has been published on a popular hacking forum for free. The leak appears to be the same as the one reported in December 2022, with a number of experts confirming the authenticity of entries in the leak.
What’s the risk to me or my business?
The leak contains details of Twitter users and their email addresses, which could be used by threat actors to conduct phishing attacks against accounts.
What can I do?
Although no immediate response is required, Black Arrow recommends that any individual or organisation which has used twitter remains vigilant and on the lookout for potential phishing attacks
Further information on the data leak be found here: https://www.bleepingcomputer.com/news/security/200-million-twitter-users-email-addresses-allegedly-leaked-online/
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatintelligence #cybersecurity
Black Arrow Cyber Advisory 04/01/2023 – Over 60,000 Microsoft Exchange Servers Remain Vulnerable to “ProxyNotShell”
Black Arrow Cyber Advisory 04/01/2023 – Over 60,000 Microsoft Exchange Servers Remain Vulnerable to “ProxyNotShell”
Executive Summary
ShadowServer, a nonprofit security organisation, has identified that more than 60,000 Microsoft Exchange on-premises servers exposed online are yet to be patched against the CVE-2022-41082 remote code execution (RCE) vulnerability and CVE-2022-41040 Server-Side Request Forgery (SSFR) vulnerability, previously described in our advisory of 3rd October 2022. The two exploits are known collectively as “ProxyNotShell” and require authentication with the exchange server. This means an attacker would need to already have standard user working credentials.
What’s the risk to me or my business?
Successful exploitation of these vulnerabilities would grant an attacker the ability to remotely execute code on the underlying server, allowing them to perform reconnaissance on the environment and exfiltration of data off the network. Microsoft Exchange Online users are not affected by these vulnerabilities.
What can I do?
Microsoft strongly recommends applying the Exchange Server updates for CVE-2022-41040 and CVE-2022-41082. The previous mitigations given by Microsoft are no longer recommended.
Further information on the two vulnerabilities can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41040 & https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41082
Microsoft Customer guidance can be found here: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
ShadowServer Vulnerability Report: https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-exchange-server-report/
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Threat Briefing 30 December 2022
Black Arrow Cyber Threat Briefing 30 December 2022:
-Cyber Attacks Set to Become ‘Uninsurable’, Says Zurich Chief
-Your Business Should Compensate for Modern Ransomware Capabilities Right Now
-Reported Phishing Attacks Have Quintupled
-Ransomware, DDoS See Major Upsurge Led by Upstart Hacker Group
-Videoconferencing Worries Grow, With SMBs in Cyber Attack Crosshairs
-Will the Crypto Crash Impact Cyber Security in 2023? Maybe.
-The Worst Hacks of 2022
-Geopolitical Tensions Expected to Further Impact Cyber Security in 2023
-Fraudsters’ Working Patterns Have Changed in Recent Years
-Hacktivism is Back and Messier Than Ever
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber Attacks Set to Become ‘Uninsurable’, Says Zurich Chief
The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow.
Insurance executives have been increasingly vocal in recent years about systemic risks, such as pandemics and climate change, that test the sector’s ability to provide coverage. For the second year in a row, natural catastrophe-related claims are expected to top $100bn.
But Mario Greco, chief executive at insurer Zurich, told the Financial Times that cyber was the risk to watch. “What will become uninsurable is going to be cyber,” he said. “What if someone takes control of vital parts of our infrastructure, the consequences of that?” Recent attacks that have disrupted hospitals, shut down pipelines and targeted government departments have all fed concern about this expanding risk among industry executives. Focusing on the privacy risk to individuals was missing the bigger picture, Greco added: “First off, there must be a perception that this is not just data . . . this is about civilisation. These people can severely disrupt our lives.”
Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses. There are exemptions written into policies for certain types of attacks. In 2019, Zurich initially denied a $100mn claim from food company Mondelez, arising from the NotPetya attack, on the basis that the policy excluded a “warlike action”. The two sides later settled. In September, Lloyd’s of London defended a move to limit systemic risk from cyber attacks by requesting that insurance policies written in the market have an exemption for state-backed attacks.
https://www.ft.com/content/63ea94fa-c6fc-449f-b2b8-ea29cc83637d
Your Business Should Compensate for Modern Ransomware Capabilities Right Now
The “if, not when” mentality surrounding ransomware may be the biggest modern threat to business longevity. Companies of all sizes and across all industries are increasingly common targets for ransomware attacks, and we know that 94% of organisations experienced a cyber security incident last year alone. Yet, many enterprises continue to operate with decades-old security protocols that are unequipped to combat modern ransomware. Leaders have prioritised improving physical security measures in light of the pandemic — so why haven’t ransomware protections improved?
Maybe it’s the mistaken notion that ransomware attacks are declining. In reality, Q1 of 2022 saw a 200% YoY increase in ransomware incidents. Meanwhile, the rise in Ransomware as a Service (RaaS) offerings suggests that cyber threats have become a commodity for bad actors.
The RaaS market presents a new and troubling trend for business leaders and IT professionals. With RaaS — a subscription ransomware model that allows affiliates to deploy malware for a fee — the barrier to entry for hackers is lower than ever. The relatively unskilled nature of RaaS hackers may explain why the average ransomware downtime has plummeted to just 3.85 days (compared to an average attack duration of over two months in 2019).
While the decrease in attack duration is promising, the rise of RaaS still suggests an inconvenient truth for business leaders: All organisations are at risk. And in time, all organisations will become a target, which is why it’s time for IT and business leaders to implement tough cyber security protocols.
Reported Phishing Attacks Have Quintupled
In the third quarter of 2022, the international Anti-Phishing Working Group (APWG) consortium observed 1,270,883 total phishing attacks; the worst quarter for phishing that APWG has ever observed. The total for August 2022 was 430,141 phishing sites, the highest monthly total ever reported to APWG.
Over recent years, reported phishing attacks submitted to APWG have more than quintupled since the first quarter of 2020, when APWG observed 230,554 attacks. The rise in Q3 2022 was attributable, in part, to increasing numbers of attacks reported against several specific targeted brands. These target companies and their customers suffered from large numbers of attacks from persistent phishers.
Threat researchers at the cyber security solution provider Fortra noted a 488 percent increase in response-based email attacks in Q3 2022 compared to the prior quarter. While every subtype of these attacks increased compared to Q2, the largest increase was in Advance Fee Fraud schemes, which rose by a staggering 1,074 percent.
In the third quarter of 2022, APWG founding member OpSec Security found that phishing attacks against the financial sector, which includes banks, remained the largest set of attacks, accounting for 23.2 percent of all phishing. Attacks against webmail and software-as-a-service (SaaS) providers remained prevalent as well. Phishing against social media services fell to 11 percent of the total, down from 15.3 percent.
Phishing against cryptocurrency targets — such as cryptocurrency exchanges and wallet providers — fell from 4.5 percent of all phishing attacks in Q2 2022 to 2 percent in Q3. This mirrored the fall in value of many cryptocurrencies since mid-year.
https://www.helpnetsecurity.com/2022/12/28/reported-phishing-attacks-quintupled/
Ransomware, DDoS See Major Upsurge Led by Upstart Hacker Group
Cyber threat actors Cuba and Royal are driving a 41% boom in ransomware and other attacks hitting industry and consumer goods and services.
According to the Global Threat Intelligence team of information assurance firm NCC Group, November saw a 41% increase in ransomware attacks from 188 incidents to 265. In its most recent Monthly Threat Pulse, the group reported that the month was the most active for ransomware attacks since April this year.
Key takeaways from the study:
Ransomware attacks rose by 41% in November.
Threat group Royal (16%) was the most active, replacing LockBit as the worst offender for the first time since September 2021.
Industrials (32%) and consumer cyclicals (44%) remain the top two most targeted sectors, but technology experienced a large 75% increase over the last month.
Regional data remains consistent with last month — North America (45%), Europe (25%) and Asia (14%)
DDoS attacks continue to increase.
Recent examples in the services sector include the Play ransomware group’s claimed attack of the German H-Hotels chain, resulting in communications outages. This attack reportedly uses a vulnerability in Microsoft Exchange called ProxyNotShell, which as the name implies, has similarities to the ProxyShell zero-day vulnerability revealed in 2021.
Also, back on the scene is the TrueBot malware downloader (a.k.a., the silence.downloader), which is showing up in an increasing number of devices. TrueBot Windows malware, designed by a Russian-speaking hacking group identified as Silence, has resurfaced bearing Ransom.Clop, which first appeared in 2019. Clop ransomware encrypts systems and exfiltrates data with the threat that if no ransom is forthcoming, the data will show up on a leak site.
https://www.techrepublic.com/article/ransomware-ddos-major-upsurge-led-upstart-hacker-group/
Videoconferencing Worries Grow, With SMBs in Cyber Attack Crosshairs
Securing videoconferencing solutions is just one of many IT security challenges small businesses are facing, often with limited financial and human resources.
It's no secret that the acceleration of work-from-home and distributed workforce trends — infamously spurred on by the pandemic — has occurred in tandem with the rise of video communications and collaboration platforms, led by Zoom, Microsoft, and Cisco.
But given that videoconferencing now plays a critical role in how businesses interact with their employees, customers, clients, vendors, and others, these platforms carry significant potential security risks, researchers say.
Organisations use videoconferencing to discuss M&A, legal, military, healthcare, intellectual property and other topics, and even corporate strategies. A loss of that data could be catastrophic for a company, its employees, its clients, and its customers.
However, a recent report on videoconferencing security showed that 93% of IT professionals surveyed acknowledged security vulnerabilities and gaping risks in their videoconferencing solutions.
Among the most relevant risks is the lack of controlled access to conversations that could result in disruption, sabotage, compromise, or exposure of sensitive information, while use of nonsecure, outdated, or unpatched videoconferencing applications can expose security flaws.
The risks include the potential for interruptions, unauthorised access, and perhaps most concerning, the opportunity for a bad actor to acquire sensitive information.
Will the Crypto Crash Impact Cyber Security in 2023? Maybe.
With the implosion of the FTX exchange putting a punctuation mark on the cryptocurrency crash of 2022, one of the natural questions for those in the cyber security world is, how will this rapid decline of cryptocurrency valuations change the cyber crime economy?
Throughout the most recent crypto boom, and even before then, cyber criminals have used and abused cryptocurrency to build up their empires. The cryptocurrency market provides the extortionary medium for ransomware; it's a hotbed of scams against consumers to steal their wallets and accounts. Traditionally, it's provided a ton of anonymous cover for money laundering on the back end of a range of cyber criminal enterprises.
Even so, according to cyber security experts and intelligence analysts, while there certainly have been some shifts in trends and tactics that they believe are loosely tied to the crypto crash, the jury's still out on long-term impacts.
Regardless of crypto values, cyber criminals this year have definitely become more sophisticated in how they use cryptocurrencies to monetise their attacks including the use by some ransomware groups taking advantage of yield farming within decentralised finance (DeFi), as an example.
The concept of yield farming is the same as lending money, with a contract in place that clearly shows how much interest will need to be paid. The advantage for ransomware groups is that the 'interest' will be legitimate proceeds, so there will be no need to launder or hide it.
Threat actors are increasingly turning toward 'stablecoins,' which are usually tied to fiat currencies or gold to stem their volatility. In many ways, the downturn in crypto values has increased the risk appetite of cyber criminals and is spurring them into more investment fraud and cryptocurrency scams.
https://www.darkreading.com/threat-intelligence/crypto-crash-impact-cybersecurity-2023-maybe
The Worst Hacks of 2022
The year was marked by sinister new twists on cyber security classics, including phishing, breaches, and ransomware attacks.
With the pandemic evolving into an amorphous new phase and political polarisation on the rise around the world, 2022 was an uneasy and often perplexing year in digital security. And while hackers frequently leaned on old chestnuts like phishing and ransomware attacks, they still found vicious new variations to subvert defences.
Technology magazine Wired looked back on the year's worst breaches, leaks, ransomware attacks, state-sponsored hacking campaigns, and digital takeovers. If the first years of the 2020s are any indication, the digital security field in 2023 will be more bizarre and unpredictable than ever. Stay alert, and stay safe out there.
Russia Hacking Ukraine
For years, Russia has pummelled Ukraine with brutal digital attacks causing blackouts, stealing and destroying data, meddling in elections, and releasing destructive malware to ravage the country's networks. Since invading Ukraine in February, though, times have changed for some of Russia's most prominent and most dangerous military hackers. Shrewd long-term campaigns and grimly ingenious hacks have largely given way to a stricter and more regimented clip of quick intrusions into Ukrainian institutions, reconnaissance, and widespread destruction on the network—and then repeated access over and over again, whether through a new breach or by maintaining the old access.
Twilio and the 0ktapus Phishing Spree
Over the summer, a group of researchers dubbed 0ktapus went on a massive phishing bender, compromising nearly 10,000 accounts within more than 130 organisations. The majority of the victim institutions were US-based, but there were dozens in other countries as well.
Ransomware Still Hitting the Most Vulnerable Targets
In recent years, countries around the world and the cyber security industry have increasingly focused on countering ransomware attacks. While there has been some progress on deterrence, ransomware gangs were still on a rampage in 2022 and continued to target vulnerable and vital social institutions, including health care providers and schools. The Russian-speaking group Vice Society, for example, has long specialised in targeting both categories, and it focused its attacks on the education sector this year.
The Lapsus$ Rampage Continues
The digital extortion gang Lapsus$ was on an intense hacking spree at the beginning of 2022, stealing source code and other sensitive information from companies like Nvidia, Samsung, Ubisoft, and Microsoft and then leaking samples as part of apparent extortion attempts. Lapsus$ has a sinister talent for phishing, and in March, it compromised a contractor with access to the ubiquitous authentication service Okta.
LastPass
The beleaguered password manager giant LastPass, which has repeatedly dealt with data breaches and security incidents over the years, said at the end of December that a breach of its cloud storage in August led to a further incident in which hackers targeted a LastPass employee to compromise credentials and cloud storage keys.
Vanuatu
At the beginning of November, Vanuatu, an island nation in the Pacific, was hit by a cyber attack that took down virtually all of the government's digital networks. Agencies had to move to conducting their work on paper because emergency systems, medical records, vehicle registrations, driver's license databases, and tax systems were all down.
Honourable Mention: Twitter-Related Bedlam
Twitter has been in chaos mode for months following Elon Musk's acquisition of the company earlier this year. Amidst the tumult, reports surfaced in July and then again in November of a trove of 5.4 million Twitter users' data that has been circulating on criminal forums since at least July, if not earlier. The data was stolen by exploiting a vulnerability in a Twitter application programming interface, or API.
https://www.wired.com/story/worst-hacks-2022/
Geopolitical Tensions Expected to Further Impact Cyber Security in 2023
Geopolitics will continue to have an impact on cyber security and the security posture of organisations long into 2023.
The impact of global conflicts on cyber security was thrust into the spotlight when Russia made moves to invade Ukraine in February 2022. Ukraine’s Western allies were quick to recognise that with this came the threat of Russian-backed cyber-attacks against critical national infrastructure (CNI), especially in retaliation to hefty sanctions. While this may not have materialised in the way many expected, geopolitics is still front of mind for many cyber security experts looking to 2023.
Russia has always been among a handful of states recognised for their cyber prowess and being the source of many cyber criminal gangs. As previously mentioned, we have failed to see a significant cyber-attack, at least one comparable to the Colonial Pipeline incident, in 2022. However the cyber security services provider, e2e-assure, warned: “We have underestimated Russia’s cyber capability. There is a wide view that Russian cyber activity leading up to and during their invasion of Ukraine indicated that they aren’t the cyber power we once thought. Patterns and evidence will emerge in 2023 that shows this wasn’t the case, instead Russia was directing its cyber efforts elsewhere, with non-military goals (financial and political).”
NordVPN, the virtual private network (VPN) provider, warns that the cyber-war is only just starting: “With China’s leader securing his third term and Russia’s war in Ukraine, many experts predict an increase in state-sponsored cyber-attacks. China may increase cyber-attacks on Taiwan, Hong Kong, and other countries opposing the regime. Meanwhile, Russia is predicted to sponsor attacks on countries supporting Ukraine.”
We are used to seeing cyber-attacks that encrypt data and ask for ransom, but it is likely in this era of nation-state sponsored attacks we could experience attacks for the sake of disruption.
https://www.infosecurity-magazine.com/news/geopolitical-tensions-impact/
Fraudsters’ Working Patterns Have Changed in Recent Years
Less sophisticated fraud — in which doctored identity documents are readily spotted — has jumped 37% in 2022, according to the identify verfication provider Onfido. Fraudsters can scale these attacks on an organisation’s systems around the clock.
It is estimated that the current global financial cost of fraud is $5.38 trillion (£4.37 trillion), which is 6.4% of the world’s GDP. With most fraud now happening online (80% of reported fraud is cyber-enabled), Onfido’s Identity Fraud Report uncovers patterns of fraudster behaviour, attack techniques, and emerging tactics.
Over the last four years, fraudsters’ working patterns have dramatically changed. In 2019, attacks mirrored a typical working week, peaking Monday to Friday and dropping off during the weekends. Yet over the last three years, fraudulent activity started to shift so that levels of fraud span every day of the week.
In 2022, fraud levels were consistent across 24 hours, seven days a week. With technology, fraudsters are more connected across the globe and are able to traverse regions and time zones, and can easily take advantage of businesses’ closed hours when staff are likely offline. This hyperconnectivity means there are no more ‘business hours’ for fraudsters and sophisticated fraud rings — they will scam and defraud 24/7.
“As criminals look to take advantage of digitisation processes, they’re able to commit financial crimes with increasing efficiency and sophistication, to the extent that financial crime and cyber crime are now invariably linked,” said Interpol. “A significant amount of financial fraud takes place through digital technologies, and the pandemic has only hastened the emergence of digital money laundering tools and other cyber-enabled financial crimes.”
https://www.helpnetsecurity.com/2022/12/29/less-sophisticated-fraud/
Hacktivism is Back and Messier Than Ever
Throughout 2022, geopolitics has given rise to a new wave of politically motivated attacks with an undercurrent of state-sponsored meddling.
During its brutal war in Ukraine, Russian troops have burnt cities to the ground, raped and tortured civilians, and committed scores of potential war crimes. On November 23, lawmakers across Europe overwhelmingly labelled Russia a “state sponsor” of terrorism and called for ties with the country to be reduced further. The response to the declaration was instant. The European Parliament’s website was knocked offline by a DDoS attack.
The unsophisticated attack—which involves flooding a website with traffic to make it inaccessible—disrupted the Parliament’s website offline for several hours. Pro-Russian hacktivist group Killnet claimed responsibility for the attack. The hacktivist group has targeted hundreds of organisations around the world this year, having some limited small-scale successes knocking websites offline for short periods of time. It’s been one player in a bigger hacktivism surge.
Following years of sporadic hacktivist activity, 2022 has seen the re-emergence of hacktivism on a large scale. Russia’s full-scale invasion of Ukraine spawned scores of hacktivist groups on both sides of the conflict, while in Iran and Israel, so-called hacktivist groups are launching increasingly destructive attacks. This new wave of hacktivism, which varies between groups and countries, comes with new tactics and approaches and, increasingly, is blurring lines between hacktivism and government-sponsored attacks.
Threats
Ransomware, Extortion and Destructive Attacks
Jersey school locked out of systems as hackers demand "ransom" | Bailiwick Express Jersey
Vice Society Ransomware Attackers Adopt Robust Encryption Methods (thehackernews.com)
Global counter-ransomware task force to become active in January - CyberScoop
Fool Me Thrice? How to Avoid Double and Triple Ransomware Extortion (darkreading.com)
Rackspace criticized for PR response to ransomware attack (expressnews.com)
Ransomware, DDoS see major upsurge led by upstart hacker group (techrepublic.com)
6 Ways to Protect Your Organisation Against LAPSUS$ (darkreading.com)
Your business should compensate for modern ransomware capabilities right now | VentureBeat
Vice Society Adds Custom-branded Payload PolyVice to its Arsenal | Cyware Alerts - Hacker News
Hackers stole data from multiple electric utilities in recent ransomware attack | CNN Politics
Ransomware attack at Louisiana hospital impacts 270,000 patients (bleepingcomputer.com)
The mounting death toll of hospital cyber attacks - POLITICO
Royal ransomware claims attack on Intrado telecom provider (bleepingcomputer.com)
Healthcare Providers and Hospitals Under Ransomware's Siege (darkreading.com)
Guardian Australia staff sent home after cyber attack takes out systems (theage.com.au)
Dumfries Arnold Clark garages hit by company-wide cyber attack - Daily Record
Ransom Deadline Given By LockBit In Port Of Lisbon Attack (informationsecuritybuzz.com)
Phishing & Email Based Attacks
Reported phishing attacks have quintupled - Help Net Security
6 Ways to Protect Your Organisation Against LAPSUS$ (darkreading.com)
Other Social Engineering; Smishing, Vishing, etc
Malware
GuLoader implements new evasion techniques - Security Affairs
PrivateLoader PPI Service Found Distributing Info-Stealing RisePro Malware (thehackernews.com)
2022 sees over 5000 times new Windows malware vs macOS, over 60 times vs Linux - Neowin
APT Hackers Turn to Malicious Excel Add-ins as Initial Intrusion Vector (thehackernews.com)
New information-stealing malware is being spread by fake pirate sites | TechSpot
Mobile
Denial of Service/DoS/DDOS
Internet of Things – IoT
Smart Home Cyber security Hubs: Protecting Endpoints in Your Smarthome (compuquip.com)
Google Home speakers allowed hackers to snoop on conversations (bleepingcomputer.com)
Data Breaches/Leaks
BetMGM discloses security breach impacting 1.5 Million customers - Security Affairs
Massive Twitter data leak investigated by EU privacy watchdog (bleepingcomputer.com)
Massive EDiscovery Provider Shut Down Over 'Unauthorized Access' - Above the LawAbove the Law
Data of 400 Million Twitter users up for sale - Security Affairs
It’s all in the (lack of) details: 2022’s badly handled data breaches | TechCrunch
Military device with biometric database of 2K people sold on eBay for $68 | Ars Technica
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
How ‘brazen’ multibillion-dollar crypto fraud fell to pieces | Business | The Times
BTC.com lost $3 million worth of cryptocurrency in cyber attack (bleepingcomputer.com)
Hackers steal $8 million from users running trojanized BitKeep apps (bleepingcomputer.com)
Bitcoin Mining Pool Btc.com Suffers $3 Million Cyber attack – Mining Bitcoin News
Crypto wallet BitKeep lost over $9M over a cyber attack - Security Affairs
Case for blockchain in financial services dented by failures | Financial Times (ft.com)
Digital Assets Of $9.9 Million Stolen In BitKeep Cyber Attack (informationsecuritybuzz.com)
Crypto platform 3Commas admits hackers stole API keys (bleepingcomputer.com)
Fraud, Scams & Financial Crime
Linkedin Is Full Of Job Scams – Be Careful Out There (informationsecuritybuzz.com)
Scam complaints from Revolut users more than double since 2020 (telegraph.co.uk)
Fraudsters’ working patterns have changed in recent years - Help Net Security
Experts warn of attacks exploiting WordPress gift card plugin - Security Affairs
North Korean Hackers Created 70 Fake Bank, Venture Capital Firm Domains | SecurityWeek.Com
Ukraine shuts down fraudulent call center claiming 18,000 victims (bleepingcomputer.com)
Insurance
Supply Chain and Third Parties
Software Supply Chain
Why Attackers Target GitHub, and How You Can Secure It (darkreading.com)
Improving Software Supply Chain Cyber security (trendmicro.com)
Cloud/SaaS
Identity and Access Management
Enterprises waste money on identity tools they don't use - Help Net Security
Steps To Planning And Implementation Of PAM Solutions (informationsecuritybuzz.com)
Encryption
API
Crypto platform 3Commas admits hackers stole API keys (bleepingcomputer.com)
Google: With Cloud Comes APIs & Security Headaches (darkreading.com)
Passwords, Credential Stuffing & Brute Force Attacks
Biometrics
Social Media
TikTok User Data Has Been Compromised (giantfreakinrobot.com)
Elon Musk ‘orders Twitter to remove suicide prevention feature’ | Twitter | The Guardian
Massive Twitter data leak investigated by EU privacy watchdog (bleepingcomputer.com)
Meta settles Cambridge Analytica scandal case for $725m - BBC News
TikTok bans haven't really banned much of anything - The Washington Post
Twitter restores suicide prevention feature | Twitter | The Guardian
Data of 400 Million Twitter users up for sale - Security Affairs
Hacker claims to be selling Twitter data of 400 million users (bleepingcomputer.com)
Malvertising
Privacy
Regulations, Fines and Legislation
Governance, Risk and Compliance
IBM and 70 Global Banks Co-Create New Cyber security, Risk Framework (accelerationeconomy.com)
Economic uncertainty compels IT leaders to rethink their strategy - Help Net Security
3 important changes in how data will be used and treated - Help Net Security
2022 Top Five Immediate Threats in Geopolitical Context (thehackernews.com)
Secure Disposal
Careers, Working in Cyber and Information Security
IT Jobs: How To Become An Information Security Analyst (informationsecuritybuzz.com)
‘There's a career in cyber security for everyone,’ Microsoft Security CVP says | Fortune
Law Enforcement Action and Take Downs
Privacy, Surveillance and Mass Monitoring
Google Home speakers allowed hackers to snoop on conversations (bleepingcomputer.com)
Police in China can track protests by enabling ‘alarms’ on Hikvision software | China | The Guardian
The Threat of Predictive Policing to Data Privacy and Personal Liberty (darkreading.com)
Meta settles Cambridge Analytica scandal case for $725m - BBC News
78% of Employers Are Using Remote Work Tools to Spy on You (entrepreneur.com)
Germany: Police surveillance software a legal headache – DW – 12/22/2022
Artificial Intelligence
Code-generating AI can introduce security vulnerabilities, study finds | TechCrunch
AI cyber attacks are a ‘critical threat’. This is how NATO is countering them | Euronews
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
2022 Top Five Immediate Threats in Geopolitical Context (thehackernews.com)
Russia’s Cyberwar Foreshadowed Deadly Attacks on Civilians | WIRED
Hundreds of Russian cyber attacks on CHPPs, regional power plants prevented - SBU
Ukrainian Hackers Gather Data on Russian Soldiers, Minister Says - Bloomberg
North Korean hackers targeted nearly 1,000 South Korean foreign policy experts
German double agent ‘passed Ukraine intelligence to Russia’ (telegraph.co.uk)
Nation State Actors
Nation State Actors – Russia
Hundreds of Russian cyber attacks on CHPPs, regional power plants prevented - SBU
Russian mobile calls, internet seen deteriorating after Nokia, Ericsson leave – EURACTIV.com
Nation State Actors – China
Police in China can track protests by enabling ‘alarms’ on Hikvision software | China | The Guardian
Nation State Actors – North Korea
BlueNoroff APT Hackers Using New Ways to Bypass Windows MotW Protection (thehackernews.com)
North Korean Hackers Created 70 Fake Bank, Venture Capital Firm Domains | SecurityWeek.Com
North Korean hacking outfit impersonating venture capital firms | SC Media (scmagazine.com)
North Korean hackers targeted nearly 1,000 South Korean foreign policy experts
Nation State Actors – Iran
Nation State Actors – Misc
Vulnerability Management
Vulnerabilities
Patch now: Serious Linux kernel security hole uncovered | ZDNET
Microsoft Patches Azure Cross-Tenant Data Access Flaw | SecurityWeek.Com
Critical Linux Kernel flaw affects SMB servers with ksmbd enabled - Security Affairs
Critical “10-out-of-10” Linux kernel SMB hole – should you worry? – Naked Security (sophos.com)
Log4Shell remains a big threat and a common cause for security breaches | CSO Online
Thousands of Citrix servers vulnerable to patched critical flaws (bleepingcomputer.com)
Netgear warns users to patch recently fixed WiFi router bug (bleepingcomputer.com)
CISA Warns of Active exploitation of JasperReports Vulnerabilities (thehackernews.com)
Tools and Controls
Other News
AI cyber attacks are a ‘critical threat’. This is how NATO is countering them | Euronews
Review: 10 Biggest Hacks And Cyber Security Threats Of 2022 (informationsecuritybuzz.com)
New information-stealing malware is being spread by fake pirate sites | TechSpot
Trend Micro: Expect 2023 to Bring Uncertainty to Cyber Attackers and Defenders - MSSP Alert
After the Uber Breach: 3 Questions All CISOs Should Ask Themselves (darkreading.com)
Top 10 Cyber Security Predictions For 2023 Based On Expert Responses (informationsecuritybuzz.com)
The Five Stories That Shaped Cyber security in 2022 | SecurityWeek.Com
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Threat Briefing 23 December 2022
Black Arrow Cyber Threat Briefing 23 December 2022:
-LastPass Users: Your Info and Password Vault Data are Now in Hackers’ Hands
-Ransomware Attacks Increased 41% In November
-The Risk of Escalation from Cyber Attacks Has Never Been Greater
-FBI Recommends Ad Blockers as Cyber Criminals Impersonate Brands in Search Engine Ads
-North Korea-Linked Hackers Stole $626 Million in Virtual Assets in 2022
-UK Security Agency Wants Fresh Approach to Combat Phishing
-GodFather Android malware targets 400 banks, crypto exchanges
-Companies Overwhelmed by Available Tech Solutions
-Nine in 10 Third-party Contractors, Freelancers Use Personal, Unmanaged Devices Likely to be Infected
-UK Privacy Regulator Names and Shames Breached Firms
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
LastPass Admits Attackers have an Encrypted Copy of Customers’ Password Vaults
Password locker LastPass has warned customers that the August 2022 attack on its systems saw unknown parties copy encrypted files that contain the passwords to their accounts.
In a December 22nd update to its advice about the incident, LastPass brings customers up to date by explaining that in the August 2022 attack “some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.” Those creds allowed the attacker to copy information “that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”
The update reveals that the attacker also copied “customer vault” data, the file LastPass uses to let customers record their passwords. That file “is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.” The passwords are encrypted with “256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password”.
LastPass’ advice is that even though attackers have that file, customers who use its default settings have nothing to do as a result of this update as “it would take millions of years to guess your master password using generally-available password-cracking technology.” One of those default settings is not to re-use the master password that is required to log into LastPass. The outfit suggests you make it a complex credential and use that password for just one thing: accessing LastPass.
LastPass therefore offered the following advice to individual and business users: If your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimising risk by changing passwords of websites you have stored.
LastPass’s update concludes with news it decommissioned the systems breached in August 2022 and has built new infrastructure that adds extra protections.
https://www.theregister.com/2022/12/23/lastpass_attack_update/
Ransomware Attacks Increased 41% In November
Ransomware attacks rose 41% last month as groups shifted among the top spots and increasingly leveraged DDoS attacks, according to new research from NCC Group.
A common thread of NCC Group's November Threat Pulse was a "month full of surprises," particularly related to unexpected shifts in threat actor behaviour. The Cuba ransomware gang resurged with its highest number of attacks recorded by NCC Group. Royal replaced LockBit 3.0 as the most active strain, a first since September of last year.
These factors and more contributed to the significant jump in November attacks, which rose from 188 in October to 265.
"For 2022, this increase represents the most reported incidents in one month since that of April, when there were 289 incidents, and is also the largest month-on-month increase since June-July's marginally larger increase of 47%," NCC Group wrote in the report.
Operators behind Royal ransomware, a strain that emerged earlier this year that operates without affiliates and utilises intermittent encryption to evade detection, surpassed LockBit 3.0 for the number one spot, accounting for 16% of hack and leak incidents last month.
The Risk of Escalation from Cyber Attacks Has Never Been Greater
In 2022, an American dressed in his pyjamas took down North Korea’s Internet from his living room. Fortunately, there was no reprisal against the United States. But Kim Jong Un and his generals must have weighed retaliation and asked themselves whether the so-called independent hacker was a front for a planned and official American attack.
In 2023, the world might not get so lucky. There will almost certainly be a major cyber attack. It could shut down Taiwan’s airports and trains, paralyse British military computers, or swing a US election. This is terrifying, because each time this happens, there is a small risk that the aggrieved side will respond aggressively, maybe at the wrong party, and (worst of all) even if it carries the risk of nuclear escalation.
This is because cyber weapons are different from conventional ones. They are cheaper to design and wield. That means great powers, middle powers, and pariah states can all develop and use them.
More important, missiles come with a return address, but virtual attacks do not. Suppose in 2023, in the coldest weeks of winter, a virus shuts down American or European oil pipelines. It has all the markings of a Russian attack, but intelligence experts warn it could be a Chinese assault in disguise. Others see hints of the Iranian Revolutionary Guard. No one knows for sure. Presidents Biden and Macron have to decide whether to retaliate at all, and if so, against whom … Russia? China? Iran? It's a gamble, and they could get unlucky.
Neither country wants to start a conventional war with one another, let alone a nuclear one. Conflict is so ruinous that most enemies prefer to loathe one another in peace. During the Cold War, the prospect of mutual destruction was a huge deterrent to any great power war. There were almost no circumstances in which it made sense to initiate an attack. But cyber warfare changes that conventional strategic calculus. The attribution problem introduces an immense amount of uncertainty, complicating the decision our leaders have to make.
FBI Recommends Ad Blockers as Cyber Criminals Impersonate Brands in Search Engine Ads
The Federal Bureau of Investigation (FBI) this week raised the alarm on cyber criminals impersonating brands in advertisements that appear in search engine results. The agency has advised consumers to use ad blockers to protect themselves from such threats.
The attackers register domains similar to those of legitimate businesses or services, and use those domains to purchase ads from search engine advertisement services, the FBI says in an alert. These nefarious ads are displayed at the top of the web page when the user searches for that business or service, and the user might mistake them for an actual search result.
Links included in these ads take users to pages that are identical to the official web pages of the impersonated businesses, the FBI explains. If the user searches for an application, they are taken to a fake web page that uses the real name of the program the user searches for, and which contains a link to download software that is, in fact, malware.
“These advertisements have also been used to impersonate websites involved in finances, particularly cryptocurrency exchange platforms,” the FBI notes. Seemingly legitimate exchange platforms, the malicious sites prompt users to provide their login and financial information, which the cyber criminals then use to steal the victim’s funds.
“While search engine advertisements are not malicious in nature, it is important to practice caution when accessing a web page through an advertised link,” the FBI says.
Businesses are advised to use domain protection services to be notified of domain spoofing, and to educate users about spoofed websites and on how to find legitimate downloads for the company’s software.
Users are advised to check URLs to make sure they access authentic websites, to type a business’ URL into the browser instead of searching for that business, and to use ad blockers when performing internet searches. Ad blockers can have a negative impact on the revenues of online businesses and advertisers, but they can be good for online security, and even the NSA and CIA are reportedly using them.
North Korea-Linked Hackers Stole $626 Million in Virtual Assets in 2022
South Korea’s spy agency, the National Intelligence Service, estimated that North Korea-linked threat actors have stolen an estimated 1.5 trillion won ($1.2 billion) in cryptocurrency and other virtual assets in the past five years.
According to the spy agency, more than half the crypto assets (about 800 billion won ($626 million)) have been stolen this year alone, reported the Associated Press. The Government of Pyongyang focuses on crypto hacking to fund its military program following harsh UN sanctions.
“South Korea’s main spy agency, the National Intelligence Service, said North Korea’s capacity to steal digital assets is considered among the best in the world because of the country’s focus on cyber crimes since UN economic sanctions were toughened in 2017 in response to its nuclear and missile tests.” reported the AP agency. North Korea cannot export its products due to the UN sanctions imposed in 2016 and 1017, and the impact on its economy is dramatic.
The NIS added that more than 100 billion won ($78 million) of the total stolen funds came from South Korea. Cyber security and intelligence experts believe that attacks aimed at the cryptocurrency industry will continue to increase next year. National Intelligence Service experts believe that North Korea-linked APT groups will focus on the theft of South Korean technologies and confidential information on South Korean foreign policy and national security.
Data published by the National Intelligence Service agency confirms a report published by South Korean media outlet Chosun early this year that revealed North Korean threat actors have stolen around $1.7 billion (2 trillion won) worth of cryptocurrency from multiple exchanges during the past five years.
https://securityaffairs.co/wordpress/139909/intelligence/north-korea-cryptocurrency-theft.html
UK Security Agency Wants Fresh Approach to Combat Phishing
The UK National Cyber Security Centre (NCSC) has called for a defence-in-depth approach to help mitigate the impact of phishing, combining technical controls with a strong reporting culture.
Writing in the agency’s blog, technical director and principal architect, “Dave C,” argued that many of the well-established tenets of anti-phishing advice simply don’t work. For example, advising users not to click on links in unsolicited emails is not helpful when many need to do exactly that as part of their job.
This is often combined with a culture where users are afraid to report that they’ve accidentally clicked, which can delay incident response, he said. It’s not the user’s responsibility to spot a phish – rather, it’s their organisation’s responsibility to protect them from such threats, Dave C argued.
As such, they should build layered technical defences, consisting of email scanning and DMARC/SPF policies to prevent phishing emails from arriving into inboxes. Then, organisations should consider the following to prevent code from executing:
Allow-listing for executables
Registry settings changes to ensure dangerous scripting or file types are opened in Notepad and not executed
Disabling the mounting of .iso files on user endpoints
Making sure macro settings are locked down
Enabling attack surface reduction rules
Ensuring third-party software is up to date
Keeping up to date about current threats
Additionally, organisations should take steps such as DNS filtering to block suspicious connections and endpoint detection and response (EDR) to monitor for suspicious behaviour, the NCSC advised.
https://www.infosecurity-magazine.com/news/uk-security-agency-combat-phishing/
GodFather Android malware targets 400 banks, crypto exchanges
An Android banking malware named 'Godfather' has been targeting users in 16 countries, attempting to steal account credentials for over 400 online banking sites and cryptocurrency exchanges.
The malware generates login screens overlaid on top of the banking and crypto exchange apps' login forms when victims attempt to log into the site, tricking the user into entering their credentials on well-crafted HTML phishing pages.
The Godfather trojan was discovered by Group-IB analysts, who believe it is the successor of Anubis, a once widely-used banking trojan that gradually fell out of use due to its inability to bypass newer Android defences. ThreatFabric first discovered Godfather in March 2021, but it has undergone massive code upgrades and improvements since then.
Also, Cyble published a report yesterday highlighting a rise in the activity of Godfather, pushing an app that mimics a popular music tool in Turkey, downloaded 10 million times via Google Play. Group-IB has found a limited distribution of the malware in apps on the Google Play Store; however, the main distribution channels haven't been discovered, so the initial infection method is largely unknown.
Almost half of all apps targeted by Godfather, 215, are banking apps, and most of them are in the United States (49), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the UK (17).
Apart from banking apps, Godfather targets 110 cryptocurrency exchange platforms and 94 cryptocurrency wallet apps.
Companies Overwhelmed by Available Tech Solutions
92% of executives reported challenges in acquiring new tech solutions, highlighting the complexities that go into the decision-making process, according to GlobalDots.
Moreover, some 34% of respondents said the overwhelming amount of options was a challenge when deciding on the right solutions, and 33% admitted the time needed to conduct research was another challenge in deciding.
Organisations of all varieties rely on technology more than ever before. The constant adoption of innovation is no longer a luxury but rather a necessity to stay on par in today’s fast-paced and competitive digital landscape. In this environment, IT and security leaders are coming under increased pressure to show ROIs from their investment in technology while balancing operational excellence with business innovation. Due to current market realities, IT teams are short-staffed and suffering from a lack of time and expertise, making navigating these challenges even more difficult.
The report investigated how organisations went about finding support for their purchasing decisions. Conferences, exhibitions, and online events served as companies’ top source of information for making purchasing decisions, at 52%. Third-party solutions, such as value-added resellers and consultancies, came in second place at 48%.
54% are already using third parties to purchase, implement, or support their solutions, highlighting the value that dedicated experts with in-depth knowledge of every solution across a wide range of IT fields provide.
We are living in an age of abundance when it comes to tech solutions for organisations, and this makes researching and purchasing the right solutions for your organisation extremely challenging.
https://www.helpnetsecurity.com/2022/12/20/tech-purchasing-decisions/
Nine in 10 Third-party Contractors, Freelancers Use Personal, Unmanaged Devices Likely to be Infected
Talon Cyber Security surveyed 258 third-party providers to better understand the state of third-party working conditions, including work models, types of devices and security technologies used, potentially risky actions taken, and how security and IT tools impact productivity.
Looking at recent high-profile breaches, third parties have consistently been at the epicenter, so they took a step back with their research to better understand the potential root causes. The findings paint a picture of a third-party work landscape where individuals are consistently working from personal, unmanaged devices, conducting risky activities, and having their productivity impacted by legacy security and IT solutions.
Here’s what Talon discovered:
Most third parties (89%) work from personal, unmanaged devices, where organisations lack visibility and cannot enforce the enterprise’s security posture on. Talon pointed to a Microsoft data point that estimated users are 71% more likely to be infected on an unmanaged device.
With third parties working from personal devices, they tend to carry out personal, potentially risky tasks. Respondents note that at least on occasion, they have used their devices to:
Browse the internet for personal needs (76%)
Indulge in online shopping (71%)
Check personal email (75%)
Save weak passwords in the web browser (61%)
Play games (53%)
Allow family members to browse (36%)
Share passwords with co-workers (24%)
Legacy apps such as Virtual Desktop Infrastructure (VDI) and Desktop-as-a-Service (DaaS) solutions are prominent, with 45% of respondents using such technologies while working for organisations.
UK Privacy Regulator Names and Shames Breached Firms
The UK Information Commissioner’s Office (ICO) has taken the unusual step of publishing details of personal data breaches, complaints and civil investigations on its website, according to legal experts.
The data, available from Q4 2021 onwards, includes the organisation’s name and sector, the relevant legislation and the type of issues involved, the date of completion and the outcome.
Given the significance of this development, it’s surprising that the ICO has (1) chosen to release it with limited fanfare, and (2) buried the data sets on its website. Indeed, it seems to have flown almost entirely under the radar.
Understanding whether their breach or complaint will be publicised by European regulators is one of – if not the – main concern that organisations have when working through an incident, and the answer has usually been no. That is particularly the understanding or assumption where the breach or complaint is closed without regulatory enforcement. Now, at least in the UK, the era of relative anonymity looks to be over.
Despite the lack of fanfare around the announcement, this naming and shaming approach could make the ICO one of the more aggressive privacy regulators in Europe. In the future, claimant firms in class action lawsuits may adopt “US-style practices” of scanning the ICO database to find evidence of repeat offending or possible new cases.
The news comes even as data reveals the value of ICO fines issued in the past year tripled from the previous 12 months. In the year ending October 31 2022, the regulator issued fines worth £15.2m, up from £4.8m the previous year. The sharp increase in the value of fines shows the ICO’s increasing willingness selectively to crack down on businesses – particularly those that the ICO perceives has not taken adequate measures to protect customer and employee data.
https://www.infosecurity-magazine.com/news/uk-privacy-regulator-names-and/
Threats
Ransomware, Extortion and Destructive Attacks
20 companies affected by major ransomware attacks in 2021 | TechTarget
NCC Group: Ransomware attacks increased 41% in November | TechTarget
Adversarial risk in the age of ransomware - Help Net Security
FIN7 hackers create auto-attack platform to breach Exchange servers (bleepingcomputer.com)
Ransomware Uses New Exploit to Bypass ProxyNotShell Mitigations | SecurityWeek.Com
British newspaper The Guardian says it’s been hit by ransomware | TechCrunch
Play ransomware actors bypass ProxyNotShell mitigations | TechTarget
FIN7 Cyber crime Syndicate Emerges as Major Player in Ransomware Landscape (thehackernews.com)
Vice Society ransomware gang is using a custom locker - Security Affairs
NIO suffers user data breach, hacker demands $2.25 million worth of bitcoin - CnEVPost
German industrial giant ThyssenKrupp targeted in a cyber attack - Security Affairs
Paying Ransom: Why Manufacturers Shell Out to Cyber criminals (darkreading.com)
France Seeks to Protect Hospitals After Series of Cyber attacks | SecurityWeek.Com
Fire and rescue service in Victoria, Australia, confirms cyber attack - Security Affairs
Play Ransomware Gang Lay Claims For Cyber Attack On H-Hotels (informationsecuritybuzz.com)
Evolving threats and broadening responses to Ransomware in the UAE - Security Boulevard
Phishing & Email Based Attacks
Five Best Practices for Consumers to Beat Phishing Campaigns This Holiday Season - CPO Magazine
Hackers continue to exploit hijacked MailChimp accounts in cyber crime campaigns (bitdefender.com)
Holiday Spam, Phishing Campaigns Challenge Retailers (darkreading.com)
Email hijackers scam food out of businesses, not just money • The Register
Telling users to ‘avoid clicking bad links’ still isn’t working - NCSC.GOV.UK
“Suspicious login” scammers up their game – take care at Christmas – Naked Security (sophos.com)
Simple Steps to Avoid Phishing Attacks During This Festive season | Tripwire
BEC – Business Email Compromise
Telling users to ‘avoid clicking bad links’ still isn’t working - NCSC.GOV.UK
What happens once scammers receive funds from their victims - Help Net Security
Other Social Engineering; Smishing, Vishing, etc
2FA/MFA
Why Security Teams Shouldn't Snooze on MFA Fatigue (darkreading.com)
Comcast Xfinity accounts hacked in widespread 2FA bypass attacks (bleepingcomputer.com)
Malware
Malicious ‘SentinelOne’ PyPI package steals data from developers (bleepingcomputer.com)
Glupteba Botnet Continues to Thrive Despite Google's Attempts to Disrupt It (thehackernews.com)
Ukraine's DELTA military system users targeted by info-stealing malware (bleepingcomputer.com)
Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages (darkreading.com)
Trojanized Windows 10 installers compromised the Ukrainian government | SC Media (scmagazine.com)
Raspberry Robin Worm Targets Telcos & Governments (darkreading.com)
Raspberry Robin worm drops fake malware to confuse researchers (bleepingcomputer.com)
Number of command-and-control servers spiked in 2022: report - The Record by Recorded Future
Mobile
GodFather Android malware targets 400 banks, crypto exchanges (bleepingcomputer.com)
Godfather makes banking apps an offer they can’t refuse • The Register
T-Mobile hacker gets 10 years for $25 million phone unlock scheme (bleepingcomputer.com)
Botnets
Glupteba Botnet Continues to Thrive Despite Google's Attempts to Disrupt It (thehackernews.com)
Zerobot malware now spreads by exploiting Apache vulnerabilities (bleepingcomputer.com)
Flaws within IoT devices exploited by the Zerobot botnet (izoologic.com)
Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal (darkreading.com)
Denial of Service/DoS/DDOS
DDoS Attacks are Slowly Growing in the Technology Era (analyticsinsight.net)
Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal (darkreading.com)
BYOD
Internet of Things – IoT
Millions of IP cameras around the world are unprotected | TechRadar
Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal (darkreading.com)
Throw away all your Eufy cameras right now | Android Central
Read what Anker’s customer support is telling worried Eufy camera owners - The Verge
Amazon Ring Cameras Used in Nationwide ‘Swatting’ Spree, US Says - Bloomberg
Connected homes are expanding, so is attack volume - Help Net Security
Security Risks, Serious Vulnerabilities Rampant Among XIoT Devices in the Workplace - CPO Magazine
Data Breaches/Leaks
LastPass users: Your info and password vault data are now in hackers’ hands | Ars Technica
Okta's source code stolen after GitHub repositories hacked (bleepingcomputer.com)
McGraw Hill's S3 buckets exposed 100,000 students' grades • The Register
NIO suffers user data breach, hacker demands $2.25 million worth of bitcoin - CnEVPost
Shoemaker Ecco leaks over 60GB of sensitive data for 500+ days - Security Affairs
Restaurant CRM platform ‘SevenRooms’ confirms breach after data for sale (bleepingcomputer.com)
Leading sports betting firm BetMGM discloses data breach (bleepingcomputer.com)
Organised Crime & Criminal Actors
'Russian hackers' help two New York men game JFK taxi system - CyberScoop
What happens once scammers receive funds from their victims - Help Net Security
[FIN7] Fin7 Unveiled: A deep dive into notorious cyber crime gang - PRODAFT
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
FTX's alleged run-of-the-mill frauds depended entirely on crypto (yahoo.com)
GodFather Android malware targets 400 banks, crypto exchanges (bleepingcomputer.com)
Two associates of Sam Bankman-Fried plead guilty to fraud charges in FTX fall | FTX | The Guardian
North Korea-linked hackers stole $626M in virtual assets in 2022 - Security Affairs
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
FTX's alleged run-of-the-mill frauds depended entirely on crypto (yahoo.com)
“Suspicious login” scammers up their game – take care at Christmas – Naked Security (sophos.com)
Fraudulent ‘popunder’ Google Ad campaign generated millions of dollars • The Register
Over 67,000 DraftKings Betting Accounts Hit by Hackers (gizmodo.com)
What happens once scammers receive funds from their victims - Help Net Security
T-Mobile hacker gets 10 years for $25 million phone unlock scheme (bleepingcomputer.com)
Google Ad fraud campaign used adult content to make millions (bleepingcomputer.com)
Two associates of Sam Bankman-Fried plead guilty to fraud charges in FTX fall | FTX | The Guardian
Inside The Next-Level Fraud Ring Scamming Billions Off Holiday Retailers (darkreading.com)
Supply Chain and Third Parties
Cloud/SaaS
McGraw Hill's S3 buckets exposed 100,000 students' grades • The Register
AWS simplifies Simple Storage Service to prevent data leaks • The Register
New Brand of Security Threats Surface in the Cloud (darkreading.com)
Google WordPress Plug-in Bug Allows AWS Metadata Theft (darkreading.com)
Security on a Shoestring? Cloud, Consolidation Best Bets for Businesses (darkreading.com)
Hybrid/Remote Working
Attack Surface Management
Encryption
API
Open Source
Passwords, Credential Stuffing & Brute Force Attacks
LastPass admits attackers copied password vaults • The Register
LastPass users: Your info and password vault data are now in hackers’ hands | Ars Technica
Social Media
Malvertising
Fraudulent ‘popunder’ Google Ad campaign generated millions of dollars • The Register
Don't click too quick! FBI warns of malicious search engine ads | Tripwire
Google Ad fraud campaign used adult content to make millions (bleepingcomputer.com)
Parental Controls and Child Safety
Buggy parental-control apps could allow device takeover • The Register
Children And The Dangers Of The Virtual World (informationsecuritybuzz.com)
Regulations, Fines and Legislation
TSB fined nearly $60m for platform migration disaster • The Register
FCC proposes record-breaking $300 million fine against robocaller (bleepingcomputer.com)
France Fines Microsoft 60 Million Euros Over Advertising Cookies | SecurityWeek.Com
The long, long reach of the UK’s national security laws | Financial Times
Governance, Risk and Compliance
Make sure your company is prepared for the holiday hacking season - Help Net Security
The benefit of adopting a hacker mindset for building security strategies - Help Net Security
Careers, Working in Cyber and Information Security
CISO roles continue to expand beyond technical expertise - Help Net Security
UK secret services wants ‘corkscrew thinkers’ for new cyber force | News | The Times
Law Enforcement Action and Take Downs
Privacy, Surveillance and Mass Monitoring
France Fines Microsoft 60 Million Euros Over Advertising Cookies | SecurityWeek.Com
What is surveillance capitalism? - Definition from WhatIs.com (techtarget.com)
Google Maps: Important reason you should blur your house on Street View (ladbible.com)
Blur Your House ASAP if It's on Google Maps. Here's Why - CNET
Artificial Intelligence
Threat Modeling in the Age of OpenAI's Chatbot (darkreading.com)
This is how OpenAI's ChatGPT can be used to launch cyber attacks (techmonitor.ai)
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
State level cyber attacks – Why and how (ukdefencejournal.org.uk)
The risk of escalation from cyber attacks has never been greater | Ars Technica
Ukraine's DELTA military system users targeted by info-stealing malware (bleepingcomputer.com)
Trojanized Windows 10 installers compromised the Ukrainian government | SC Media (scmagazine.com)
NATO-Member Oil Refinery Targeted in Russian APT Blitz Against Ukraine (darkreading.com)
Russian APT Gamaredon Changes Tactics in Attacks Targeting Ukraine | SecurityWeek.Com
Kremlin-linked hackers tried to spy on oil firm in NATO country, researchers say | CNN Politics
‘Our weapons are computers’: Ukrainian coders aim to gain battlefield edge | Ukraine | The Guardian
The long, long reach of the UK’s national security laws | Financial Times
UK secret services wants ‘corkscrew thinkers’ for new cyber force | News | The Times
Nation State Actors
Nation State Actors – Russia
Nation State Actors – China
Apple accused of censoring apps in Hong Kong and Russia • The Register
The long, long reach of the UK’s national security laws | Financial Times
Nation State Actors – North Korea
Vulnerability Management
Open source vulnerabilities add to security debt - Help Net Security
Top 5 Vulnerabilities Routinely Exploited by Threat Actors in 2022 (socradar.io)
Over 50 New CVE Numbering Authorities Announced in 2022 | SecurityWeek.Com
A Guide to Efficient Patch Management with Action1 (thehackernews.com)
Digging into the numbers one year after Log4Shell | SC Media (scmagazine.com)
Vulnerabilities
Critical Windows code-execution vulnerability went undetected until now | Ars Technica
FoxIt Patches Code Execution Flaws in PDF Tools | SecurityWeek.Com
Old vulnerabilities in Cisco products actively exploited in the wild - Security Affairs
OWASSRF: CrowdStrike Identifies New Method for Bypassing ProxyNotShell Mitigations
Microsoft reports macOS Gatekeeper has an 'Achilles' heel • The Register
Microsoft will turn off Exchange Online basic auth in January (bleepingcomputer.com)
Cisco’s Talos security bods predict new wave of Excel Hell • The Register
Microsoft pushes emergency fix for Windows Server Hyper-V VM issues (bleepingcomputer.com)
Ransomware Uses New Exploit to Bypass ProxyNotShell Mitigations | SecurityWeek.Com
Zerobot malware now spreads by exploiting Apache vulnerabilities (bleepingcomputer.com)
Two New Security Flaws Reported in Ghost CMS Blogging Software (thehackernews.com)
Critical Security Flaw Reported in Passwordstate Enterprise Password Manager (thehackernews.com)
This critical Windows security flaw could be as serious as WannaCry, experts claim | TechRadar
Google WordPress Plug-in Bug Allows AWS Metadata Theft (darkreading.com)
Microsoft Details Gatekeeper Bypass Vulnerability in Apple macOS Systems (thehackernews.com)
Tools and Controls
Companies overwhelmed by available tech solutions - Help Net Security
Is Enterprise VPN on Life Support or Ripe for Reinvention? | SecurityWeek.Com
Reports Published in the Last Week
Other News
The Growing Risk Of Malicious QR Codes (informationsecuritybuzz.com)
NASA infosec again falls short of required standard • The Register
US Joint Cyber Force Elevated to Newest Subordinate Unified Command - MSSP Alert
The Rise of the Rookie Hacker - A New Trend to Reckon With (thehackernews.com)
What enumeration attacks are and how to prevent them | TechTarget
US consumers seriously concerned over their personal data | CSO Online
The FBI is worried about wave of crime against small businesses (cnbc.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Advisory 23/12/2022 – Heightened Phishing Risk Following the LastPass Data Breach Incident
Black Arrow Cyber Alert 23/12/2022 – Heightened Phishing Risk Following the LastPass Data Breach Incident
Executive Summary
Yesterday, LastPass provided an update to their ongoing investigations into a previously disclosed security incident as detailed in our Cyber Alert (referenced below). The investigation by LastPass had confirmed customer data had been accessed and downloaded by malicious actors which could lead to an increase of Phishing attacks.
What’s the risk to me or my business?
With malicious actors having access to customer data, including: “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service” and URLs for end user accounts stored within the vault, there is a high chance of this information being used as part of targeted phishing attacks, focusing on the services that are known to have been used by the end user.
What can I do?
LastPass state that “it is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.”
You should also employ the following tips to increase protection from phishing scams:
1) Adopt a zero-trust stance – Regardless of the application or sender, you should always be wary, even if a message looks legitimate at first glance.
2) Avoid using the contact information from a suspicious message - If you need to contact the sender of message to verify the contents of a message, look up their contact information separately using a trusted source.
3) Employ Multi-factor Authentication (MFA) as another layer of protection, so more than just your password is required to login to a service.
4) Don’t click on links or open attachments unless you’ve requested and know you can trust them.
Further information relating to Black Arrow’s Cyber alert can be found here: Black Arrow Cyber Consulting — Black Arrow Cyber Alert 22/12/2022 – ACTION REQUIRED: LastPass Security Incident Update
Further information on this security incident provided by LastPass can be found here: Notice of Recent Security Incident - The LastPass Blog
Further information on LastPass advice for avoiding phishing scams can be found here: LastPass - Avoiding Phishing Scams
Black Arrow Cyber Alert 22/12/2022 – ACTION REQUIRED: LastPass Security Incident Update
Black Arrow Cyber Alert 22/12/2022 – ACTION REQUIRED: LastPass Security Incident Update
Executive Summary
LastPass has today provided an update to investigations of its security incident described in our Advisory of 02 December 2022. LastPass has now confirmed that customer data, including encrypted copies of password vaults, has been accessed and downloaded by malicious actors. While LastPass is still stating that the protected data should be secure if its best practice guidance was followed, we recommend, as advised by LastPass, that all users should reset the master password for their account and ensure that multi-factor authentication is enabled wherever possible. Given our focus on reducing risk, we also recommend that users should change the passwords stored within the service at the earliest opportunity, and prioritise those in the most critical accounts.
What’s the risk to me or my business?
LastPass has confirmed that the following un-encrypted data has been accessed during the data breach: “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.” LastPass has also confirmed that website URLs for end user accounts were also copied, along with encrypted fields such as “website usernames and passwords, secure notes, and form-filled data”, but noted that these fields remain 256-bit AES encrypted, and should be protected from brute force attack.
LastPass also notes that customers may be targeted with phishing attacks, credential stuffing and other brute force attacks against online accounts associated with the LastPass Vault.
Although the latest information provided by LastPass is troubling, Black Arrow continues to recommend the use of password managers such as LastPass as part of a defence in depth approach to cyber security. Password managers can reduce the overall risks caused by practices such as using weak passwords, re-using passwords and writing down passwords.
What can I do?
LastPass notes that if the master password exceed 12 characters (as per LastPass’ default settings post-2018) and best practices, then end user master passwords should remain secure. However, LastPass notes that if the password did not meet its defaults then the number of attempts needed to brute force the password could be significantly reduced.
As above we recommend that all users should reset the master password for their account, and ensure that multi-factor authentication is enabled wherever possible. We also recommend that users should change the passwords stored within the service at the earliest opportunity, and prioritise those in the most critical accounts.
Further information on this security incident be found here: Notice of Recent Security Incident - The LastPass Blog
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Advisory 19/12/2022 – Veeam Vulnerabilities Under Active Exploitation
Black Arrow Cyber Advisory 19/12/2022 – Veeam Vulnerabilities Under Active Exploitation
Executive Summary
The US Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities which impact Veeam Backup and Replication, to its ‘Known Exploited Catalog’, due to evidence of the vulnerabilities being actively exploited in the wild.
The two now-patched vulnerabilities (CVE-2022-26500 and CVE-2022-26501) were published 12th March 2022 by Veeam and allow an attacker to remotely execute malicious code without authentication. The impacted versions of Veeam Backup and Replication were 9.5, 10 and 11.
What’s the risk to me or my business?
If organisations are still using a version of Veeam Backup and Replication with these vulnerabilities, then there is the potential that an attacker could gain control over a system, impacting the confidentiality, integrity and availability of an organisations data.
What can I do?
Organisations using Veeam should contact their MSP to ensure that they have either installed the patches as per Veeam guidance or are using a newly deployed version of 10a or 11a that used installation files dated post 2nd March 2022.
Temporary mitigation would involve stopping and disabling the Veeam Distribution Service.
Further information on this vulnerability be found here: https://www.veeam.com/kb4288
The CISA Known ‘Exploited Vulnerabilities Catalog’ can be found here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Threat Briefing 16 December 2022
Black Arrow Cyber Threat Briefing 16 December 2022:
-Executives Take More Cyber Security Risks Than Office Workers
-CISO Role is Diversifying from Technology to Leadership & Communication Skills
-How Emerging AIs, Like ChatGPT, Can Turn Anyone into a Ransomware and Malware Threat Actor
-Cyber Security Drives Improvements in Business Goals
-Incoming FCA Chair Says Crypto Firms Facilitate Money Laundering
-Managing Cyber Risk in 2023: The People Element
-What We Can't See Can Hurt Us
-Uber Suffers New Data Breach After Attack on Vendor, Info Leaked Online
-When Companies Compensate the Hackers, We All Foot the Bill
-HSE Cyber-Attack Costs Ireland $83m So Far
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Executives Take More Cyber Security Risks Than Office Workers
IT software company Ivanti worked with cyber security experts and surveyed 6,500 executive leaders, cybersecurity professionals, and office workers to understand the perception of today’s cybersecurity threats and to find out how companies are preparing for yet-unknown future threats.
The report revealed that despite 97% of leaders and security professionals reporting their organisation is as prepared, or more prepared, to defend against cybersecurity attacks than they were a year ago, one in five wouldn’t bet a chocolate bar that they could prevent a damaging breach.
In fact, the study finds that organisations are racing to fortify against cyber attacks, but the industry still struggles with a reactive, checklist mentality. This is most pronounced in how security teams are prioritising patches. While 92% of security professionals reported they have a method to prioritise patches, they also indicated that all types of patches rank high – meaning none do.
“Patching is not nearly as simple as it sounds,” said Ivanti. “Even well-staffed, well-funded IT and security teams experience prioritisation challenges amidst other pressing demands. To reduce risk without increasing workload, organisations must implement a risk-based patch management solution and leverage automation to identify, prioritise, and even address vulnerabilities without excess manual intervention”.
Cyber security insiders view phishing, ransomware, and software vulnerabilities as top industry-level threats for 2023. Approximately half of respondents indicated they are “very prepared” to meet the growing threat landscape including ransomware, poor encryption, and malicious employees, but the expected safeguards such as deprovisioning credentials is ignored a third of a time and nearly half of those surveyed say they suspect a former employee or contractor still has active access to company systems and files.
The report also revealed that leaders engage in more dangerous behaviour and are four times more likely to be victims of phishing compared to office workers.
Additionally:
More than 1 in 3 leaders have clicked on a phishing link
Nearly 1 in 4 use easy-to-remember birthdays as part of their password
They are much more likely to hang on to passwords for years
And they are 5x more likely to share their password with people outside the company.
One survey taker shared, “We’ve experienced a few advanced phishing attempts and the employees were totally unaware they were being targeted. These types of attacks have become so much more sophisticated over the last two years – even our most experienced staff are falling prey to it.”
To cope with a rapidly expanding threat landscape, organisations must move beyond a reactive, rules-based approach.
CISO Role is Diversifying from Technology to Leadership & Communication Skills
The role of chief information security officer (CISO), a relatively new executive position, is undergoing some significant changes and an archetype has yet to emerge, a new global report from Marlin Hawk, an executive recruiting and leadership consultant, said.
CISOs are still more likely to serve on advisory boards or industry bodies than on the board of directors. Only 13% of the global CISOs analysed are women; approximately 20% are non-white. Each diversity dimension analysed is down one percentage point year-on-year.
According to James Larkin, managing partner at Marlin Hawk, “Today’s CISOs are taking up the mantle of responsibilities that have traditionally fallen solely to the chief information officer (CIO), which is to act as the primary gateway from the tech department into the wider business and the outside marketplace. This widening scope requires CISOs to be adept communicators to the board, the broader business, as well as the marketplace of shareholders and customers. By thriving in the ‘softer’ skill sets of communication, leadership, and strategy, CISOs are now setting the new industry standards of today and, I predict, will be progressing into the board directors of tomorrow.”
The job does not come without its downsides. For one, according to the search firm, many CISOs change roles and leave their jobs. Their skillset may not be adequate or new leaders get appointed to the job, they lack the necessary internal support, or their company may not have the required commitment to cyber security to make the job effective.
Key findings from the report include:
45% of global CISOs have been in their current role for two years or less, down from 53% in 2021, with 18% turnover year-on-year. While there is still a lot of movement in the CISO seat, there is potentially some stabilisation emerging.
Approximately 62% of global CISOs were hired from another company, indicating a slight increase in the number of CISOs hired internally (38% were hired internally compared to 36% in 2021) but a large gap remains in appropriate successors.
36% of CISOs analysed with a graduate degree received a higher degree in business administration or management. This is down 10% from last year (46% in 2021). Conversely, there has been an increase to 61% of CISOs receiving a higher degree in STEM subjects (up from 46% in 2021).
How Emerging AIs, Like ChatGPT, Can Turn Anyone into a Ransomware and Malware Threat Actor
Ever since OpenAI launched ChatGPT at the end of November, commentators on all sides have been concerned about the impact AI-driven content-creation will have, particularly in the realm of cybersecurity. In fact, many researchers are concerned that generative AI solutions will democratise cyber crime.
With ChatGPT, any user can enter a query and generate malicious code and convincing phishing emails without any technical expertise or coding knowledge.
While security teams can also leverage ChatGPT for defensive purposes such as testing code, by lowering the barrier for entry for cyber attacks, the solution has complicated the threat landscape significantly. From a cyber security perspective, the central challenge created by OpenAI’s creation is that anyone, regardless of technical expertise, can create code to generate malware and ransomware on-demand.
Whilst it can be used for good to assist developers in writing code for good, it can (and already has) been used for malicious purposes. Examples including asking the bot to create convincing phishing emails or assist in reverse engineering code to find zero-day exploits that could be used maliciously instead of reporting them to a vendor.
ChatGPT does have inbuilt guardrails designed to prevent the solution from being used for criminal activity. For instance, it will decline to create shell code or provide specific instructions on how to create shellcode or establish a reverse shell and flag malicious keywords like phishing to block the requests.
The problem with these protections is that they’re reliant on the AI recognising that the user is attempting to write malicious code (which users can obfuscate by rephrasing queries), while there’s no immediate consequences for violating OpenAI’s content policy.
https://venturebeat.com/security/chatgpt-ransomware-malware/
Cyber Security Drives Improvements in Business Goals
Cyber threats should no longer be viewed as just an IT problem, but also a business problem, Deloitte said in its latest Future of Cyber study. Operational disruption, loss of revenue, and loss of customer trust are the top three significant impacts of cyber incidents. More than half, or 56%, of respondents told Deloitte they suffered related consequences to a moderate or large extent.
In 2021, the top three negative consequences from cyber incidents and breaches were operational disruption, which includes supply chain and the partner ecosystem, intellectual property theft, and a drop in share price. While operational disruption remained the top concern in 2022, loss of revenue and loss of customer trust and negative brand impact moved up in importance. Intellectual property theft and drop in share price dropped to eighth and ninth (out of ten) in ranking. Losing funding for a strategic initiative, loss of confidence in the integrity of the technology, and impact on employee recruitment and retention moved up in ranking in 2022. Respondents were also asked to mark two consequences they felt would be most important in 2023: Operational disruption and loss of revenue topped the list.
"Today, cyber means business, and it is difficult to overstate the importance of cyber as a foundational and integral business imperative," Deloitte noted in its report. "It [cyber] should be included in every functional area, as an essential ingredient for success—to drive continuous business value, not simply mitigate risks to IT."
Deloitte categorised organisations' cyber security maturity based on their adoption of cyber planning, risk management, and board engagement. Risk management included activities such as industry benchmarking, incident response, scenario planning, and qualitative and quantitative risk assessment.
Whether or not the organisation adopted any of these three practices hinged on stakeholders recognising the importance of cyber responsibility and engagement across the whole organisation, Deloitte said in its report. Examples included having a governing body that comprises IT and senior business leaders to oversee the cyber program, conducting incident-response scenario planning and simulation at the organisational and/or board level, regularly providing cyber updates to the board to secure funding, and conducting regular cyber awareness training for all employees.
https://www.darkreading.com/edge-threat-monitor/cybersecurity-drives-improvements-in-business-goals
Incoming FCA Chair Says Crypto Firms Facilitate Money Laundering
The man who will lead UK efforts to regulate cryptocurrency firms issued a stark condemnation of the sector on Wednesday, telling MPs that in his experience crypto platforms were “deliberately evasive”, facilitated money laundering at scale and created “massively untoward risk”.
The comments from Ashley Alder, the incoming chair of the Financial Conduct Authority, suggest that crypto firms hoping to build businesses in the UK will face an uphill battle when the FCA assumes new powers to regulate broad swaths of the sector.
They also put Alder, who will become FCA chair in February, on a potential collision course with the government’s aspiration to create a high quality crypto hub that fosters innovation, a vision ministers have remained loyal to even as the global crypto market lurches from crisis to crisis, epitomised by the collapse of FTX. The FCA declined to comment on whether their incoming chair’s views were at odds with those of the government.
Alder comments came during a sometimes terse appointment hearing with the cross-party Treasury select committee, where he faced sustained criticism for appearing virtually from Hong Kong and for his lack of familiarity with some parts of the UK market place and its accountability structures.
https://www.ft.com/content/7bf0a760-5fb5-4146-b757-1acc5fc1dee5
Managing Cyber Risk in 2023: The People Element
2022 has had many challenges from cyber war between Russia and Ukraine, continuing ransomware attacks, and a number of high-profile vulnerabilities and zero day attacks. With the attack surface constantly expanding, CISOs and security leaders are acutely aware of the need to minimise risk across people, processes, and technology.
Top infrastructure risk: people
It’s common knowledge that it’s not if, but when, your organisation will be the target of a cyber attack. CISOs and security leaders seem to share the same opinion—according to Trend Micro’s latest Cyber Risk Index (CRI) (1H’2022), 85% of 4,100 respondents across four global regions said its somewhat to very likely they will experience a cyber attack in the next 12 months. More concerning was 90% of respondents had at least one successful cyber attack in the past 12 months.
The CRI (1H’2022) also found that CISOs, IT practitioners, and managers identified that most organisations’ IT security objectives are not aligned with the business objectives, which could cause challenges when trying to implement a sound cyber security strategy.
It’s important to note that while ideal, avoiding a cyber attack isn’t the main goal—companies need to address critical challenges across their growing digital attack surface to enable faster detection and response, therefore minimising cyber risk.
While it's commonly assumed that security efforts should be largely focused on protecting critical servers and infrastructure, the human attack vector shouldn’t be so quickly forgotten.
https://www.trendmicro.com/en_us/ciso/22/e/managing-cyber-risk.html
What We Can't See Can Hurt Us
In speaking with security and fraud professionals, visibility remains a top priority. This is no surprise, since visibility into the network, application, and user layers is one of the fundamental building blocks of both successful security programs and successful fraud programs. This visibility is required across all environments — whether on-premises, private cloud, public cloud, multicloud, hybrid, or otherwise.
Given this, it is perhaps a bit surprising that visibility in the cloud has lagged behind the move to those environments. This occurred partially because few options for decent visibility were available to businesses as they moved to the cloud. But it also partially happened because higher priority was placed on deploying to the cloud than on protecting those deployments from security and fraud threats.
This is unfortunate, since what we can't see can hurt us. That being said, cloud visibility is becoming a top priority for many businesses. There are a few areas where many businesses are looking for visibility to play a key role, including Compliance, Monitoring, Investigation, Response, API Discovery, Application Breaches, and Malicious User Detection.
Organisation have been a bit behind in terms of ensuring the requisite visibility into cloud environments. Whilst time has been lost, it does seem that gaining visibility into the network, application, and user layers is now a priority for many businesses. This is a positive development, as it enables those businesses to better mitigate the risks that operating blindly creates.
https://www.darkreading.com/edge-articles/what-we-can-t-see-can-hurt-us
Uber Suffers New Data Breach After Attack on Vendor, Info Leaked Online
Uber has suffered a new data breach after a threat actor leaked employee email addresses, corporate reports, and IT asset information stolen from a third-party vendor in a cyber security incident.
On Saturday last week, a threat actor named 'UberLeaks' began leaking data they claimed was stolen from Uber and Uber Eats on a hacking forum known for publishing data breaches. The leaked data includes numerous archives claiming to be source code associated with mobile device management platforms (MDM) used by Uber and Uber Eats and third-party vendor services.
The threat actor created four separate topics, allegedly for Uber MDM at uberhub.uberinternal.com and Uber Eats MDM, and the third-party Teqtivity MDM and TripActions MDM platforms. Each post refers to a member of the Lapsus$ hacking group who is believed to be responsible for numerous high-profile attacks, including a September cyber attack on Uber where threat actors gained access to the internal network and the company's Slack server.
News outlet BleepingComputer has been told that the newly leaked data consists of source code, IT asset management reports, data destruction reports, Windows domain login names and email addresses, and other corporate information. One of the documents seen by BleepingComputer includes email addresses and Windows Active Directory information for over 77,000 Uber employees.
While BleepingComputer initially thought this data was stolen during the September attack, Uber told BleepingComputer it believes it is related to a security breach on a third-party vendor.
When Companies Compensate the Hackers, We All Foot the Bill
Companies are always absorbing costs that are seen as par for the course of budget planning: maintenance, upgrades, office supplies, wastage, shrinkage, etc. These costs ratchet up the price of a company's products and are then passed on to the consumer. Breaches in cyber security and paying out ransoms to hackers should be outside of this remit, and yet more than half of all companies admit to transferring the costs of data breaches on to consumers. Careless or ill-informed employees and other weaknesses in a company's protections lead to catastrophic losses to businesses of around $1,797,945 per minute — and the consumers are paying it off.
If a company estimates the recovery costs from a ransomware attack to exceed the requested payment from the hacker, then it feels like a no-brainer — they're better off just cutting their losses and giving in to the cyber criminal's demands. The issue is that this creates an unvirtuous circle of paying the hacker, which enforces nefarious behaviour and empowers hackers to increase the number and volume of ransoms.
When it comes to ransomware, 32% of companies pay off hackers, and, of that percentage, the average company only retrieves about 65% of its data. Giving in to hackers is counterintuitive. On an even more disturbing note, one study found that 80% of companies that paid a ransom were targeted a second time, with about 40% paying again and a majority of that 40% paying a higher ransom the second time round. This is ludicrous. With 33% of companies suspending operations following an attack, and nearly 40% resorting to laying off staff, it comes as no surprise that the downstream costs are picked up to some extent by the consumer.
As for smaller companies, about 50% of US small businesses don't have a cyber security plan in place, despite the fact that small businesses are three times more likely to be targeted by cyber criminals than larger companies. An average breach costs these companies around $200,000 and has put many out of business. It isn't simply the cost passed on to consumers, it's also the intangible assets, such as brand reputation.
When data is leaked and a site goes down, customers become rightly anxious when their information is sold to the highest bidder on the Dark Web. To safeguard against this, companies of all sizes should exploit automated solutions while training every single member of staff to recognise and report online threats. Paying a ransom does not guarantee the return of data, and for a smaller business, losing valuable customer information could cause long-term damage way beyond the initial attack.
Cyber security professionals, governments, and law enforcement agencies all advise companies to avoid paying the hackers' ransoms. This strategy is affirmed by the success businesses have had in retrieving the stolen data and turning the lights back on — 78% of organisations who say they did not pay a ransom were able to fully restore systems and data without the decryption key. This evidently is not enough to reassure companies who, at the click of a dangerous email being opened, have lost sensitive information and access to their systems and are desperate to get back online. There are many preventative techniques businesses can take advantage of before it even gets to that stage.
HSE Cyber-Attack Costs Ireland $83m So Far
The cost of the cyber-attack that hit the Irish Health Service Executive (HSE) last year has officially reached €80m ($83.75m).
The figures come from a letter from HSE’s chief information officer, seen by The Irish Times. This comes months after the Department of Health suggested in February the attack could end up costing up to €100m ($104m). The letter confirmed that the costs reached €42m ($43.97m) in 2021 and almost €39m ($40.83m) until October of this year.
Ireland has a very capable national cyber security centre and a well-oiled CSIRT team that engages the public/private sector. If the cost does continue to escalate to €100m, that is the equivalent to everyone in the Republic of Ireland having been defrauded by €20. According to The Irish Times, the costs were said to be “enormous,” and the government has been asked to complete a comprehensive assessment of the impact caused by the breach.
The cyber-attack, believed to have been conducted by Russia-based state actors, was reportedly caused by a malicious Microsoft Excel file delivered via a phishing email. According to a December 2021 report, the file was opened at an HSE workstation in March 2021. The malware would have been latent for two months before the breach, which was reportedly discovered in May, two months later. A total of roughly 100,000 people had their personal data stolen during the cyber-attack.
Healthcare continues to be a target of attacks given their enormous attack surface across critical applications, cloud environments and IoT devices.
https://www.infosecurity-magazine.com/news/hse-cyber-attack-ireland-dollar83m/
Threats
Ransomware, Extortion and Destructive Attacks
HSE Cyber-Attack Costs Ireland $83m So Far - Infosecurity Magazine (infosecurity-magazine.com)
Ransomware-hit Rackspace email outage enters 12th day • The Register
The Dark Web is Getting Darker - Ransomware Thrives on Illegal Markets (bleepingcomputer.com)
Rash of New Ransomware Variants Springs Up in the Wild (darkreading.com)
Patch Tuesday: Microsoft Plugs Windows Hole Exploited in Ransomware Attacks | SecurityWeek.Com
Preventing a ransomware attack with intelligence: Strategies for CISOs - Help Net Security
LockBit ransomware crew claims attack on California Department of Finance - CyberScoop
When Companies Compensate the Hackers, We All Foot the Bill (darkreading.com)
Clop ransomware uses TrueBot malware for access to networks (bleepingcomputer.com)
TrueBot infections were observed in Clop ransomware attacks - Security Affairs
Play ransomware claims attack on Belgium city of Antwerp (bleepingcomputer.com)
Brooklyn hospital network victim of cyber hack crash (msn.com)
Cyber security Experts Uncover Inner Workings of Destructive Azov Ransomware (thehackernews.com)
Cybereason warns of rapid increase in Royal ransomware | TechTarget
New Royal ransomware group evades detection with partial encryption | CSO Online
How ChatGPT can turn anyone into a ransomware and malware threat actor | VentureBeat
Check Point classifies Azov as wiper, not ransomware | TechTarget
Phishing & Email Based Attacks
Open-source repositories flooded by 144,000 phishing packages (bleepingcomputer.com)
Phishing attack uses Facebook posts to evade email security (bleepingcomputer.com)
BEC – Business Email Compromise
Other Social Engineering; Smishing, Vishing, etc
Malware
Microsoft digital certificates have once again been abused to sign malware | Ars Technica
Hackers target Japanese politicians with new MirrorStealer malware (bleepingcomputer.com)
Zscaler: Nearly 90% of Cyber attacks Now Use Encrypted Channels, Malware Tops - MSSP Alert
Crooks use HTML smuggling to spread QBot malware via SVG files - Security Affairs
A clever trick turns antivirus software into unstoppable data wiping scourges | TechSpot
How ChatGPT can turn anyone into a ransomware and malware threat actor | VentureBeat
Mobile
Android Malware Campaign Leverages Money-Lending Apps to Blackmail Victims (thehackernews.com)
Why You Should Enable Apple’s New iOS 16.2 Security Feature | Reviews by Wirecutter (nytimes.com)
Xnspy stalkerware spied on thousands of iPhones and Android devices | TechCrunch
Internet of Things – IoT
3.5m IP cameras exposed, with US in the lead - Security Affairs
Are robots too insecure for lethal use by law enforcement? | CSO Online
10 Ways Doorbell Cameras Pose a Threat to Privacy and Security - Listverse
Data Breaches/Leaks
Uber suffers new data breach after attack on vendor, info leaked online (bleepingcomputer.com)
Twitter confirms recent user data leak is from 2021 breach (bleepingcomputer.com)
HR platform Sequoia says hackers accessed customer SSNs and COVID-19 data | TechCrunch
Australia's Telstra suffers privacy breach, 132,000 customers impacted | Reuters
Unauthorised server access caused AirAsia data leak: Fahmi | Malaysia | The Vibes
FBI's InfraGard Cyber security Program Breached by Hackers (gizmodo.com)
Aussie Data Breaches Surge 489% in Q4 2022 - Infosecurity Magazine (infosecurity-magazine.com)
Uber staff information leaks after IT supply chain attack • The Register
TPG Telecom joins list of hacked Australian companies, shares slide | Reuters
How companies can avoid costly data breaches - Help Net Security
Hackers leak personal info allegedly stolen from 5.7M Gemini users (bleepingcomputer.com)
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Incoming FCA chair says crypto firms facilitate money laundering | Financial Times (ft.com)
Britons lose life savings to ‘Ali Baba and the cryptocurrency scammers’ | News | The Times
DOJ divided over charging Binance for alleged crypto crimes, report says | Ars Technica
Facebook Asks Lawmakers Not to Regulate Crypto Too Harshly Just Because of All the Fraud (vice.com)
The amateur sleuths who helped to bring down Sam Bankman-Fried - New Statesman
Hackers leak personal info allegedly stolen from 5.7M Gemini users (bleepingcomputer.com)
Insider Risk and Insider Threats
Executives take more cyber security risks than office workers - Help Net Security
Managing Cyber Risk in 2023: The People Element (trendmicro.com)
Fraud, Scams & Financial Crime
Britons lose life savings to ‘Ali Baba and the cryptocurrency scammers’ | News | The Times
Restaurant closes after fraudsters posing as officials steal thousands | News | The Times
Woman gets 66 months in prison for role in $3.3 million ID fraud op (bleepingcomputer.com)
Patrick Giblin conned women all over the US. Now he's going to prison for 5 years | CNN
UK arrests five for selling dodgy point of sale software • The Register
The amateur sleuths who helped to bring down Sam Bankman-Fried - New Statesman
8 charged with conspiracy to commit securities fraud • The Register
AML/CFT/Sanctions
Insurance
Dark Web
Supply Chain and Third Parties
Uber staff information leaks after IT supply chain attack • The Register
Report highlights serious cyber security issues with US defence contractors | CSO Online
Software Supply Chain
How Naming Can Change the Game in Software Supply Chain Security (darkreading.com)
Microsoft digital certificates have once again been abused to sign malware | Ars Technica
Denial of Service DoS/DDoS
FBI Charges 6, Seizes 48 Domains Linked to DDoS-for-Hire Service Platforms (thehackernews.com)
Prosecutors charge 6 people for allegedly waging massive DDoS attacks | Ars Technica
‘Booter’ sites taken down in global cyber crime bust (gbnews.uk)
Microsoft discovers Windows/Linux botnet used in DDoS attacks | Ars Technica
Cloud/SaaS
Microsoft launches EU 'data boundary' from next year • The Register
HR platform Sequoia says hackers accessed customer SSNs and COVID-19 data | TechCrunch
Lego fixes dangerous API vulnerability in BrickLink service | TechTarget (computerweekly.com)
Data Destruction Policies in the Age of Cloud Computing (darkreading.com)
Hybrid/Remote Working
Encryption
Zscaler: Nearly 90% of Cyber attacks Now Use Encrypted Channels, Malware Tops - MSSP Alert
The FBI Says Apple’s New Encryption Is “Deeply Concerning” (futurism.com)
Over 85% of Attacks Hide in Encrypted Channels - Infosecurity Magazine (infosecurity-magazine.com)
Privacy advocates are aghast at UK’s anti-encryption plans (thenextweb.com)
API
Open Source
Google Launches OSV-Scanner Tool to Identify Open Source Vulnerabilities (thehackernews.com)
Open-source repositories flooded by 144,000 phishing packages (bleepingcomputer.com)
Passwords, Credential Stuffing & Brute Force Attacks
Social Media
TikTok may push potentially harmful content to teens within minutes, study finds | CNN Business
Meta warns spyware still being used to target people on social media | Meta | The Guardian
Elon Musk Bans Journalists From Twitter After Reinstating Nazis (gizmodo.com)
Russian disinformation rampant on far-right social media platforms - CyberScoop
HowTo: Fight Cyber-Threats in the Metaverse - Infosecurity Magazine
US politicians propose TikTok ban over China security concerns (telegraph.co.uk)
Training, Education and Awareness
Keep Your Grinch at Bay: Here's How to Stay Safe Online this Holiday Season (thehackernews.com)
Remote Work Cyber security Requires a Change in Mindset (informationsecuritybuzz.com)
Parental Controls and Child Safety
TikTok may push potentially harmful content to teens within minutes, study finds | CNN Business
Microsoft Teams is a vector for child sexual abuse material • The Register
Cyber Bullying, Cyber Stalking and Sextortion
Xnspy stalkerware spied on thousands of iPhones and Android devices | TechCrunch
Proposed law offers support to tech-enabled abuse survivors • The Register
Regulations, Fines and Legislation
Privacy concerns are limiting data usage abilities - Help Net Security
European Commission takes step toward approving EU-US data privacy pact | Computerworld
Governance, Risk and Compliance
Managing Cyber Risk in 2023: The People Element (trendmicro.com)
Executives take more cyber security risks than office workers - Help Net Security
Cyber security Drives Improvements in Business Goals (darkreading.com)
Compliance Is Not Enough: How to Manage Your Customer Data (darkreading.com)
5 tips for building a culture of cyber security accountability - Help Net Security
Data Destruction Policies in the Age of Cloud Computing (darkreading.com)
What CISOs consider when building up security resilience - Help Net Security
CISO Role is Diversifying From Technology to Leadership & Communication Skills - MSSP Alert
Models, Frameworks and Standards
Why PCI DSS 4.0 Should Be on Your Radar in 2023 (thehackernews.com)
PCI Secure Software Standard version 1.2 sets out new payment security requirements | CSO Online
Backup and Recovery
Why Your MSSP Should Offer Backup-as-a-Service (BaaS) - MSSP Alert
CISA Warns Veeam Backup & Replication Vulnerabilities Exploited in Attacks | SecurityWeek.Com
Data Protection
Careers, Working in Cyber and Information Security
Law Enforcement Action and Take Downs
FBI Charges 6, Seizes 48 Domains Linked to DDoS-for-Hire Service Platforms (thehackernews.com)
Prosecutors charge 6 people for allegedly waging massive DDoS attacks | Ars Technica
8 charged with conspiracy to commit securities fraud • The Register
Privacy, Surveillance and Mass Monitoring
Privacy advocates are aghast at UK’s anti-encryption plans (thenextweb.com)
Apple should pay €6m for tracking users – French official • The Register
European Commission takes step toward approving EU-US data privacy pact | Computerworld
Privacy concerns are limiting data usage abilities - Help Net Security
Artificial Intelligence
Are robots too insecure for lethal use by law enforcement? | CSO Online
How ChatGPT can turn anyone into a ransomware and malware threat actor | VentureBeat
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government | Mandiant
Reassessing cyberwarfare. Lessons learned in 2022 | Securelist
As Wiretap Claims Rattle Government, Greece Bans Spyware | SecurityWeek.Com
Ex-Twitter Worker Gets Prison Time in Saudi 'Spy' Case | SecurityWeek.Com
Reassessing cyberwarfare. Lessons learned in 2022 | Securelist
Nation State Actors
Nation State Actors – Russia
Seven accused of smuggling out US military tech for Moscow • The Register
Neo-Nazi Russian militia appeals for intelligence on Nato member states | Ukraine | The Guardian
NSA cyber director warns of Russian digital assaults on global energy sector - CyberScoop
Russian disinformation rampant on far-right social media platforms - CyberScoop
Nation State Actors – China
NSA Outs Chinese Hackers Exploiting Citrix Zero-Day | SecurityWeek.Com
US politicians propose TikTok ban over China security concerns (telegraph.co.uk)
Hackers target Japanese politicians with new MirrorStealer malware (bleepingcomputer.com)
US to add Chinese chipmaker to trade blacklist | Financial Times (ft.com)
AIIMS cyber attack suspected to have originated in China, Hong Kong - Rediff.com India News
Spies and Lies by Alex Joske — inside China’s intelligence operation | Financial Times (ft.com)
Nation State Actors – North Korea
Nation State Actors – Iran
Vulnerability Management
Transitive Dependencies Account for 95% of Bugs - Infosecurity Magazine (infosecurity-magazine.com)
24% of technology applications contain high-risk security flaws - Help Net Security
Vulnerabilities
Hackers exploit critical Citrix ADC and Gateway zero day, patch now (bleepingcomputer.com)
CISA Warns Veeam Backup & Replication Vulnerabilities Exploited in Attacks | SecurityWeek.Com
Adobe Patches 38 Flaws in Enterprise Software Products | SecurityWeek.Com
VMware fixed critical VM Escape bug demonstrated at Geekpwn hacking contest - Security Affairs
Samba Issues Security Updates to Patch Multiple High-Severity Vulnerabilities (thehackernews.com)
Fortinet says SSL-VPN pre-auth RCE bug is exploited in attacks (bleepingcomputer.com)
Transitive Dependencies Account for 95% of Bugs - Infosecurity Magazine (infosecurity-magazine.com)
Citrix Releases Security Updates for Citrix ADC, Citrix Gateway | CISA
Security Flaw in Atlassian Products Affecting Multiple Companies (darkreading.com)
Patch Tuesday: 0-days, RCE bugs, and a curious tale of signed malware – Naked Security (sophos.com)
Patch Tuesday: Microsoft Plugs Windows Hole Exploited in Ransomware Attacks | SecurityWeek.Com
New Actively Exploited Zero-Day Vulnerability Discovered in Apple Products (thehackernews.com)
Apple patches everything, finally reveals mystery of iOS 16.1.2 – Naked Security (sophos.com)
Apple fixed the tenth actively exploited zero-day this year - Security Affairs
High-Severity Memory Safety Bugs Patched With Latest Chrome 108 Update | SecurityWeek.Com
Top 5 Web App Vulnerabilities and How to Find Them (thehackernews.com)
Severe vulnerabilities found in most industrial controllers - The Washington Post
Akamai WAF bypassed via Spring Boot to trigger RCE | The Daily Swig (portswigger.net)
Tools and Controls
CISA Warns Veeam Backup & Replication Vulnerabilities Exploited in Attacks | SecurityWeek.Com
Why Your MSSP Should Offer Backup-as-a-Service (BaaS) - MSSP Alert
Data Destruction Policies in the Age of Cloud Computing (darkreading.com)
Other News
Cyber Threats Loom as 5B People Prepare to Watch World Cup Final (darkreading.com)
Tech companies must start sharing intelligence to avert global conflicts | Financial Times (ft.com)
Microsoft Defender, Avast, AVG turned against Windows to permanently delete files - Neowin
Analysis Shows Attackers Favour PowerShell, File Obfuscation (darkreading.com)
Automated Cyber campaign Creates Masses of Bogus Software Building Blocks (darkreading.com)
12 types of wireless network attacks and how to prevent them | TechTarget
FuboTV says World Cup streaming outage caused by a cyber attack (bleepingcomputer.com)
MTTR “not a viable metric” for complex software system reliability and security | CSO Online
Low-code/no-code security risks climb as tools gain traction | TechTarget
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Advisory 14/12/2022 – Adobe, Citrix and VMware release patches for vulnerabilities
Black Arrow Cyber Advisory 14/12/2022 – Adobe, Citrix and VMware release patches for vulnerabilities
Adobe
Executive Summary
Adobe has released patches to address 38 vulnerabilities in multiple enterprise products with vulnerabilities rated important to moderate.
Products affected include Adobe Experience Manager, AEM Cloud Service, and Adobe Illustrator on both Windows and macOS platforms.
What’s the risk to me or my business?
Exploitation of these vulnerabilities could result in arbitrary code execution and security feature bypass which would lead to further compromise of confidentiality, integrity and availability of organisation information.
What can I do?
Contact your Managed Service Provider (MSP) to confirm if AEM is currently used in your organisation and confirm if the vulnerabilities are being managed and patched in line with Adobe guidance.
Further technical information on the vulnerabilities can be found here: https://helpx.adobe.com/security/products/experience-manager/apsb22-59.html
Citrix
Executive Summary
Citrix have released updates after Citrix and the National Security Agency (NSA) identified usage of vulnerabilities which have allowed attackers to target Citrix Access Delivery Controller (ADC) and Citrix Gateway to remotely perform arbitrary code execution.
What’s the risk to me or my business?
The vulnerabilities could allow for attackers to bypass authentication controls and gain access your organisation, which would lead to further compromise of confidentiality, integrity and availability of organisation information.
What can I do?
Contact your MSP to confirm if Citrix ADC and Citrix Gateway is currently being used for your organisation and confirm if the vulnerabilities are being managed and patched in line with Citrix guidance.
Further information can be found here: https://support.citrix.com/article/CTX474995/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202227518
The NSA guidance can be found here: https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF
VMware
Executive Summary
VMware fixed three flaws in multiple products including a virtual machine escape issue. Products affected include VMware ESXi, Workstation and Fusion.
What’s the risk to me or my business?
Vulnerabilities could lead to variously code execution, command injection or directory traversal attacks.
What can I do?
Contact your IT team or MSP to see if VMware ESXi, Workstation or Fusion are currently being used for your organisation and confirm if the vulnerabilities are being managed and patched in line with VMware guidance.
More information can be found here: https://www.vmware.com/security/advisories/VMSA-2022-0033.html
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Advisory 14/12/2022 – Microsoft Patch Tuesday – 48 Patches, Two Zero-Days Fixed, one under active exploitation
Black Arrow Cyber Advisory 14/12/2022 – Microsoft Patch Tuesday – 48 Patches, Two Zero-Days Fixed, one under active exploitation
Executive Summary
Microsoft’s December Patch Tuesday provides 48 patches to address security issues across its product range. Also included are a critical patch to address an actively exploited Zero-Day vulnerability that allowed bypass of Mark Of The Web (MOTW) defences, as well as another publicly disclosed Zero-Day vulnerability which identified privilege escalation vulnerabilities with DirectX.
What’s the risk to me or my business?
Security updates are available for all supported versions of Windows. As some of these updates address vulnerabilities that are known to be actively exploited, the updates should be applied as soon as possible.
What can I do?
Apply the available updates from Microsoft as soon as possible, while taking into consideration any potential downtime that these updates may cause.
Technical Summary
The following is a breakdown of the two Zero-Day vulnerabilities which affected Microsoft products:
CVE-2022-44710: An elevation of privilege vulnerability with a CVSS rating of 7.8, which allows the user to gain System privileges.
CVE-2022-44698: A bypass vulnerability with a CVSS 3.1 rating of 5.4, which allowed an attacker to create a malicious file that would evade MOTW defences.
Further details on other specific updates within this Patch Tuesday can be found here: https://www.ghacks.net/2022/12/13/microsoft-windows-security-updates-december-2022-overview/
Need help understanding your gaps, or just want some advice? Get in touch with us.