Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 14 April 2023
Black Arrow Cyber Threat Briefing 14 April 2023:
-Almost Half of Former Employees Say Their Passwords Still Work
-Efficient Risk Based Patch Management Means Eliminating Just 2% of Exposures Could Protect 90% of Critical Assets
-Printers Pose Persistent Yet Overlooked Threat
-Employees Are as Likely as Cyber Criminals to Cause Cyber Incidents
-Over 90% of Organisations Find Threat Hunting a Challenge
-75% of Organisations Have Suffered a Cyber Security Breach
-Leak Shows Evolving Russian Cyber War Capabilities
-Outsourced Payroll and HR Services Firm Forced to Shut Down After Cyber Attack
-When a Cyber Criminal Steals Personal Data from Your Organisation What Do You Do and Who Do You Need to Inform?
-Insider Threat and Ransomware: A Growing Issue
-How LockBit Changed Cyber Security Forever
-Hybrid Work Environments Are Stressing CISOs
-Protect Your Data with a USB Condom
-Strategising Cyber Security: Why a Risk-based Approach is Key
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Almost Half of Former Employees Say Their Passwords Still Work
An alarming number of organisations are not properly offboarding employees when they leave, especially in regard to passwords. In a new survey of 1,000 workers who had access to company passwords at their previous jobs, 47% admitted to using them after leaving the company.
According to the survey one in three respondents said they had been using the passwords for upwards of two years, which is a distressingly long time for organisations not to be aware of who is accessing those accounts and services.
When asked what they use the passwords for, 64% said to access their former email accounts and 44% to access company data. A concerning 10% of respondents said they were trying to disrupt company activities.
Efficient Risk Based Patch Management Means Eliminating Just 2% of Exposures Could Protect 90% of Critical Assets
A recent cyber security report analysed over 60 million security exposures, or weaknesses that could give an attacker access to systems. The report found that only 2% enabled attackers access to critical assets, while 75% of exposures along attack paths lead to “dead ends”. Further, the report shows that average organisations have 11,000 exploitable security exposures monthly, with techniques targeting credentials and permissions affecting 82% of organisations and exploits accounting for over 70% of all identified security exposures.
The report found that most security alerts were benign and did not lead to critical assets. By applying efficient risk based patch management and reducing unnecessary access to critical assets, organisations can mitigate a significant amount of risk. This isn’t a simple task however, for an organisation to be able to employ efficient risk based patch management it must have a sufficient level of cyber maturity and internal vulnerability scanning accompanied by a dynamic threat intelligence component.
https://www.infosecurity-magazine.com/news/eliminating-2-exposures-protect-90/
Printers Pose Persistent Yet Overlooked Threat
A rash of printer-related vulnerabilities in 2023 have punctuated security expert warnings that printers continue to be a significant vulnerability within companies — especially as remote workers require printing resources or access to corporate printers. So far in 2023, Lexmark advised that a publicly available remote exploit had already targeted a code execution flaw in its printers, HP warned of a vulnerable firmware version on some of its enterprise printers, and Microsoft fixed three remote code execution vulnerabilities in its printer drivers.
Printers remain a likely soft spot in most companies’ attack surface area, particularly because they are not always part of a company’s asset management process and are often left out of security assessments and risk registers. Many organisations don’t know where their printers are, their security status, configuration, monitoring or logging activity. Research has shown that 67% of companies are worried about the risk home printers may pose and only 26% of information technology and cyber security professionals are confident in their organisation’s printing infrastructure security.
https://www.darkreading.com/vulnerabilities-threats/printers-pose-persistent-yet-overlooked-threat
Employees Are as Likely as Cyber Criminals to Cause Cyber Incidents
Employees and cyber criminals cause similar numbers of data leakages. Kaspersky’s 2022 IT Security Economics survey found cyber-attacks caused 23% of data leakages, while employees caused a similar proportion, at 22%. The rise in employees causing leakages may be linked with more remote working since the pandemic, with new staff laptops, tablets, and virtual private networks (VPNs) featuring among the extra endpoints and systems needing security. Although innocent mistakes or ignoring cyber-security policy were behind most leakages, security managers reported 36% of employee-triggered leakages were deliberate acts of sabotage or espionage. The high number of cyber-incidents stemming from employee action shows all organisations need thorough cyber-security awareness training to teach all staff how to avoid common security mistakes.
Over 90% of Organisations Find Threat Hunting a Challenge
Executing essential cyber security operations tasks during the threat hunting process is an increasingly challenging proposition to the vast majority of organisations, with 93% of those polled for a Sophos report saying they find basic security operations a chore.
In the report, “The state of cybersecurity 2023: The business impact of adversaries on defenders”, Sophos said these findings were likely the result of the ongoing cyber security skills shortage, which is creating a domino effect in security operations: a lack of skilled personnel makes investigating alerts take longer, which reduces the security team’s capacity and increases the organisation’s exposure to higher levels of risk.
Organisations that suffer the most are those with revenues of less than $10m (£8m), which are more likely to lack the necessary skillsets, followed by organisations with revenues of more than $5bn, where organisational and system complexity likely play a more prominent role.
75% of Organisations Have Suffered a Cyber Security Breach
Most organisations need stronger security controls to stop cyber security breaches and cyber attacks, according to “The Data Dilemma: Cloud Adoption and Risk Report” from security service edge (SSE) company Skyhigh Security. Key takeaways from the report include:
97% of organisations indicated they are experiencing private cloud problems.
75% have experienced a cyber security breach, threat and/or theft of data.
75% said shadow IT “impairs their ability to keep data secure.”
60% allow employees to download sensitive data to their personal devices.
52% noted their employees are using SaaS services that are commissioned by departments outside of IT and without direct involvement of their IT department.
37% said they do not trust the public cloud to secure their sensitive data.
Leak Shows Evolving Russian Cyber War Capabilities
The leak of thousands of pages of secret documentation related to the development of Moscow’s cyber and information operations capabilities paint a picture of a government obsessed with social control and committed to scaling their capacity for non-kinetic interference.
The leaked documents detail methods and training simulations intended to prepare an operator workforce for offensive operations against critical infrastructure targets. Tools revealed by these recent leaks suggest a desire and an ability to extensively map foreign vulnerabilities and make the job of Russia’s cyber conflict operators as accessible and scalable as possible.
This leak reinforces the significant concern regarding the threat posed by Russian cyber forces to firms across the globe.
Outsourced Payroll and HR Services Firm Forced to Shut Down After Cyber Attack
Belgian headquartered HR and payroll giant SD Worx has suffered a cyber attack causing them to shut down all IT systems for their UK and Ireland services. While the login portals for other European countries are working correctly, the company's UK customer portal was not accessible. As a full-service human resources and payroll company, SD Worx manages a large amount of sensitive data for their client's employees.
According to the company's general conditions agreement, this data may include tax information, government ID numbers, addresses, full names, birth dates, phone numbers, bank account numbers, employee evaluations, and more.
When a Cyber Criminal Steals Personal Data from Your Organisation What Do You Do and Who Do You Need to Inform?
If that happens it might be time for your management to clear their desks. The prospect of financial penalties and reputational damage is very real. You need to know your obligations — for instance, reporting the breach to applicable authorities and regulators within strict timeframes — understand the breach, and prioritise. Then you communicate and remedy. If you haven’t planned well, it’s going to be tough.
You need to understand the data breach. Who is affected — is it staff or customer data? What exactly have the cyber criminals accessed? Consider the type of information: salary details and passport copies, or customer payment information.
If personal data has been lost or compromised, you will likely have an obligation under data protection regulations to report the breach to your applicable data protection authority within 72 hours, and if you are a regulated business there will likely be similar requirements to report to your regulator within a similar timeframe. Knowing your obligations — ideally before any hack takes place — will guide how well you respond.
https://www.thetimes.co.uk/article/who-should-i-inform-after-a-data-hack-dcrzvgp2x
Insider Threat and Ransomware: A Growing Issue
Ransomware is a growing epidemic. 2022 saw a slew of high-profile attacks leading to massive paydays for cyber criminals. Cyber criminals work just as hard to conceal their identities and location as they do to exploit weaknesses and capture valuable data to hold hostage. Organisations not only stand to lose money in this scenario, but the damage to their reputation and trustworthiness in the market can be challenging to recover from. Customers place high trust in the safety of their personal information, and it’s the company they hold accountable – not the thieves – if it slips into the wrong hands.
Even if you have good technical controls, the low-hanging fruit is capitalising on the human element and gaining entrance through a person within your organisation. Insider threats come in all shapes and sizes and roles, including employees, executives, former employees, board members, contractors, and service providers. Insider threats, by their very nature, pose a unique challenge for organisations.
https://informationsecuritybuzz.com/insider-threat-and-ransomware-a-growing-issue/
How LockBit Changed Cyber Security Forever
LockBit are one of the most prolific ransomware gangs globally, accounting for almost half of ransomware attacks in 2022. They not only maintain a high profile, but they’ve also turned ransom monetisation upside down. Thanks to their innovative approach, the group has claimed 44% of total ransomware attacks launched in 2022. LockBit made history by launching the industry’s first bug bounty program initiated by a ransomware group. The operation invites security experts to uncover vulnerabilities and report them for rewards ranging from $1,000 to a staggering $1 million. This has since been expanded and now offers bounties for creative ways to enhance ransomware operations.
https://securityintelligence.com/articles/how-lockbit-changed-cybersecurity/
Hybrid Work Environments Are Stressing CISOs
The impact of the hybrid workforce on security posture, as well as the risks introduced by this way of working, are posing concerns for CISOs and driving them to develop new strategies for hybrid work security, according to a new report.
Among the report’s most critical findings is the revelation that browsing-based threats ranked as CISOs’ number one concern, regardless of whether their organisation was operating primarily in an in-office, hybrid, or remote setting.
And as for the risks posed by hybrid and remote workers specifically, insecure browsing also topped the list of CISOs’ concerns.
https://www.helpnetsecurity.com/2023/04/12/hybrid-work-environments-stressing-cisos/
Protect Your Data with a USB Condom
USB isn't just a charging protocol, it also allows data to flow back and forth, and while most of the time this data flow is safe, it is possible to create a malicious charging port that can do bad things, such as plant malware on your device or steal your data. Equally, an employee plugging their personal phone into a corporate USB port may present a danger to the corporate network through the phone. A USB condom is a small dongle that adds a layer of protection between your device and the charging point you're attaching it to by blocking the data being transferred through the port. If you must use a charger, cable, or charging port that isn't under your control, it makes sense to use a USB condom.
https://www.zdnet.com/article/protect-your-data-with-a-usb-condom/
Strategising Cyber Security: Why a Risk-based Approach is Key
By 2027, cyber crime could cost the global economy nearly $24 trillion. Businesses often find themselves at the sharp end of this challenge, and, as such, cyber security is a critical aspect of the modern business landscape. Cyber threats are multiplying and pose serious financial, legal and reputational challenges to organisations.
Modern and effective cyber security management entails more than managing technology risk; it encompasses managing business risk. Organisations must recognise cyber security as a strategic imperative integrated into their overall risk management framework — and this starts at the board level. In some cases, board members may find it beneficial to seek help in assessing appropriate levels of control.
https://www.weforum.org/agenda/2023/04/strategizing-cybersecurity-why-a-risk-based-approach-is-key/
Threats
Ransomware, Extortion and Destructive Attacks
Microsoft Issues Patches for 97 Flaws, Including Active Ransomware Exploit (thehackernews.com)
Microsoft patches vulnerability used in Nokoyawa ransomware attacks | CSO Online
How LockBit Changed Cyber security Forever (securityintelligence.com)
Insider Threat And Ransomware: A Growing Issue (informationsecuritybuzz.com)
Rorschach ransomware deployed by misusing a security tool - Help Net Security
Medusa ransomware claims attack on Open University of Cyprus (bleepingcomputer.com)
Cyble — New Cylance Ransomware with Power-Packed CommandLine Options
Taiwanese PC Company MSI Falls Victim to Ransomware Attack (thehackernews.com)
KFC, Pizza Hut owner discloses data breach after ransomware attack (bleepingcomputer.com)
7 Things Your Ransomware Response Playbook Is Likely Missing (darkreading.com)
Cyber crime group exploits Windows zero-day in ransomware attacks-Security Affairs
Windows zero-day vulnerability exploited in ransomware attacks (bleepingcomputer.com)
Ransomware gangs increasingly deploy zero-days to maximize attacks | CyberScoop
Latitude Financial Refuses to Pay Ransom - Infosecurity Magazine (infosecurity-magazine.com)
Superyacht-Maker Hit by Easter Ransomware Attack - Infosecurity Magazine (infosecurity-magazine.com)
Phishing & Email Based Attacks
Microsoft: Phishing attack targets accountants as Tax Day approaches (bleepingcomputer.com)
Researchers Uncover Thriving Phishing Kit Market on Telegram Channels (thehackernews.com)
Phishing Campaign Targeting YouTube Content Creators, Malware Hitting Charging Stations - MSSP Alert
BEC – Business Email Compromise
Other Social Engineering; Smishing, Vishing, etc
2FA/MFA
Comparing enabled and enforced MFA in Microsoft 365 | TechTarget
Rilide browser extension steals MFA codes - Help Net Security
Malware
New Mirai Variant Employs Uncommon Tactics to Distribute Malware (darkreading.com)
Typhon Reborn Stealer Malware Resurfaces with Advanced Evasion Techniques (thehackernews.com)
BlackGuard Stealer Extends its Capabilities in New Variant - MSSP Alert
Check Point Software Technologies: Qbot Top Malware in March 2023 - MSSP Alert
Cryptocurrency Stealer Malware Distributed via 13 NuGet Packages (thehackernews.com)
Attackers Hide RedLine Stealer Behind ChatGPT, Google Bard Facebook Ads (darkreading.com)
Microsoft shares guidance to detect BlackLotus UEFI bootkit attacks (bleepingcomputer.com)
Microsoft, Fortra Gains Legal Rights Against Cobalt Strike Abuse (informationsecuritybuzz.com)
Legion Malware Marches onto Web Servers to Steal Credentials, Spam Mobile Users (darkreading.com)
WhatsApp boosts defence against account takeover via malware (bleepingcomputer.com)
Mobile
FBI warns about dangers of public USB charging ports | Popular Science (popsci.com)
Researchers Uncover Thriving Phishing Kit Market on Telegram Channels (thehackernews.com)
Android phones vulnerable to remote hacking — update right now | Tom's Guide (tomsguide.com)
Burglars tunnel through Apple Store’s neighbour, allegedly steal $500K in iPhones | Ars Technica
5G connections set to rise past 5.9 billion by 2027 - Help Net Security
Cyber criminals To Add Android Malware On Google Play Up To $20,000 (informationsecuritybuzz.com)
WhatsApp boosts defence against account takeover via malware (bleepingcomputer.com)
Denial of Service/DoS/DDOS
Hackers Flood NPM with Bogus Packages Causing a DoS Attack (thehackernews.com)
DDoS attacks shifting to VPS infrastructure for increased power (bleepingcomputer.com)
DDoS alert traffic reaches record-breaking level of 436 petabits in one day - Help Net Security
DDoS attacks rise as pro-Russia groups attack Finland, Israel (techrepublic.com)
Internet of Things – IoT
Printers Pose Persistent Yet Overlooked Threat (darkreading.com)
There’s a new form of keyless car theft that works in under 2 minutes | Ars Technica
Special Report: Tesla workers shared sensitive images recorded by customer cars | Reuters
Default static key in ThingsBoard IoT platform can give attackers admin access | CSO Online
5G connections set to rise past 5.9 billion by 2027 - Help Net Security
Zigbee PRO 2023 introduces new security mechanisms, feature enhancements - Help Net Security
Critical Vulnerability in Hikvision Storage Solutions Exposes Video Security Data - SecurityWeek
Data Breaches/Leaks
Samsung employees unwittingly leaked company secret data by using ChatGPT-Security Affairs
Cloud accounting firm in a pickle after researchers find admin login data | TechRadar
Service NSW breach exposes personal data affecting thousands of customers | 7NEWS
Military Intel Leak Investigated By US Officials (informationsecuritybuzz.com)
Hyundai data breach exposes owner details in France and Italy (bleepingcomputer.com)
Organised Crime & Criminal Actors
Criminal businesses adopt corporate behaviour as they grow - Help Net Security
Seized Genesis malware market's infostealers infected 1.5 million computers | CSO Online
Breached shutdown sparks migration to ARES data leak forums (bleepingcomputer.com)
FBI: Crooks posing as PRC agents prey on Chinese in the US • The Register
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Sentiment DeFi Hacker Makes Amends by Returning 90% of Funds (beincrypto.com)
Cryptocurrency Stealer Malware Distributed via 13 NuGet Packages (thehackernews.com)
Insider Risk and Insider Threats
Employees are as likely as cyber-criminals to cause cyber-incidents | The Independent
Cyber criminals use simple trick to obtain personal data - Help Net Security
Insider Threat And Ransomware: A Growing Issue (informationsecuritybuzz.com)
Fraud, Scams & Financial Crime
FBI warns of companies exploiting sextortion victims for profit (bleepingcomputer.com)
Cambodia deports 19 Japanese cyber crime scam suspects | News | Al Jazeera
‘Overemployed’ Hustlers Exploit ChatGPT To Take On Even More Full-Time Jobs (vice.com)
When Banking Laws Don't Protect Consumers From Cybertheft (darkreading.com)
AI clones child’s voice in fake kidnapping scam | The Independent
Five arrested after 33,000 victims lose $98M to online investment fraud (bleepingcomputer.com)
Stolen Card Numbers Plummet 94% Globally - Infosecurity Magazine (infosecurity-magazine.com)
Supply Chain and Third Parties
3CX confirms North Korean hackers behind supply chain attack (bleepingcomputer.com)
Capita: IT outsourcer reels from being locked out of its own IT (thetimes.co.uk)
Cloud/SaaS
Western Digital struggles to fix massive My Cloud outage, offers workaround (bleepingcomputer.com)
Microsoft Azure Users Warned of Potential Shared Key Authorization Abuse - SecurityWeek
Iranian APT group launches destructive attacks in hybrid Azure AD environments | CSO Online
Cloud accounting firm in a pickle after researchers find admin login data | TechRadar
Securing the Chaos – Harnessing Dispersed Multi-Cloud, Hybrid Environments - SecurityWeek
Hybrid/Remote Working
Hybrid work environments are stressing CISOs - Help Net Security
‘Overemployed’ Hustlers Exploit ChatGPT To Take On Even More Full-Time Jobs (vice.com)
Attack Surface Management
How to Secure Web Applications in a Growing Digital Attack Surface (bleepingcomputer.com)
The new weakest link in the cyber security chain - Help Net Security
Shadow IT
Identity and Access Management
Identity Management Day: 3 Things MSSPs Need to Know - MSSP Alert
Centralized vs. decentralized identity management explained | TechTarget
The Service Accounts Challenge: Can't See or Secure Them Until It's Too Late (thehackernews.com)
Encryption
API
Google launches dependency API and curated package repository with security metadata | CSO Online
Why Shadow APIs are More Dangerous than You Think (thehackernews.com)
Open Source
Passwords, Credential Stuffing & Brute Force Attacks
Almost Half of Former Employees Say Their Passwords Still Work (darkreading.com)
Why it's time to move towards a passwordless future - Help Net Security
AI can crack most password in less than a minute | TechRadar
How an AI tool could crack your passwords in seconds | ZDNET
Meet PassGAN, the supposedly “terrifying” AI password cracker that’s mostly hype | Ars Technica
Social Media
Malvertising
Training, Education and Awareness
Regulations, Fines and Legislation
Lagging regulations frustrate protecting data from cyber attacks (themandarin.com.au)
Battle could be brewing over new FCC data breach reporting rules | CSO Online
When Banking Laws Don't Protect Consumers From Cyber Theft (darkreading.com)
Governance, Risk and Compliance
Employees are as likely as cyber-criminals to cause cyber-incidents | The Independent
Skyhigh Security Report: 75% of Organizations Have Suffered a Cyber security Breach - MSSP Alert
Strategising cyber security: Why a risk-based approach is key | World Economic Forum (weforum.org)
Outcome-based cyber security paves way for organizational goals - Help Net Security
Why reporting an incident only makes the cyber security community stronger | CSO Online
6 common challenges facing cyber security teams and how to overcome them | TechCrunch
Top 10 Cyber security Trends for 2023: From Zero Trust to Cyber Insurance (thehackernews.com)
Most Security Exposures Do Not Put Organizations' Critical Assets At Risk, Study Shows - MSSP Alert
Threat hunting programs can save organizations from costly security breaches - Help Net Security
Gartner: Human-Centric Design Is Top Cyber Security Trend for 2023 (darkreading.com)
Law Enforcement Action and Take Downs
Seized Genesis malware market's infostealers infected 1.5 million computers | CSO Online
Spanish cops arrest teenage 'Robin Hood hacker' • The Register
Australia Is Scouring the Earth for Cyber criminals — the US Should Too (darkreading.com)
Cambodia deports 19 Japanese cyber crime scam suspects | News | Al Jazeera
Dutch Police mails RaidForums members to warn they’re being watched (bleepingcomputer.com)
Five arrested after 33,000 victims lose $98M to online investment fraud (bleepingcomputer.com)
Privacy, Surveillance and Mass Monitoring
Tesla Sued Over Workers' Alleged Access to Car Video Imagery - SecurityWeek
Consumers take data control into their own hands amid rising privacy concerns - Help Net Security
Artificial Intelligence
Samsung employees unwittingly leaked company secret data by using ChatGPT - Security Affairs
Cyber crime: be careful what you tell your chatbot helper… | Chatbots | The Guardian
US cyber chiefs warn of threats from China and AI • The Register
When you're talking to a chatbot, who's listening? | CNN Business
Bad Actors Will Use Large Language Models — but Defenders Can, Too (darkreading.com)
AI can crack most password in less than a minute | TechRadar
‘Overemployed’ Hustlers Exploit ChatGPT To Take On Even More Full-Time Jobs (vice.com)
AI clones child’s voice in fake kidnapping scam | The Independent
European privacy watchdog creates ChatGPT task force | Reuters
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Russian hackers linked to widespread attacks targeting NATO and EU (bleepingcomputer.com)
NTC Vulkan leak shows evolving Russian cyberwar capabilities | CSO Online
The Discord servers at the center of a massive US intelligence leak | CyberScoop
Cisco trashed offices and destroyed spares as it quit Russia • The Register
Another zero-click Apple spyware biz shows up in town again • The Register
Ukrainian hackers spend $25,000 of pro-Russian blogger's money on sex toys (bitdefender.com)
DDoS attacks rise as pro-Russia groups attack Finland, Israel (techrepublic.com)
Russian Hacker Group Zarya Hit Canadian Pipeline—Leaked Docs (gizmodo.com)
Russia's Joker DPR Claims Access to Ukraine Troop Movement Data (darkreading.com)
Spyware Offered to Cyber attackers via PyPI Python Repository (darkreading.com)
Russian hackers ‘target security cameras inside Ukraine coffee shops’ | Ukraine | The Guardian
Nation State Actors
Russia-linked APT29 is behind recent attacks targeting NATO and EU-Security Affairs
North Korean Hackers Uncovered as Mastermind in 3CX Supply Chain Attack (thehackernews.com)
US cyber chiefs warn of threats from China and AI • The Register
Ukrainian hackers spend $25,000 of pro-Russian blogger's money on sex toys (bitdefender.com)
Google is on a crusade against cyber security threats from North Korea | TechRadar
Russian Hacker Group Zarya Hit Canadian Pipeline—Leaked Docs (gizmodo.com)
Iranian APT group launches destructive attacks in hybrid Azure AD environments | CSO Online
FBI: Crooks posing as PRC agents prey on Chinese in the US • The Register
Vulnerability Management
Most Security Exposures Do Not Put Organizations' Critical Assets At Risk, Study Shows - MSSP Alert
Ransomware gangs increasingly deploy zero-days to maximize attacks | CyberScoop
Vulnerabilities
Microsoft Issues Patches for 97 Flaws, Including Active Ransomware Exploit (thehackernews.com)
Windows admins warned to patch critical MSMQ QueueJumper bug (bleepingcomputer.com)
Nokoyawa ransomware attacks with Windows zero-day | Securelist
Thousands at risk from critical RCE bug in legacy MS service | Computer Weekly
1M+ WordPress Sites Hacked via Zero-Day Plug-in Bugs (darkreading.com)
Sophos Patches Critical Code Execution Vulnerability in Web Security Appliance - SecurityWeek
Cisco Patches Code and Command Execution Vulnerabilities in Several Products - SecurityWeek
CISA orders agencies to patch Backup Exec bugs used by ransomware gang (bleepingcomputer.com)
CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA
Data-leak flaw in Qualcomm, HiSilicon-based Wi-Fi AP chips • The Register
Twitter 'Shadow Ban' Bug Gets Official CVE (darkreading.com)
Exploit available for critical bug in VM2 JavaScript sandbox library (bleepingcomputer.com)
Microsoft finally gets around to fixing half-decade-old Firefox CPU bug | TechRadar
SAP releases security updates for two critical-severity flaws (bleepingcomputer.com)
Adobe Plugs Gaping Security Holes in Reader, Acrobat - SecurityWeek
Limit Login Attempts Plugin Patches Severe Unauthenticated Stored XSS Vulnerability – WP Tavern
Fortinet Patches Critical Vulnerability in Data Analytics Solution - SecurityWeek
How Microsoft’s Shared Key authorization can be abused and how to fix it | CSO Online
Microsoft shares fix for Outlook issue blocking access to emails (bleepingcomputer.com)
Critical Vulnerability in Hikvision Storage Solutions Exposes Video Security Data - SecurityWeek
Tools and Controls
Threat hunting programs can save organizations from costly security breaches - Help Net Security
Stopping criminals from abusing security tools - Microsoft On the Issues
Most Security Exposures Do Not Put Organizations' Critical Assets At Risk, Study Shows - MSSP Alert
The Pope's Security Gets a Boost With Vatican's MDM Move (darkreading.com)
Bad Actors Will Use Large Language Models — but Defenders Can, Too (darkreading.com)
Cyber crime: be careful what you tell your chatbot helper… | Chatbots | The Guardian
Detailed Analysis Of The Best Password Managers In 2023 (informationsecuritybuzz.com)
How CIEM Can Improve Identity, Permissions Management for Multicloud Deployments (darkreading.com)
Centralized vs. decentralized identity management explained | TechTarget
The Service Accounts Challenge: Can't See or Secure Them Until It's Too Late (thehackernews.com)
What is an Intrusion Prevention System (IPS)? (techtarget.com)
Securing the Chaos – Harnessing Dispersed Multi-Cloud, Hybrid Environments - SecurityWeek
How to Secure Web Applications in a Growing Digital Attack Surface (bleepingcomputer.com)
4 strategies to help reduce the risk of DNS tunnelling | CSO Online
Reports Published in the Last Week
Other News
MSI Confirms Cyber Attack, Issues Firmware Download Guidance - SecurityWeek
1M+ WordPress Sites Hacked via Zero-Day Plug-in Bugs (darkreading.com)
Western Digital restores service; attack details remain unclear | TechTarget
Rapid7 Has Good News for UK Security Posture - Infosecurity Magazine (infosecurity-magazine.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Advisory 13 April 2023 – Fortinet Patches Multiple Vulnerabilities, Including Some High Severity
Black Arrow Cyber Advisory 13 April 2023 – Fortinet Patches Multiple Vulnerabilities, Including Some High Severity
Executive summary
As part of its April 2023 vulnerability advisories update, Fortinet has released patches for one actively exploited vulnerability (CVE-2022-0847) which impacted FortiAuthenticator, FortiProxy and FortiSIEM. The advisory also addressed high severity vulnerabilities in FortiOS, FortiProxy, FortiSOAR, FortiClient, FortiNAC, FortiADC, FortiDDoS, FortiDDoS-F, FortiPresence, Fortiweb, FortiADC, FortiAnalyzer, FortiSandbox, FortiDeceptor, FortiManager, FortiGate and FortiAuthenticator.
Technical Summary
CVE-2022-0847 is an actively exploited Linux kernel privilege escalation vulnerability known as “dirty pipe” which was patched in March last year. Some versions of FortiAuthenticator, FortiProxy and FortiSIEM use a version of the linux kernel which was still vulnerable to this exploit, prior to Fortinet releasing the April updates.
What’s the risk to me or my business?
The vulnerabilities, if exploited, could allow an attacker to escalate privileges, perform command execution, bypass anti brute-force defences, create files and perform man-in-the-middle attacks; all of which can compromise the confidentiality, integrity and availability of data in your organisation.
According to Fortinet, the following products are affected by the actively exploited vulnerability:
FortiAuthenticator version 6.3.0 through 6.3.3 and 6.4.0 through 6.4.1
FortiProxy version 7.0.0 through 7.0.3
FortiSIEM version 6.1.0 through 6.1.2, 6.2.0 through 6.2.1, 6.3.0 through 6.3.3 and 6.4.0
What can I do?
Patches are available for the products affected by the exploited vulnerability and should be applied immediately. Security updates are available for the other vulnerabilities addressed by Fortinet. Further information for each vulnerability can be found in the advisory from Fortinet.
More information on the Fortinet vulnerabilities can be found here: https://www.fortiguard.com/psirt-monthly-advisory/april-2023-vulnerability-advisories
More information on the actively exploited vulnerability can be found here:
https://www.fortiguard.com/psirt/FG-IR-22-050
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Advisory 12 April 2023 – Microsoft Patch Tuesday, Adobe and SAP Updates Summary
Black Arrow Cyber Advisory 12 April 2023 – Microsoft Patch Tuesday, Adobe and SAP Updates Summary
Executive Summary
Microsoft’s April patch Tuesday addressed 97 security issues including one actively exploited zero-day actively being used to launch ransomware attacks. Adobe released updates to fix security issues across a range of their products including Acrobat and Adobe Reader. SAP have also this week issued fixes for a number of their products including BusinessObjects.
Microsoft
Microsoft’s April Patch Tuesday provides updates to address 97 security issues across its product range, including one actively exploited zero-day vulnerability (CVE-2023-28252) being used to launch ransomware attacks. The exploited zero-day vulnerability is a privilege escalation vulnerability which has been added the US Cybersecurity and Infrastructure Security Agency’s (CISA) “Known Exploited Vulnerabilities Catalog”. 7 critical vulnerabilities were also patched through updates provided by Microsoft.
What’s the risk to me or my business?
The actively exploited vulnerability could allow an attacker with access, to gain SYSTEM privileges and further compromise the confidentiality, integrity and availability of data stored by an organisation.
What can I do?
Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the actively exploited vulnerability and all other vulnerabilities that have a critical severity rating.
Technical Summary
CVE-2023-28252: The actively exploited vulnerability could allow an attacker to gain SYSTEM privileges, effectively providing the attacker with the highest permissions of access to a system. The vulnerability is a post exploitation vulnerability which an attacker can exploit once they have gained access to a vulnerable target.
Adobe
This month, Adobe released fixes for 56 vulnerabilities, of which 49 were rated critical across Adobe Acrobat and Reader (14), InCopy (1), Substance 3D Designer (9), Substance 3D Stager (10), Digital Editions (1) and Dimension (14). At current, Adobe is not aware of any of these vulnerabilities being actively exploited. The vulnerabilities include remote code execution, memory leak, privilege escalation and security bypass.
SAP
Enterprise software vendor SAP has addressed vulnerabilities in several of its products, including two critical-severity vulnerabilities that impact SAP Diagnostic Agent and SAP BusinessObjects Business Intelligence Platform. The updates included fixes for 19 vulnerabilities. Including remote execution and authentication bypass. A total of 5 vulnerabilities were given the “Hot News” priority, which is the highest priority according to SAP.
Further details on other specific updates within this patch Tuesday can be found here: https://www.ghacks.net/2023/04/11/microsoft-windows-security-updates-april-2023-what-you-need-to-know-before-installation/
Further details about CVE-2023-28252 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-28252
Further details of the vulnerabilities addressed in Adobe Acrobat and Reader can be found here: https://helpx.adobe.com/security/products/acrobat/apsb23-24.html
Further details of the vulnerabilities addressed in Adobe InCopy can be found here: https://helpx.adobe.com/security/products/incopy/apsb23-13.html
Further details of the vulnerabilities addressed in Adobe Substance 3D Designer can be found here: https://helpx.adobe.com/security/products/substance3d_designer/apsb23-28.html
Further details of the vulnerabilities addressed in Adobe Substance 3D Stager can be found here: https://helpx.adobe.com/security/products/substance3d_stager/apsb23-26.html
Further details of the vulnerabilities addressed in Adobe Digital Editions can be found here: https://helpx.adobe.com/security/products/Digital-Editions/apsb23-04.html
Further details of the vulnerabilities addressed in Adobe Dimension can be found here: https://helpx.adobe.com/security/products/dimension/apsb23-27.html
Further information on the patches by SAP can be found here: https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Threat Briefing 07 April 2023
Black Arrow Cyber Threat Briefing 07 April 2023:
-15 Million Public-Facing Services Vulnerable to Known Exploited Vulnerabilities
-New Research Highlights Increased Security Risks Posed by Remote Working and BYOD
-Lack of Security Employees Makes SMBs Sitting Ducks for Cyber Attacks
-IT and Security Pros Pressured to Keep Quiet About Data Breaches
-Phishing Emails are Seeing a Huge Rise, So Stay on Your Guard"
-Ransomware Attacks Skyrocket as Threat Actors Double Down on Global Attacks
-MSPs a Favoured Target of Supply Chain and Infrastructure Attacks
-Fake Ransomware Gang Targets Organisations with Empty Data Leak Threats
-GCHQ Updates Security Guidance for Boards
-More than 60% of Organisations have been Hit with Unplanned Downtime on a Monthly Basis
-For Cyber Crime Gangs, Professionnalisation Comes With “Corporate” Headaches
-UK’s Offensive Hacking Unit Takes on Military Opponents and Terrorist Groups
-Man Kills Himself After an AI Chatbot 'Encouraged' Him to Sacrifice Himself to Stop Climate Change
-Hackers Exploit WordPress Plugin Flaw That Gives Full Control of Millions of Sites
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
15 Million Public-Facing Services Vulnerable to Known Exploited Vulnerabilities
Over 15 million publicly facing services are susceptible to at least one of the 896 vulnerabilities listed in CISA's KEV (known exploitable vulnerabilities) catalogue. The findings are particularly worrying because the examined vulnerabilities are known and highlighted in CISA's KEV catalogue as actively exploited by hackers, so any delays in their patching maintain a large attack surface, giving threat actors numerous potential targets.
Over half of those 7 million instances were vulnerable to one of the 137 CVEs concerning Microsoft Windows, making this component a top priority for defenders and an excellent target for attackers. Almost half of those are over five years old, so roughly 800,000 machines have not applied security updates for a significant period of time.
New Research Highlights Increased Security Risks Posed by Remote Working and BYOD
New research has highlighted the increased threats associated with remote work and bring your own device (BYOD) policies faced by organisations. The results of the survey show that with remote and hybrid working, personal and work tasks blur together and the boundaries between the two have become more porous. The data shows that 32% of remote and hybrid workers use apps or software not approved by IT and 92% of remote employees perform work tasks on their personal tablet or smartphone devices. These devices, apps and software, along with the corporate data being accessed, are not visible to IT, thereby dramatically increasing an organisation’s risk posture.
Lack of Security Employees Makes SMBs Sitting Ducks for Cyber Attacks
Cyber security is a growing concern among all businesses but lack of security expertise in SMBs is leaving smaller firms open to attack. Cyber threats are more real and prevalent than ever before and the risk to businesses includes not only exposure of customer data and a decrease in trust, but also losses in revenue.
54% of small businesses say they are more concerned about cyber security now than one year ago yet 38% of SMBs said they had zero employees dedicated to security as part of their role, and 42% had just one employee working on security. Even without a traditional security role, there should be someone responsible for making security decisions in every organisation.
A lack of time to focus on security and keeping up with changing threats are amongst the biggest challenges for businesses.
https://www.helpnetsecurity.com/2023/04/04/smbs-security-posture/
IT and Security Pros Pressured to Keep Quiet About Data Breaches
It is not possible to stop every bad thing from happening. Alarmingly, when something does go wrong IT/security professionals are being told to keep a breach confidential, even when they knew it should be reported. More than 42% of IT/security professionals reporting this happening to them, and a worrying 30% said they have kept a breach confidential.
At 71%, IT/security professionals in the US were the most likely to say they have been told to keep quiet followed by the UK at 44%.
52% of global organisations have experienced a data breach or data leak in the last 12 months. The US led at 75% (or 23% higher than average) followed by the UK at 51.4%.
Infosec professionals are increasingly worried about their company facing legal action due to a breach being handled incorrectly.
https://www.helpnetsecurity.com/2023/04/06/pressure-keeping-breaches-confidential/
Phishing Emails are Seeing a Huge Rise, So Stay on Your Guard
Phishing attacks are up 5x year-on-year, researchers say. A report from Cofense analysed data received from 35 million people across the world, finding there has been a 569% increase in phishing attacks to 2022 and 478% increase to credential phishing. With the increased frequency, intensity and sophistication of these threats small and medium-sized businesses should be particularly wary of phishing and other forms of email-borne cyber attacks as their numbers have grown explosively over the last year, experts have warned. Organisations should keep eyes open for Business Email Compromise (BEC) attacks as this type continues to be one of the top crimes for the eighth year in a row.
https://www.techradar.com/news/phishing-emails-are-seeing-a-huge-rise-so-stay-on-your-guard
Ransomware Attacks Skyrocket as Threat Actors Double Down on Global Attacks
New studies have found that ransomware exploits are increasing, and a large percentage of victims are being hit multiple times. The NCC Group noted that there were 240 ransomware attacks in February 2023, a 45% increase from the record-high number of attacks in January. North America accounted for 47% of the global ransomware attacks, with Europe following (23%). Another report found that of all organisations hit by ransomware in the last 12 months, 28% were reported to be hit twice or more. Of the organisations breached, 69% reported phishing as the initial access vector.
https://www.techrepublic.com/article/nccgroup-ransomware-attacks-up-february/
MSPs a Favoured Target of Supply Chain and Infrastructure Attacks
With the backdrop of increasing cyber attacks on supply chains, Managed Service Providers (MSPs) are increasingly being favoured by attackers due to their pivotal role in the supply chain and access to the organisations they are serving.
When measured by sector, MSPs are the hardest hit by hackers in supply chain attacks.
ConnectWise’s cyber research unit analysed some 440,000 incidents that impacted MSPs and their clients and found that Lockbit led among the most prolific ransomware hijackers targeting MSPs, (42% of all ransomware attacks) followed by Cl0p at 11%. Whilst numerous other ransomware gangs also directly targeted MSPs in 2022.
Third party risk assessments should be carried out for all organisations in your supply chain and this is especially true of MSPs and external IT providers given the level of access they have into your systems and data.
Fake Ransomware Gang Targets Organisations with Empty Data Leak Threats
Fake extortionists are piggybacking on data breaches and ransomware incidents, threatening companies with publishing or selling allegedly stolen data unless they get paid. Sometimes the actors add the menace of a distributed denial-of-service (DDoS) attack if the message recipient does not comply with the instructions in the messages. It is possible that victims are selected from publicly available sources, such as the initial attacker’s data leak site, social media, news reports, or company disclosures; in some cases a fake extortionist could learn about ransomware victims that have yet to disclose the cyber attack, making it more likely for victims to believe them.
GCHQ Updates Security Guidance for Boards
The UK’s leading cyber security agency GCHQ, has urged the country’s business leaders to “get to grips” with cyber risk after releasing an updated toolkit to help them do so. GCHQ’s National Cyber Security Centre (NCSC) said its updated Cyber Security Board Toolkit is designed to boost the confidence of senior execs when discussing security with key stakeholders from the organisation.
Given the potentially serious impact breaches can have on business operations and growth, the agency wants boards to treat cyber risk with the same urgency as other business risks in areas such as financial and legal.
https://www.infosecurity-magazine.com/news/gchq-updates-security-guidance/
More than 60% of Organisations have been Hit with Unplanned Downtime on a Monthly Basis
A recent report found that 52% of organisations had suffered a data breach in the past two years, an increase from 49% in 2022. In addition, 62% of organisations reported that business critical applications suffered from unplanned downtime due to a cyber security incident on at least a monthly basis, an increase from 54% in 2022. Other key findings include downtime costing roughly 2.7% of annual revenue, 39% of organisations believing cyber security incidents directly harmed their competitive position and 31% noting that it had reduced shareholder revenue. As a result of the impact, 95% of organisations reported that they had planned to increase their security budget over the next 2 years.
For Cyber Crime Gangs, Professionalisation Comes With “Corporate” Headaches
Today’s largest cyber crime gangs are operating like large enterprises, with $50 million dollars in annual revenue and around 80% of operating expenses going towards wages. Researchers have found that small, medium and especially large cyber crime gangs are operating just like their legitimate counterparts, from their managerial structure to employee benefits. The research highlights a worrying level of sophistication within cyber crime gangs; we are no longer dealing with the lone attacker in a dark room, but in some cases an enterprise with clear objectives.
UK’s Offensive Hacking Unit Takes on Military Opponents and Terrorist Groups
Britain’s newly created offensive hacking unit, the National Cyber Force (NCF), has said it is engaged daily in operations to disrupt terrorist groups and military opponents of the UK. Operational details remain unclear, however the NCF says it is engaged in techniques to “undermine the tradecraft” of Russian, Chinese and other state-sponsored hackers and in “technical disruption” against terrorist groups, for example to prevent the dissemination of online propaganda. This news comes after the recent leak of files for Moscow, which had tasked an IT company to develop cyber warfare tools aimed at taking down infrastructure networks and scouring the internet for vulnerabilities.
Man Kills Himself After an AI Chatbot 'Encouraged' Him to Sacrifice Himself to Stop Climate Change
A man reportedly took his own life following a six-week-long conversation about the climate crisis with an artificial intelligence (AI) chatbot. Reports found that the chatbot had fed the mans worries about climate change, which had worsened his anxiety and later led to suicidal thoughts. The AI chatbot failed to dissuade the man from committing suicide and had in fact encouraged him to act on the thoughts and join the AI chatbot so “they could live together, as one person, in paradise”. This is despite the efforts made to limit these kind of events.
Hackers Exploit WordPress Plugin Flaw That Gives Full Control of Millions of Sites
Hackers are actively exploiting a critical vulnerability in a widely used WordPress plugin that gives them the ability to take complete control of millions of sites, researchers said. The vulnerability is in Elementor Pro, a premium plugin running on more than 12 million sites powered by WordPress. Despite the vulnerability being fixed, many have not installed the patch. Worryingly, this is a common theme in cyber; many organisations remain vulnerable due to them not having an efficient patching process and as a result, a number of the most exploited vulnerabilities have available patches.
Threats
Ransomware, Extortion and Destructive Attacks
Ransomware attacks up sharply in February (techrepublic.com)
Fake ransomware gang targets U.S. orgs with empty data leak threats (bleepingcomputer.com)
New Money Message ransomware demands million dollar ransoms (bleepingcomputer.com)
Rorschach – A New Sophisticated and Fast Ransomware - Check Point Research
ALPHV ransomware exploits Veritas Backup Exec bugs for initial access (bleepingcomputer.com)
LockBit leaks data stolen from South Korean National Tax Service-Security Affairs
UK outsourcing services provider Capita suffered a cyber incident-Security Affairs
March ransomware disclosures spike behind Clop attacks | TechTarget
Protect Your Company: Ransomware Prevention Made Easy (thehackernews.com)
Dish Faces Investor Lawsuit Over Ransomware Attack, Downgrades From Equity Analysts | Next TV
Phishing & Email Based Attacks
Scammers Are Using ChatGPT to Write Emails That Aren't Riddled With Typos (futurism.com)
Phishing emails are seeing a huge rise, so stay on your guard | TechRadar
YouTube warns of email scam from seemingly authentic account | Science & Tech News | Sky News
BEC – Business Email Compromise
2FA/MFA
Malware
WinRAR SFX archives can run PowerShell without being detected (bleepingcomputer.com)
Malware and machine learning: A match made in hell - Help Net Security
Arid Viper Hacking Group Using Upgraded Malware in Middle East Cyber Attacks (thehackernews.com)
Flood of malicious packages results in NPM registry DoS - Help Net Security
Hackers Using Self-Extracting Archives Exploit for Stealthy Backdoor Attacks (thehackernews.com)
Researcher Tricks ChatGPT into Building Undetectable Steganography Malware (darkreading.com)
Typhon info-stealing malware devs upgrade evasion capabilities (bleepingcomputer.com)
Tax preparation and e-file service eFile.com compromised to serve malware-Security Affairs
The hidden picture of malware attack trends - Help Net Security
Mobile
BYOD
New Research Highlights Increased Security Risks Posed by Remote Working and BYOD - IT Security Guru
Internet of Things – IoT
Hackers can open Nexx garage doors remotely, and there's no fix (bleepingcomputer.com)
HP to patch critical bug in LaserJet printers within 90 days (bleepingcomputer.com)
Data Breaches/Leaks
Splunk Details Increase in Data Breaches, Downtime Due to Cyber security Issues - MSSP Alert
Uber driver info stolen in yet another third-party breach • The Register
ChatGPT linked to alleged leak of confidential information at Samsung (interestingengineering.com)
Law Firm for Uber Loses Drivers' Data to Hackers in Yet Another Breach (darkreading.com)
Marketplace 600K Records Leaked By Database Snafu (informationsecuritybuzz.com)
Organised Crime & Criminal Actors
For Cyber Crime Gangs, Professionalization & ‘Corporate’ Headaches (darkreading.com)
Fight Mercenaries with these Cyber security Principles (trendmicro.com)
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
DoJ Recovers $112M in Crypto Stolen With Romance Scams (darkreading.com)
Hackers steal crypto assets by defeating 2FA with rogue browser extension | CSO Online
Insider Risk and Insider Threats
Re-evaluating immature and ineffective insider risk management programs - Help Net Security
Employees are as likely as cyber-criminals to cause cyber-incidents | The Independent
Fraud, Scams & Financial Crime
The staggering cost of identity fraud for financial services - Help Net Security
New dark web market STYX focuses on financial fraud services (bleepingcomputer.com)
What CISOs Can Do to Build Trust & Fight Fraud in the Metaverse (darkreading.com)
Feds seize $112m in currency tied to 'pig-butchering scams • The Register
Stop online counterfeiters dead in their tracks - Help Net Security
Deepfakes
Insurance
Dark Web
Supply Chain and Third Parties
MSPs a Favoured Target of Supply Chain and Infrastructure Attacks, ConnectWise Reports - MSSP Alert
APT group Winter Vivern exploits Zimbra webmail flaw to target government entities | CSO Online
Risk & Repeat: Inside the 3CX supply chain attack | TechTarget
10-year-old Windows bug with 'opt-in' fix exploited in 3CX attack (bleepingcomputer.com)
Automation, Cyber security, Integration Top the List of Priorities for MSPs in 2023 - MSSP Alert
Capita: Cyber attack caused pre-weekend outage • The Register
Western Digital Hit By Network Security Breach - Infosecurity Magazine (infosecurity-magazine.com)
Cloud/SaaS
Google Drive does a surprise rollout of file limits, locking out some users | Ars Technica
Capita: Cyber attack caused pre-weekend outage • The Register
Shadow data slipping past security teams - Help Net Security
Think Before You Share the Link: SaaS in the Real World (thehackernews.com)
Western Digital Hit By Network Security Breach - Infosecurity Magazine (infosecurity-magazine.com)
Hybrid/Remote Working
New Research Highlights Increased Security Risks Posed by Remote Working and BYOD - IT Security Guru
Unapproved Apps Used By 32% of Remote Workers - Infosecurity Magazine (infosecurity-magazine.com)
Shadow IT
Identity and Access Management
The high cost of insecure authentication methods - Help Net Security
3 Fronts in the Battle for Digital Identity (darkreading.com)
Passwords, Credential Stuffing & Brute Force Attacks
Takedown of notorious hacker marketplace selling your identity to criminals | Europol (europa.eu)
Stolen credential warehouse Genesis Market seized by FBI • The Register
Social Media
TikTok fined £12.7m for illegally processing children’s data | TikTok | The Guardian
TikTok bans explained: Everything you need to know (techtarget.com)
YouTube warns of email scam from seemingly authentic account | Science & Tech News | Sky News
Parental Controls and Child Safety
Regulations, Fines and Legislation
TikTok fined £12.7m for illegally processing children’s data | TikTok | The Guardian
UK data regulator issues warning over generative AI data protection concerns | CSO Online
Governance, Risk and Compliance
42% of IT leaders told to maintain breach confidentiality | TechTarget
GCHQ Updates Security Guidance for Boards - Infosecurity Magazine (infosecurity-magazine.com)
Splunk Details Increase in Data Breaches, Downtime Due to Issues - MSSP Alert
5 strategies to manage risks in mergers and acquisitions | CSO Online
Models, Frameworks and Standards
Careers, Working in Cyber and Information Security
Law Enforcement Action and Take Downs
Stolen credential warehouse Genesis Market seized by FBI • The Register
Spain's most dangerous and elusive hacker now in police custody (bleepingcomputer.com)
Genesis Market: Popular cyber crime website shut down by police - BBC News
Privacy, Surveillance and Mass Monitoring
Artificial Intelligence
Welcome to the era of viral AI generated 'news' images | CNN Business
Scammers Are Using ChatGPT to Write Emails That Aren't Riddled With Typos (futurism.com)
ChatGPT, the AI Revolution, and the Security, Privacy and Ethical Implications - SecurityWeek
Malware and machine learning: A match made in hell - Help Net Security
ChatGPT linked to alleged leak of confidential information at Samsung (interestingengineering.com)
UK data regulator issues warning over generative AI data protection concerns | CSO Online
Researcher Tricks ChatGPT into Building Undetectable Steganography Malware (darkreading.com)
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Russian pro-war military blogger killed in blast at St Petersburg cafe | Russia | The Guardian
China opens national security probe into Micron products • The Register
Vulkan Playbook Leak Exposes Russia's Plans for Worldwide Cyberwar (darkreading.com)
Britain’s cyberwarfare chief reveals his identity | The Economist
Nation State Actors
APT group Winter Vivern exploits Zimbra webmail flaw to target government entities | CSO Online
Russian pro-war military blogger killed in blast at St Petersburg cafe | Russia | The Guardian
China opens national security probe into Micron products • The Register
Report: Chinese State-Sponsored Hacking Group Highly Active - SecurityWeek
Vulkan Playbook Leak Exposes Russia's Plans for Worldwide Cyberwar (darkreading.com)
The other Chinese apps taking the US and UK by storm - BBC News
Google TAG Alerts Of ARCHIPELAGO Cyber attacks Linked To North Korea (informationsecuritybuzz.com)
Vulnerability Management
15 million public-facing services vulnerable to CISA KEV flaws (bleepingcomputer.com)
10-year-old Windows bug with 'opt-in' fix exploited in 3CX attack (bleepingcomputer.com)
Millions still exposed despite available fixes - Help Net Security
Microsoft to admins: Auto-review your Autopatch alerts • The Register
Vulnerabilities
Tools and Controls
How can organisations bridge the gap between DR and cyber security? - Help Net Security
Let’s pump the brakes on the rush to incorporate AI into cyber security | CSO Online
The high cost of insecure authentication methods - Help Net Security
How AI is transforming cyber security for better and worse - Help Net Security
3 Fronts in the Battle for Digital Identity (darkreading.com)
Reports Published in the Last Week
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links
Black Arrow Cyber Advisory 05 April 2023 – ALPHV Ransomware Affiliate Targeting Vulnerable Veritas Backup Exec Installations to Gain Initial Access
Black Arrow Cyber Advisory 05 April 2023 – ALPHV ransomware Affiliate Targeting Vulnerable Veritas Backup Exec Installations to Gain Initial Access
Executive Summary
An affiliate of the ALPHV Ransomware group, tracked as UNC4466, are targeting vulnerable and publicly exposed Veritas Backup Exec installations as part of a ransomware attack. Veritas Backup Exec is a data and backup recovery software, used by over 45,000 businesses worldwide. According to Mandiant, there are currently around 8,500 publicly exposed installations and a number are unpatched and vulnerable; patches were made available in 2021.
What is the risk to my business?
Exploitation of the vulnerabilities allow an attacker to gain unauthorised access, execute commands and compromise data. Using this attack method UNC4466 are able to encrypt data belonging to an organisation and demand a ransom for decryption. The affected versions of Backup Exec are 16.x, 20.x and 21.1.
Technical Summary
By exploiting the vulnerabilities above, the attacker is able to gain unauthorised access to the Backup Exec agent. Subsequently, the attacker can then execute commands or use specially crafted input parameters to access files on the system; both of which use system privileges, the highest privilege possible. The attacker is then in a position where they can encrypt an organisation’s data and make ransom demands.
Detection and indicators of compromise
The update from Mandiant notes that the exploitation leaves a noticeable imprint on the Backup Exec log files. Mandiant have also identified the following indicators of compromise:
Reference to the following tools:
Advanced Port Scanner, ALPHV, LAZAGNE, LIGOLO, MIMIKATZ, NANODUMP, REVSOCKS, Sysinternals, PSEXEC, WINSW
IP addresses:
45.61.138.109 on ports: 33971, 36931, 41703, 43937, 45815
185.141.62.123 on ports: 50810 and for the address hxxp://185.141.62.123:10228/update.exe
5.199.169.209 on port: 31600
185.99.135.115 on ports:39839, 49196 and 41774
What can I do?
If organisations are using a vulnerable version of Veritas Backup Exec, this should be updated immediately. The vulnerabilities were patched in Backup Exec 21.2, the current version is now 22. To detect an incident, organisations should look to check the Backup Exec log files on vulnerable versions and look for connections to unknown IP addresses.
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
The security advisory from Veritas can be found here: https://www.veritas.com/support/en_US/security/VTS21-001
The Mandiant report can be found here:
https://www.mandiant.com/resources/blog/alphv-ransomware-backup
Black Arrow Cyber Threat Briefing 31 March 2023
Black Arrow Cyber Threat Briefing 31 March 2023:
-Phishing Emails Up a Whopping 569% in 2022
-The End User Password Mistakes Putting Your Organisation at Risk
-Millions of Penetration Tests Show Companies’ Security Postures are Getting Worse
-71% of Employees Keep Work Passwords on Personal Devices
-Cyber Crime Frontlines in Russia-Ukraine War Move to Eastern and Northern Europe
-Security Flaws Cost Fifth of Executive’s Businesses
-Companies Struggle to Build and Run Effective Programs to Protect Data from Insider Threats
-Only 10% of Workers Remember All Their Cyber Security Training
-Silence Gets You Nowhere in a Data Breach
-Just 1% of Cloud Permissions are Actively Used
-Dangerous Misconceptions About Emerging Cyber Threats
-‘Grim’ Criminal Abuse of ChatGPT is Coming, Europol Warns
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Phishing Emails Up a Whopping 569% in 2022
The volume of phishing emails sent in 2022 spiked by a jaw-dropping 569% according to a new report. Based on data from 35 million users, the report details the astronomical rise of email phishing as a tactic among threat actors in 2022. Key findings from the report include the number of credential phishing emails sent spiked by 478% and, for the eighth consecutive year, business email compromise (BEC) ranked as the top cyber crime.
https://www.darkreading.com/attacks-breaches/phishing-emails-up-whopping-569-percent-2022
The End User Password Mistakes Putting Your Organisation at Risk
Businesses rely on their end users, but those same users often don't follow the best security practices. Without the right password security policies, a single end user password mistake can be a costly breach of your organisation's defences. End users want to do their work quickly and efficiently, but sharing, reusing and weak passwords can put your organisation at risk so having the right policies in place is essential for security.
Millions of Penetration Tests Show Companies’ Security Postures are Getting Worse
The risk score for the average company worsened in the past year as companies fail to adapt to data exfiltration techniques and adequately protect web applications. Companies' effective data-exfiltration risk increased to 44 out of 100 (with 100 indicating the riskiest posture) in 2022, from an average score of 30 in the previous year, indicating that the overall risk of data being compromised has increased. That's according to rankings by Cymulate, who crunched data on 1.7 million hours of offensive cyber security testing. The research noted that while many companies are improving the adoption of strict network and group policies, attackers are adapting to sidestep such protections. They also found that four of the top-10 CVEs (known vulnerabilities) identified in customer environments were more than two years old.
https://www.darkreading.com/cloud/millions-pen-tests-companies-security-posture-getting-worse
71% of Employees Keep Work Passwords on Personal Devices
71% of employees store sensitive work passwords on their personal phones, and 66% use their personal texting apps for work, according to a new mobile bring your own device (BYOD) security report this week, with the report also suggesting 95% of security leaders are increasingly concerned about phishing attacks via private messaging apps. With the widespread use of personal mobile devices in the workplace, it is increasingly difficult for employers to ensure the security of sensitive information. The use of personal devices and personal apps was the direct cause of many high-profile corporate breaches and this is a trend that will surely continue, as employees often use corporate and personal devices for work, effectively doubling the attack surface for cyber criminals as threat actors know there are fewer security controls on personal mobile devices than on corporate ones.
https://www.infosecurity-magazine.com/news/70-employees-keep-work-passwords/
Cyber Frontlines in Russia-Ukraine War Move to Eastern and Northern Europe
More than a year into the war in Ukraine, hackers have extended the cyber battleground to Eastern and Northern Europe with the number of incidents in those geographies spiking noticeably. A new report shows that cyber warfare inside the conflict has “clearly moved on” from the beginnings of the war. Over the last 12 months, the research reports that the majority of incidents only affecting Ukraine in the first quarter of 2022 (50.4%) sank to 28.6% in the third period. But European Union countries have seen a spike in incidents related to the war in the past six months from 9.8% to 46.5%. Indeed, the number of attacks on EU countries in the third quarter of 2022 totalled just slightly less than those in the Ukraine. And, in the first quarter of this year, more than 80% of incidents occurred inside the European Union. Cyber is now a crucial weapon in the arsenal of new instruments of war, alongside disinformation, manipulation of public opinion, economic warfare, sabotage and guerrilla tactics. With the lateralisation of the conflict from Ukraine to the rest of Europe, Western Europe should be wary of possible attacks on critical infrastructure in the short term if the conflict continues to accelerate.
Security Flaws Cost Fifth of Executives New Business
Boards continue to under-appreciate the value of cyber security to the business, despite acknowledging its critical role in winning new business and talent, according to Trend Micro. The security giant polled 2,718 business decision makers globally to compile its Risky Rewards study and it found that half (51%) believe cyber security is a necessary cost but not a revenue contributor. 48% argue that its value is limited to threat prevention and two-fifths (38%) see security as a barrier rather than a business enabler. That’s despite a fifth (19%) acknowledging that poor security posture has already impacted their ability to win new business, and 57% thinking there is a strong connection between cyber and client acquisition.
https://www.infosecurity-magazine.com/news/fifth-execs-security-flaws-cost/
Companies Struggle to Build and Run Effective Programs to Protect Data from Insider Threats
Insider risk is emerging as one of the most challenging threats for organisations to detect, mitigate and manage, Code42 Software said in its annual Data Exposure Report for 2023. To compile data for the study they surveyed some 700 cyber security leaders, managers and practitioners and whilst more than 72% of companies indicated they have an insider risk management (IRM) program in place, the same companies experienced a year-over-year increase in data loss incidents of 32%. 71% of respondees expect data loss from insider events to increase in the next 12 months. Insider incidents are costing organisations $16 million per incident on average, and chief information security officers (CISOs) say that insider risks are the most challenging type of threat to detect. Data loss from insiders is not a new problem but it has become more complex with workforce turnover and cloud adoption.
Only 10% of Workers Remember All Their Cyber Security Training
New research has found that only 10% of workers remember all their cyber security training. Furthermore, only half of employees are undergoing regular training, and a quarter aren’t receiving any training at all. Organisations should look to carry out effective and regular training that is tailored to their employees to increase the chance of training content being retained, with a programme of ongoing continual reinforcement.
Silence Gets You Nowhere in a Data Breach
In cyber security, the phrase “what they don’t know won’t hurt them” is not only wrong, it’s dangerous. Despite this, it’s a motto that remains in many organisations’ PR playbooks, as demonstrated by the recent LastPass and Fortra data breaches. Smaller companies, too, are employing a silent-treatment approach to data breaches, and cyber attacks are now a fact of doing business with almost half of US organisations having suffered a cyber attack in 2022. Attackers are increasingly targeting smaller businesses due to the fact they are seen as easier targets than large companies.
https://techcrunch.com/2023/03/29/silence-gets-you-nowhere-in-a-data-breach/
Just 1% of Cloud Permissions are Actively Used
According to Microsoft, a surge in workload identities, super admins and “over-permissioning” is driving the increase in cyber risk for organisations. Just 1% of users are using the permissions granted to them for day-to-day work. Worryingly, this leaves a significant number of unnecessary permissions which could be used by an attacker to elevate their privileges.
https://www.infosecurity-magazine.com/news/just-1-of-cloud-permissions-used/
Dangerous Misconceptions About Emerging Cyber Threats
Organisations are leaving common attack paths exposed in their quest to combat emergent threats, according to a new report that delves into the efficacy of different security controls, the most concerning threats as tested by organisations worldwide, and top cyber security best practices for 2023. One of the key findings of the report is that many organisations are actively testing against threats seen in the news, likely from pressure to report on their exposure risk to emergent threats, and whilst this is good, it should not take away from assessing threats and exposures that are more likely actively targeting the business.
https://www.helpnetsecurity.com/2023/03/30/misconceptions-emerging-cyber-threats/
‘Grim’ Criminal Abuse of ChatGPT is Coming, Europol Warns
Europol has warned that criminals are set to take advantage of artificial intelligence to commit fraud and other crimes. Europol highlighted that ChatGPT could be used to speed up criminal research, impersonate speech styles for phishing and write code. Furthermore, despite ChatGPT having safeguards, Europol note that these can be circumvented.
https://www.securityweek.com/grim-criminal-abuse-of-chatgpt-is-coming-europol-warns/
Threats
Ransomware, Extortion and Destructive Attacks
Why CISOs Are Looking to Lateral Security to Mitigate Ransomware | CIO
Clop Keeps Racking Up Ransomware Victims With GoAnywhere Flaw (darkreading.com)
New IcedID malware variants shift from banking trojans to ransomware | SC Media (scmagazine.com)
Publicly disclosed US ransomware attacks in 2023 | TechTarget
Virgin Group added to Cl0p gang’s victim leak site | Cybernews
New York law firm coughs up $200k after hospital data stolen • The Register
Telecom giant Lumen suffered a ransomware attack-Security Affairs
Ransomware crooks are exploiting IBM file exchange bug with a 9.8 severity | Ars Technica
DarkBit puts data from Israel’s Technion university on sale | CSO Online
Crown Resorts investigating potential data breach after being contacted by hacking group - ABC News
Children’s data feared stolen in Fortra ransomware attack | TechCrunch
Phishing & Email Based Attacks
Phishing Emails Up a Whopping 569% in 2022 (darkreading.com)
IRS Phishing Emails Used to Distribute Emotet - Infosecurity Magazine (infosecurity-magazine.com)
These next-level phishing scams use PayPal or Google Docs to steal your data | TechRadar
Winter Vivern hackers exploit Zimbra flaw to steal NATO emails (bleepingcomputer.com)
BEC – Business Email Compromise
BEC scammers are after physical goods, the FBI warns - Help Net Security
Australian police arrest four BEC actors who stole $1.7 million (bleepingcomputer.com)
New BEC Tactics Enable Fake Asset Purchases - Infosecurity Magazine (infosecurity-magazine.com)
FBI: Business email compromise tactics used to defraud US vendors (bleepingcomputer.com)
Other Social Engineering; Smishing, Vishing, etc
2FA/MFA
Malware
New IcedID malware variants shift from banking trojans to ransomware | SC Media (scmagazine.com)
MacStealer macOS malware appears in cyber crime underground--Security Affairs
Cyber Scammers Using Decentralized File Distribution System to Spread Malware - MSSP Alert
Microsoft confirms Defender has gone rogue as it's flagging legit links as malware - Neowin
North Korean malware-spreading, crypto-stealing gang named • The Register
Malware disguised as Tor browser steals $400k in cryptocash • The Register
NullMixer Polymorphic Malware Variant Infects 8K Targets in Just a Month (darkreading.com)
Chinese Cyber spies Use 'Melofee' Linux Malware for Stealthy Attacks - SecurityWeek
Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor (thehackernews.com)
Realtek and Cacti flaws now actively exploited by malware botnets (bleepingcomputer.com)
AlienFox malware caught in the cloud hen house • The Register
Microsoft OneNote will block 120 dangerous file extensions (bleepingcomputer.com)
IRS Phishing Emails Used to Distribute Emotet - Infosecurity Magazine (infosecurity-magazine.com)
Mobile
Android-based banking Trojan Nexus now available as malware-as-a-service | CSO Online
Inaudible ultrasound attack can stealthily control your phone, smart speaker (bleepingcomputer.com)
Russia’s Rostec allegedly can de-anonymize Telegram users (bleepingcomputer.com)
Android app from China executed 0-day exploit on millions of devices | Ars Technica
Google again accused of destroying evidence in Android case • The Register
Google finds more Android, iOS zero-days used to install spyware (bleepingcomputer.com)
Samsung keeps ignoring a huge security flaw in millions of Galaxy phones - SamMobile
iOS Vs. Android – Which Is The More Secure Platform? (informationsecuritybuzz.com)
Botnets
Denial of Service/DoS/DDOS
Internet of Things – IoT
Inaudible ultrasound attack can stealthily control your phone, smart speaker (bleepingcomputer.com)
This devious cyber attack can target all your smart speakers without you realizing | TechRadar
Gone in 120 seconds: Tesla Model 3 child's play for hackers • The Register
Data Breaches/Leaks
Fortra told breached companies their data was safe | TechCrunch
Procter & Gamble confirms data theft via GoAnywhere zero-day (bleepingcomputer.com)
New York law firm coughs up $200k after hospital data stolen • The Register
Toyota scrambles to patch customer data leak-Security Affairs
500k Impacted by Data Breach at Debt Buyer NCB - SecurityWeek
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Malware disguised as Tor browser steals $400k in cryptocash • The Register
NullMixer Polymorphic Malware Variant Infects 8K Targets in Just a Month (darkreading.com)
Insider Risk and Insider Threats
Only 10% of workers remember all their cyber security training - IT Security Guru
Data loss from insider events increase despite IRM programs, says study | CSO Online
Stop Blaming the End User for Security Risk (darkreading.com)
Fraud, Scams & Financial Crime
Visa fraud expert outlines the many faces of payment ecosystem fraud - Help Net Security
Cyber Scammers Using Decentralized File Distribution System to Spread Malware - MSSP Alert
Deepfakes
AML/CFT/Sanctions
Insurance
Beazley working on standalone cyber war product in market first (insuranceinsider.com)
Organisations Reassess Cyber Insurance as Self-Insurance Strategies Emerge (darkreading.com)
Supply Chain and Third Parties
Hackers compromise 3CX desktop app in a supply chain attack (bleepingcomputer.com)
Winter Vivern hackers exploit Zimbra flaw to steal NATO emails (bleepingcomputer.com)
Cloud/SaaS
Just 1% of Cloud Permissions Are Actively Used - Infosecurity Magazine (infosecurity-magazine.com)
Where SSO Falls Short in Protecting SaaS (thehackernews.com)
CISA Releases Hunt Tool for Microsoft's Cloud Services (darkreading.com)
Balancing security risks and innovation potential of shadow IT teams - Help Net Security
AlienFox malware caught in the cloud hen house • The Register
Hybrid/Remote Working
Cyber security focus in second Digital Europe work programme – EURACTIV.com
More companies are watching their remote workers WFH on camera | Fortune
Shadow IT
Identity and Access Management
Encryption
API
Passwords, Credential Stuffing & Brute Force Attacks
The End-User Password Mistakes Putting Your Organisation at Risk (bleepingcomputer.com)
New Research Examines Traffers and the Business of Stolen Credentials - IT Security Guru
Social Media
Training, Education and Awareness
The era of passive cyber security awareness training is over - Help Net Security
Only 10% of workers remember all their cyber security training - IT Security Guru
Parental Controls and Child Safety
Regulations, Fines and Legislation
Governance, Risk and Compliance
Beazley working on standalone cyber war product in market first (insuranceinsider.com)
Cyber security vs. Everyone: From Conflict to Collaboration (darkreading.com)
Using Observability to Power a Smarter Cyber security Strategy (darkreading.com)
How cyber security decision-makers perceive cyber resilience - Help Net Security
NCSC issues revised security Board Toolkit for business leaders | Computer Weekly
The CISO Mantra: Get Ready to Do More With Less (darkreading.com)
Models, Frameworks and Standards
Backup and Recovery
Law Enforcement Action and Take Downs
FBI confirms access to Breached cyber crime forum database (bleepingcomputer.com)
UK creates fake DDoS-for-hire sites to identify cyber criminals (bleepingcomputer.com)
Australian police arrest four BEC actors who stole $1.7 million (bleepingcomputer.com)
20-Year-Old BreachForums Founder Faces Up to 5 Years in Prison (thehackernews.com)
Privacy, Surveillance and Mass Monitoring
UK Introduces Mass Surveillance With Online Safety Bill - SecurityWeek
FBI Spent Tens of Thousands of Dollars on Bulk Data Collection (gizmodo.com)
Clearview AI used nearly 1m times by US police, it tells the BBC - BBC News
More companies are watching their remote workers WFH on camera | Fortune
Artificial Intelligence
'Grim' Criminal Abuse of ChatGPT is Coming, Europol Warns - SecurityWeek
In Sudden Alarm, Tech Doyens Call for a Pause on ChatGPT | WIRED
Musk, Scientists Call for Halt to AI Race Sparked by ChatGPT - SecurityWeek
AI-fuelled search gives more power to the bad guys | CSO Online
Hacker demonstrates security flaws in GPT-4 just one day after launch | VentureBeat
Godfather of AI Says There's a Minor Risk It'll Eliminate Humanity (futurism.com)
Clearview AI used nearly 1m times by US police, it tells the BBC - BBC News
AI has figured out how to draw deepfake hands | The Independent
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Putin and Xi’s plot to control the internet will leave the West in the dust (telegraph.co.uk)
In A Surprise, China-Linked TikTok Grabs Power Norway Needs To Make Ammo (forbes.com)
Cyber crime Front Lines in Russia-Ukraine War Move to Eastern and Northern Europe - MSSP Alert
Beazley working on standalone cyber war product in market first (insuranceinsider.com)
'Bitter' espionage hackers target Chinese nuclear energy orgs (bleepingcomputer.com)
Earth Preta’s Cyber Espionage Campaign Hits Over 200 (trendmicro.com)
Biden White House Issues Executive Order on Commercial Spyware (gizmodo.com)
North Korean APT43 Group Uses Cybercrime to Fund Espionage Operations (thehackernews.com)
Google finds more Android, iOS zero-days used to install spyware (bleepingcomputer.com)
Over 200 Organisations Targeted in Chinese Cyber Espionage Campaign - SecurityWeek
Google: Commercial Spyware Used by Governments Laden With Zero-Day Exploits (darkreading.com)
Chinese Cyber spies Use 'Melofee' Linux Malware for Stealthy Attacks - SecurityWeek
Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor (thehackernews.com)
Pro-Russian hackers target elected US officials supporting Ukraine | Ars Technica
Russian spies more effective than army, say experts - BBC News
Cyber warfare leaks show Russian army is adopting mindset of secret police | Cyberwar | The Guardian
Nation State Actors
Uncle Sam sent cyber-soldiers to Albania to combat Iran • The Register
Russia’s Rostec allegedly can de-anonymize Telegram users (bleepingcomputer.com)
Android app from China executed 0-day exploit on millions of devices | Ars Technica
China urges Apple to improve security and privacy • The Register
North Korean malware-spreading, crypto-stealing gang named • The Register
Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor (thehackernews.com)
Vulnerability Management
What you need before the next vulnerability hits - Help Net Security
Vulnerability management vs. risk management, compared | TechTarget
Most Weaponized Vulnerabilities of 2022 and 5 Key Risks: Report - SecurityWeek
Microsoft shares tips on detecting Outlook zero-day exploitation (bleepingcomputer.com)
Ignoring network automation is a ticking time bomb for security - Help Net Security
Vulnerabilities
Microsoft: No-Interaction Outlook Zero Day Exploited Since Last April - SecurityWeek
Microsoft shares tips on detecting Outlook zero-day exploitation (bleepingcomputer.com)
Apple patches everything, including a zero-day fix for iOS 15 users – Naked Security (sophos.com)
QNAP fixed Sudo privilege escalation bug in NAS devices-Security Affairs
Patch Now: Cyber criminals Set Sights on Critical IBM File Transfer Bug (darkreading.com)
Super FabriXss flaw in Microsoft Azure SFX could lead to RCE-Security Affairs
OpenAI quickly fixed account takeover bugs in ChatGPT-Security Affairs
Tools and Controls
Even with defence tools, CISOs say cyber attacks are ‘inevitable’ (techrepublic.com)
The era of passive cyber security awareness training is over - Help Net Security
Only 10% of workers remember all their cyber security training - IT Security Guru
Prioritizing data security amid workforce disruptions - Help Net Security
Using Observability to Power a Smarter Cyber security Strategy (darkreading.com)
For database security it's down to people, not tech fixes • The Register
Known unknowns: Refining your approach to uncategorized web traffic - Help Net Security
Understanding adversaries through dark web intelligence - Help Net Security
Where SSO Falls Short in Protecting SaaS (thehackernews.com)
How Does Data Literacy Enhance Data Security? (darkreading.com)
CISA Releases Hunt Tool for Microsoft's Cloud Services (darkreading.com)
With Security Copilot, Microsoft brings the power of AI to cyber defence - Stories
Compare breach and attack simulation vs. penetration testing | TechTarget
Ignoring network automation is a ticking time bomb for security - Help Net Security
Microsoft's ‘Security Copilot’ Sics ChatGPT on Security Breaches | WIRED
Breaking the Mold: Pen Testing Solutions That Challenge the Status Quo (thehackernews.com)
Diagnose your SME’s Cyber security and Scan for Recommendations — ENISA (europa.eu)
Protect your entire business with the right authentication method - Help Net Security
Microsoft Defender is flagging legit URLs as malicious • The Register
Managing security in the cloud through Microsoft Intune | CSO Online
Top 5 SD-WAN Challenges and How to Prepare for Them | TechTarget
Organisations Reassess Cyber Insurance as Self-Insurance Strategies Emerge (darkreading.com)
The best defence against cyber threats for lean security teams - Help Net Security
Overcoming obstacles to introduce zero-trust security in established systems - Help Net Security
The foundation of a holistic identity security strategy - Help Net Security
The CISO Mantra: Get Ready to Do More With Less (darkreading.com)
Other News
Hackers changed tactics, went cross-platform in 2022, says Trend Micro | CSO Online
WiFi protocol flaw allows attackers to hijack network traffic (bleepingcomputer.com)
Microsoft OneNote will block 120 dangerous file extensions (bleepingcomputer.com)
How CISOs Can Reduce the Danger of Using Data Brokers (darkreading.com)
How Does Data Literacy Enhance Data Security? (darkreading.com)
Microsoft uses carrot and stick with Exchange Online admins • The Register
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Alert 30 March 2023 – ACTION REQUIRED: Ongoing Campaign Actively Targeting 3CX Desktop App For Windows
Black Arrow Cyber Alert 30 March 2023 – ACTION REQUIRED: Ongoing Campaign Actively Targeting 3CX Desktop App For Windows
Update 16:20 30/03/2023: Additional information relating to the vulnerable Mac version of the 3CX desktop app has been provided by security researchers. Updates to this alert have been added below.
Executive Summary
A digitally signed and malicious version of the 3CX Voice over Internet Protocol (VoIP) desktop client is reportedly being used as part of an ongoing hacking campaign confirmed against windows devices and believed to be targeting Mac devices. It is believed that this the campaign involves nation state actors.
Update: The campaign has now been confirmed to be exploiting Mac devices.
Technical Summary
Earlier this week, CrowdStrike observed unexpected malicious activity which originated from a legitimately signed 3CXDesktopApp. The attack starts as soon as the MSI installer is downloaded and launched from 3CX’s website or the application is updated. The application itself is not malicious, however, when downloaded and installed, a malicious dll (ffmpeg.dll) is sideloaded which then extracts an encrypted payload from another dll (d3dcompiler_47.dd) and executes it. The malicious activity performed includes communication with attacker controller infrastructure, further payload deployment and hands-on-keyboard attacks, which is when threat actors stop using automated scripts and manually log in to an infected system to execute commands.
Update: For mac devices, the application bypassed Apple’s approval checks and was notarized, meaning it had been marked as safe by Apple and would not be blocked. The application uses libgffmpeg.dylib and attempts to connect to a command and control server. No more information on the specifics of the malcious content is known at current.
What’s the risk to me or my business?
According to 3CX, versions 18.12.407 & 18.12.416 are vulnerable to this attack and should be uninstalled. Organisations using the vulnerable versions of the 3CX desktop application are at a significant risk of data compromise.
Update: In an update to their advisory, for Mac users, the following versions are now confirmed as vulnerable: 18.11.1213, 18.12.402, 18.12.407 & 18.12.416.
Indicators of compromise (IoCs)
Crowdstrike has noted the following domains are in use by the attackers:
akamaicontainer.com
akamaitechcloudservices.com
azuredeploystore.com
azureonlinecloud.com
azureonlinestorage.com
dunamistrd.com
glcloudservice.com
journalide.org
msedgepackageinfo.com
msstorageazure.com
msstorageboxes.com
officeaddons.com
officestoragebox.com
pbxcloudeservices.com
pbxphonenetwork.com
pbxsources.com
qwepoi123098.com
sbmsa.wiki
sourceslabs.com
visualstudiofactory.com
zacharryblogs.com
What can I do?
A new desktop application is being worked on at current by 3CX, however it is not yet available. As such, it is recommended that the web application is used, and the vulnerable versions are uninstalled. Organisations should check for any activity involving the above IoCs. Additionally, organisations may benefit from identifying and monitoring the presence of ffmpeg.dll and d3dcompiler.dll on Windows devices as only a select number of anti-virus vendors have marked these as malicious.
Update: In addition to the above, Organisations may also benefit from identifying and monitoring the presence of libgffmpeg.dylib for Mac devices running vulnerable versions, as only a select number of anti-virus vendors have marked these as malicious. Due to the ongoing investigation, Black Arrow will update this post as soon as new information is identified.
The advisory from 3CX can be found here: https://www.3cx.com/blog/news/desktopapp-security-alert/
VirusTotal results for the ffmpeg.dll and d3dcompiler_47.dll can be found here: https://www.virustotal.com/gui/file/7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896
https://www.virustotal.com/gui/file/11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03
Various cyber security vendors have provided a breakdown of attacks, including indicators of compromise and actions they have taken:
https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/
https://www.trendmicro.com/en_gb/research/23/c/information-on-attacks-involving-3cx-desktop-app.html
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Advisory 29 March 2023 – Microsoft Exchange Online to Start Blocking Emails from Vulnerable On-premises Servers
Black Arrow Cyber Advisory 29 March 2023 – Microsoft Exchange Online to Start Blocking Emails from Vulnerable On-premises Servers
Executive Summary
Microsoft recently announced their intention to address the risks that stem from emails being sent to Exchange Online from unsupported or unpatched on-premises Microsoft Exchange servers and as a result are now taking a progressive enforcement approach. The approach will begin by throttling messages and escalate, eventually blocking servers until they are removed from service or updated. The enforcement approach will take 90 days from start to finish, once an in scope out of date server is detected. The Exchange team confirmed in the comments of the announcement that the report detailing affected servers will be available within private preview towards the end of April 2023. In May 2023 the first wave of affected customers will see the report, with throttling of inbound messages to Exchange Online starting in June, and blocking of inbound messages in July. The approach is focusing on a small subset of outdated Exchange 2007 servers at current, however Microsoft have stated that this will apply to all on-premises servers in the future.
What’s the risk to me or my business?
An unpatched or unsupported on-premise exchange server is already at significant risk of compromise and after 90 days from initial detection, it will no longer be able to communicate with Exchange Online. Organisations using unpatched or unsupported on-premise servers would be unable to send emails to accounts hosted with Exchange Online, impacting how users can communicate with third parties.
What can I do?
Thankfully, the risks can easily be mitigated by only using supported versions of Exchange and servers operating systems and applying patches in a reasonable time frame; Microsoft have allocated 90 days from initial detection by Exchange Online to administrators each year, to pause throttling and or blocking so that servers can be remediated.
The announcement by Microsoft can be found here: Throttling and Blocking Email from Persistently Vulnerable Exchange Servers to Exchange Online - Microsoft Community Hub
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Advisory 29 March 2023 – Apple Patch Multiple Vulnerabilities Across Product Suite, Including One Actively Exploited Vulnerability
Black Arrow Cyber Advisory 29 March 2023 – Apple Patch Multiple Vulnerabilities Across Product Suite, Including One Actively Exploited Vulnerability
Executive Summary
Apple has issued security updates to address multiple vulnerabilities across all of their currently supported devices, plus security updates for some older iOS and Mac devices which no longer receive the latest feature updates. One vulnerability (CVE-2023-23529) has been added to the Cybersecurity & Infrastructure Security Agency’s known exploited vulnerabilities (KEV) catalogue. In addition, patches have been made available for the following products:
Studio Display 16.4: applicable for macOS Ventura 13.3 and later
Safari 16.4: applicable for macOS Big Sur and macOS Monterey
iOS 15.7.4 and iPadOS 15.7.4: applicable for iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
iOS 16.4 and iPadOS 16.4: applicable for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
WatchOS 9.4: applicable for Apple Watch Series 4 and later
tvOS 16.4: applicable for Apple TV 4K (all models) and Apple TV HD
macOS Big Sur 11.7.5: applicable for macOS Big Sur
macOS Monterey 12.6.4: applicable for macOS Monterey
macOS Ventura 13.3: applicable for macOS Ventura
Technical Summary
The aforementioned exploited vulnerability, CVE-2023-23529, is a type confusion issue, which can occur when a piece of code does not verify the type of object handed to it, and uses it without type-checking. As a result, malicious web content can execute code on vulnerable devices.
What’s the risk to me or my business?
Exploitation of this vulnerability can lead to a compromise of data held on the device. As noted in the table, the following devices are vulnerable: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation).
What can I do?
Apple users should update their iOS and or iPadOS to version 15.7.4 for devices impacted by the exploited vulnerability (CVE-2023-23529). For the other vulnerabilities, it is recommended that the latest software updates are applied.
More information regarding CVE-2023-23529 be found here: https://support.apple.com/en-gb/HT213673
Details of the other addressed vulnerabilities can be found here: https://support.apple.com/en-gb/HT201222
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Advisory 28 March 2023 – Clop Ransomware Victims of GoAnywhere Vulnerability Reach 130
Black Arrow Cyber Advisory 28 March 2023 – Clop Ransomware Victims of GoAnywhere Vulnerability Reach 130
Executive Summary
A vulnerability in Forta’s popular file transfer software GoAnywhere has allowed ransomware group “Clop” to breach around 130 organisations, with more still coming forward. The attacks by Clop have breached a variety of organisations including banks, law firms, energy companies, retailers and even the city of Toronto. Any organisation using a vulnerable version of GoAnywhere is at risk of a breach.
Technical Summary
The vulnerability being exploited is a pre-authentication injection vulnerability which allows an attacker to gain access by injecting malicious code, without having to authenticate themselves. A patch was released for the vulnerability February (GoAnywhere 7.1.2), which at the time was noted as a ‘high’ vulnerability.
What’s the risk to me or my business?
Organisations using a version of GoAnywhere prior to 7.1.2 are at risk of having sensitive data exfiltrated by Clop. Once data has been exfiltrated by Clop, an email is sent to the organisation threatening to sell their data. Additionally, organisations whose supply chain are using a vulnerable version of GoAnywhere may also be at risk.
What can I do?
Organisations using GoAnywhere should check to ensure the patched version 7.1.2 or later has been installed. Organisations should also consider whether any of their supply chain is using GoAnywhere software and if so, what version as this can put the organisation at risk. There is currently no publicly accessible advisory from the software provider; the official advisory requires an account with Forta to access more information.
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Advisory 28 March 2023 – DEV-1101 Automated AiTM Phishing Campaigns Bypassing MFA
Black Arrow Cyber Advisory 28 March 2023 – DEV-1101 Automated AiTM Phishing Campaigns Bypassing MFA
Executive Summary
Microsoft Threat intelligence team has recently exposed the activities of a threat actor named DEV-1101. This threat actor advertises an open-source phishing kit that can be deployed to automate Adversary-in-the-middle (AiTM) campaigns. The phishing kit has the capability to circumvent multifactor authentication (MFA), evade detection through an antibot database, manage the phishing activity through telegram bots, and mimics services such as Microsoft Office or Outlook.
What’s the risk to me or my business?
If an AiTM phishing campaign is successful, the actor can set up a malicious site that will act as the intended valid website such as Microsoft Office or Microsoft Outlook. Here it can steal the credentials of the user and steal the authenticated session tokens of the MFA. In the most severe situations this can lead to a loss of confidentiality, integrity or availability of affected systems as the attacker has free access to perform any further criminal activity such as stealing, corrupting or and deleting data. Alongside the impact of the compromise, this can also lead to reputational damage and potentially financial penalties.
What can I do?
Black arrow recommends that you always deploy and maintain MFA where possible. While certain certain attacks may be able to circumvent MFA, it is important to remember that strong cyber security controls involve having layers of defences, in this case Conditional Access could be used to supplement the MFA control could reduce the risk of compromise. Organisations should also look to implement continuous monitoring for suspicious and anomalous activity to identify indicators of compromise. Other actions can be to ensure software and operating systems are up to date to avoid common vulnerabilities to be exploited. It is also vital that this is supplemented with end-user training including phishing simulations as this is the ingress point for this type of attack. Users should be encouraged to report any instances of interactions with emails that do not seem right.
Further information on the attack method can be found here:
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Threat Briefing 24 March 2023
Black Arrow Cyber Threat Briefing 24 March 2023:
-Majority of SMBs Lack Dedicated Cyber Experts and Cyber Incident Response Plans
-Controlling Third-Party Data Risk Should Be a Top Cyber Security Priority
-IT Security Spending to Reach Nearly $300 Billion by 2026
-2023 Cyber Security Maturity Report Reveals Organisational Unpreparedness for Cyber Attacks
-Board Cyber Shortage: Don’t Get Caught Swimming Naked
-Should Your Organisation Be Worried About Insider Threats?
-UK Ransomware Incident Volumes Surge 17% in 2022
-Financial Industry Hit by Rising Ransomware Attacks and BEC
-55 zero-day Flaws Exploited Last Year Show the Importance of Security Risk Management
-Security Researchers Spot $36m BEC Attack
-New Victims Come Forward After Mass Ransomware Attack
-Ransomware Gangs’ Harassment of Victims is Increasing
-Wartime Hacktivism is Spilling Over Into the Financial Services Industry
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Majority of SMBs Lack Dedicated Cyber Experts and Cyber Incident Response Plans
A recent report conducted by security provider Huntress found some worrying results regarding SMBs lack of dedicated cyber experts and lack of cyber incident response plans. Some of the reports key findings were 24% of SMBs suffering a cyber attack or unsure if they had suffered a cyber attack in the last 12 months, 61% of SMBs not having a dedicated cyber security expert and 47% having no incident response plan. The report found that SMBs struggled to implement basic training and only 9% of employees adhered to security best practices, potentially due to the previously mentioned training struggles. The report highlights a clear need for SMBs to increase their cyber resilience and conduct effective user education and awareness training.
Controlling Third-Party Data Risk Should be a Top Cyber Security Priority
Nearly 60% of all data breaches are initiated via third-party vendors and this is often hard to detect. The ever-increasing use of third party services has led to the average organisation sharing sensitive data with 583 third parties, a worrying number of attack vectors. Due to the impact a third party breach can have on an organisation it is imperative that organisations assess and risk manage their supply chains to increase the organisations cyber resilience.
IT Security Spending to Reach Nearly $300 Billion by 2026
Worldwide spending on security is forecast to be $219 billion in 2023, an increase of 12.1% compared to 2022. This figure is expected to continually rise, reaching nearly $300 billion by 2026. In Europe, it is predicted that the biggest portion of spending will still be represented by services, which will be increasingly leveraged by organisations with limited cyber security experience. Additionally the finance sector, which will have to constantly ensure regulatory adherence, is predicted to be the largest spending sector. Organisations should perform due diligence and ensure that they are using reputable services.
https://www.helpnetsecurity.com/2023/03/20/it-security-spending-2026/
2023 Cyber Security Maturity Report Reveals Organisational Unpreparedness for Cyber Attacks
In 2022 alone cyber attacks increased by 38%, highlighting the need for organisations to have a high level of cyber maturity; despite this, a recent cyber security maturity report ranked UK organisations as 12th globally. Some of the findings from the report included that 32% of organisations were found to have weak passwords and 23% had weak authentication systems.
https://thehackernews.com/2023/03/2023-cybersecurity-maturity-report.html
Board Cyber Shortage: Don’t Get Caught Swimming Naked
The Securities and Exchange Commission recently released their rules on cyber security risk management, strategy governance and incident disclosure by public companies. As part of the rules, the public disclosure of board directors’ cyber risk biographies is mandated. Worryingly, recent research has found that there is a drastic gap in cyber expertise at the board director level, with 90% of companies not having a single director with cyber security expertise. Board directors are able to address this issue by retaining outside expert advisors, upskilling board members or hiring new cyber security board directors.
Should your Organisation be Worried about Insider Threats?
Cyber crime is predicted to reach $10.5 trillion worth, making it a lucrative business venture for opportunist criminals. One of the threats companies face is insider threat; this is where the threat comes from within the organisation. Insider threat can include third-party vendors, business partners and others with access to an organisations systems and networks. The threat an insider poses is commonly thought of as malicious but it can also be negligent, where insiders haven’t received proper user education and awareness training. Worryingly, insider threat is rising and research has shown a significant amount of under-reporting; over 70% of insider attacks never reach the headlines. As such, it is difficult for organisations to gauge the risk of insider threats.
https://www.itsecurityguru.org/2023/03/17/should-your-organization-be-worried-about-insider-threats/
UK Ransomware Incident Volumes Surge 17% in 2022
According to recent research, attacker-reported ransomware incidents increased by 17% annually in the UK last year and 2023 is showing signs of a continual rise. With this continual rise, it is important for organisations to assess and build upon their cyber resilience.
https://www.infosecurity-magazine.com/news/uk-ransomware-incident-surge-17/
Financial Industry Hit by Rising Ransomware Attacks and BEC
According to a recent report by the Financial Services Information Sharing and Analysis Center (FS-ISAC) ransomware remained the biggest concern for the financial industry with an increase in attacks due to ransomware-as-a-service. Furthermore, FS-ISAC found a 300% increase in the number of business email compromise attacks from 2021 to 2022. Artificial intelligence was identified as an upcoming area of concern due to its ability to obfuscate detection.
55 zero-day Flaws Exploited Last Year Show the Importance of Security Risk Management
According to a report from intelligence provider Mandiant 55 zero-days were exploited in 2022 and 13 of those were used in cyber espionage attacks. Of the espionage attacks, 7 related to Chinese threat actors and 2 related to Russian threat actors. The report found that effective security management and patching remained the best protections for organisations.
Security Researchers Spot $36m BEC Attack
Security experts recently identified a single business email compromise attack which amounted to $36.4m. The attack in question contained an invoice, payment instructions, a forged letterhead and even cc’d a legitimate and well known company. The attacker also changed “.com” to “.cam” to imitate a domain. The total cost of BEC based on reported incidents is around $2.7 billion and this is excluding unreported incidents. Organisations should ensure that staff are adequately trained in identifying and reporting such attacks.
https://www.infosecurity-magazine.com/news/security-researchers-spot-36m-bec/
New Victims Come Forward After Mass Ransomware Attack
Russia-linked Ransomware gang “Clop” has claimed a mass hack of 130 organisations via the vendor GoAnywhere, with more victims coming forward. Clop adds names of victims to its dark web site, which is used to extort companies further by threatening to publish the stolen files unless a ransom is paid.
https://techcrunch.com/2023/03/22/fortra-goanywhere-ransomware-attack/
Ransomware Gangs’ Harassment of Victims is Increasing
Analysis by Palo Alto Networks found that harassment was a factor in 20% of ransomware cases, a significant jump from less than 1% in mid 2021. The harassment campaign by threat attackers is intended to make sure that ransom payments are met. This adds to the stress that organisations already face with ransomware incidents.
https://www.techrepublic.com/article/ransomware-gangs-harassment-victims-increasing/
Wartime Hacktivism is Spilling Over into the Financial Services Industry
The Financial Services Information Sharing and Analysis Center (FS-ISAC) has identified that financial firms in countries that Russia considers hostile have been singled out for attacks and these attacks are going to continue if the Russia and Ukraine war persists.
Threats
Ransomware, Extortion and Destructive Attacks
LockBit 3.0 Ransomware: Inside the Cyberthreat That's Costing Millions (thehackernews.com)
UK Ransomware Incident Volumes Surge 17% in 2022 - Infosecurity Magazine (infosecurity-magazine.com)
Banks, Financial Sector Hit By Rising Ransomware Attacks - Bloomberg
BianLian ransomware crew swaps encryption for extortion • The Register
New victims come forward after mass-ransomware attack | TechCrunch
Ransomware Gangs' Harassment of Victims Is Increasing (techrepublic.com)
LockBit ransomware gang now also claims City of Oakland breach (bleepingcomputer.com)
Free decryptor released for Conti-based ransomware following data leak | Tripwire
New 'Trigona' Ransomware Targets US, Europe, Australia - SecurityWeek
Ransomware Strongly Influencing SOC Modernization Strategies, Cybereason Research Shows - MSSP Alert
US govt agencies released an alert on the Lockbit 3.0 ransomware- Security Affairs
Security News This Week: Ring Is in a Standoff With Hackers | WIRED UK
CISA kicks off ransomware vulnerability pilot to help spot ransomware-exploitable flaws | CSO Online
Clop ransomware claims Saks Fifth Avenue, retailer says mock data stolen (bleepingcomputer.com)
Researchers Shed Light on CatB Ransomware's Evasion Techniques (thehackernews.com)
Why CISOs Are Looking to Lateral Security to Mitigate Ransomware | CIO
Dole discloses employee data breach after ransomware attack (bleepingcomputer.com)
Prevent Ransomware with Cyber security Monitoring (trendmicro.com)
Ferrari in a spin as crims steal customer data • The Register
Play ransomware gang hit Dutch shipping firm Royal Dirkzwager- Security Affairs
Hitachi Energy confirms data breach after Clop GoAnywhere attacks (bleepingcomputer.com)
City of Toronto confirms data theft, Clop claims responsibility (bleepingcomputer.com)
Phishing & Email Based Attacks
BEC – Business Email Compromise
Other Social Engineering; Smishing, Vishing, etc
2FA/MFA
Malware
Emotet malware now distributed in Microsoft OneNote files to evade defences (bleepingcomputer.com)
ChatGPT Polymorphic Malware Bypasses Endpoint Detection Filters (cybersecuritynews.com)
RAT developer arrested for infecting 10,000 PCs with malware (bleepingcomputer.com)
Google flags apps made by popular Chinese e-commerce giant as malware | TechCrunch
Mispadu Banking Trojan Targets Latin America: 90,000+ Credentials Stolen (thehackernews.com)
Custom 'Naplistener' Malware a Nightmare for Network-Based Detection (darkreading.com)
New ShellBot DDoS Malware Variants Targeting Poorly Managed Linux Servers (thehackernews.com)
Python info-stealing malware uses Unicode to evade detection (bleepingcomputer.com)
Mobile
Nexus: A New Rising Android Banking Trojan Targeting 450 Financial Apps (thehackernews.com)
The FBI Warns SIM Swapping Attacks Are Rising. What's That? - ReHack
Android apps are spying on you — with no easy way to stop them | Digital Trends
Your Samsung phone may have a big security flaw – here's how to stay safe | TechRadar
How to keep your phone safe from the scary Exynos modem vulnerability (androidpolice.com)
Botnets
Denial of Service/DoS/DDOS
New ‘HinataBot’ botnet could launch massive 3.3 Tbps DDoS attacks (bleepingcomputer.com)
Mirai Hackers Use Golang to Create a Bigger, Badder DDoS Botnet (darkreading.com)
New ShellBot DDoS Malware Variants Targeting Poorly Managed Linux Servers (thehackernews.com)
Internet of Things – IoT
Eufy security cam 'stored unique ID' of everyone filmed • The Register
Google sounds alarm on Samsung modem bugs in Android devices • The Register
EU Council extends product lifetime, clarifies scope in cyber security law – EURACTIV.com
Tesco to ditch Chinese-made CCTV cameras over security and human rights fears (telegraph.co.uk)
Data Breaches/Leaks
Complacency of staff to blame for data breaches (thesundaily.my)
Hitachi Energy confirms data breach after Clop GoAnywhere attacks (bleepingcomputer.com)
Data breaches cost businesses nearly $6M on average: Mastercard | CTV News
Healthcare provider ILS warns 4.2 million people of data breach (bleepingcomputer.com)
NBA is warning fans of a data breach after a third-party newsletter service hack- Security Affairs
Lowe’s Market chain leaves client data up for grabs- Security Affairs
Ferrari discloses data breach after receiving ransom demand (bleepingcomputer.com)
South Korea fines McDonalds for data leak from raw SMB share • The Register
A million at risk from user data leak at Korean beauty platform PowderRoom- Security Affairs
Organised Crime & Criminal Actors
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Fireblocks Discloses Critical Vulnerability in BitGo Ethereum Wallets - Decrypt
General Bytes Bitcoin ATMs hacked using zero-day, $1.5M stolen (bleepingcomputer.com)
Linus Tech Tips' YouTube Channel has been hacked by Crypto Scammers | OC3D News (overclock3d.net)
Insider Risk and Insider Threats
Should Your Organisation Be Worried About Insider Threats? - IT Security Guru
Top 5 Insider Threats to Look Out For in 2023- Security Affairs
Preventing Insider Threats in Your Active Directory (thehackernews.com)
Fraud, Scams & Financial Crime
Detecting face morphing: A simple guide to countering complex identity fraud - Help Net Security
‘My bank did not stop £6,500 payment to holiday scammers despite my pleas’ | Scams | The Guardian
The FBI Warns SIM Swapping Attacks Are Rising. What's That? - ReHack
Hackers inject credit card stealers into payment processing modules (bleepingcomputer.com)
Deepfakes
Insurance
SMBs don't see need for cyber insurance since they won't experience security incidents | ZDNET
Cyber insurance carriers expanding role in incident response | TechTarget
Supply Chain and Third Parties
Controlling Third-Party Data Risk Should Be a Top Cyber security Priority (darkreading.com)
Companies vulnerable to cyber-attack via suppliers - research | RNZ News
Why you should treat ChatGPT like any other vendor service - Help Net Security
MITRE Rolls Out Supply Chain Security Prototype (darkreading.com)
Software Supply Chain
Cloud/SaaS
How access management helps protect identities in the cloud | VentureBeat
Bitcoin ATM maker shuts cloud service after user hot wallets compromised (cointelegraph.com)
The cloud backlash has begun: Why big data is pulling compute back on premises | TechCrunch
Shouldering the Increasingly Heavy Cloud Shared-Responsibility Model (darkreading.com)
The hidden danger to zero trust: Excessive cloud permissions • Graham Cluley
New CISA tool detects hacking activity in Microsoft cloud services (bleepingcomputer.com)
4 Tips for Better AWS Cloud Workload Security (trendmicro.com)
Hybrid/Remote Working
Identity and Access Management
How access management helps protect identities in the cloud | VentureBeat
The impact of AI on the future of ID verification - Help Net Security
Preventing Insider Threats in Your Active Directory (thehackernews.com)
CISA, NSA push identity and access management framework as risks grow | SC Media (scmagazine.com)
API
Open Source
New ShellBot DDoS Malware Variants Targeting Poorly Managed Linux Servers (thehackernews.com)
Open Source Vulnerabilities Still Pose a Big Challenge for Security Teams (darkreading.com)
Passwords, Credential Stuffing & Brute Force Attacks
Social Media
BBC presses staff to uninstall TikTok from corporate kit • The Register
TikTok cannot be considered a private company: report • The Register
Five brutal hours for TikTok: CEO raked over coals amid privacy, security concerns | CyberScoop
Linus Tech Tips' YouTube Channel has been hacked by Crypto Scammers | OC3D News (overclock3d.net)
Training, Education and Awareness
Regulations, Fines and Legislation
Board Cyber Shortage: Don’t Get Caught Swimming Naked (forbes.com)
EU Council extends product lifetime, clarifies scope in cyber security law – EURACTIV.com
India’s infosec reporting rules observed by just 15 orgs • The Register
Why Organisations Need To Go Beyond Federal Cyber security Compliance Standards (forbes.com)
Governance, Risk and Compliance
How CISOs Can Work With the CFO to Get the Best Security Budget (darkreading.com)
How to best allocate IT and cyber security budgets in 2023 - Help Net Security
IT security spending to reach nearly $300 billion by 2026 - Help Net Security
Board Cyber Shortage: Don’t Get Caught Swimming Naked (forbes.com)
How Your Cyber security Strategy Enables Better Business (trendmicro.com)
55 zero-day flaws exploited last year show the importance of security risk management | CSO Online
How Can CISOs Connect With the Board of Directors? (darkreading.com)
Achieving The Five Levels Of Information Security Governance (forbes.com)
Enhance security while lowering IT overhead in times of recession - Help Net Security
Why organisations shouldn't fold to cyber criminal requests - Help Net Security
Models, Frameworks and Standards
Meta Proposes Revamped Approach to Online Kill Chain Frameworks (darkreading.com)
MITRE Rolls Out Supply Chain Security Prototype (darkreading.com)
Backup and Recovery
Data backup, security alerts, and encryption viewed as top security features - Help Net Security
Top 5 security risks for enterprise storage, backup devices - Help Net Security
Data Protection
Careers, Working in Cyber and Information Security
Law Enforcement Action and Take Downs
RAT developer arrested for infecting 10,000 PCs with malware (bleepingcomputer.com)
New York Man Arrested for Running BreachForums Cyber crime Website - SecurityWeek
Privacy, Surveillance and Mass Monitoring
Eufy security cam 'stored unique ID' of everyone filmed • The Register
Use of Meta tracking tools found to breach EU rules on data transfers | TechCrunch
How to protect online privacy in the age of pixel trackers - Help Net Security
Windows 11 Snipping Tool privacy bug exposes cropped image content (bleepingcomputer.com)
French govt clears AI facial scans for Paris Olympics • The Register
Artificial Intelligence
EU's AI regulation vote looms. We’re still not sure how unrestrained AI should be | Euronews
ChatGPT Leaves Governments Scrambling for AI Regulations - Bloomberg
ChatGPT Polymorphic Malware Bypasses Endpoint Detection Filters (cybersecuritynews.com)
Detecting face morphing: A simple guide to countering complex identity fraud - Help Net Security
We need to create guardrails for AI | Financial Times (ft.com)
GPT-4 devises plan to ‘escape’ by gaining control of a user's computer | Mint (livemint.com)
Mastercard strengthens customer security with new AI ‘Cyber Shield’ | Mastercard Newsroom
The impact of AI on the future of ID verification - Help Net Security
7 guidelines for identifying and mitigating AI-enabled phishing campaigns | CSO Online
Why you should treat ChatGPT like any other vendor service - Help Net Security
Mozilla launches a new startup focused on ‘trustworthy’ AI | TechCrunch
French govt clears AI facial scans for Paris Olympics • The Register
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
New Espionage Group 'YoroTrooper' Targeting Entities in European, CIS Countries - SecurityWeek
Palantir: NHS trusts ordered to share patient data with US ‘spy-tech’ firm | openDemocracy
Tesco to ditch Chinese-made CCTV cameras over security and human rights fears (telegraph.co.uk)
Purported Chinese warships interfering with passenger planes • The Register
Putin to staffers: throw out your iPhones over security • The Register
Russia-backed Iridium Hackers Set to Launch Attacks on Ukrainian Government Sites - MSSP Alert
Facebook Security Exec Seaford Hacked by Greek Predator Spyware (gizmodo.com)
BBC presses staff to uninstall TikTok from corporate kit • The Register
New 'Bad Magic' Cyber Threat Disrupt Ukraine's Key Sectors Amid War (thehackernews.com)
Hacker tied to DC Health Link breach says attack 'born out of Russian patriotism' | CyberScoop
Unknown actors target orgs in Russia-occupied Ukraine • The Register
Xi, Putin, declare intent to rule the world of AI, infosec • The Register
North Korean hackers using Chrome extensions to steal Gmail emails (bleepingcomputer.com)
Stealthy hacks show advancements in China's cyberespionage operations, researchers say | CyberScoop
Nation State Actors
New Espionage Group 'YoroTrooper' Targeting Entities in European, CIS Countries - SecurityWeek
Huawei Has Replaced Thousands of US-Banned Parts With Chinese Versions: Founder - SecurityWeek
Tesco to ditch Chinese-made CCTV cameras over security and human rights fears (telegraph.co.uk)
Purported Chinese warships interfering with passenger planes • The Register
TikTok cannot be considered a private company: report • The Register
Five brutal hours for TikTok: CEO raked over coals amid privacy, security concerns | CyberScoop
BBC presses staff to uninstall TikTok from corporate kit • The Register
Google flags apps made by popular Chinese e-commerce giant as malware | TechCrunch
Putin to staffers: throw out your iPhones over security • The Register
Russia-backed Iridium Hackers Set to Launch Attacks on Ukrainian Government Sites - MSSP Alert
New 'Bad Magic' Cyber Threat Disrupt Ukraine's Key Sectors Amid War (thehackernews.com)
Hacker tied to D.C. Health Link breach says attack 'born out of Russian patriotism' | CyberScoop
Unknown actors target orgs in Russia-occupied Ukraine • The Register
Xi, Putin, declare intent to rule the world of AI, infosec • The Register
The pressing threat of Chinese-made drones flying above US critical infrastructure | CyberScoop
Stealthy hacks show advancements in China's cyberespionage operations, researchers say | CyberScoop
Russian hacktivists deploy new AresLoader malware via decoy installers | CSO Online
Vulnerability Management
55 zero-day flaws exploited last year show the importance of security risk management | CSO Online
Hackers mostly targeted Microsoft, Google, Apple zero-days in 2022 (bleepingcomputer.com)
Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace | Mandiant
10 Vulnerabilities Types to Focus On This Year (darkreading.com)
Windows 11, Tesla, Ubuntu, and macOS hacked at Pwn2Own 2023 (bleepingcomputer.com)
Top 5 security risks for enterprise storage, backup devices - Help Net Security
Open Source Vulnerabilities Still Pose a Big Challenge for Security Teams (darkreading.com)
Vulnerabilities
Microsoft Outlook Vulnerability Could Be 2023's 'It' Bug (darkreading.com)
CVE-2023-23397 Outlook exploit: "A proliferation event" (thestack.technology)
Patch CVE-2023-23397 Immediately: What You Need To Know and Do (trendmicro.com)
Cisco fixed severe vulnerabilities in its IOS and IOS XE software- Security Affairs
Exploit released for Veeam bug allowing cleartext credential theft (bleepingcomputer.com)
Experts published PoC exploit code for Veeam Backup & Replication bug- Security Affairs
WordPress force patching WooCommerce plugin with 500K installs (bleepingcomputer.com)
Windows 11 bug warns Local Security Authority protection is off (bleepingcomputer.com)
Bitwarden addresses autofill issue that could be exploited to steal logins - gHacks Tech News
Hackers mostly targeted Microsoft, Google, Apple zero-days in 2022 (bleepingcomputer.com)
Microsoft’s blunders with new Windows 10 update are causing serious headaches | TechRadar
Microsoft: Defender update behind Windows LSA protection warnings (bleepingcomputer.com)
ZenGo uncovers 'red pill attack' vulnerability in popular Web3 apps (cointelegraph.com)
Windows 11 Snipping Tool privacy bug exposes cropped image content (bleepingcomputer.com)
If your Netgear Orbi router isn’t patched, you’ll want to change that pronto | Ars Technica
Attackers Are Probing for Zero-Day Vulns in Edge Infrastructure Products (darkreading.com)
Tools and Controls
Data backup, security alerts, and encryption viewed as top security features - Help Net Security
Majority of SMBs Lack Dedicated Cyber Experts, Incident Response Plan - MSSP Alert
55 zero-day flaws exploited last year show the importance of security risk management | CSO Online
Complacency of staff to blame for data breaches (thesundaily.my)
How access management helps protect identities in the cloud | VentureBeat
Why CISOs Should Prioritize Extended Detection & Response (XDR) - VMware Security Blog - VMware
The Ethics of Network and Security Monitoring (darkreading.com)
Fighting VPN criminalization should be Big Tech’s top priority, activists say | Ars Technica
How network perimeters secure enterprise networks | TechTarget
Top 5 security risks for enterprise storage, backup devices - Help Net Security
Other News
Web Fingerprinting gets frighteningly good: sees through VPNs and Incognito Mode - gHacks Tech News
Journalist plugs in unknown USB drive mailed to him—it exploded in his face | Ars Technica
What Is Shoulder Surfing? How Does It Affect Cyber security (informationsecuritybuzz.com)
Inside the DEA Tool Hackers Allegedly Used to Extort Targets (vice.com)
Top ways attackers are targeting your endpoints - Help Net Security
What Is a Dirty IP Address and How Does It Affect Your Security? (makeuseof.com)
Techno-nationalism explained: What you need to know (techtarget.com)
How Emerging Trends in Virtual Reality Impact Cyber security - IT Security Guru
Pipeline Cyber security Rules Show the Need for Public-Private Partnerships (darkreading.com)
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Insight 21 March 2023 – Attackers Mainly Focused on Zero-Days from Microsoft, Google and Apple in 2022
Black Arrow Cyber Insight 21 March 2023 – Attackers Mainly Focused on Zero-Days from Microsoft, Google and Apple in 2022
Executive Summary
Mandiant recently published their report on zero-day attacks in 2022. A zero-day attack is an attack that relates to a previously unknown vulnerability and for the third year running, Microsoft, Google and Apple were the most frequently targeted by zero-day attacks. The most exploited avenues of attack were operating systems and browsers.
What’s the risk to me or my business?
A significant number of users include Microsoft, Google and or Apple as part of their supply chain and must therefore be aware of vulnerabilities in these vendors. It is not unusual for an exploited zero-day vulnerability to have a delay between the time it is discovered and the time it is patched; although sometimes a workaround is released in the meantime. The delay between disclosure and patching can potentially contribute to many systems remaining unpatched for months and workarounds can create a false sense of security during this period. An unpatched system leaves an organisation’s data at risk from compromise.
What can I do?
It is increasingly important for organisations to efficiently and effectively prioritise their patching and understand their part in the process; this should include organisations being aware of which systems are awaiting a patch, and of these, which are critical. Organisations who use SaaS solutions typically benefit from the vendor deploying patches but organisations should not become complacent and should, where appropriate, seek assurance that systems are indeed patched up to date.
To be more cyber resilient, organisations should make use of threat intelligence as part of their attack surface management and understanding of actively exploited vulnerabilities.
The report conducted by Mandiant can be found here: https://www.mandiant.com/resources/blog/zero-days-exploited-2022
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Threat Briefing 17 March 2023
Black Arrow Cyber Threat Briefing 17 March 2023:
-Almost Half of IT Leaders Consider Security as an Afterthought
-Over $10bn Lost To Online Frauds, with Pig Butchering and Investment Scams Accounting for $3B, Overtaking BEC – FBI Report Says
-Over 721 Million Passwords Were Leaked in 2022
-How Much of a Cyber Security Risk are Suppliers?
-90% of £5m+ Businesses Hit by Cyber Attacks
-Rushed Cloud Migrations Result in Escalating Technical Debt
-17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up
-Microsoft Warns of Large-Scale Use of Phishing Kits
-BEC Volumes Double on Phishing Surge
-The Risk of Pasting Confidential Company Data in ChatGPT
-Ransomware Attacks have Entered a New Phase
-MI5 Launches New Agency to Tackle State-Backed Attacks
-Why Cyber Awareness Training is an Ongoing Process
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Almost Half of IT Leaders Consider Security as an Afterthought
A recent industry report found that security is an afterthought for almost half of UK IT leaders, despite 92% of respondents agreeing that security risks had risen in the last five years. Additionally, 48% of respondents felt that the rapid development of new tools had caused challenges around security. The concept of security as an afterthought is worrying when considering that 39% of UK businesses identified a cyber attack within the past 12 months.
Over $10bn Lost to Online Frauds, with Pig Butchering and Investment Scams Accounting for $3B, Overtaking BEC – FBI Report Says
According to the latest FBI crime report pig butchering now accounts for $3 billion of the $10 billion total lost to online fraud. Pig butchering is a rising investment scam that uses the promise of romance and the lure of making easy cryptocurrency profit against its unsuspecting targets. The concept of pig butchering is to “fatten up” the victim, with small returns on cryptocurrency and personal interactions, often with an element of romance; eventually, the victim is lured into making a larger investment with the scammer. In addition to pig butchering, other investment scams are growing in provenance and are set to overtake Business Email Compromise (BEC) as a major earner for cyber criminals.
Over 721 Million Passwords were Leaked in 2022
A report published this week discovered 721.5 million exposed credentials online in 2022. Additionally, the report identified 72% of users reusing previously compromised passwords. The study also uncovered 8.6 billion personally identifiable information assets, including 67 million credit card numbers which were publicly available.
https://www.neowin.net/news/study-over-721-million-passwords-were-leaked-in-2022/
How Much of a Cyber Security Risk are Suppliers?
When your business is digitally connected to a service provider, you need to understand how a cyber security attack on their business can affect yours. You can have all the right measures in place to manage your own cyber risks, but this doesn’t matter if there are undiscovered vulnerabilities in your supply chain. Organisations need to audit the cyber security of suppliers at several stages of their relationship; you may benefit from specialist cyber security support if you can’t do this in-house. Ask hard questions and consider advising your suppliers that if their cyber security is not enough then you may take your business elsewhere. Many businesses now require suppliers to be certified to schemes such as ISO 27001; demonstrating your security posture to your customers is an important ticket to trade.
https://www.thetimes.co.uk/article/how-much-of-a-cybersecurity-risk-are-my-suppliers-mqbwcf7p2
90% of £5m+ Businesses Hit by Cyber Attacks
A study from Forbes found that 57% of small and medium-sized enterprises had suffered an online attack. Businesses with an annual turnover in excess of £5 million were even more likely to experience a cyber crime with the figure rising to nearly 90% of firms of this size suffering a cyber attack. To make matters worse, the study found that a significant proportion of British businesses are without any form of protection against online attacks.
https://www.itsecurityguru.org/2023/03/13/nine-in-10-5m-businesses-hit-by-cyber-attacks/
Rushed Cloud Migrations Result in Escalating Technical Debt
A cloud service provider found 83% of CIO’s are feeling pressured to stretch their budgets even further than before. 72% of CIOs admitted that they are behind in their digital transformation because of technical debt and 38% believed the accumulation of this debt is largely because of rushed cloud migrations. Respondents believed these rushed migrations caused for miscalculations in the cloud budget, which resulted in significant overspend.
https://www.helpnetsecurity.com/2023/03/16/managing-cloud-costs/
Microsoft: 17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up
According to an intelligence report from Microsoft, Russia has been ramping up its cyber espionage operations and this now includes 17 European nations. Of all 74 countries targeted, the UK ranked third, after the US and Poland.
Microsoft Warns of Large-Scale Use of Phishing Kits
Microsoft have found that phishing kits are being purchased and used to perform millions of phishing emails every day. In their report, Microsoft found the availability of purchasing such phishing kits was part of the industrialisation of the cyber criminal economy and lowered the barrier of entry for cyber crime. Microsoft identified phishing kits which had the capability to bypass multi factor authentication selling for as little as $300. The emergence of AI is only going to compound this.
https://thehackernews.com/2023/03/microsoft-warns-of-large-scale-use-of.html
BEC Volumes Double on Phishing Surge
The number of Business Email Compromise (BEC) incidents doubled last year according to security provider Secureworks. In their report, they found that the main initial access vectors for BEC were phishing and systems with known vulnerabilities, with each accounting for a third of initial accesses.
https://www.infosecurity-magazine.com/news/bec-volumes-double-on-phishing/
The Risk of Pasting Confidential Company Data in ChatGPT
Researchers analysed the use of artificial intelligence tool ChatGPT and found that 4.9% of employees have provided company data to the tool; ChatGPT builds its knowledge on this and in turn, this knowledge is shared publicly. The risk is serious, with employees putting their organisation at risk of leaking sensitive and confidential information. The research found that 0.9% of employees are responsible for 80% of leaks caused by pasting company data into ChatGPT and this number is expected to rise.
https://securityaffairs.com/143394/security/company-data-chatgpt-risks.html
Ransomware Attacks have Entered a Heinous New Phase
With an increasing amount of victims refusing to pay, cyber criminal gangs are now resorting to new techniques; this includes the recent release of stolen naked photos of cancer patients and sensitive student records. Where encryption and a demand for payment were previously the de facto method for cyber criminals, this has now shifted to pure exfiltration. In a report, the FBI highlighted evolving and increasingly aggressive extortion behaviour, with actors increasingly threatening to release stolen data.
https://www.wired.com/story/ransomware-tactics-cancer-photos-student-records/
MI5 Launches New Agency to Tackle State-Backed Attacks
British intelligence agency MI5 have announced the creation of the National Protective Security Authority (NPSA), created as part of a major review of government defences. The NPSA is to operate out of MI5 and absorb and extend the responsibilities for the protection of national infrastructure. The NPSA will work with existing agencies such as the National Cyber Security Centre (NCSC) and the Counter Terrorism Security Office (CTSO) to provide defensive advice to UK organisations.
https://www.infosecurity-magazine.com/news/mi5-new-agency-tackle-statebacked/
Why Cyber Awareness Training is an Ongoing Process
A survey conducted by Hornetsecurity found that 80% of respondents believed remote working introduced extra cyber security risks and 75% were aware that personal devices are used to access sensitive data, fuelling the need for employees to be cyber aware. Where IT security training is only undertaken once, for example in block training, it is likely that participants will have forgotten a lot of the content after as little as a week; this means that for organisations to get the most out of training, they need to conduct frequent awareness training. By conducting frequent training there is more chance of trainees retaining the training content and allowing the organisation to shape a culture of cyber security.
Threats
Ransomware, Extortion and Destructive Attacks
BianLian Ransomware Pivots From Encryption to Pure Data-Theft Extortion (darkreading.com)
Rise of Ransomware Attacks Main Focus for SOCs, research finds - IT Security Guru
FBI: Ransomware hit 860 critical infrastructure orgs in 2022 (bleepingcomputer.com)
Microsoft fixes Windows zero-day exploited in ransomware attacks (bleepingcomputer.com)
Clop ransomware gang begins extorting GoAnywhere zero-day victims (bleepingcomputer.com)
Staples-owned Essendant facing multi-day "outage," orders frozen (bleepingcomputer.com)
CISA now warns critical infrastructure of ransomware-vulnerable devices (bleepingcomputer.com)
Dissecting the malicious arsenal of the Makop ransomware gang- - Security Affairs
Blackbaud agrees to pay $3m to settle SEC ransomware probe • The Register
Ransomware Gang Claims It Hacked Amazon's Ring (gizmodo.com)
5 Reasons MSSP Clients Need Strong AppSec Strategies to Thwart Ransomware - MSSP Alert
Dish customers kept in the dark as ransomware fallout continues | TechCrunch
Cancer patient sues hospital over stolen naked photos • The Register
ChipMixer platform seized for laundering ransomware payments, drug sales (bleepingcomputer.com)
Kaspersky Updates Decryption Tool for Conti Ransomware - MSSP Alert
Conti-based ransomware ‘MeowCorp’ gets free decryptor (bleepingcomputer.com)
Universities and colleges cope silently with ransomware attacks | CSO Online
Phishing & Email Based Attacks
Software for sale is fueling a torrent of phishing attacks that bypass MFA | Ars Technica
Cyber criminals Devising More Tactics For Phishing Attacks (informationsecuritybuzz.com)
6 reasons why your anti-phishing strategy isn’t working | CSO Online
Cyberthreat On New Email By Exotic Lily (informationsecuritybuzz.com)
Botnet that knows your name and quotes your email is back with new tricks | Ars Technica
Analysts Spot a Wave of SVB-Related Cyber Fraud Striking the Business Sector (darkreading.com)
How two-step phishing attacks evade detection and what you can do about it - Help Net Security
BEC – Business Email Compromise
Pig Butchering & Investment Scams: The $3B Cyber crime Threat Overtaking BEC (darkreading.com)
Organizations need to re-examine their approach to BEC protection - Help Net Security
BEC Volumes Double on Phishing Surge - Infosecurity Magazine (infosecurity-magazine.com)
2FA/MFA
Outlook app to get built-in Microsoft 365 MFA on Android, iOS (bleepingcomputer.com)
Software for sale is fuelling a torrent of phishing attacks that bypass MFA | Ars Technica
Malware
Microsoft OneNote to get enhanced security after recent malware abuse (bleepingcomputer.com)
New Version of Prometei Botnet Infects Over 10,000 Systems Worldwide (thehackernews.com)
Malware Targets People Looking to Pirate Oscar-Nominated Films (darkreading.com)
Law enforcement seized the website selling the NetWire RAT- - Security Affairs
BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads (thehackernews.com)
Warning: AI-generated YouTube Video Tutorials Spreading Infostealer Malware (thehackernews.com)
Emotet attempts to sell access after infiltrating high-value networks | SC Media (scmagazine.com)
Emotet, QSnatch Malware Dominate Malicious DNS Traffic (darkreading.com)
Winter Vivern APT hackers use fake antivirus scans to install malware (bleepingcomputer.com)
Chinese and Russian Hackers Using SILKLOADER Malware to Evade Detection (thehackernews.com)
New malware sample of defunct TeamTNT threat group raises concerns | SC Media (scmagazine.com)
Adobe Acrobat Sign abused to push Redline info-stealing malware (bleepingcomputer.com)
Mobile
Xenomorph Android malware now steals data from 400 banks (bleepingcomputer.com)
GoatRAT Android Banking Trojan Targets Mobile Automated Payment System (darkreading.com)
WhatsApp Tells UK Government It’s Still Not Willing To Undermine Its Encryption | Techdirt
Convincing Twitter 'quote tweet' phone scam targets bank customers (bleepingcomputer.com)
Google Warns Samsung and Pixel Phone Owners About 18 Dire Exploits - CNET
FakeCalls Android malware returns with new ways to hide on phones (bleepingcomputer.com)
Botnets
New Version of Prometei Botnet Infects Over 10,000 Systems Worldwide (thehackernews.com)
Botnet that knows your name and quotes your email is back with new tricks | Ars Technica
Denial of Service/DoS/DDOS
Internet of Things – IoT
Researchers Uncover Over a Dozen Security Flaws in Akuvox E11 Smart Intercom (thehackernews.com)
Tesla App Lets Man Accidentally Steal Model 3 That Wasn't His (gizmodo.com)
Data Breaches/Leaks
Negative Impacts of Data Loss and How to Avoid Them - MSSP Alert
Mental health provider Cerebral alerts 3.1M people of data breach (bleepingcomputer.com)
BMW exposes data of clients in Italy, experts warn- - Security Affairs
Acronis states that only one customer's account was compromised- - Security Affairs
Security giant Rubrik says hackers used Fortra zero-day to steal internal data | TechCrunch
LA Housing Authority Suffers Year-Long Breach - Infosecurity Magazine (infosecurity-magazine.com)
Hacker selling data allegedly stolen in US Marshals Service hack (bleepingcomputer.com)
Organised Crime & Criminal Actors
Cyber crime Losses Exceeded $10 Billion in 2022: FBI - SecurityWeek
Nine In 10 £5m+ Businesses Hit By Cyber Attacks - IT Security Guru
CISA: Federal civilian agency hacked by nation-state and criminal hacking groups | CyberScoop
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
FBI Warns of Crypto-Stealing Play-to-Earn Games - Infosecurity Magazine (infosecurity-magazine.com)
Massive vulnerabilities revealed at Dogecoin, Litecoin, Zcash | Fortune Crypto
UK Crypto Firm Loses $200m in Cyber-Attack - Infosecurity Magazine (infosecurity-magazine.com)
One of the darkweb’s largest cryptocurrency laundromats washed out | Europol (europa.eu)
UK Bank Limits Crypto Payments to Smother Fraud - Infosecurity Magazine (infosecurity-magazine.com)
CrowdStrike discovered the first-ever Dero crypto mining campaign- - Security Affairs
Claim: FTX leaders helped themselves to $3.2B in cash • The Register
Feds charge exiled Chinese billionaire over crypto fraud • The Register
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
Cyber crime Losses Exceeded $10 Billion in 2022: FBI - SecurityWeek
Nine In 10 £5m+ Businesses Hit By Cyber Attacks - IT Security Guru
ChatGPT fraud is on the rise: Here's what to watch out for | ZDNET
Analysts Spot a Wave of SVB-Related Cyber Fraud Striking the Business Sector (darkreading.com)
The SVB demise is a fraudster's paradise, so take precautions - Help Net Security
Fighting financial fraud through fusion centers - Help Net Security
UK Crypto Firm Loses $200m in Cyber-Attack - Infosecurity Magazine (infosecurity-magazine.com)
UK Bank Limits Crypto Payments to Smother Fraud - Infosecurity Magazine (infosecurity-magazine.com)
Convincing Twitter 'quote tweet' phone scam targets bank customers (bleepingcomputer.com)
Claim: FTX leaders helped themselves to $3.2B in cash • The Register
Feds charge exiled Chinese billionaire over crypto fraud • The Register
Impersonation Attacks
Deepfakes
AML/CFT/Sanctions
One of the darkweb’s largest cryptocurrency laundromats washed out | Europol (europa.eu)
Russia’s Cyber security Companies Shrug Off Sanctions - CEPA
Dark Web
Supply Chain and Third Parties
Top 10 operational risks: focus on third-party risk - Risk.net
How much of a cyber security risk are my suppliers? (thetimes.co.uk)
Software Supply Chain
We can't wait for SBOMs to be demanded by regulation - Help Net Security
Best practices for securing the software application supply chain - Help Net Security
Cloud/SaaS
Rushed cloud migrations result in escalating technical debt - Help Net Security
CrowdStrike report shows identities under siege, cloud data theft up | VentureBeat
How to Apply NIST Principles to SaaS in 2023 (thehackernews.com)
Hybrid/Remote Working
Attack Surface Management
Identity and Access Management
Access Control Gap in Microsoft Active Directory Widens Enterprise Attack Surface (darkreading.com)
Navigating the future of digital identity - Help Net Security
Encryption
Google Proposes Reducing TLS Cert Life Span to 90 Days (darkreading.com)
WhatsApp Tells UK Government It’s Still Not Willing To Undermine Its Encryption | Techdirt
Passwords, Credential Stuffing & Brute Force Attacks
Poor Passwords Still Weakest Link Hackers Seek, Report Reveals - MSSP Alert
Study: Over 721 million passwords were leaked in 2022 - Neowin
Social Media
UK bans TikTok from government mobile phones | TikTok | The Guardian
Convincing Twitter 'quote tweet' phone scam targets bank customers (bleepingcomputer.com)
Malvertising
Training, Education and Awareness
Regulations, Fines and Legislation
WhatsApp Tells UK Government It’s Still Not Willing To Undermine Its Encryption | Techdirt
The US cyber security strategy won’t address today’s threats with regulation alone | CyberScoop
Governance, Risk and Compliance
Make Sure Your Cyber security Budget Stays Flexible (darkreading.com)
Getting cyber security right requires a change of mindset | The Strategist (aspistrategist.org.au)
6 principles for building engaged security governance | TechTarget
Models, Frameworks and Standards
How to Apply NIST Principles to SaaS in 2023 (thehackernews.com)
Meet Data Privacy Mandates With Cyber security Frameworks (darkreading.com)
Data Protection
Law Enforcement Action and Take Downs
International authorities bring NetWire's malware infrastructure to a standstill | TechSpot
One of the darkweb’s largest cryptocurrency laundromats washed out | Europol (europa.eu)
Privacy, Surveillance and Mass Monitoring
German states rethink reliance on Palantir technology | Financial Times (ft.com)
Consumers Believe Vendors Don't Adequately Protect Their Personal Data, Report Finds - MSSP Alert
Meet Data Privacy Mandates With Cyber security Frameworks (darkreading.com)
Artificial Intelligence
Warning: AI-generated YouTube Video Tutorials Spreading Infostealer Malware (thehackernews.com)
ChatGPT and the Growing Threat of Bring Your Own AI to the SOC - SecurityWeek
How Businesses Can Get Ready for AI-Powered Security Threats (darkreading.com)
UK spy agency warns of security threat from ChatGPT and rival chatbots | Metro News
Why red team exercises for AI should be on a CISO's radar | CSO Online
GPT-4 Can’t Stop Helping Hackers Make Cyber criminal Tools (forbes.com)
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
Microsoft: Russian hackers may be readying new wave of destructive attacks | CyberScoop
UK bans TikTok from government mobile phones | TikTok | The Guardian
Microsoft: 17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up - SecurityWeek
Russians told to rush to nuclear bomb shelters after hackers take over state media (telegraph.co.uk)
Remcos Trojan Linked to Cyber Espionage Operations Against Ukrainian Government - MSSP Alert
YoroTrooper cyber spies target CIS energy orgs, EU embassies (bleepingcomputer.com)
China sought control of telecoms to spy on Micronesia • The Register
Russia disinformation looks to US far right to weaken Ukraine support | Russia | The Guardian
This Is the New Leader of Russia's Infamous Sandworm Hacking Unit | WIRED
Russia’s Cyber security Companies Shrug Off Sanctions - CEPA
Polish intelligence dismantled a network of Russian spies- Security Affairs
Microsoft sheds light on a year of Russian hybrid warfare in Ukraine- Security Affairs
Wave of Stealthy China Cyber attacks Hits US., Private Networks, Google Says - WSJ
Russian hackers plotting another cyber attack against Ukraine - Microsoft (ukrinform.net)
Here's how Chinese spies exploited a critical Fortinet bug • The Register
Nation State Actors
UK bans TikTok from government mobile phones | TikTok | The Guardian
North Korean hackers used polished LinkedIn profiles to target security researchers | CyberScoop
A new Chinese era: security and control | Financial Times (ft.com)
Russians told to rush to nuclear bomb shelters after hackers take over state media (telegraph.co.uk)
Attacks on SonicWall appliances linked to Chinese campaign: Mandiant | CSO Online
Remcos Trojan Linked to Cyber Espionage Operations Against Ukrainian Government - MSSP Alert
Microsoft fixes Outlook zero-day used by Russian hackers since April 2022 (bleepingcomputer.com)
China sought control of telecoms to spy on Micronesia • The Register
CISA: Federal civilian agency hacked by nation-state and criminal hacking groups | CyberScoop
APT29 abuses EU information exchange systems in recent attacks- Security Affairs
Chinese and Russian Hackers Using SILKLOADER Malware to Evade Detection (thehackernews.com)
Russia disinformation looks to US far right to weaken Ukraine support | Russia | The Guardian
This Is the New Leader of Russia's Infamous Sandworm Hacking Unit | WIRED
Russia’s Cyber security Companies Shrug Off Sanctions - CEPA
Microsoft sheds light on a year of Russian hybrid warfare in Ukraine- Security Affairs
Wave of Stealthy China Cyber attacks Hits US., Private Networks, Google Says - WSJ
Russian hackers plotting another cyber attack against Ukraine - Microsoft (ukrinform.net)
Here's how Chinese spies exploited a critical Fortinet bug • The Register
Vulnerabilities
Critical Microsoft Outlook/365 bug CVE-2023-23397 under attack (thestack.technology)
Critical Microsoft Outlook bug PoC shows how easy it is to exploit (bleepingcomputer.com)
Microsoft fixes Outlook zero-day used by Russian hackers since April 2022 (bleepingcomputer.com)
Microsoft and Fortinet fix bugs under active exploit • The Register
CISA warns of actively exploited Plex bug after LastPass breach (bleepingcomputer.com)
Cisco fixed CVE-2023-20049 DoS flaw affecting enterprise routers- Security Affairs
Massive vulnerabilities revealed at Dogecoin, Litecoin, Zcash | Fortune Crypto
SAP releases security updates fixing five critical vulnerabilities (bleepingcomputer.com)
Adobe Warns of ‘Very Limited Attacks’ Exploiting ColdFusion Zero-Day - SecurityWeek
Microsoft fixes Windows zero-day exploited in ransomware attacks (bleepingcomputer.com)
Microsoft March 2023 Patch Tuesday fixes 2 zero-days, 83 flaws (bleepingcomputer.com)
Firefox 111 patches 11 holes, but not 1 zero-day among them… – Naked Security (sophos.com)
Microsoft Pins Outlook Zero-Day Attacks on Russian Actor, Offers Detection Script - SecurityWeek
Cyber attackers Continue Assault Against Fortinet Devices (darkreading.com)
Security firm Rubrik is latest to be felled by GoAnywhere vulnerability | Ars Technica
Google Warns Samsung and Pixel Phone Owners About 18 Dire Exploits - CNET
Microsoft shares script to fix WinRE BitLocker bypass flaw (bleepingcomputer.com)
Here's how Chinese spies exploited a critical Fortinet bug • The Register
Tools and Controls
Make Sure Your Cyber security Budget Stays Flexible (darkreading.com)
What Is a Stateful Inspection Firewall? Ultimate Guide (enterprisestorageforum.com)
Set up PowerShell script block logging for added security | TechTarget
Brazil seizing Flipper Zero shipments to prevent use in crime (bleepingcomputer.com)
Outlook app to get built-in Microsoft 365 MFA on Android, iOS (bleepingcomputer.com)
5 Reasons MSSP Clients Need Strong AppSec Strategies to Thwart Ransomware - MSSP Alert
5 Steps to Effective Cloud Detection and Response - The New Stack
Virtual patching: Cut time to patch from 250 days to (helpnetsecurity.com)
ChatGPT may be a bigger cyber security risk than an actual benefit (bleepingcomputer.com)
Change Is Coming to the Network Detection and Response (NDR) Market (darkreading.com)
Rise of Ransomware Attacks Main Focus for SOCs, research finds - IT Security Guru
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Advisory 15 March 2023 – Microsoft Patch Tuesday, Fortinet, Adobe, SAP, Android and Chrome Security Updates Summary
Black Arrow Cyber Advisory 15 March 2023 – Microsoft Patch Tuesday, Fortinet, Adobe, SAP, Android and Chrome Security Updates Summary
Executive Summary
Security updates have been released for Microsoft, Fortinet, Adobe, SAP, Google Chrome and Android to fix a range of security issues.
Microsoft
Microsoft’s March Patch Tuesday provides updates to address 74 security issues across its product range, including two actively exploited vulnerabilities (CVE-2023-23397 and CVE-2023-24880). The two exploited vulnerabilities include an elevation of privilege vulnerability and a security bypass feature. Also among the updates provided by Microsoft were 9 critical vulnerabilities.
What’s the risk to me or my business?
The actively exploited vulnerabilities could allow an attacker to bypass security features to upload malicious files, remotely execute code and gain SYSTEM privileges; all of which could compromise the confidentiality, integrity and availability of data stored by an organisation.
What can I do?
Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the actively exploited vulnerabilities and all other vulnerabilities that have a critical severity rating.
Technical Summary
The following is a breakdown of the actively exploited vulnerabilities which affected Microsoft Operating Systems:
CVE-2023-23397: A vulnerability which allows specially crafted emails to force a victim device to connect to an external location of attacker control, providing the attacker with the victims’ authentication details. The email does not need to be read in the preview pane as the vulnerability is triggered when it is received and processed by the email server.
Please see our earlier advisory on this particular actively exploited vulnerability.
CVE-2023-24880: A vulnerability that allows an attacker to craft a malicious file which evades mark of the web (MOTW) security features and is actively being exploited in ransomware attacks.
Along with Microsoft’s patch Tuesday, the following vendors have also addressed vulnerabilities this month:
Fortinet
As reported in our blog previously, Fortinet disclosed 15 vulnerabilities this month; this includes the actively exploited vulnerability CVE-2022-41328. This vulnerability is a path transversal vulnerability in FortiOS which can allow a privileged actor to read and write files via crafted command line interface commands. The vulnerability is actively being exploited against governments and large organisations.
Adobe
This month, Adobe released fixes for 105 vulnerabilities across Adobe Creative Cloud Desktop, ColdFusion, Dimension, Experience Manager, Illustrator and Photoshop. At current, Adobe is not aware of any of these vulnerabilities being actively exploited. The vulnerabilities include remote code execution, memory leak, privilege escalation and security bypass.
SAP
Sap have released fixes for 21 vulnerabilities, including code injection and improper access control vulnerabilities. A total of 9 vulnerabilities were given the “Hot News” priority, which is the highest priority according to SAP.
-Android
Android addressed 60 vulnerabilities this month. Amongst the vulnerabilities are two critical remote code execution vulnerabilities CVE-2023-20951 and CVE-2023-20954.
-Chrome
Google addressed 40 vulnerabilities in the Chrome Web Browser, with 8 vulnerabilities rated as high-severity.
Further details of the updates within Microsoft’s March patch Tuesday can be found here: https://www.ghacks.net/2023/03/14/microsoft-windows-security-updates-march-2023-what-you-need-to-know-before-installation/
Further details of CVE-2023-23397 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23397
Further details of CVE-2023-24880 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-24880
Further details of CVE-2022-41328 can be found here: https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis
Further details of the vulnerabilities addressed by Fortinet can be found here: https://www.fortiguard.com/psirt-monthly-advisory/march-2023-vulnerability-advisories
Further details of the vulnerabilities addressed by SAP can be found here: https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10
Further details of the vulnerabilities addressed by Adobe Creative Cloud Desktop can be found here: https://helpx.adobe.com/security/products/creative-cloud/apsb23-21.html
Further details of the vulnerabilities addressed in Adobe ColdFusion can be found here: https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html
Further details of the vulnerabilities addressed in Adobe Dimension can be found here: https://helpx.adobe.com/security/products/dimension/apsb23-20.html
Further details of the vulnerabilities addressed in Adobe Experience Manager can be found here: Adobe Security Bulletin
Further details of the vulnerabilities addressed in Adobe Illustrator can be found here: https://helpx.adobe.com/security/products/illustrator/apsb23-19.html
Further details of the vulnerabilities addressed in Adobe Photoshop can be found here: https://helpx.adobe.com/security/products/photoshop/apsb23-23.html
Further details of the vulnerabilities addressed in Adobe Substance 3D Stager can be found here: https://helpx.adobe.com/security/products/substance3d_stager/apsb23-22.html
Further details of the Android vulnerabilities can be found here: https://source.android.com/docs/security/bulletin/2023-03-01#2023-03-05-security-patch-level-vulnerability-details
Further details of the vulnerabilities addressed by Google can be found here: https://chromereleases.googleblog.com/2023/03/stable-channel-update-for-desktop.html
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Advisory 15 March 2023 – Microsoft Releases Patch for Critical Outlook/365 Vulnerability Under Active Exploitation
Black Arrow Cyber Advisory 15 March 2023 – Microsoft Releases Patch for Critical Outlook/365 Vulnerability Under Active Exploitation
Executive Summary
This week Microsoft released a patch for a critical actively exploited privilege escalation vulnerability in Microsoft Outlook. The vulnerability is tracked as CVE-2023-23397.
What’s the risk to me or my business?
Successful exploitation of the vulnerabilities could allow an attacker to gain authentication details from a targeted machine. These details can then be relayed to other systems or brute-forced offline, leading to compromise of the account.
Technical Summary:
The vulnerability allows an attacker to craft malicious emails which force a target device to connect to a remote UNC of the attackers choice. A UNC is a path that can be used to access network resources. Upon connection, the Net-NTLMv2 hash, which is a hash of the victim’s password is leaked to the attacker. The attacker can then relay this hash to authenticate as the victim on other services or decode the hash offline. At no point does the email need to be previewed or opened, it is triggered as soon as it is received and processed by the email server.
What can I do?
It is recommended that organisations apply the latest patches as soon as possible as this vulnerability is recorded as actively exploited. In their analysis, Microsoft recorded that this vulnerability was exploited by Strontium, a state-sponsored Russian hacking group. Organisations using strictly off-premises solutions are not impacted.
Further information on CVE-2023-23397 can be found here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Threat Briefing 10 March 2023
Black Arrow Cyber Threat Briefing 10 March 2023:
-Business Email Compromise Attacks Can Take Just Hours
-Research Reveals ‘Password’ is Still the Most Common Term used by Hackers to Breach Enterprise Networks
-Just 10% of Firms Can Resolve Cloud Threats in an Hour
-MSPs in the Crosshair of Ransomware Gangs
-Stolen Credentials Increasingly Empower the Cyber Crime Underground
-It’s Time to Assess the Potential Dangers of an Increasingly Connected World
-Mounting Cyber Threats Mean Financial Firms Urgently Need Better Safeguards
-Developers Leaked 10m Credentials Including Passwords in 2022
-Cyber Threat Detections Surges 55% In 2022
-European Central Bank Tells Banks to Run Cyber Stress Tests after Rise in Hacker Attacks
-Employees Are Feeding Sensitive Business Data to ChatGPT
-Is Ransomware Declining? Not So Fast Experts Say
-Preventing Corporate Data Breaches Starts With Remembering That Leaks Have Real Victims
-Faced With Likelihood of Ransomware Attacks, Businesses Still Choosing to Pay Up
-Experts See Growing Need for Cyber Security Workers as One in Six Jobs go Unfilled
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber threat intelligence experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Business Email Compromise Attacks Can Take Just Hours
Microsoft’s security intelligence team found that Business Email Compromise (BEC) attacks are moving rapidly, with some taking mere minutes. Microsoft found the whole process, from signing in using compromised credentials to registering typo squatting domains and hijacking an email thread, took threat actors only a couple of hours. Such a rapid attack leaves minimal time for organisations to identify and take preventative action. This is worrying when considering the cost of BEC is predicted to more than tens of billions.
Research Reveals ‘Password’ is Still the Most Common Term used by Hackers to Breach Enterprise Networks
In a report of over 800 million breached passwords, vendor Specops identified some worrying results. Some of the key findings from the report include 88% of passwords used in successful attacks consisting of 12 characters or less and the most common base terms used in passwords involving ‘password’, ‘admin’, ‘welcome’ and ‘p@ssw0rd’. The report found that 83% of the compromised passwords satisfied both the length and complexity requirements of cyber security compliance standards such as NIST, GDPR, HIPAA and Cyber Essentials.
Just 10% of Firms Can Resolve Cloud Threats in an Hour
Two-thirds (39%) of global organisations reported a surge in breaches over the past year, with IT complexity increasing and detection and response capabilities worsening, according to Palo Alto Networks. It found that as enterprises move more of their data and workloads to the cloud, they’re finding it increasingly difficult to discover and remediate incidents quickly. Over two-fifths (42%) reported an increase in mean time to remediate, while 90% said they are unable to detect, contain and resolve cyber-threats within an hour. Nearly a third (30%) reported a major increase in intrusion attempts and unplanned downtime. Part of the challenge appears to be the complexity of their cloud security environments – partly caused by tool bloat.
https://www.infosecurity-magazine.com/news/10-firms-resolve-cloud-threats-hour/
MSPs in the Crosshairs of Ransomware Gangs
Many attacks have heightened attention around third-party risk and the security obligations of MSPs in meeting multiple customers’ IT needs. Attacks such as the ones on RackSpace and LastPass show that some ransomware actors are now intentionally targeting MSPs to access sensitive customer data. It is now believed that some advanced persistent threat (APT) groups could be stepping up their attacks on MSP’s in order to gain sensitive customer data.
https://www.msspalert.com/cybersecurity-research/msps-in-the-crosshairs-of-ransomware-gangs/
Stolen Credentials Increasingly Empower the Cyber Crime Underground
Threat Intelligence provider Flashpoint found that last year threat actors exposed or stole 22.62 billion credentials and personal records, which often make their way to underground forums and cyber criminal markets. This follows a significant increase in market activity; just last year Flashpoint recorded 190 new illicit markets emerge and the continual rise in attacks focused on stealing credentials only further empowers cyber crime underground.
It’s Time to Assess the Potential Dangers of an Increasingly Connected World
As global conflicts continue, cyber has become the fifth front of warfare. The world is approaching 50 billion connected devices, controlling everything from our traffic lights to our nuclear arsenal and we have already seen large-scale cyber attacks. Adding to this, a multitude of infrastructure runs on services ran by a handful of companies; Palo Alto Networks, Cisco and Fortinet control more than 50% of the market for security appliances. As such, an attack on one of these companies could cause a huge ripple effect on their customers.
Mounting Cyber Threats Mean Financial Firms Urgently Need Better Safeguards
According to the International Monetary Fund (IMF) 64% of banks and supervisory authorities do not mandate testing and exercising cyber security and 54% lack dedicated a cyber incident reporting regime. This increases the risk of experiencing a cyber attack. Regularly testing and exercising security will aid any organisation in its cyber resilience.
Insider Threat: Developers Leaked 10m Credentials Including Passwords in 2022
Security provider GitGuardian found that the rate at which developers leaked critical software secrets jumped by 0.5 to reach 5.5 out of every 1,000 commits to GitHub repositories; overall, this amounted to at least 10 million instances of secrets leaking to a public repository. Generic passwords accounted for the majority of leaked secrets (56%) and more than a third (38%) of leaks involved API keys, random number generator seeds and other sensitive strings. These leaks can have worrying consequences for organisations.
Cyber Threat Detections Surges 55% In 2022
Security Provider Trend Micro has said that it stopped 146 billion cyber threats in 2022, a 55% increase on the previous year and evidence of the increase of attacks ramping up. Trend Micro also found a 242% increase in the number of blocked malicious files and an 86% increase in backdoor malware detections with the latter showing an increase in attackers gaining initial access. Furthermore, the number of critical vulnerabilities in 2022 doubled compared to the previous year. Trend Micro noted that this is all likely due to an ever expanding attack surface of organisations.
https://www.infosecurity-magazine.com/news/cyberthreat-detections-surge-55/
European Central Bank Tells Banks to Run Cyber Stress Tests after Rise in Hacker Attacks
The European Central Bank (ECB) will ask all major lenders in the Eurozone to detail by next year, how they would respond to and recover from a successful cyber attack. The ECB is in the process of designing a scenario involving a theoretical breach of the financial system’s cyber defences, which will be sent to all of the 111 banks it assesses to see how they would react. The stress test stems from the increasing amount of cyber attacks. If cyber has shown us anything, it’s that anyone can be a target and performing a stress test would help any organisation prepare for the worst.
https://www.ft.com/content/f03d68a4-fdb9-4312-bda3-3157d369a4a6
Employees Are Feeding Sensitive Business Data to ChatGPT
1 in 20 employees have put sensitive corporate data into popular AI tool ChatGPT, raising concerns that this could result in massive leaks of proprietary information. In some cases, this has involved employees cutting and pasting strategic documents and asking ChatGPT to make a PowerPoint.
Is Ransomware Declining? Not So Fast Experts Say
Security provider CrowdStrike have explained that the perceived decline in ransomware reflects the abilities of threat actors to adapt, splinter and regroup against defensive measures. CrowdStrike expand on this, stating that whilst ransom payments dipped slightly in 2022, there was an uprise in data extortion and ransomware as a service (RaaS).
Preventing Corporate Data Breaches Starts with Remembering that Leaks have Real Victims
The impact a data breach can have on an individual is devastating and ultimately there’s not much an individual can do themselves if the organisation that holds their data isn’t taking the right steps. To best protect themselves and their clients’ data, organisations should look to have appropriate defence in depth controls, including effective asset management, an open security culture, close monitoring of access, utilising strong authentication and maintaining an awareness of the ever changing threat landscape.
https://www.helpnetsecurity.com/2023/03/07/preventing-corporate-data-breaches/
Faced With Likelihood of Ransomware Attacks, Businesses Still Choosing to Pay Up
In a recent report Proofpoint found that globally 76% of organisations experienced ransomware attempts, with 64% eventually infected. Amongst those that had a cyber insurance policy, 82% of insurers stepped up to pay the ransom either in full or partially. The report found that with the rise in number and sophistication of attacks it is more important than ever for proper security training and awareness in organisations.
Experts See Growing Need for Cyber Security Workers as One in Six Jobs go Unfilled
A report by the Information and Communications Technology Council (ICTC) found that 1 in 6 cyber security jobs are unfulfilled and this is only expected to grow in the coming years. The ICTC stated that “This is not just about education or government funding, but about companies willing to provide hands-on training and experience to the next generation of cyber security experts”.
Threats
Ransomware, Extortion and Destructive Attacks
Faced with likelihood of ransomware attacks, businesses still choosing to pay up | ZDNET
Is ransomware declining? Not so fast, experts say | TechTarget
FBI and CISA warn of increasing Royal ransomware attack risks (bleepingcomputer.com)
City of Oakland Faces Major Data Leak - Infosecurity Magazine (infosecurity-magazine.com)
Indigo Books Refuses LockBit Ransomware Demand (darkreading.com)
Core Members of DoppelPaymer Ransomware Gang Targeted in Germany and Ukraine (thehackernews.com)
Ransom House ransomware attack hit Hospital Clinic de Barcelona- - Security Affairs
Security Patch Management Strengthens Ransomware Defence (trendmicro.com)
Ransomware gang posts video of data stolen from Minneapolis schools (bleepingcomputer.com)
IceFire ransomware now encrypts both Linux and Windows systems (bleepingcomputer.com)
Examining Ransomware Payments From a Data-Science Lens (trendmicro.com)
Cyble — BlackSnake Ransomware Emerges from Chaos Ransomware's Shadow
Phishing & Email Based Attacks
AI is taking phishing attacks to a whole new level of sophistication - Help Net Security
Catches of the Month: Phishing Scams for March 2023 - IT Governance UK Blog
BEC – Business Email Compromise
Other Social Engineering; Smishing, Vishing, etc
Experts Warn of "SMS Pumping" Fraud Epidemic - Infosecurity Magazine (infosecurity-magazine.com)
Vishing attacks increasing, but AI's role still unclear | TechTarget
2FA/MFA
NCSC: Twitter Users Should Find MFA Alternatives - Infosecurity Magazine (infosecurity-magazine.com)
Malware
DrayTek VPN routers hacked with new malware to steal data, evade detection (bleepingcomputer.com)
Malicious PyPI package signals direction of cyber crime • The Register
How to prevent Microsoft OneNote files from infecting Windows with malware (bleepingcomputer.com)
Stealthy UEFI malware bypassing Secure Boot enabled by unpatchable Windows flaw | Ars Technica
New malware infects business routers for data theft, surveillance (bleepingcomputer.com)
Old Windows ‘Mock Folders’ UAC bypass used to drop malware (bleepingcomputer.com)
Emotet malware attacks return after three-month break (bleepingcomputer.com)
AI-Powered 'BlackMamba' Keylogging Attack Evades Modern EDR Security (darkreading.com)
New ScrubCrypt Crypter Used in Cryptojacking Attacks Targeting Oracle WebLogic (thehackernews.com)
Hackers Exploiting Remote Desktop Software Flaws to Deploy PlugX Malware (thehackernews.com)
Custom Chinese Malware Found on SonicWall Appliance - SecurityWeek
FBI and international cops catch a NetWire RAT • The Register
Mobile
Denial of Service/DoS/DDOS
Internet of Things – IoT
Data Breaches/Leaks
Credential Stuffing attack on Chick-fil-A impacted +71K users- Security Affairs
Popular fintech apps expose valuable, exploitable secrets - Help Net Security
PayPal Sued Over Data Breach that Impacted 35,000 users (hackread.com)
Acer Data Breach? Hacker Claims to Sell 160GB Trove of Stolen Data (hackread.com)
Data breach exposed millions of Verizon customers' account info (androidpolice.com)
Congress’ Social Security Numbers Leaked in DC Health Link Hack (gizmodo.com)
Data protection vendor Acronis admits to data leak • The Register
AT&T confirms 9m wireless accounts exposed by third part • The Register
Organised Crime & Criminal Actors
BidenCash leaks 2.1M stolen credit/debit cards- Security Affairs
Malicious PyPI package signals direction of cyber crime • The Register
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
FTX Confirms $9 Billion in Customer Funds Vanished (gizmodo.com)
Russia-Ukraine war: How both sides of the conflict have used crypto to win (cointelegraph.com)
New ScrubCrypt Crypter Used in Cryptojacking Attacks Targeting Oracle WebLogic (thehackernews.com)
Insider Risk and Insider Threats
Fraud, Scams & Financial Crime
FTX Confirms $9 Billion in Customer Funds Vanished (gizmodo.com)
Experts Warn of "SMS Pumping" Fraud Epidemic - Infosecurity Magazine (infosecurity-magazine.com)
Scammers using voice-cloning A.I. to mimic relatives | Fortune
Alleged security breach leaves millions of dollars missing from Flutterwave accounts | TechCrunch
New Rise In ChatGPT Scams Reported By Fraudsters (informationsecuritybuzz.com)
Deepfakes
Insurance
Dark Web
Supply Chain and Third Parties
Snap CISO talks risky supply chain security business • The Register
SolarWinds IR lead: supply-chain attacks 'getting bigger' • The Register
AT&T confirms 9m wireless accounts exposed by third part • The Register
Software Supply Chain
Cloud/SaaS
Experts Reveal Google Cloud Platform's Blind Spot for Data Exfiltration Attacks (thehackernews.com)
Hackers are quickly learning how to target cloud systems (axios.com)
Attack Surface Management
Asset Management
Encryption
New TPM 2.0 flaws could let hackers steal cryptographic keys (bleepingcomputer.com)
New Steganography Breakthrough Enables “Perfectly Secure” Digital Communications (scitechdaily.com)
API
Open Source
Passwords, Credential Stuffing & Brute Force Attacks
Stolen credentials increasingly empower the cyber crime underground | CSO Online
Credential Stuffing attack on Chick-fil-A impacted +71K users- Security Affairs
The Role of Verifiable Credentials In Preventing Account Compromise (darkreading.com)
Young government workers show poor password management habits - Help Net Security
Social Media
NCSC: Twitter Users Should Find MFA Alternatives - Infosecurity Magazine (infosecurity-magazine.com)
Training, Education and Awareness
Regulations, Fines and Legislation
Governance, Risk and Compliance
Inadequate patches and advisories increase cyber risk - Help Net Security
Why do Businesses Need to Focus More on Cyber security (hackread.com)
Flashpoint: Threat vectors converging, increasing damage | TechTarget
How to achieve and shore up cyber resilience in a recession - Help Net Security
The cyber security landscape in the era of economic instability – Help Net Security
Models, Frameworks and Standards
Open letter demands OWASP overhaul, warns of mass project exodus | CSO Online
NIST Retooling Cyber security Framework to Reflect Changing Cyber scape – MSSP Alert
Data Protection
Careers, Working in Cyber and Information Security
Law Enforcement Action and Take Downs
Core Members of DoppelPaymer Ransomware Gang Targeted in Germany and Ukraine (thehackernews.com)
FBI and international cops catch a NetWire RAT • The Register
Privacy, Surveillance and Mass Monitoring
Secret Service and ICE break the law with fake phone towers • The Register
Thought you'd opted out of online tracking? Think again • The Register
Artificial Intelligence
AI is taking phishing attacks to a whole new level of sophistication - Help Net Security
Employees Are Feeding Sensitive Business Data to ChatGPT (darkreading.com)
You can poison AI datasets for just $60, a new study shows (fastcompany.com)
Thousands scammed by AI voices mimicking loved ones in emergencies | Ars Technica
Vishing attacks increasing, but AI's role still unclear | TechTarget
AI-Powered 'BlackMamba' Keylogging Attack Evades Modern EDR Security (darkreading.com)
Criminals will use ChatGPT to unleash wave of fraud, warns Darktrace (telegraph.co.uk)
Misinformation, Disinformation and Propaganda
Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine
What can security teams learn from a year of cyber warfare? | Computer Weekly
Pegasus spyware used to spy on a Polish mayor- Security Affairs
Russia-Ukraine war: How both sides of the conflict have used crypto to win (cointelegraph.com)
Sharp Panda targets government entities in Southeast Asia- Security Affairs
Managed Service Provider Identifies Potential Chinese Spy Ring - MSSP Alert
Chinese cyber spies target unpatched SonicWall gear • The Register
Nation State Actors
What can security teams learn from a year of cyber warfare? | Computer Weekly
Russia Bans Messengers, Including WhatsApp, Telegram, And More (informationsecuritybuzz.com)
Russia-Ukraine war: How both sides of the conflict have used crypto to win (cointelegraph.com)
China-aligned APT is exploring new technology stacks for malicious tools - Help Net Security
Sharp Panda targets government entities in Southeast Asia- Security Affairs
Managed Service Provider Identifies Potential Chinese Spy Ring - MSSP Alert
Chinese cyber spies target unpatched SonicWall gear • The Register
Lazarus group infiltrated South Korean finance firm twice last year | CSO Online
New Chinese regulatory body expected to streamline data governance rules | CSO Online
Vulnerability Management
Inadequate patches and advisories increase cyber risk - Help Net Security
Build Cyber Resiliency With These Security Threat-Mitigation Considerations
Zero Day Threat Protection for Your Network (trendmicro.com)
557 CVEs Added to CISA's Known Exploited Vulnerabilities Catalog in 2022 - SecurityWeek
Machine Learning Improves Prediction of Exploited Vulnerabilities (darkreading.com)
Security Patch Management Strengthens Ransomware Defense (trendmicro.com)
VulnCheck: CISA's KEV missing 42 vulnerabilities from 2022 | TechTarget
Vulnerabilities
Researchers discover 'kill switch' in Starlink terminals - Security - iTnews
PoC exploit for recently patched Microsoft Word RCE is public (CVE-2023-21716) - Help Net Security
CISA's KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems (thehackernews.com)
Exploitation of Critical Vulnerability in End-of-Life VMware Product Ongoing - SecurityWeek
Fortinet warns of new critical unauthenticated RCE vulnerability (bleepingcomputer.com)
Chinese cyber spies target unpatched SonicWall gear • The Register
Bitwarden flaw can let hackers steal passwords using iframes (bleepingcomputer.com)
Veeam warns to install patches to fix a bug in Backup & Replication- Security Affairs
Hackers Exploiting Remote Desktop Software Flaws to Deploy PlugX Malware (thehackernews.com)
Vulnerability Exposes Cisco Enterprise Routers to Disruptive Attacks - SecurityWeek
Jenkins Server Vulnerabilities Chained for Remote Code Execution - SecurityWeek
Other News
Biden Administration's Cyber security Strategy Takes Aim at Hackers (gizmodo.com)
Tracking device technology: A double-edged sword for CISOs | CSO Online
From Disinformation to Deep Fakes: How Threat Actors Manipulate Reality (thehackernews.com)
What CISOs need to understand about document signing - Help Net Security
Thousands of websites hacked as part of redirection campaign- Security Affairs
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Black Arrow Cyber Advisory 10 March 2023 – Fortinet, Cisco and Veeam Vulnerabilities Roundup
Black Arrow Cyber Advisory 10 March 2023 – Fortinet, Cisco and Veeam Vulnerabilities Roundup
Executive Summary
Fortinet have disclosed 15 security issues across a range of products including 5 “high” rated vulnerabilities and a “critical” vulnerability that allows an unauthenticated attacker to perform denial of service attacks or execute arbitrary code. Cisco has identified a “high vulnerability” with IOS XR software for the ASR 9000 Series routers. Veeam have disclosed a “high vulnerability” that allows an unauthenticated attacker to request encrypted credentials which may lead to gaining access to the backup infrastructure host.
What’s the risk to me or my business?
Successful exploitation of the Cisco vulnerability tracked as CVE-2023-20049 allows the attacker to cause line card exceptions or hard rests which can lead to traffic loss and denial of service conditions.
The following models are vulnerable if they have Bidirectional forwarding detection (BFD) hardware offload enabled.
ASR 9000 Series Aggregation Services Routers only if they have a Lightspeed or Lightspeed-Plus-based line card installed.
ASR 9902 Compact High-Performance Routers
ASR 9903 Compact High-Performance Routers
A successful exploitation of the Critical Fortinet vulnerability tracked as CVE-2023-25610 allows an unauthenticated attacker to execute arbitrary code or perform denial of service (DoS) conditions in an administrative interface.
The following devices are vulnerable to both the RCE and DoS:
FortiOS version 7.2.0 through 7.2.3
FortiOS version 7.0.0 through 7.0.9
FortiOS version 6.4.0 through 6.4.11
FortiOS version 6.2.0 through 6.2.12
FortiOS 6.0 all versions
FortiProxy version 7.2.0 through 7.2.2
FortiProxy version 7.0.0 through 7.0.8
FortiProxy version 2.0.0 through 2.0.12
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions
A full list of vulnerable hardware devices that are impacted by the Denial of Service can be found on the FortiGuard website.
A successful exploitation of the high Veeam vulnerability tracked as CVE-2023-27532 can allow an unauthenticated attacker to request encrypted credentials which may lead to the attacker gaining access to the backup infrastructure of the host.
This vulnerability affects all Veeam Backups and Replication versions but is resolved in the following:
12 (build 12.0.0.1420 P20230223)
11a (build 11.0.1.1261 P20230227)
What can I do?
Cisco has released software updates that address the vulnerability and should be installed. Alternatively, a workaround has been provided which is to disable all bfd hardware offload features, which can be done by removing all hw-module bfw-hw-offload enable commands and resetting the card.
Fortinet has provided solutions to each of the vulnerabilities it has disclosed, and it is recommended that the patches released for the vulnerabilities are installed.
Veeam has released a patch and should be installed, however they suggest that if you are using an earlier version to upgrade to the current supported version first. Alternatively, if you are using an all-in-one Veeam appliance with no backup infrastructure components, external connections to Port TCP 9401 should be filtered until the patch is installed.
Further information on the vulnerabilities be found here:
Cisco IOS XR software update - https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#ssu
Cisco IOS XR Software Security Advisory-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bfd-XmRescbT
Fortinet CVE-2023-25610 advisory and solution - https://www.fortiguard.com/psirt/FG-IR-23-001
Fortiguard vulnerability advisory- https://www.fortiguard.com/psirt-monthly-advisory/march-2023-vulnerability-advisories
Veeam advisory - https://www.veeam.com/kb4424
Veeam Solution - https://www.veeam.com/product-lifecycle.html?ad=in-text-link
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Advisory 09 March 2023 – Security Flaws in TPM 2.0 Pose Significant Risk
Black Arrow Cyber Advisory 08 March 2023 – Security Flaws in TPM 2.0 Pose Significant Risk
Executive Summary
Security Researchers at Quarkslab have identified two critical vulnerabilities (CVE-2023-1017 and CVE-2023-1018) in The Trusted Platform Module (TPM) firmware; TPMs are used by most modern PCs to make them resistant to tampering and the vulnerabilities could affect billions of devices.
What’s the risk to my business?
Successful exploitation of the vulnerabilities could lead to local information disclosure, including the ability for attackers to make the TPM unavailable leading to denial of service, read sensitive data or escalate privileges. In some cases, an attacker can overwrite protected data in the TPM and go undetected. To be able to exploit the vulnerabilities the attacker would require access to a TPM-command interface to send maliciously crafted-commands to a vulnerable TPM.
What can I do?
The Trusted Computing Group (TCG) have released an updated version of their TPM2.0 library specification: TPM 2.0 library Specifications v1.59 Errata Version 1.4. Once this update has been incorporated within Operating System and Original Equipment Manufacturer (OEM) firmware, it is recommended this updated version is installed. For the meantime, remote attestation may help identify it any changes have been made to the TPM.
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Documentation for the upgrade can be found here: https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-Library-Spec-v1.59-Errata-v1.4_pub.pdf
An Advisory from the Trusted Computer Group can be found here: https://trustedcomputinggroup.org/wp-content/uploads/TCGVRT0007-Advisory-FINAL.pdf
CVE-2023-1017 can be found here: https://nvd.nist.gov/vuln/detail/CVE-2023-1017
CVE-2023-1018 can be found here: https://nvd.nist.gov/vuln/detail/CVE-2023-1018
Black Arrow Cyber Alert 07 March 2023 – ACTION REQUIRED: New Hiatus Hacking Campaign Targets DrayTek Routers to Spy on Businesses
Black Arrow Cyber Alert 07 March 2023 – ACTION REQUIRED: New Hiatus Hacking Campaign Targets DrayTek Routers to Spy on Businesses
Executive Summary
An ongoing hacking campaign known as “Hiatus” is targeting DrayTek Vigour router models 2960 and 3900 to monitor and steal data from businesses.
What’s the risk to my business?
If exploited successfully, the attacker is able to remotely execute commands on the router, and monitor and control traffic that passes through the router including file-transfer and email communications.
Technical Summary:
Research by Black Lotus Labs has found the campaign involves following:
A Bash script to deploy two executables to the targetdevice, post-exploitation. These are:
HIATUS Remote Access Trojan
A variant of ‘tcpdump’ that enables packet capture
Once this script has been executed the ‘HiatusRAT’ and ‘tcpdump’ variant are downloaded to a directory created by the script located at ‘/database/.updata’ and are then executed. The malware will listen on TCP port 8816 and if this port is already in use, the process on that port is terminated so that the malware can use it instead. Once the malware has been sucessfully enabled on this port, a second process collects information about the victim device and sends it to a Command and Control (C2) server operated by the attacker (104.250.58.192); an additional C2 server (46.8.113.227) is also used by the attacker to receive information captured by the packet-capture tool . The packet capture tool observes ports associated with mail server and FTP connections, this include TCP ports 21, 25, 110, 143.
What can I do?
It is not currently known how the DrayTek routers have been initially compromised and Draytek have not yet released a security update to resolve any associated known vulnerability. The following actions can be taken to help mitigate and identify if a device has been impacted:
Prevent outbound network traffic on TCP port 8816, to disable the malware’s outbound communication.
Block network traffic to or from the following IP addresses: 104.250.58.192 and 46.8.113.227
Check the following location on vulnerable devices for any files in that location, as this would be an indicator of compromise (IoC): ‘database’ and ‘/database/.updata’
Configure continuous security monitoring to detect anomalous activity that may be indicative of a compromise.
Further indicators of compromise can be found here: https://github.com/blacklotuslabs/IOCs/blob/main/Hiatus_IoCs.txt
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
A link to the report from Black Lotus Labs can be found here: https://blog.lumen.com/new-hiatusrat-router-malware-covertly-spies-on-victims/?utm_source=press+release&utm_medium=referral