Executive summary

This week, Cisco and VMware have addressed vulnerabilities in their products. A high-severity vulnerability exploit has been released in the wild for the Cisco AnyConnect VPN, this could allow an authenticated attacker to escalate privileges to SYSTEM level with no user interaction. VMware have addressed multiple high-severity flaws in vCenter server, these vulnerabilities can let an attacker to gain code execution and bypass authentication on unpatched systems. Both Cisco and VMware have applied patches and can found below.

 Cisco AnyConnect

CVE-2023-20178 – This vulnerability, if exploited allows an authenticated attacker to execute code with SYSTEM privileges.

The Impacted versions include:

• Cisco AnyConnect Secure Mobility Client Software for Windows

• Cisco Secure Client Software for Windows (version 5.0). For releases earlier than 5.0, this is known as Cisco AnyConnect Secure Mobility Client for Windows.

What can I do?

Since a proof-of-concept exploit code is publically available it is advised that patches are applied immediately. Patches are available in AnyConnect Secure Mobility Client for Windows 4.10MR7 and Cisco Secure Client for Windows 5.0MR2 should be applied. No workarounds are available.

VMware vCenter

CVE-2023-20892 and CVE-2023-20893 – These vulnerabilities, if exploited allow an unauthenticated attacker with network access to gain code execution.

CVE-2023-20895 – This vulnerability, if exploited allows an attacker to bypass authentication on unpatched vCenter Server appliances.

The impacted versions include:

• vCenter Server version 8.0 – patched in version 8.0 U1b

• vCenter Server version 7.0 – patched in version 7.0 U3m

• Cloud Foundation (vCenter Server) version 5.x – patched in version 8.0U1b

• Cloud Foundation (vCenter Server) version 4.x – patched in version 7.0 U3m

What can I do?

VMware have released patches for the impacted, it is advised that patches are applied immediately. There are no workarounds available for these flaws.

Further details on the Cisco vulnerability can be found here: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-csc-privesc-wx4U4Kw

Further details on the VMware vulnerability can be found here: https://www.vmware.com/security/advisories/VMSA-2023-0014.html

Executive Summary

Open Sources Intelligence (OSINT) conducted by Black Arrow Cyber have identified a number of threats against the Apple ecosystem, with some threats reported to have nation state involvement. It is important to highlight that any internet-abled product can be a target for attackers, therefore appropriate protective controls should always be considered for all devices, especially those that are used to directly access sensitive information.

MacOS “Migraine” Vulnerability

Recently, Microsoft revealed a new macOS vulnerability dubbed “Migraine” (CVE-2023-3269) which impacts vulnerable apple devices which run macOS. The vulnerability allows an attacker with root access, which is the highest level of permissions to bypass the built in security protections, gaining remote code execution and the ability to create undeletable malware, tamper with the integrity of systems and expand the attack to the rest of the network. Apple has released a security patch which addresses this vulnerability, further details can be found at the bottom of this post.

iOS “Operation Triangulation”

Reports have identified a new mobile state-sponsored advanced persistent threat group that has been targeting iOS devices as part of an attack campaign labelled “Operation Triangulation”. the campaign is carried out using an invisible iMessage with a malicious attachment, which when executed on a device installs spyware. The deployment of the spyware is completely hidden and requires no action from the user. The spyware then quietly transmits private information to remote servers; this includes microphone recordings, photos from instant messengers, geolocation, and data about a number of other activities of the owner of the infected device. This trojan is targeting middle and upper management staff with the only workaround currently being a complete reset of the device.

Complex toolkit with files allowing backdoor capabilities targeting macOS

Bitdefender researchers have recently discovered a set of malicious files that are part of a sophisticated toolkit targeting Apple macOS systems. This malicious attack allows an attacker to gather system information, run commands, download and execute files on the victim’s machine, and to terminate the exploit script. The malicious files predominantly target macOS Monterey (version 12) and newer.

Growing Malware Threats to macOS

In addition to this, additional growing threats to macOS have been recorded in the wild. This includes:

- Threat actor groups Lazarus and BlueNoroff have been using malware dubbed “RustBucket” in financially motivated attacks to target users and steal victim’s data.  

- Reports identifying ransomware gangs, including the infamous Lockbit, developing encryption that targets macOs, specifically their M1 chips. There is no current working version of this malware.

- A rise in the use of XCSSET malware, which exploits multiple zero-days found in the Apple safari browser to download a developer version of the app on the target’s device giving it access to data from other apps such as Skype, Telegram, notes, and screen recorders.

-  An increase in the use of malware-as-a-service (MaaS), such as Atomic macOS Stealer which is capable of stealing passwords, credentials, cookies, browser data, auto-fills, and other important information and MacStealer, which extracts information from compromised systems.

- The well known 3CX attack in which the state-sponsored APT’s had altered the MacOS version of the 3CX desktop client to deliver further malware, and exfiltrate it.

Mac Vulnerabilities

Looking at the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalogue, there have been 36 actively recorded exploits relating to devices running macOS devices since 2021.  

What’s the risk to me or my business?

An organisation which excludes the security of any asset, relying on reputation or built-in protections alone, is leaving themselves open to potential compromise of the confidentiality, integrity and availability of the data which is held on the asset and is accessed through the asset, which includes Apple devices. Such assets include devices that are purchased by the organisation to be used as corporate devices and those that are personally owned by employees being used as part of Bring Your Own Device schemes.

What can I do?

Endpoint Protective Technologies and Security Hardening including anti-malware, Firewalls and detective solutions should be considered for all endpoints, including those that run Windows, macOS, Linux, Android and iOS.

Organisation should ensure that their asset registers are up to date and include all assets which hold or access organisational information. The better view an organisations has of its attack surface, the greater their cyber resilience will be. This should be supplemented with an effective threat intelligence programme, allowing organisations to keep up to date with emerging threats.

Further information can be found here:

macOs “Migraine” Vulnerability: https://www.microsoft.com/en-us/security/blog/2023/05/30/new-macos-vulnerability-migraine-could-bypass-system-integrity-protection/

Lockbit Encryptors found targeting macOS: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/

iOS Operation Triangulation: https://usa.kaspersky.com/blog/triangulation-attack-on-ios/28444/

6 Growing Malware Threats to macOS: https://www.darkreading.com/endpoint/top-macos-malware-threats-proliferate

Malicious Files with Backdoor targeting macOS attack: https://www.bitdefender.com/blog/labs/fragments-of-cross-platform-backdoor-hint-at-larger-mac-os-attack/

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Executive summary

Apple has recently released updates for iOS, iPadOS, macOS, watchOS and Safari browser. These updates address a set of flaws that were actively exploited in the wild with the most severe allowing an attacker to perform Arbitrary Code Execution.

What’s the risk to me or my business?

Depending on the privileges associated with the user, if the vulnerability is successfully exploited an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. This can lead to compromise of the confidentiality, integrity, and availability of organisational information in that could be accessed from the affected asset.

Technical Summary

The two vulnerabilities below have been actively exploited in the mobile surveillance campaign called Operation Triangulation.

CVE-2023-32434 – This is an integer overflow vulnerability in the kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges.

CVE-2023-32435 – This is a memory corruption vulnerability in Webkit that could lead to arbitrary code execution when processing specially crafted web content.

The updates are available for the following platforms:

• iOS 16.5.1 and iPadOS 16.5.1 - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

• iOS 15.7.7 and iPadOS 15.7.7 - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

• macOS Ventura 13.4.1, macOS Monterey 12.6.7, and macOS Big Sur 11.7.8

• watchOS 9.5.2 - Apple Watch Series 4 and later

• watchOS 8.8.1 - Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7, and SE, and

• Safari 16.5.1 - Macs running macOS Monterey

What can I do?

It is recommended to apply the update provided by Apple to all vulnerable systems immediately as the flaws have been addressed in this patch.

Further details on the Apple security updates can be found here: https://support.apple.com/en-us/HT201222

An update from an advisory published on the 8th June 2023 by Black Arrow: https://www.blackarrowcyber.com/blog/advisory-08062023-barracuda-cisco-vmware-vulns

Executive summary

VMware has confirmed that exploitation of the critical rated CVE-2023-20887 has occurred in the wild. This vulnerability affects the VMware Aria Operations (formerly known as vRealize Network Insight) and allows a malicious actor with access to the network to perform remote code execution (RCE).

What’s the risk to me or my business?

The vulnerability, if exploited using command injection, could allow the attacker to have unrestricted access with root to compromise the confidentiality, integrity, and availability of data in your organisation.

Impacted versions include: VMware Aria Operations Networks version 6.x.

What can I do?

VMware have recommended applying patches which they have made available for the following versions: 6.2/6.3/6.4/6.5.1/6.6/6.7/6.8/6.9/6.10.

There are no workarounds for this vulnerability.

Further details on the VMware vulnerability can be found here: https://www.vmware.com/security/advisories/VMSA-2023-0012.html

Further details on the VMware patch can be found here: https://kb.vmware.com/s/article/92684

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Hacker Gang Clop Deploys Extortion Tactics Against Global Companies

The Russian-speaking gang of hackers that compromised UK groups such as British Airways and the BBC has claimed it has siphoned off sensitive data from more institutions including US-based investment firms, European manufacturers and US universities. Eight other companies this week made it onto Clop’s list on the dark web. That adds to the news last week that UK groups, including Walgreens-owned Boots, informed employees that their data had been compromised. The issue also targeted customers of Zellis, a UK-based payroll provider that about half of the companies on the FTSE 100 use.

The hacking group is pushing for contact with the companies on the list, according to a post on Clop’s dark web site, as the gang demands a ransom that cyber security experts and negotiators said could be as much as several million dollars.

https://www.ft.com/content/c1db9c5c-cdf1-48bc-8e6b-2c2444b66dc9

• Social Engineering Drives BEC Losses to $50B Globally

Business email compromise (BEC) continues to evolve on the back of sophisticated targeting and social engineering, costing businesses worldwide more than $50 billion in the last 10 years - a figure that reflected a growth in business losses to BEC of 17% year-over-year in 2022, according to the FBI.

Security professionals attribute BEC's continued dominance in the cyber threat landscape to several reasons. A key one is that attackers have become increasingly savvy in how to socially-engineer messages so that they appear authentic to users, which is the key to being successful at this scam. And with the increase in availability of artificial intelligence, the continued success of BEC means these attacks are here to stay. Organisations will be forced to respond with even stronger security measures, security experts say.

https://www.darkreading.com/threat-intelligence/social-engineering-drives-bec-losses-to-50b-globally

• Creating A Cyber Conscious Culture—It Must Be Driven from the Top

Businesses are facing more frequent and sophisticated cyber threats and they must continuously learn new ways to protect their revenues, reputation and maintain regulatory compliance. With hybrid and remote working blurring traditional security perimeters and expanding the attack surface, the high volumes of sensitive information held by organisations are at increased risk of cyber attacks.

The increase had led to cyber elevating to the board level; after all the board is responsible for cyber security. It doesn’t stop there however, as everyone in an organisation has responsibility for upholding cyber security. The board must aim to create a cyber-conscious culture, where users are aware of their role in cyber security. One important way such a culture can be achieved is through providing regular education and training to all users.

https://www.forbes.com/sites/forbestechcouncil/2023/06/12/creating-a-cyber-conscious-culture-it-must-be-driven-from-the-top/sh=6a0bb36426cc

• Artificial Intelligence is Coming to Windows: Are Your Security Policy Settings Ready?

What’s in your Windows security policy? Do you review your settings on an annual basis or more often? Do you provide education and training regarding the topics in the policy? Does it get revised when the impact of an incident showcases that an internal policy violation led to the root cause of the issue? And, importantly, do you have a security policy that includes your firm’s overall policies around the increasing race towards artificial intelligence, which is seemingly in nearly every application released these days?

From word processing documents to the upcoming enhancements to Windows 11, which will include AI prompting in the Explorer platform, organisations should review how they want their employees to treat customer data or other confidential information when using AI platforms. Many will want to build limits and guidelines into their security plans that specify what is allowed to be entered into platforms and websites that may store or share the information online. However, confidential information should not be included in any application that doesn’t have clearly defined protections around the handling of such data. The bottom line is that AI is coming to your network and your desktop sooner than you think. Build your policies now and review your processes to determine if you are ready for it today.

https://www.csoonline.com/article/3698517/artificial-intelligence-is-coming-to-windows-are-your-security-policy-settings-ready.html

• Cyber Crooks Targeting Employees, Organisations Fight Back with Training Programs

Cyber criminals are increasingly targeting an organisation’s employees, figuring to trick an untrained staffer to click on a malicious link that starts a malware attack, Fortinet said in a newly released study of security awareness and training.

More than 80% of organisations faced malware, phishing and password attacks last year, which were mainly targeted at users. This underscores that employees can be an organisation’s weakest point or one of its most powerful defences.

Fortinet’s research revealed that more than 90% of the survey’s respondents believe that increased employee cyber security awareness would help decrease the occurrence of cyber attacks. As organisations face increasing cyber risks, employees serving as an organisation’s first line of defence in protecting their organisation from cyber crime becomes of paramount importance.

https://www.msspalert.com/cybersecurity-research/cyber-crooks-targeting-employees-organizations-fight-back-with-training-programs/

• Massive Phishing Campaign Uses 6,000 Sites to Impersonate 100 Brands

A widespread brand impersonation campaign targeting over a hundred popular apparel, footwear, and clothing brands has been underway since June 2022, tricking people into entering their account credentials and financial information on fake websites. The brands impersonated by the phony sites include Nike, Puma, Asics, Vans, Adidas, Columbia, Superdry, Converse, Casio, Timberland, Salomon, Crocs, Sketchers, The North Face and others.

A recent report found the campaign relies on at least 3,000 domains and roughly 6,000 sites, including inactive ones. The campaign had a significant activity spike between January and February 2023, adding 300 new fake sites monthly. The domain names follow a pattern of using the brand name together with a city or country, followed by a generic TLD such as ".com." Additionally, any details entered on the checkout pages, most notably the credit card details, may be stored by the website operators and resold to cyber criminals.

https://www.bleepingcomputer.com/news/security/massive-phishing-campaign-uses-6-000-sites-to-impersonate-100-brands/

• Over One in Ten Brits are Willing to Engage in ‘Illegal or Illicit’ Online Behaviour

A recent study found that 11% of Brits were tempted to engage in ‘illegal or illicit online behaviour’ in order to help manage the fallout from the cost of living crisis. This statistic becomes even more concerning when focused on younger people, with almost a quarter of 25–35 year old respondents (23%) willing to consider illegal or illicit online activity. Of those willing to engage in this kind of behaviour, 56% suggested it was because they are desperate and struggling to get by, and need to find alternative means of supporting their families.

Nearly half (47%) of UK business leaders believe their organisation has been at a greater risk of attack since the start of the cost-of-living crisis. Against this backdrop, many SME business leaders are understandably worried about the impact on employees. Of those who think their organisation is more exposed to attack, 38% believe it’s due to malicious insiders and 35% to overworked and distracted staff making mistakes. Organisations not doing so already, should look to incorporate insider threat into their security plans. Insider threat should focus on areas such as regular education and monitoring and detection.

The report found that 44% of respondents have also noticed an uptick in online scams hitting their inboxes since the cost of living crisis began in late 2021/early 2022. Another worrying finding is that this uptick is proving devastatingly effective for scammers: over one in ten (13%) of UK respondents have already been scammed since the cost of living crisis began. This rises to a quarter (26%) of respondents in the 18-25 age range, reflecting a hyper-online lifestyle and culture that scammers can work to exploit effectively.

https://www.itsecurityguru.org/2023/06/15/it-security-guru-study-shows-over-one-in-ten-brits-are-willing-to-engage-in-illegal-or-illicit-online-behaviour-as-the-cost-of-living-crisis-worsens 

https://www.infosecurity-magazine.com/news/costofliving-crisis-drives-insider/

• Microsoft Office 365 Phishing Reveals Signs of Much Larger BEC Campaign

Recently, Microsoft discovered multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) attacks against banking and financial services organisations. The attackers are successfully phishing employees’ accounts with fake Office 365 domains. This allows them to bypass authentication, exfiltrate data and send further phishing emails against other employees and several targeted external organisations. In some cases, threat actors have registered their own device to the employee’s account, to evade MFA defences and achieve persistent access.

https://securityaffairs.com/147327/hacking/aitm-bec-attacks.html

https://thehackernews.com/2023/06/adversary-in-middle-attack-campaign.html

https://www.csoonline.com/article/3699122/microsoft-office-365-aitm-phishing-reveals-signs-of-much-larger-bec-campaign.html

• Europol Warns of Metaverse and AI Terror Threat

New and emerging technologies like conversational AI, deepfakes and the metaverse could be utilised by terrorists and extremists to radicalise and recruit converts to their cause, Europol has warned. The report stated that the online environment lowers the bar for entering the world of terrorism and extremism, broadens the range of people that can become exposed to radicalisation and increases the unpredictability of terrorism and extremism.

Europol also pointed to the potential use of deepfakes, augmented reality and conversational AI to enhance the efficiency of terrorist propaganda. Both these technologies and internet of things (IoT) tools can also be deployed in more practical tasks such as the remote operation of vehicles and weapons used in attacks or setting up virtual training camps. Digital currencies are also playing a role in helping to finance such groups while maintaining the anonymity of those contributing the funding, Europol said.

https://www.infosecurity-magazine.com/news/europol-warns-metaverse-and-ai/

• What is AI, and is it Dangerous?

Recently, we saw the release of the first piece of EU regulation on AI. This comes after a significant rise in the usage of tools such as ChatGPT. Such tools allow for even those with limited technical ability to perform sophisticated actions. In fact, usage has risen 44% over the last three months alone, according to a report.

Rather worryingly, there is a lack of governance on the usage of AI, and this extends to how AI is used within your own organisation. Whilst the usage can greatly improve actions performed within an organisation, the report found that 6% of employees using AI had pasted sensitive company data into an AI tool. Would your organisation know if this happened, and how damaging could it be to your organisation if this data was to be leaked? Continuous monitoring, risk analysis and real-time governance can help aid an organisation in having an overview of the usage of AI.

https://www.bbc.co.uk/news/technology-65855333

https://thehackernews.com/2023/06/new-research-6-of-employees-paste.html

• Cyber Liability Insurance Vs. Data Breach Insurance: What's the Difference?

With an ever-increasing number of cyber security threats and attacks, companies are becoming motivated to protect their businesses and customer data both technically and financially. Finding the right insurance has become a key part of the security equation.

Companies looking to protect themselves have most likely heard the terms “cyber liability insurance” and “data breach insurance.” Put simply, cyber liability insurance refers to coverage for third-party claims asserted against a company stemming from a network security event or data breach. Data breach insurance, on the other hand, refers to coverage for first-party losses incurred by the insured organisation that has suffered a loss of data.

https://www.csoonline.com/article/3698297/cyber-liability-insurance-vs-data-breach-insurance-whats-the-difference.html

• Exploring the Dark Web: Hitmen for Hire and the Realities of Online Activities

The dark web makes up a significant portion of the internet. Access can be gained through special browser, TOR, also known as the onion Router. The service bounces around IP addresses, constantly changing to protect the anonymity of the user.

This dark web contains an array of activities and sites, which include hitmen for hire, drugs for sale, and stolen credit card databases amongst others. Sometimes these aren’t real however, and are actually a trap to steal money from users on the basis that these users are unlikely to report it to law enforcement when the victim was trying to break the law in the first place. What we do know however, is that the dark web contains a plethora of information, and this could include data from your organisation.

https://news.clearancejobs.com/2023/06/07/exploring-the-dark-web-hitman-for-hire-and-the-realities-of-online-activities/

Governance, Risk and Compliance

• Creating A Cyber-Conscious Culture—It Must Be Driven From The Top (forbes.com)

• Most businesses vulnerable to attacks on the cyber battlefield - The Globe and Mail

• 10 Important Security Tasks You Shouldn't Skip (darkreading.com)

• Just 14% of CISOs possess desired traits for cyber security-expert board positions: Report  | VentureBeat

• Enhancing security team capabilities in tough economic times - Help Net Security

• Ignoring digital transformation is more dangerous than a recession - Help Net Security

• Ransomware Insurance: Security Strategies to Obtain Coverage (trendmicro.com)

• How the modern CIO grapples with legacy IT | CIO

• Cyber debt levels reach tipping point - Help Net Security

• Over Half of Security Leaders Lack Confidence in Protecting App Secrets, Study Reveals (thehackernews.com)

• Lax security measures, sophisticated hackers reason for rise in cyber breaches (ewn.co.za)

• Cyber Crooks Targeting Employees, Organisations Fight Back with Training Programs - MSSP Alert

• Cyber liability insurance vs. data breach insurance: What's the difference? | CSO Online

• Red teaming can be the ground truth for CISOs and execs - Help Net Security

Threats

Ransomware, Extortion and Destructive Attacks

• CL0P Ransomware Gang Hits Multiple Governments, Businesses in Wide-Scale Attack - MSSP Alert

• Ransomware gang lists first victims of MOVEit mass-hacks, including US banks and universities | TechCrunch

• Cyber extortion hits all-time high - Help Net Security

• How Continuous Monitoring and Threat Intel Can Help Prevent Ransomware (darkreading.com)

• Researchers Report First Instance of Automated SaaS Ransomware Extortion (darkreading.com)

• Why Critical Infrastructure Remains a Ransomware Target (darkreading.com)

• Ransomware Insurance: Security Strategies to Obtain Coverage (trendmicro.com)

• CISA: LockBit ransomware extorted $91 million in 1,700 US attacks (bleepingcomputer.com)

• Microsoft links data wiping attacks to new Russian GRU hacking group (bleepingcomputer.com)

• Microsoft Warns of New Russian State-Sponsored Hacker Group with Destructive Intent (thehackernews.com)

• To Fight Cyber Extortion and Ransomware, Shift Left (trendmicro.com)

• Ransomware Hackers and Scammers Utilizing Cloud Mining to Launder Cryptocurrency (thehackernews.com)

• Russian ransomware hacker extorted tens of millions, says DOJ (cnbc.com)

• Ransomware review: June 2023 (malwarebytes.com)

Ransomware Victims

• Ofcom, Minnesota Dept of Ed among latest MOVEit victims • The Register

• Confidential data downloaded from UK regulator Ofcom in cyber attack (therecord.media)

• Oil and gas giant Shell confirms it was impacted by Clop ransomware attacks (therecord.media)TfL warns 13,000 staff that it was raided by Russian hackers (telegraph.co.uk)

• Russian hackers steal data on thousands of Ulez drivers (telegraph.co.uk)

• JBS’s cyber security was poor prior to 2021 ransomware attack, homeland security records show | Successful Farming (agriculture.com)

• An Illinois hospital links closure to ransomware attack (nbcnews.com)

• US energy department, other agencies hit in global hacking spree | Reuters

• iTWire - Financial services firm FIIG hit by cyber attack, ALPHV claims credit

• The University of Manchester hit by cyber security breach after detecting 'unauthorised activity' - Manchester Evening News

• Xplain data breach also impacted national Swiss railway FSS - Security Affairs

• Rhysida ransomware leaks documents stolen from Chilean Army (bleepingcomputer.com)

Phishing & Email Based Attacks

• Microsoft Office 365 AitM phishing reveals signs of much larger BEC campaign | CSO Online

• Adversary-in-the-Middle Attack Campaign Hits Dozens of Global Organisations (thehackernews.com)

• Younger, more extroverted, and more agreeable individuals are more vulnerable to email phishing scams (psypost.org)

• Log4J exploits may rise further as Microsoft continues war on phishing | ITPro

• Popular Apparel, Clothing Brands Being Used in Massive Phishing Scam (darkreading.com)

• Massive phishing campaign uses 6,000 sites to impersonate 100 brands (bleepingcomputer.com)

BEC – Business Email Compromise

• Microsoft Uncovers Banking AitM Phishing and BEC Attacks Targeting Financial Giants (thehackernews.com)

• Microsoft warns of multi-stage AiTM phishing and BEC attacks - Security Affairs

• Analysis: Social Engineering Drives BEC Losses to $50B Globally (darkreading.com)

Other Social Engineering; Smishing, Vishing, etc

• Analysis: Social Engineering Drives BEC Losses to $50B Globally (darkreading.com)

Artificial Intelligence

• New Research: 6% of Employees Paste Sensitive Data into GenAI tools as ChatGPT (thehackernews.com)

• Artificial intelligence is coming to Windows: Are your security policy settings ready? | CSO Online

• Europol Warns of Metaverse and AI Terror Threat - Infosecurity Magazine (infosecurity-magazine.com)

• How Europe is Leading the World in the Push to Regulate AI - SecurityWeek

• AI is moving too fast to regulate, security minister warns (telegraph.co.uk)

• AI to render humans 'second most intelligent creations' | ITWeb

• LLM meets Malware: Starting the Era of Autonomous Threat - Security Affairs

• What is AI, is it dangerous and what jobs are at risk? - BBC News

• The perils of open-source AI | Financial Times (ft.com)

• Calculations Suggest It'll Be Impossible to Control a Super-Intelligent AI : ScienceAlert

2FA/MFA

• Multi-Factor Authentication Usage Nearly Doubles Since 2020, New Okta Report Finds - MSSP Alert

• Small organisations outpace large enterprises in MFA adoption - Help Net Security

Malware

• New SPECTRALVIPER Backdoor Targeting Vietnamese Public Companies (thehackernews.com)

• Cyber criminals Using Powerful BatCloak Engine to Make Malware Fully Undetectable (thehackernews.com)

• New Loader Delivering Spyware via Image Steals Cryptocurrency Info (darkreading.com)

• Pirated Windows 10 ISOs install clipper malware via EFI partitions (bleepingcomputer.com)

• Chinese hackers use DNS-over-HTTPS for Linux malware communication (bleepingcomputer.com)

• Fake zero-day PoC exploits on GitHub push Windows, Linux malware (bleepingcomputer.com)

• Gozi banking malware “IT chief” finally jailed after more than 10 years – Naked Security (sophos.com)

• LLM meets Malware: Starting the Era of Autonomous Threat - Security Affairs

• New ‘Shampoo’ Chromeloader malware pushed via fake warez sites (bleepingcomputer.com)

• Russian hackers use PowerShell USB malware to drop backdoors (bleepingcomputer.com)

• Fake Security Researcher Accounts Pushing Malware Disguised as Zero-Day Exploits - SecurityWeek

• Vidar Malware Using New Tactics to Evade Detection and Anonymize Activities (thehackernews.com)

Mobile

• How Popular Messaging Tools Instill a False Sense of Security (darkreading.com)

Denial of Service/DoS/DDOS

• Microsoft’s Azure portal down following new claims of DDoS attacks (bleepingcomputer.com)

• DOS Attacks Dominate, but System Intrusions Cause Most Pain (darkreading.com)

• Swiss government warns of ongoing DDoS attacks, data leak (bleepingcomputer.com)

• IoT Botnet DDoS Attacks Threaten Global Telecom Networks, Nokia (hackread.com)

• 10 Different Types of DDoS Attacks and How to Prevent Them (geekflare.com)

• Exclusive: Inside FXStreet's DDoS Attack (financemagnates.com)

Internet of Things – IoT

• Why attackers love to target IoT devices | VentureBeat

• IoT Botnet DDoS Attacks Threaten Global Telecom Networks, Nokia (hackread.com)

• How secure is your vehicle with digital key technology? - Help Net Security

• Flipper Zero “Smoking” A Smart Meter Is A Bad Look For Hardware Hackers | Hackaday

Data Breaches/Leaks

• Another huge US medical data breach confirmed after Fortra mass-hack | TechCrunch

• HSE hit by second 'international scale criminal' cyber attack as they monitor dark web for stolen data - Irish Mirror Online

• New Research: 6% of Employees Paste Sensitive Data into GenAI tools as ChatGPT (thehackernews.com)

• Top 10 cyber security findings from Verizon's 2023 data breach report | VentureBeat

• Xplain data breach also impacted national Swiss railway FSS - Security Affairs

• Examining the long-term effects of data privacy violations - Help Net Security

• A Massive Vaccine Database Leak Exposes IDs of Millions of Indians | WIRED

• Swiss Fear Government Data Stolen in Cyber attack - SecurityWeek

• Ofcom, Minnesota Dept of Ed among latest MOVEit victims • The Register

• Have I Been Pwned warns of new Zacks data breach impacting 8 million (bleepingcomputer.com)

Organised Crime & Criminal Actors

• The Complexities of Hacking: Exploring the thin line between cyber crime and ethical hacking | Euronews

• When It Comes to Cyber crime, the Medium Makes Us Vulnerable - Centre for International Governance Innovation (cigionline.org)

• Cyber criminals return to business as usual in a post-pandemic world - Help Net Security

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Hackers steal $3 million by impersonating crypto news journalists (bleepingcomputer.com)

• Beware: 1,000+ Fake Cryptocurrency Sites Trap Users in Bogus Rewards Scheme (thehackernews.com)

• New Loader Delivering Spyware via Image Steals Cryptocurrency Info (darkreading.com)

• Cryptocurrency Attacks Quadrupled as Cyber criminals Cash In (darkreading.com)

• Ransomware Hackers and Scammers Utilizing Cloud Mining to Launder Cryptocurrency (thehackernews.com)

Insider Risk and Insider Threats

• Cyber Crooks Targeting Employees, Organisations Fight Back with Training Programs - MSSP Alert

• Top 10 Risky Behaviours of Employees - IT Security Guru

• Insider Threat Vs Outsider Threat: Which Is Worse? (informationsecuritybuzz.com)

• Study shows over one in ten Brits are willing to engage in ‘illegal or illicit’ online behaviour as the Cost of Living crisis worsens - IT Security Guru

Fraud, Scams & Financial Crime

• Yet more direct calling fiends fined by UK's data watchdog • The Register

• Cost-of-Living Crisis Drives Insider Threat Concerns - Infosecurity Magazine (infosecurity-magazine.com)

Impersonation Attacks

• New Study Takes a Deep Dive Into Lookalike Attacks - Infosecurity Magazine (infosecurity-magazine.com)

Insurance

• After Important Cyber Insurance Victory for Policyholders, Focus Turns to Insurers' Proposed Changes to War Exclusions | HUB | K&L Gates (klgates.com)

• Ransomware Insurance: Security Strategies to Obtain Coverage (trendmicro.com)

• The insurance industry cyber crime report: recent attacks on insurance businesses | Insurance Business America (insurancebusinessmag.com)

• Cyber liability insurance vs. data breach insurance: What's the difference? | CSO Online

Dark Web

• Exploring the Dark Web: Hitman for Hire and the Realities of Online Activities - ClearanceJobs

Supply Chain and Third Parties

• New Supply Chain Attack Exploits Abandoned S3 Buckets to Distribute Malicious Binaries (thehackernews.com)

Cloud/SaaS

• SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint - SecurityWeek

• New MOVEit Transfer critical flaws found after security audit, patch now (bleepingcomputer.com)

• Seven steps for using zero trust to protect your multicloud • The Register

• New cloud security guidance: it's all about the config - NCSC.GOV.UK

• Microsoft keeps quiet on talk of possible Azure DDoS attack • The Register

• New Supply Chain Attack Exploits Abandoned S3 Buckets to Distribute Malicious Binaries (thehackernews.com)

Encryption

• Hackers can steal cryptographic keys by video-recording power LEDs 60 feet away | Ars Technica

Open Source

• Chinese hackers use DNS-over-HTTPS for Linux malware communication (bleepingcomputer.com)

• Fake zero-day PoC exploits on GitHub push Windows, Linux malware (bleepingcomputer.com)

Passwords, Credential Stuffing & Brute Force Attacks

• Thoughts on scheduled password changes (don’t call them rotations!) – Naked Security (sophos.com)

• Microsoft misused our dark web data, says security vendor • The Register

• RDP honeypot targeted 3.5 million times in brute-force attacks (bleepingcomputer.com)

• Want to be hacked? Just make these password mistakes | Tom's Guide (tomsguide.com)

Training, Education and Awareness

• Top 10 Risky Behaviours of Employees - IT Security Guru

• Cyber Crooks Targeting Employees, Organisations Fight Back with Training Programs - MSSP Alert

Digital Transformation

• Ignoring digital transformation is more dangerous than a recession - Help Net Security

Regulations, Fines and Legislation

• AI is moving too fast to regulate, security minister warns (telegraph.co.uk)

• Ofcom, Minnesota Dept of Ed among latest MOVEit victims • The Register

• Confidential data downloaded from UK regulator Ofcom in cyber attack (therecord.media)

• Yet more direct calling fiends fined by UK's data watchdog • The Register

• How Europe is Leading the World in the Push to Regulate AI - SecurityWeek

• Feds extend deadline for software security attestations • The Register

Models, Frameworks and Standards

• 3 ways we've made the CIS Controls more automation-friendly - Help Net Security

• Use PCI DSS Checklist with Automation (trendmicro.com)

Data Protection

• UK and US Agree Deal to Facilitate Personal Data Flows - Infosecurity Magazine (infosecurity-magazine.com)

Careers, Working in Cyber and Information Security

• #InfosecurityEurope: Cyber Leaders’ Plea to Tackle the Industry’s Mental Health Crisis - Infosecurity Magazine (infosecurity-magazine.com)

Law Enforcement Action and Take Downs

• Gozi banking malware “IT chief” finally jailed after more than 10 years – Naked Security (sophos.com)

• LockBit Affiliate Arrested, as Extortion Totals Reach $91M Since 2020 (darkreading.com)

Privacy, Surveillance and Mass Monitoring

• Examining the long-term effects of data privacy violations - Help Net Security

• FBI: FISA Section 702 'absolutely critical' • The Register

• Strava heatmap feature can be abused to find home addresses (bleepingcomputer.com)

• US Intelligence Has Admitted Amassed Data on 'Nearly Everyone' (gizmodo.com)

• Feds Say Facial Recognition IDed Bosnian War Criminal Miljkovic (gizmodo.com)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Putin’s little cyber helpers turn their sights on the UK (telegraph.co.uk)

• Russia-Ukraine war sending shockwaves into cyber-ecosystem • The Register

• Ukrainian hackers take down service provider for Russian banks (bleepingcomputer.com)

• Pro-Ukraine Cyber Anarchy Squad claims the hack of the Russian telecom provider Infotel JSC - Security Affairs

• 'Stealth Soldier' Attacks Target Libyan Government Entities With Surveillance Malware (darkreading.com)

• RomCom Threat Actor Targets Ukrainian Politicians, US Healthcare (darkreading.com)

• Pro-Russian hackers step up attacks against Swiss targets, authorities say | Reuters

• Russian hackers steal data on thousands of Ulez drivers (telegraph.co.uk)

• Microsoft links data wiping attacks to new Russian GRU hacking group (bleepingcomputer.com)

• Russian hackers use PowerShell USB malware to drop backdoors (bleepingcomputer.com)

• Pro-Russian Hackers Target Website of Europe’s Largest Port in Rotterdam - Bloomberg

• Russia-linked APT Gamaredon update TTPs in recent attacks against Ukraine - Security Affairs

• Microsoft Warns of New Russian State-Sponsored Hacker Group with Destructive Intent (thehackernews.com)

• New Report Reveals Shuckworm's Long-Running Intrusions on Ukrainian Organisations (thehackernews.com)

• Russia-backed hackers unleash new USB-based malware on Ukraine’s military | Ars Technica

• Microsoft Names Russian Threat Actor "Cadet Blizzard" - Infosecurity Magazine (infosecurity-magazine.com)

Nation State Actors

• Chinese hackers use DNS-over-HTTPS for Linux malware communication (bleepingcomputer.com)

• Iran's 'quantum processor' turned out to be a $600 dev board | PC Gamer

• China-based threat actors target UIDAI, AIIMS, ICMR: Govt advisory (moneycontrol.com)

• Subsea cables: how the US is pushing China out of the internet’s plumbing

• China's cyber now aimed at infrastructure, warns CISA boss

• Cyber security: Americans should prepare for cyber sabotage from Chinese hackers, US official warns - The Economic Times (indiatimes.com)

• Ukraine information sharing a model for countering China, top cyber official says | CyberScoop

• Chinese Threat Actor Abused ESXi Zero-Day to Pilfer Files From Guest VMs (darkreading.com)

• North Korea created evil twin of South Korea's Naver.com • The Register

• Behind the Scenes Unveiling the Hidden Workings of Earth Preta (trendmicro.com)

• Gloucester: Russian hackers behind cyber-attack on council - BBC News

• Critical Barracuda ESG Zero-Day Linked to Novel Chinese APT (darkreading.com)

• Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China | Mandiant

• Russian ransomware hacker extorted tens of millions, says DOJ (cnbc.com)

Vulnerability Management

• Why Detecting Behaviors Beats Zero-Days | Blumira

Vulnerabilities

• Third Flaw Uncovered in MOVEit Transfer App Amidst Cl0p Ransomware Mass Attack (thehackernews.com)

• Bitwarden update corrects password manager access vulnerability on Windows - gHacks Tech News

• Fortinet: Patched Critical Flaw May Have Been Exploited (darkreading.com)

• Bitwarden update corrects password manager access vulnerability on Windows - gHacks Tech News

• CISA orders federal agencies to secure Internet-exposed network devices (bleepingcomputer.com)

• Microsoft June 2023 Patch Tuesday fixes 78 flaws, 38 RCE bugs (bleepingcomputer.com)

• Log4J exploits may rise further as Microsoft continues war on phishing | ITPro

• Severe Vulnerabilities Reported in Microsoft Azure Bastion and Container Registry (thehackernews.com)

• New Critical Google Chrome Payments Security Issue Confirmed (forbes.com)

• Critical Security Vulnerability Discovered in WooCommerce Stripe Gateway Plugin (thehackernews.com)

• VMware fixes critical flaws in Aria Operations for Networks (CVE-2023-20887) - Help Net Security

• Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China | Mandiant

• US energy department, other agencies hit in global hacking spree | Reuters

Tools and Controls

• The Complexities of Hacking: Exploring the thin line between cyber crime and ethical hacking | Euronews

• Use of Multifactor Authentication (MFA) Nearly Doubles Since 2020, Okta Secure Sign-in Trends Reports Finds (darkreading.com)

• Ignoring digital transformation is more dangerous than a recession - Help Net Security

• Cyber Crooks Targeting Employees, Organisations Fight Back with Training Programs - MSSP Alert

• Cyber liability insurance vs. data breach insurance: What's the difference? | CSO Online

• Red teaming can be the ground truth for CISOs and execs - Help Net Security

• How Continuous Monitoring and Threat Intel Can Help Prevent Ransomware (darkreading.com)

• Secure Sign-in Trends Report | Okta

• What is Dark Web Monitoring and How Does It Work? | Trend Micro News

• New cloud security guidance: it's all about the config - NCSC.GOV.UK

• Why Now? The Rise of Attack Surface Management (thehackernews.com)

• Why Detecting Behaviours Beats Zero-Days | Blumira

• What Is Red Teaming and How Does It Work? (howtogeek.com)

• Exploring the All-Time Best Book for Ethical Hacking – Codelivly

• Beyond MFA: 3 steps to improve security and reduce customer authentication friction - Help Net Security

• Enhancing security team capabilities in tough economic times - Help Net Security

• Small organisations outpace large enterprises in MFA adoption - Help Net Security

• Cyber debt levels reach tipping point - Help Net Security

• MSSQL makes up 93% of all activity on honeypots tracking 10 databases | SC Media (scmagazine.com)

• Attack Surface Management Strategies (trendmicro.com)

• 5 best practices to ensure the security of third-party APIs | CSO Online

• Multi-Factor Authentication Usage Nearly Doubles Since 2020, New Okta Report Finds - MSSP Alert

Reports Published in the Last Week

• Secure Sign-in Trends Report | Okta

• Top 10 cyber security findings from Verizon's 2023 data breach report | VentureBeat

Other News

• #InfosecurityEurope: What TechUK's New Plan Means for Cyber security - Infosecurity Magazine (infosecurity-magazine.com)

• A Tech Plan to "Build a Better Britain" - IT Security Guru

• German National Security Strategy leaves out cyber counter-attacks – EURACTIV.com

• Moving the Cyber Industry Forward Requires a Novel Approach (darkreading.com)

• (ISC)² and CIISec Release Guide to Inclusive Language in Cyber security - Infosecurity Magazine (infosecurity-magazine.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive summary

Microsoft’s June Patch Tuesday provides updates to address 78 security issues across its product range, including 6 critical vulnerabilities. June’s patch Tuesday does not include any zero-day vulnerabilities or actively exploited bugs. The critical vulnerabilities include privilege escalation in Microsoft SharePoint, remote code execution in Microsoft Exchange Server, Windows PGM, .NET, .NET Framework and Visual Studio and finally, a denial of service in Windows Hyper-V.

What’s the risk to me or my business?

The vulnerabilities, if actively exploited allow an attacker to gain system privileges, remotely execute code and cause a denial of service compromising the confidentiality, integrity and availability of data stored by an organisation.

What can I do?

Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible, especially those that have a critical severity rating.

Further details on other specific updates within this patch Tuesday can be found here: https://www.ghacks.net/2023/06/13/the-windows-june-2023-security-patches-are-here-and-address-these-issues/

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity 

Executive summary

A recent report has highlighted the most notable software vulnerabilities in the first half of 2023, which included 2 critical actively exploited vulnerabilities in PaperCut MF and NG and Fortinet FortiOS products. This comes as Fortinet have recently released a patch for a separate critical vulnerability in FortiOS.  All three vulnerabilities allow an attacker to remotely execute unauthorised code and compromise the confidentiality, integrity and availability of data.

Fortinet

CVE-2023-27997 – This recent critical vulnerability targets an secure socket layer virtual private network  (SSL-VPN) flaw which allows an unauthenticated attacker remote code execution and to interfere with VPN connections even if Mulit-Factor Authentication (MFA) is in place. SSL-VPN is used to allow users to establish a secure, encrypted connection between the public internet and the corporate network.

CVE-2022-41328 – This is a vulnerability in improper limitation of a pathname, allowing an attacker to access restricted files with read and write access. Exploitation allows the attacker to remotely install and execute malware.

What can I do?

Fortinet has released fixes that address the vulnerability CVE-2023-27997. Customers must immediately apply the firmware updates as a matter of urgency. The following versions of FortiOS include patches for the vulnerability: 7.2.5, 7.0.12, 6.4.13, 6.2.15. An advisory has not been publicly announced yet. Results from Shodan indicate around 250,000 publicly discoverable devices are vulnerable.

For CVE-2022-41328, customers are recommended to update the affected products immediately as this is being actively exploited.

Affected products include:

-          FortiOS version 7.2.0 through 7.2.3 (Patched in version 7.2.4 or above)

-          FortiOS version 7.0.0 through 7.0.9 (Patched in version 7.0.10 or above)

-          FortiOS version 6.4.0 through 6.4.11 (Patched in version 6.4.12 or above)

-          FortiOS version 6.2.0 through 6.2.13 (Patched in version 6.2.14 or above)

-          FortiOS 6.0 all versions (No longer supported)

PaperCut

CVE – 2023-27350 – This vulnerability allows an unauthenticated attacker to pull information about a user stored within PaperCut MF or NG. This data includes usernames, full names, email addresses, office/department info and any card numbers associated with the user. The attacker can also retrieve the hashed passwords for internal PaperCut created users only.

The following PaperCut MF and NG versions and components are affected by CVE-2023-27350 on all OS platforms:

-          version 8.0.0 to 19.2.7  

-          version 20.0.0 to 20.1.6

-          version 21.0.0 to 21.2.10

-          version 22.0.0 to 22.0.8

What can I do?

PaperCut has recommended that customers upgrade all application servers and site servers and to patch any of the affected products. This vulnerability has been addressed in Papercut MF and NG versions 20.1.7, 21.2.11, and 22.0.9 and later.

Further details on the Fortinet vulnerability can be found here:

https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaw-in-fortigate-ssl-vpn-devices-patch-now/

Further details on the Fortinet CVE-2022-41328 vulnerability can be found here:

https://www.fortiguard.com/psirt/FG-IR-22-369

Further details on the PaperCut vulnerability can be found here:

https://www.papercut.com/kb/Main/PO-1216-and-PO-1219

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• 74% of Breaches Involve Human Element- Make Employees Your Best Asset

Verizon’s recent data breach report analysed 16,312 security incidents and 5,199 breaches. A total of 74% of breaches involved a human element, highlighting the role of employees in achieving good cyber resilience. Organisations looking to improve their resilience should therefore consider how well and how frequently they train their users. In a recent report, Fortinet found that 90% of leaders believed that increasing their employee cyber security awareness would help decrease the occurrence of cyber attacks. Worryingly, despite 85% of leaders having an awareness and training programme in place, 50% believed their employees still lacked cyber security knowledge.

With an effective training programme, organisations can increase their employees’ cyber risk awareness and empower them in defending the organisation, laying the foundation for a strong cyber security culture.

https://www.helpnetsecurity.com/2023/06/06/verizon-data-breach-investigations-report-2023-dbir/

https://www.helpnetsecurity.com/2023/06/09/employees-cybersecurity-knowledge/

• Cyber Security Agency Urges Vigilance as MOVEit Attack Impacts Major Companies Including British Airways, Boots and the BBC

The recent cyber attacks on file transfer software MOVEit have impacted a number of major companies through their supply chain. The attack, which hit UK-based HR and payroll provider Zellis has had a huge knock-on effect, with major companies such as British Airways, Boots and the BBC suffering as a result of using Zellis in their supply chain. The UK’s National Cyber Security Centre (NCSC) has emphasised the need for organisations to exercise heightened vigilance.

Organisations must be aware of supply chain risks, and how an attack on a supplier or service provider can impact their own organisation. It is important for organisations to manage supply chain security, assess third party risks, communicate with suppliers and keep on top of emerging threats; it’s no simple task.

https://www.securityweek.com/several-major-organizations-confirm-being-impacted-by-moveit-attack/

https://www.ibtimes.co.uk/british-cybersecurity-agency-urges-vigilance-major-companies-fall-victim-software-hack-1716493

• CISOs and IT Lack Confidence in Executives’ Cyber Defence Knowledge as the Spotlight Falls on the Boardroom

Nearly three-quarters of data breaches include an element of human failure, and senior business leaders were particularly at risk, according to a recent report. Not only do business leaders possess the most sensitive information, but they are often the least protected, with many organisations making security protocol exemptions for them. Such factors have pushed the boardroom into the spotlight more.

In another report, it was found that only 28% of IT professionals were confident in their executives’ ability to recognise a phishing email. The report found that as many as 71% of executives were reusing compromised passwords from personal accounts inside the company. Technology alone won’t solve the problem: user awareness training is required and this includes the boardroom.

https://www.csoonline.com/article/3698708/cisos-it-lack-confidence-in-executives-cyber-defense-knowledge.html

https://www.computerweekly.com/news/366539293/Cyber-spotlight-falls-on-boardroom-privilege-as-incidents-soar

• Only 1 in 10 CISOs are Board-ready as Nearly Half of Boards Lack Cyber Expertise

A recent study has found that only 1 in 10 chief information security officers (CISOs) have all the key traits thought to be crucial for success on a corporate board, with many lacking governance skills and experience and other attributes needed for board readiness. Worryingly, nearly half of the 1,000 companies in the study lacked at least one director with cyber security expertise. This is concerning as good cyber security starts from the board: the board is responsible for understanding the business risks of a cyber incident and for endorsing whether the cyber controls in place have reduced those risks to a level that the board is happy with. Similarly, the board would not sign off financial risks without ensuring they had someone with financial experience and qualifications present. The Black Arrow vCISO service is ideal for organisations that need expertise in assessing and managing cyber risks, underpinned by governance reporting and metrics presented to enable the board to make educated and informed decisions.

https://www.csoonline.com/article/3698291/only-one-in-10-cisos-today-are-board-ready-study-says

• BEC Volumes and Ransomware Costs Double in a Year

The number of recorded business email compromise (BEC) attacks doubled over the past year, with the threat comprising nearly 60% of social engineering incidents studied by Verizon for its 2023 Data Breach Investigations Report. The report this year was based on analysis of 16,312 security incidents and 5,199 breaches over the past year.

Pretexting, which is commonly using in BEC attacks, is now more common than phishing in social engineering incidents, although the latter is still more prevalent in breaches, the report noted. The median amount stolen in pretexting attacks now stands at $50,000. The vast majority of attacks (97%) over the past year were motivated by financial gain rather than espionage.

https://www.infosecurity-magazine.com/news/bec-volumes-ransomware-costs/

• Hackers are Targeting C-Suite Executives Through Their Personal Email

As companies rely on chief financial officers (CFOs) to mitigate risk, cyber attacks and the costs associated with them are a major concern. Now there is also a growing trend of cyber criminals targeting C-suite executives in their personal lives, where it is easier to pull off a breach as there are fewer, if any, protections, instead of targeting them through their business accounts. Once attackers have access, they then try to use this to gain entry to the corporate systems. The report found that 42% of companies have experienced cyber criminal attacks on their senior-level corporate executives, which can compromise sensitive business data. The report found that 58% of respondents stated that cyber threat prevention for executives and their digital assets are not covered in their cyber, IT and physical securities strategies and budgets.

https://fortune.com/2023/06/08/hackers-targeting-c-suite-executives-personal-email-cybersecurity

• Proactive Detection is Crucial as Organisations Lack Effective Threat Research

In a recent study, it was found that CISOs are spending significantly less time on threat research and awareness, despite 58% having an increase in their budget for cyber security; the same number reported that their team is so busy, they may not detect an attack. In a different report, keeping up with threat intelligence was identified as one of the biggest challenges faced.

https://www.helpnetsecurity.com/2023/06/06/cisos-cybersecurity-spending/

• Number of Vulnerabilities Exploited Rose by 55%

A recent report from Palo Alto Networks’ Unit 42 found that the number of vulnerabilities that attackers are exploiting has grown by 55% compared to 2021, with most of the increase resulting from supply chain vulnerabilities; along with this was a 25% rise in the number of CVE’s, the term used for identified vulnerabilities. Worryingly ChatGPT scams saw a 910% increase in monthly domain registrations, pointing to an exponential growth in fraudulent activities taking advantage of the widespread usage and popularity of AI-powered chatbots.

Such growth puts further strain on cyber security staff, making it even harder for organisations to keep up. A strong threat management programme is needed, to help organisations prioritise threats and use organisational resources effectively to address said threats.

https://www.infosecurity-magazine.com/news/exploitation-vulnerabilities-grew/

https://www.infosecurity-magazine.com/news/cves-surge-25-2022-another-record/

• Ransomware Behind Most Cyber Attacks, with Record-breaking May

2022 saw ransomware account for nearly one in four (24%) cyber attacks, with 95% of events resulting in a loss costing upwards of $2.25 million during 2021-2022. Ransomware remains a significant threat as evidenced by a different report, which stated that May 2023 saw a 154% spike in ransomware compared to May 2022. Other key findings include unreported attacks being five times more likely than reported attacks.

https://www.msspalert.com/cybersecurity-research/ransomware-hit-new-attack-highs-in-may-2023-blackfog-report-says/

https://www.scmagazine.com/analysis/ransomware/ransomware-attacks-have-room-to-grow-verizon-data-breach-report-shows

• 4 Areas of Cyber Risk That Boards Need to Address

As technological innovations such as cloud computing, the Internet of Things, robotic process automation, and predictive analytics are integrated into organisations, it makes them increasingly susceptible to cyber threats. This means that governing and assessing cyber risks becomes a prerequisite for successful business performance. This need for transparency has been recognised by the regulators and facilitated by the new cyber security rules to ensure companies maintain adequate cyber security controls and appropriately disclose cyber-related risks and incidents.

To ensure they fulfil the requirements, organisations should focus on the following areas: position security as a strategic business enabler; continuously monitor the cyber risk capability performance; align cyber risk management with business needs through policies and standards; and proactively anticipate the changing threat landscape by utilising threat intelligence sources for emerging threats.

https://hbr.org/2023/06/4-areas-of-cyber-risk-that-boards-need-to-address

• North Korea Makes 50% of Income from Cyber Attacks

The North Korean regime makes around half of its income from cyber attacks on cryptocurrency and other targets. A 2019 UN estimate claimed North Korea had amassed as much as $2bn through historic attacks on crypto firms and traditional banks.

North Korean hackers have been blamed for some of the biggest ever heists of cryptocurrency, including the $620m stolen from Sky Mavis’ Ronin Network last year and the $281m taken from KuCoin in 2020 and $35m from Atomic Wallet just this last weekend.

They are using increasingly sophisticated techniques to get what they want. The 3CX supply chain attacks, in which backdoor malware was implanted into a legitimate-looking software update from the eponymous comms provider, is thought to have been a targeted attempt at hitting crypto exchanges.

https://www.infosecurity-magazine.com/news/north-korea-makes-50-income/

• Going Beyond “Next Generation” Network Security

Over a decade ago, the phrase “next generation” was used in the network security space to describe the introduction of application-layer controls with firewalls. It was a pivotal moment for the space, setting a new standard for how we protected the perimeter. A lot has happened in the last decade though, most notably, the rapid adoption of cloud and multicloud architectures and the loss of the “perimeter.” Today, 82% of IT leaders have adopted hybrid cloud architectures, and 58% of organisations use between two and three public Infrastructure as a Service (IaaS) clouds. On top of that, 95% of web traffic is encrypted which limits visibility. Applications are everywhere, access privileges are unstructured, increasing the attack surface, and businesses expect near-perfect availability and resilience. To make things more complicated, enterprises have tried to solve these challenges with disparate solutions, leading to vendor sprawl among security stacks and operational inefficiency. What was once considered “next-generation” network security no longer cuts it.

https://blogs.cisco.com/security/going-beyond-next-generation-network-security-cisco-platform-approach

• Worldwide 2022 Email Phishing Statistics and Examples

Remote and hybrid work environments have become the new norm. The fact that email has become increasingly integral to business operations, has led malicious actors to favour email as an attack vector. According to a report by security company Egress, 92% of organisations have fallen victim to phishing attacks in 2022, a 29% increase in phishing incidents from 2021. Phishing attacks aimed at stealing info and data, also known as credential phishing, saw a 4% growth in 2022, with nearly 7 million detections. Rather worryingly, there was a 35% increase in the number of detections that related to business email compromise (BEC); these attacks mostly impersonated executives or high-ranking management personnel. With the increase in AI tools, it is expected that cyber criminals will be better able to create and deploy more sophisticated phishing attacks.

https://www.trendmicro.com/en_us/ciso/23/e/worldwide-email-phishing-stats-examples-2023.html

Governance, Risk and Compliance

• Insurers Predict $33bn Bill for Catastrophic "Cyber Event" - Infosecurity Magazine (infosecurity-magazine.com)

• Verizon 2023 Data Breach Investigations Report: 74% of breaches involve human element - Help Net Security

• 4 Areas of Cyber Risk That Boards Need to Address (hbr.org)

• CISOs, IT lack confidence in executives’ cyber-defence knowledge | CSO Online

• Cyber spotlight falls on boardroom ‘privilege’ as incidents soar | Computer Weekly

• CISOs focus more on business strategy than threat research - Help Net Security

• With SEC Rule Changes on the Horizon, Research Reveals Only 14% of CISOs Have Traits Desired for Cyber Expert Board Positions (darkreading.com)

• Only one in 10 CISOs today are board-ready, study says | CSO Online

• Employee cyber security awareness takes centre stage in defence strategies - Help Net Security

• The Importance of Managing Your Data Security Posture (thehackernews.com)

• How CISOs Can Manage the Intersection of Security, Privacy, And Trust (darkreading.com)

• Why Companies Should Consider Developing A Chief Security Officer Position (forbes.com)

• Want Sustainable Security? Find Middle Ground Between Tech & Education (darkreading.com)

• VeeamON 2023: When Your Nightmare Comes True - The New Stack

• Make Your Employees Your Best Asset in Combating Cyber crime | CISO Collective (fortinet.com)

• UK Organisations lack clear path to achieve threat intelligence - IT Security Guru

• CIOs prioritize new technologies over tech stack optimization - Help Net Security

• Top factors driving enterprise demand for new cyber security technology - Help Net Security

• Why a proactive detection and incident response plan is crucial for your organisation | Microsoft Security Blog

• Factors influencing IT security spending - Help Net Security

• How to Boost Cyber Security Through Better Communication (securityintelligence.com)

• Generative AI's influence on data governance and compliance - Help Net Security

• Essential Cyber security Compliance Standards (trendmicro.com)

Threats

Ransomware, Extortion and Destructive Attacks

• Verizon DBIR: Social Engineering Gains Lead to Spiraling Breach Costs (darkreading.com)

• Ransomware Behind Most Cyber Attacks, Verizon Business Reports - MSSP Alert

• Ransomware Hit New Attack Highs in May 2023, BlackFog Report Says - MSSP Alert

• Hacking Spree Feared After Breach of File-Sharing Software - Bloomberg

• Clop ransomware likely testing MOVEit zero-day since 2021 (bleepingcomputer.com)

• Clop extortion gang gives MOVEit exploit victims one week to reach out | CSO Online

• New Linux Ransomware Strain BlackSuit Shows Striking Similarities to Royal (thehackernews.com)

• Cyclops Ransomware group offers a multiplatform Info StealerSecurity Affairs

• 0mega ransomware gang changes tactics - Help Net Security

• Firms warned not to give in to blackmail threats after Russia-linked payroll data hack | Evening Standard

• Royal ransomware gang adds BlackSuit encryptor to their arsenal (bleepingcomputer.com)

• Cyber Extortionists Seek Out Fresh Victims in LatAm and Asia - Infosecurity Magazine (infosecurity-magazine.com)

Ransomware Victims

• BA, BBC and Boots staff data hit by Russia-linked cyber attack (telegraph.co.uk)

• Ransomware takes down multiple municipalities in May | TechTarget

• Several Major Organisations Confirm Being Impacted by MOVEit Attack - SecurityWeek

• Spanish Bank Globalcaja Hit By Ransomware Attack - Infosecurity Magazine (infosecurity-magazine.com)

• 2.5M Impacted by Enzo Biochem Data Leak After Ransomware Attack (darkreading.com)

• Burton Snowboards discloses data breach after February attack (bleepingcomputer.com)

• Pharmaceutical Giant Eisai Hit By Ransomware Incident - Infosecurity Magazine (infosecurity-magazine.com)

• City of Dallas Still Clawing Back Weeks After Cyber Incident (darkreading.com)

• Caribbean Island Suffers Cyber Attack, MSSP Expert Recommends Low-Code Automation - MSSP Alert

Phishing & Email Based Attacks

• Fixing email security: It's still a rocky road ahead - SiliconANGLE

• Worldwide 2022 Email Phishing Statistics and Examples (trendmicro.com)

• New Security Warning Issued For Google's 1.8 Billion Gmail Users (forbes.com)

• New Horabot campaign takes over victim's Gmail, Outlook accounts (bleepingcomputer.com)

• Chinese Phishing Gang "PostalFurious" Expands Campaign - Infosecurity Magazine (infosecurity-magazine.com)

• Phishing Attack Prevention Checklist - A Detailed Guide (gbhackers.com)

• Gmail spoofing vulnerability sparks Google ‘Priority 1’ probe | SC Media (scmagazine.com)

BEC – Business Email Compromise

• BEC Volumes and Ransomware Costs Double in a Year - Infosecurity Magazine (infosecurity-magazine.com)

Other Social Engineering; Smishing, Vishing, etc

• Verizon DBIR: Social Engineering Gains Lead to Spiraling Breach Costs (darkreading.com)

Artificial Intelligence

• AI poses national security threat, warns terror watchdog | Artificial intelligence (AI) | The Guardian

• ChatGPT creates mutating malware that evades detection by EDR | CSO Online

• The Growing Cyber Threats of Generative AI: Who's Accountable? (darkreading.com)

• Consumers overestimate their deepfake detection skills - Help Net Security

• Department of Defence AI principles have a place in the CISO’s playbook | CSO Online

• Generative AI's influence on data governance and compliance - Help Net Security

• Traditional malware increasingly takes advantage of ChatGPT for attacks | CSO Online

• AI drone 'kills' human operator during 'simulation' - which US Air Force says didn't take place | Science & Tech News | Sky News

• OWASP lists 10 most critical large language model vulnerabilities | CSO Online

• Japan privacy watchdog warns ChatGPT-maker OpenAI on user data | Reuters

• New ChatGPT Attack Technique Spreads Malicious Packages - Infosecurity Magazine (infosecurity-magazine.com)

• Sextortionists are making AI nudes from your social media images (bleepingcomputer.com)

• Cyber crooks Scrape OpenAI API Keys to Pirate GPT-4 (darkreading.com)

2FA/MFA

• PyPI's 2FA Requirements Don't Go Far Enough, Researchers Say (darkreading.com)

• How fraudsters undermine text passcodes - Help Net Security

Malware

• High-profile malware and targeted attacks in Q1 2023 | Securelist

• ChatGPT creates mutating malware that evades detection by EDR | CSO Online

• Malicious Chrome extensions with 75M installs removed from Web Store (bleepingcomputer.com)

• Qakbot: The trojan that just won't go away - Help Net Security

• Qbot malware adapts to live another day … and another … • The Register

• Alarming Surge in TrueBot Activity Revealed with New Delivery Vectors (thehackernews.com)

• New ChatGPT Attack Technique Spreads Malicious Packages - Infosecurity Magazine (infosecurity-magazine.com)

• New PowerDrop Malware Targeting US Aerospace Industry (thehackernews.com)

• Dissecting the Dark Web Supply Chain: Stealer Logs in Context (bleepingcomputer.com)

• Minecraft Malware Spreading Through Mods, Plug-ins (darkreading.com)

• Online sellers targeted by new information-stealing malware campaign (bleepingcomputer.com)

• Google puts $1M behind its mining-malware detection promise • The Register

Mobile

• Over 60,000 Android apps secretly installed adware for past six months (bleepingcomputer.com)

• Android security update fixes Mali GPU flaw exploited by spyware (bleepingcomputer.com)

• New tool scans iPhones for 'Triangulation' malware infection (bleepingcomputer.com)

• New Android feature drop will scan the dark web for your Gmail address | Trusted Reviews

• Apple announces next-level privacy and security innovations - Help Net Security

• How Does Android Stack Up Vs IOS? (informationsecuritybuzz.com)

Botnets

• New Horabot campaign takes over victim's Gmail, Outlook accounts (bleepingcomputer.com)

• Alarming Surge in TrueBot Activity Revealed with New Delivery Vectors (thehackernews.com)

Denial of Service/DoS/DDOS

• Outlook.com hit by outages as hacktivists claim DDoS attacks (bleepingcomputer.com)

• The evolution of DDoS attacks in 2023 - Help Net Security

• Microsoft OneDrive down worldwide following claims of DDoS attacks (bleepingcomputer.com)

Internet of Things – IoT             

• Britain to remove Chinese surveillance gear from government sites | Surveillance | The Guardian

• Morrisons and Tesco ban Chinese CCTV cameras over security fears (telegraph.co.uk)

• Amazon’s Ring doorbell employees spied on users’ bathrooms (telegraph.co.uk)

• High-risk vulnerabilities patched in ABB Aspect building management system - Help Net Security

• New York City sues Hyundai, Kia claiming cars easy to steal • The Register

Data Breaches/Leaks

• Verizon DBIR: Social Engineering Gains Lead to Spiraling Breach Costs (darkreading.com)

• BA, BBC and Boots staff data hit by Russia-linked cyber attack (telegraph.co.uk)

• This Google Workspace security flaw could let hackers quietly steal your Drive files | TechRadar

• Microsoft: Lace Tempest Hackers Behind Active Exploitation of MOVEit Transfer App (thehackernews.com)

• Hackers launch another wave of mass-hacks targeting company file transfer tools | TechCrunch

• Massive free VPN data breach exposes 360M records | Fox News

• 2.5M Impacted by Enzo Biochem Data Leak After Ransomware Attack (darkreading.com)

• Cloud misconfiguration causes massive data breach at Toyota Motor | CSO Online

• Honda API flaws exposed customer data, dealer panels, internal docs (bleepingcomputer.com)

• Every Netherlands resident affected by data leak: watchdog | NL Times

• German recruiter Pflegia leaks sensitive job seeker info- Security Affairs

• What’s really changed 10 years after the Snowden revelations? | Edward Snowden | The Guardian

Organised Crime & Criminal Actors

• RaidForums: The child hacker facing extradition to the US | Euronews

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• North Korean Hackers Blamed for $35 Million Atomic Wallet Crypto Theft – Security Week

• Google puts $1M behind its mining-malware detection promise • The Register

Insider Risk and Insider Threats

• Verizon 2023 Data Breach Investigations Report: 74% of breaches involve human element - Help Net Security

• How to Boost Cyber Security Through Better Communication (securityintelligence.com)

Fraud, Scams & Financial Crime

• Scammers publish ads for hacking services on government websites | TechCrunch

• Hackers hijack legitimate sites to host credit card stealer scripts (bleepingcomputer.com)

• A new wave of sophisticated digital fraud hits Europe - Help Net Security

• ID fraud a possibility forever, claims data breach lawsuit • The Register

• How fraudsters undermine text passcodes - Help Net Security

• Magento, WooCommerce, WordPress, and Shopify Exploited in Web Skimmer Attack (thehackernews.com)

• Brazilian Cyber criminals Using LOLBaS and CMD Scripts to Drain Bank Accounts (thehackernews.com)

• Virtual claims raise alarms among insurance carriers and customers - Help Net Security

• UK banks to reimburse fraud victims under new rules, regulator confirms | Scams | The Guardian

• Interpol: Human Trafficking is Fueling Fraud Epidemic - Infosecurity Magazine (infosecurity-magazine.com)

Impersonation Attacks

• 'Picture-in-Picture' Obfuscation Spoofs Delta, Kohl's for Credential Harvesting (darkreading.com)

• Gmail spoofing vulnerability sparks Google ‘Priority 1’ probe | SC Media (scmagazine.com)

Deepfakes

• Sextortionists are making AI nudes from your social media images (bleepingcomputer.com)

• Deepfakes being used in ‘sextortion’ scams, FBI warns • The Register

• Consumers overestimate their deepfake detection skills - Help Net Security

• Defenders Buckle Up for a Future of Detecting Deepfakes (darkreading.com)

Insurance

• Insurers Predict $33bn Bill for Catastrophic "Cyber Event" - Infosecurity Magazine (infosecurity-magazine.com)

• Virtual claims raise alarms among insurance carriers and customers - Help Net Security

Dark Web

• New Android feature drop will scan the dark web for your Gmail address | Trusted Reviews

• Dissecting the Dark Web Supply Chain: Stealer Logs in Context (bleepingcomputer.com)

• What is the dark web and how do you access it? (androidpolice.com)

Supply Chain and Third Parties

• Firms warned not to give in to blackmail threats after Russia-linked payroll data hack | Evening Standard

• Capita data breach ‘may affect millions’ (thetimes.co.uk)

• BA, BBC and Boots staff data hit by Russia-linked cyber attack (telegraph.co.uk)

• Microsoft: Lace Tempest Hackers Behind Active Exploitation of MOVEit Transfer App (thehackernews.com)

• Clop extortion gang gives MOVEit exploit victims one week to reach out | CSO Online

• Clop Ransomware Gang Likely Aware of MOVEit Transfer Vulnerability Since 2021 (thehackernews.com)

• Hacking Spree Feared After Breach of File-Sharing Software - Bloomberg

• data privacy: Swiss administration hit by cyber attack - The Economic Times (indiatimes.com)

Software Supply Chain

• SBOMs - Software Supply Chain Security’s Future or Fantasy? - SecurityWeek

• 10 security tool categories needed to shore up software supply chain security | CSO Online

Cloud/SaaS

• Cloud Security Tops Concerns for Cyber Security Leaders: EC-Council's Certified CISO Hall of Fame Report 2023 (thehackernews.com)

• The Annual Report: 2024 Plans and Priorities for SaaS Security (thehackernews.com)

• Cloud misconfiguration causes massive data breach at Toyota Motor | CSO Online

• This Google Workspace security flaw could let hackers quietly steal your Drive files | TechRadar

• Current SaaS security strategies don't go far enough - Help Net Security

Hybrid/Remote Working

• Filling the Gaps: How to Secure the Future of Hybrid Work (darkreading.com)

• Thought of Going Into Office Gives Quarter of Employees Sunday Scaries - IT Security Guru

• Surveilling your employees? You could be putting your company at risk of attack - Help Net Security

Shadow IT

• Shadow IT is increasing and so are the associated security risks | CSO Online

Encryption

• UK Government Official Offers Up Nonsensical Defence Of Criminalizing End-To-End Encryption | Techdirt

API

• Honda API flaws exposed customer data, dealer panels, internal docs (bleepingcomputer.com)

• OWASP's 2023 API Security Top 10 Refines View of API Risks - SecurityWeek

Passwords, Credential Stuffing & Brute Force Attacks

• Watch brute force hacking attempts fail in realtime | Boing Boing

Social Media

• UK mental health charities handed sensitive data to Facebook for targeted ads | Mental health | The Guardian

• Microsoft Preps $425M Payment for LinkedIn GDPR Violations (darkreading.com)

• Hate speech is driving advertisers away from Twitter • Graham Cluley

• US government's TikTok ban extended to include contractors • The Register

Training, Education and Awareness

• Employee cyber security awareness takes center stage in defense strategies - Help Net Security

• Want Sustainable Security? Find Middle Ground Between Tech & Education (darkreading.com)

• Make Your Employees Your Best Asset in Combating Cyber crime | CISO Collective (fortinet.com)

• How to Boost Cyber security Through Better Communication (securityintelligence.com)

• Embracing realistic simulations in cyber security training programs - Help Net Security

Data Protection

• SEC drops 42 cases after staff bungle data protection • The Register

• Japan privacy watchdog warns ChatGPT-maker OpenAI on user data | Reuters

• Microsoft Preps $425M Payment for LinkedIn GDPR Violations (darkreading.com)

• Microsoft Fined $20M For Xbox Child Data Collection (darkreading.com)

Careers, Working in Cyber and Information Security

• Governments Need a Cyber Blueprint to Hire, Retain Cyber security Talent, Report Says - MSSP Alert

Privacy, Surveillance and Mass Monitoring

• UK mental health charities handed sensitive data to Facebook for targeted ads | Mental health | The Guardian

• Amazon’s Ring doorbell employees spied on users’ bathrooms (telegraph.co.uk)

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• British Army organises major Western European cyber warfare exercise (ibtimes.co.uk)

• Still standing after 260m attacks: inside Ukraine’s cyber warfare squad (thetimes.co.uk)

• Hacks Against Ukraine's Emergency Response Services Rise During Bombings | WIRED

Nation State Actors

• North Korea Makes 50% of Income from Cyber-Attacks: Report - Infosecurity Magazine (infosecurity-magazine.com)

• A Peek Behind the Curtain: Examining the Dimensions of a National-level Cyber Program | Mandiant

• Chinese Phishing Gang "PostalFurious" Expands Campaign - Infosecurity Magazine (infosecurity-magazine.com)

• North Korean APT group targets email credentials in social engineering campaign | CSO Online

• UK to strip Chinese surveillance cameras from sensitive government sites | Financial Times (ft.com)

• Morrisons and Tesco ban Chinese CCTV cameras over security fears (telegraph.co.uk)

• US government's TikTok ban extended to include contractors • The Register

• Camaro Dragon Strikes with New TinyNote Backdoor for Intelligence Gathering (thehackernews.com)

• Kimsuky APT poses as journalists and broadcast writers in attacks- Security Affairs

• Meet TeamT5, the Taiwanese infosec outfit taking on Beijing • The Register

• China has closed unofficial ‘police stations’ in Britain, UK minister says | China | The Guardian

• Lazarus hackers linked to the $35 million Atomic Wallet heist (bleepingcomputer.com)

• Kimsuky Targets Think Tanks and News Media with Social Engineering Attacks (thehackernews.com)

• Hostile states face contract ban amid security concerns (thetimes.co.uk)

• North Korean Hackers Blamed for $35 Million Atomic Wallet Crypto Theft - SecurityWeek

• Espionage Attacks in North Africa Linked to "Stealth Soldier" Backdoor - Infosecurity Magazine (infosecurity-magazine.com)

Vulnerability Management

• Exploitation of Vulnerabilities Soared By 55% in 2022 - Infosecurity Magazine (infosecurity-magazine.com)

• New vulnerabilities increase by 25 percent (betanews.com)

• OWASP lists 10 most critical large language model vulnerabilities | CSO Online

• Public sector apps show higher rates of security flaws - Help Net Security

Vulnerabilities

• CISA adds Progress MOVEit Transfer zero-day to its Known Exploited Vulnerabilities catalog- Security Affairs

• Zyxel vulnerability under 'widespread exploitation' | TechTarget

• Barracuda Urges Immediate Replacement of Hacked ESG Appliances (thehackernews.com)

• Experts Unveil Exploit for Recent Windows Vulnerability Under Active Exploitation (thehackernews.com)

• Urgent Security Updates: Cisco and VMware Address Critical Vulnerabilities (thehackernews.com)

• High-Severity Vulnerabilities Patched in Splunk Enterprise - SecurityWeek

• Zero Day Initiative — CVE-2023-24941: Microsoft Network File System Remote Code Execution

• Gigabyte Slams Backdoor Shut With Attack-Killing BIOS Update (darkreading.com)

• Zero-Day Alert: Google Issues Patch for New Chrome Vulnerability - Update Now! (thehackernews.com)

• Android security update fixes Mali GPU flaw exploited by spyware (bleepingcomputer.com)

• Three Vulnerabilities Discovered in Game Dev Tool RenderDoc - Infosecurity Magazine (infosecurity-magazine.com)

• Firefox 114 is out: No 0-days, but one fascinating “teachable moment” bug – Naked Security (sophos.com)

• High-risk vulnerabilities patched in ABB Aspect building management system - Help Net Security

• Easily Exploitable Microsoft Visual Studio Bug Opens Developers to Takeover (darkreading.com)

Tools and Controls

• CISOs focus more on business strategy than threat research - Help Net Security

• CIOs prioritize new technologies over tech stack optimization - Help Net Security

• Going Beyond “Next Generation” Network Security - Cisco Blogs

• Make Your Employees Your Best Asset in Combating Cybercrime | CISO Collective (fortinet.com)

• UK Organisations lack clear path to achieve threat intelligence - IT Security Guru

• Why a proactive detection and incident response plan is crucial for your organisation | Microsoft Security Blog

• Employee cybersecurity awareness takes center stage in defence strategies - Help Net Security

• Want Sustainable Security? Find Middle Ground Between Tech & Education (darkreading.com)

• Factors influencing IT security spending - Help Net Security

• Top factors driving enterprise demand for new cyber security technology - Help Net Security

• How to Boost Cyber security Through Better Communication (securityintelligence.com)

• MoD adopts ‘secure by design’ for cyber security | UKAuthority

• Everyone is selling VPNs, and that's a problem for security | Engadget

• ISMG Editors: Why Communications Skills Matter for CISOs (inforisktoday.com)

• Network Security Checklist - 2023 (cybersecuritynews.com)

• Phishing Attack Prevention Checklist - A Detailed Guide (gbhackers.com)

• Ransomware Attack Prevention Checklist - 2023 (cybersecuritynews.com)

• OWASP lists 10 most critical large language model vulnerabilities | CSO Online

• This Google Workspace security flaw could let hackers quietly steal your Drive files | TechRadar

• How to make developers love security - Help Net Security

• Embracing realistic simulations in cyber security training programs - Help Net Security

• The Key to Zero Trust Identity Is Automation (darkreading.com)

• What generative AI's rise means for the cyber security industry | TechTarget

• Cisco spotlights generative AI in security, collaboration | Network World

• 10 security tool categories needed to shore up software supply chain security | CSO Online

• How to Improve Your API Security Posture (thehackernews.com)

• Consolidate Vendors and Products for Better Security - SecurityWeek

Reports Published in the Last Week

• Verizon 2023 DBIR: Ransomware remains steady but complicated | TechTarget

• The Annual Report: 2024 Plans and Priorities for SaaS Security (thehackernews.com)

• Threat Intelligence report 2023 | Nokia

Other News

• The country with the best cyber security skills may surprise you | TechRadar

• CEO guilty of selling counterfeit Cisco devices to military, govt orgs (bleepingcomputer.com)

• NASA website flaw jeopardizes astrobiology fans- Security Affairs

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive summary

This week, Barracuda, Cisco, and VMware have all addressed vulnerabilities in their products. The vulnerabilities allow an attacker to elevate privileges to the highest available and remotely execute. Both Cisco and VMware have applied patches, whilst Barracuda have urged users to immediately replace appliances impacted by the vulnerability.

Barracuda

CVE-2023-2868: This is a remote code injection vulnerability which has been exploited for at least seven months, allowing a successful attacker to steal information from Barracuda Email Security Gateway (ESG) devices.

Impacted versions include:

• ESG devices on version 5.1.3.001 through 9.2.0.006

What can I do?

Barracuda have stated that regardless of the patch version level, customers must immediately replace impacted ESG appliances. If you are unsure, Black Arrow recommend to check with your MSP.

CISCO

CVE-2023-20178: This vulnerability, if exploited, can allow an attacker to execute code with SYSTEM privileges, the highest available.

 Impacted versions include:

• Cisco AnyConnect Secure Mobility Client Software for Windows (version 4.10 and earlier)

• Cisco Secure Client Software for Windows (version 5.0). For releases earlier than 5.0, this is known as Cisco AnyConnect Secure Mobility Client for Windows.

CVE-2023-20105: A vulnerability which allows an administrator with read-only access to elevate to have the ability to write to files.

CVE-2023-20192: A vulnerability which allows an authenticated local user to execute commands and modify configuration files. For this to be successful, the vulnerable version must have granted command line interface access (CLI) to a read-only administrator of the system.

Impacted versions include:

Cisco Express Series and Cisco TelePresence VCS version 14.0 and earlier.

What can I do?

Patches are available in AnyConnect Secure Mobility Client for Windows 4.10MR7 and Cisco Secure Client for Windows 5.0MR2 should be applied. No workarounds are available.

For Cisco Express Series and Cisco TelePresence VCS version 14.0 and earlier, the first fixed releases are 14.2.1. for CVE-2023-20105 and 14.3.0 for CVE-2023-20192. As a mitigation for CVE-2023-20192, Cisco have recommended ensure CLI access is disabled for read-only users; this should be disabled by default.

VMware

CVE-2023-20887: A command injection vulnerability, allowing an attacker to execute code remotely.

CVE-2023-20888: An authentication deserialization vulnerability, allowing remote code execution.

CVE-2023-20889: An information disclosure vulnerability, where an attacker with network access can inject commands to force information out.

Impacted versions include:

• VMware Aria Operations Networks version 6.x.

What can I do?

VMware have recommended applying patches available for versions: 6.2 / 6.3 / 6.4 / 6.5.1 / 6.6 / 6.7 / 6.8 / 6.9 / 6.10.

Further details on the Barracuda ESG vulnerabilities can be found here: https://www.barracuda.com/company/legal/esg-vulnerability

Further details on the Cisco vulnerability can be found here: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-csc-privesc-wx4U4Kw

Further details on the VMware vulnerabilities can be found here: https://www.vmware.com/security/advisories/VMSA-2023-0012.html

Further details of the patches available for VMware can be found here: https://kb.vmware.com/s/article/92684

Need help understanding your gaps, or just want some advice? Get in touch with us

#threatadvisory #threatintelligence #cybersecurity

Executive Summary

A number of recently disclosed vulnerabilities in Zyxel firewalls are now known to be being actively exploited by malicious actors.

Two of these exploited vulnerabilities are buffer overflows which enable an unauthenticated attacker to cause a denial-of-service (DoS) condition and remote code execution. In addition, a further critical vulnerability has been disclosed which allows an unauthenticated attacker to execute operating system commands to remotely send packets to a device.

These vulnerabilities have been added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog: Known Exploited Vulnerabilities Catalog | CISA

What’s the risk to me or my business?

The vulnerabilities, if exploited, allow an attacker to execute remote code and cause a denial of service. If this occurs it can allow an attacker to disable or modify the firewall rules, allowing further malicious attacks to breach the network – all of which impact the confidentiality, integrity and availability of data of the organisation.

Technical Summary

CVE-2023-3309 – A buffer overflow vulnerability in the notification function in some firewall versions could allow an unauthenticated attacker to cause DoS conditions and even remotely execute code on an affected device.

CVE-2023-33010 – A buffer overflow vulnerability in the ID processing function in some firewall versions could allow an unauthenticated attacker to cause DoS conditions and even motely execute code on an affected device.

CVE-2023-28771 – Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some operating system commands remotely by sending crafted packets to an affected device.

The affected firewall products and versions are patched in version ZLD V5.36 Patch 2:

- ATP – versions: ZLD V4.32 to V5.36 Patch 1

- USG FLEX – versions: ZLD V4.50 to V5.36 Patch 1

- USG FLEX50(W)/USG20(W)-VPN – versions: ZLD V4.25 to V5.36 Patch 1

- VPN – versions: ZLD V4.30 to V5.36 Patch 1

The following affected product and versions are patched in version ZLD V4.73 Patch 2:

-  ZyWALL/USG – versions: ZLD V4.25 to V4.73 Patch 1

What can I do?

It is recommended that patches are applied immediately for the impacted products. Zyxel has also issued guidance to disable HTTP/HTTPS services from the Wide Area Network (WAN) unless absolutely required, and to disable UDP ports 500 and 4500 if not in use. If you are unsure, it is advised to check with your MSP.

Further information can be found here:

https://www.zyxel.com/global/en/support/security-advisories/zyxels-guidance-for-the-recent-attacks-on-the-zywall-devices

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Executive summary

A few days ago, a critical flaw in file transfer software Moveit was exploited, and millions could be impacted. The flaw (CVE-2023-34362) is under active exploitation, with the recent announcement of breaches against UK Payroll provider Zellis, who support services to hundreds of services in the UK. The breach against Zellis has further impacted companies that use Zellis, including the BBC, major UK airline British Airways and major UK retailer, Boots. In addition, the US Government’s Cybersecurity and Infrastructure Agency (CISA)  has ordered agencies to patch the flaw.

What’s the risk to me or my business?

The flaw, which has been linked by Microsoft to Lace Tempest, known for ransomware operations & running the Clop extortion site, is being used to exfiltrate data, impacting the confidentiality, integrity and availability of the data an organisation holds. Exploitation of the flaw allows a successful threat actor to gain unauthenticated, remote access to the MOVEit database, allow them to execute code.

Technical Summary:

CVE-2023-34362 – A SQL injection vulnerability in the MOVEit Transfer web application which if exploited, could allow unauthorised access to MOVEit Transfer’s database.

The table below has been taken from MOVEit’s security bulletin:

What can I do?

It is important that organisations not only consider themselves and whether they are using MOVEit Transfer software, but also whether any of their suppliers are using it. In both cases, the relevant fixed version should be installed.

The breaches further reinforce the importance of the supply chain and the impact it can have on organisations. It’s not just about your own security, but also any provider who your organisation uses.

Further details the patch can be found here:

https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• How to Keep Cyber Attacks from Tanking Your Balance Sheet

According to a recent Forrester report, last year saw 1 billion records exposed in the top 35 breaches, $2.6 billion stolen in the top nine cryptocurrency breaches, and $2.7 billion in fines levied to the top 35 violators.

The average cost of a data breach reached $4.35 million in 2022, according to IBM’s Cost of a Data Breach Report for that year, which represents a 2.6% increase over the prior year, and a 12.7% increase from 2020. For ransomware, a report found the average payment in 2021 was approximately $1.85 million, more than double the $760,000 figure from 2020. These are just direct costs; indirect costs are far greater and can include lost business, lost customers, reputational loss and regulatory fines.

When it comes to managing cyber risk, corporate boards should look to understand cyber security as a strategic business enabler, understand the impacts, align risk-management with business needs, ensure the organisation supports cyber security, incorporate cyber security expertise into governance and encourage systemic resilience.

https://hbr.org/2023/06/how-to-keep-cyberattacks-from-tanking-your-balance-sheet

• Company Size Doesn’t Matter When It Comes to Cyber Attacks

65% of large organisations suffered a cyber attack within the last 12 months, which is similar to the results among companies of all sizes (68%), according to a recent report. The most common security incidents were the same for all companies; these were phishing, ransomware and user account compromise, also known as business email compromise (BEC).

Smaller companies often underestimate their risk, with the reasoning that cyber criminals want the biggest targets as they will likely have more intellectual property, however all businesses have valuable data and are therefore a target. Additionally, smaller organisations can sometimes be seen as a way into larger organisations that use their services.

https://www.helpnetsecurity.com/2023/05/29/larger-organizations-cyberattacks/

• ‘Exceptional’ Cyber Attacks Now Normal, says BT Security Chief

The threat of cyber attacks is growing at an “unprecedented” pace, according to the chief security officer at multinational teleco BT, Howard Watson, but it is not just large organisations such as BT who will be impacted by this increase.

Watson highlighted that the increase in sophisticated technology poses the biggest threat in the long run: “Technological advancement, as ever, is a double-edged sword in security. Quantum and AI have great potential for benefits in the right hands, or to cause massive damage in the wrong hands. But we know that cyber criminals will utilise these technologies, so we have to be able to respond in kind.”  Adding to this, the chief security officer highlighted that events that were previously considered as ‘exceptional’ need to be assessed and planned for as a probability, rather than a possibility.

https://www.thetimes.co.uk/article/exceptional-cyberattacks-now-normal-says-bt-security-chief-nd2kfp3gc

• How State-Sponsored/Advanced Persistent Threat Groups (APTs) Target SMBs

Small and medium businesses (SMBs) are not exempt from being targeted by advanced persistent threat (APT) actors, according to Proofpoint researchers who collected data from over 200,000 SMB customers. Proofpoint identified a rise in phishing campaigns originating from such state-sponsored APT groups, who are highly skilled and typically state-sponsored groups with distinct strategic goals. These goals range from espionage and intellectual property theft to destructive attacks, state-sponsored financial theft, and disinformation campaigns.

Unfortunately, SMBs often lack adequate cyber security measures, making them vulnerable to all kinds of cyber threats. APT actors exploit this weakness by targeting SMBs as a stepping stone towards achieving their larger goals.

Alongside phishing campaigns, it was identified that APTs are increasingly targeting regional outsourced IT providers/Managed Service Providers (MSPs) to mount supply chain attacks. By compromising regional MSPs within geographies that align with the strategic collection requirements of APT actors, threat actors can gain access to multiple SMBs to extract sensitive information or execute further attacks.

https://www.helpnetsecurity.com/2023/05/31/apt-targeting-smbs/

• Phishing Campaigns Thrive as Evasive Tactics Outsmart Conventional Detection

According to research, 2022 saw a 25% increase in the use of phishing kits. These phishing kits are a set of tools that enable cyber criminals to effortlessly create and maintain large scale sophisticated phishing campaigns. It is this sophistication that allows cyber criminals to circumnavigate conventional detections; in fact, the research found a 40% increase in the use of anti-bot technologies designed to prevent automated scanners from identifying content as phishing.

In some cases (11% of observed phishing kits) malicious links would not be detected when tested by anti-phishing controls because those controls do not use the exact device parameters, geolocation and referrer of the intended target victim’s profile; therefore the malicious link is allowed to be delivered to the intended target.

https://www.helpnetsecurity.com/2023/06/01/advanced-detection-evasion-techniques/

• Don't be Polite When you Get a Text from a Wrong Number

You should immediately be suspicious of any text you get from a number not in your contacts, even if it may be innocent looking. Your first reaction may be to be polite and let them know they have the wrong number, but this person is a stranger. Strangely, despite teaching our children not to talk to strangers, many are comfortable with divulging information to them. Although letting them know they made a mistake seems harmless, responding opens you up to being scammed and you’ve just let them know you’re a real person. Every bit of helpful information you provide has the potential to be leveraged by an attacker.

https://www.kens5.com/article/money/consumer/wrong-number-text-messages/273-c94cd68b-6117-4add-bf16-e010f7e16726

• Capita Cyber Attack: 90 Downstream Organisations Reported Data Breaches

90 organisations have reported breaches of personal information held by Capita after the outsourcing group had suffered a cyber attack, according to Britain’s data watchdog. The attack on Capita, which occurred in March, is still impacting businesses, with the UK Information Commissioners Office (ICO) making enquiries. Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach.

The impact of the attack, and its knock-on effect, highlights the need for organisations to consider their third party security, no matter the size of the third party they use.

https://www.theguardian.com/business/2023/may/30/capita-cyber-attack-data-breaches-ico

• Travel-Themed Phishing, BEC Campaigns Get Smarter as Summer Season Arrives

A recent survey from McAfee found that nearly a third (30%) of adults have fallen victim or know someone who has fallen victim to an online scam when bargain hunting for travel deals during the summer season, with a full two-thirds of victims losing up to $1,000.

This has extended to the corporate environment, with threat actors impersonating the HR department and exploiting the trust users place in their employers, a report has found. The attack leverages regular HR procedures associated with holiday requests and taps into the anticipation and excitement surrounding the summer travel season, to capitalise on exploiting the user.

https://www.darkreading.com/endpoint/travel-themed-phishing-bec-campaigns-smarter-summer-season

• Organisations Spend 100 Hours Battling Post-Delivery Email Threats

Nearly every victim of a spear-phishing attack in the last 12 months saw impacts on their organisation, including malware infections, stolen data, and reputational damage, according to Barracuda Networks. The research shows that cyber criminals continue to barrage organisations with targeted email attacks, and many companies are struggling to keep up.

While spear-phishing attacks are low-volume, they are widespread and highly successful compared to other types of email attacks. On average, organisations take nearly 100 hours to identify, respond to, and remediate a post-deliver email threat: 43 hours to detect the attack and 56 hours to respond and remediate after the attack is detected.

Users at companies with more than a 50% remote workforce report higher levels of suspicious emails: 12 per day on average, compared to 9 per day for those with less than a 50% remote workforce. Companies with more than a 50% remote workforce also reported that it takes longer to both detect and respond to email security incidents: 55 hours to detect and 63 hours to respond and mitigate, compared to an average of 36 hours and 51 hours respectively for organisations with fewer remote workers.

https://www.helpnetsecurity.com/2023/05/30/2023-spear-phishing-trends/

• Ransomware Gangs Adopting Business-like Practices to Boost Profits

Ransomware gangs are using a variety of business-like practices to boost profits, making it more difficult for defenders to differentiate various groups, a new report by WithSecure has surmised. This move towards mirroring legitimate businesses practices means that tactics, techniques and procedures (TTPs) are blurring.

The underground marketplace now includes entities including ransomware-as-a-service (RaaS) groups, Initial Access Brokers (IAB), crypter-as-a-service (CaaS), cryptojackers, malware-as-a-service (MaaS) groups and nation-state actors. This allows nation-states to use tools available on the underground market to gain access to networks and systems without being detected. Ultimately, this trend towards professionalisation makes the expertise and resources to attack organisations accessible to lesser-skilled or poorly resourced threat actors.

https://www.infosecurity-magazine.com/news/ransomware-gangs-business-practices/

• The Sobering Truth about Ransomware—for the 80% Who Paid Up

Newly published research of 1,200 organisations impacted by ransomware reveals a sobering truth that awaits many of those who decide to pay the ransom. According to research, 80% of the organisations surveyed decided to pay the demanded ransom in order to both end the ongoing cyber attack and recover otherwise lost data. This is despite 41% of those organisations having a “do not pay” policy in place, which only goes to reinforce the cold hard fact that cyber crime isn’t an easy landscape to navigate. This is something that’s especially true when your business is facing the real-world impact of dealing with a ransomware attack.

Of the 960 organisations that paid a ransom, 201 of them (21%) were still unable to recover their lost data. The same number also reported that ransomware attacks were now excluded from their insurance policies. Of those organisations with cyber insurance cover, 74% reported a rise in premiums. Another report, published by Sophos, revealed that 32% of those surveyed opted to pay the ransom but a shocking 92% failed to recover all their data and 29% were unable to recover more than half of the encrypted data.

Some groups have switched to stealing sensitive customer or corporate data instead, with the ransom demanded in return for them not selling it to the highest bidder or publishing it online. Many groups combine the two for a double extortion ransomware attack.

https://www.forbes.com/sites/daveywinder/2023/05/30/the-sobering-truth-about-ransomware-for-the-80-percent-who-paid-up 

• The Great CISO Resignation: Why Security Leaders are Quitting in Droves

With the rise in AI tools such as ChatGPT broadening an attacker’s arsenal, this places greater and greater pressure on security leaders who are already dealing with shrinking budgets, skeleton crew staff and a conglomeration of security tools and protocols — so much so that they are increasingly quitting. A recent report found that nearly a third (32%) of CISOs in the US and UK were considering leaving their current organisation and 9 out of 10 reported themselves as “moderately” or “tremendously” stressed.

This so-called Great CISO Resignation is concerning, because what happens when there’s nobody guarding the gate and rallying the troops?

https://www.sdxcentral.com/articles/analysis/the-great-ciso-resignation-why-security-leaders-are-quitting-in-droves/2023/05/

• When is it Time for a Cyber Hygiene Audit?

Effective cyber hygiene practices limit threats against your systems, devices and users, preventing breaches that could compromise sensitive business information, database information, and personal data. But cyber hygiene isn’t a static or one-off process. It requires routine execution and, occasionally, a full audit. This audit typically covers a range of aspects including encryption, documentation, authentication, patches, security and ongoing cyber hygiene.

Good cyber hygiene is a necessary part of maintaining IT security. Setting up processes and procedures within your organisation’s regular operating procedures is an effective way to maintain cyber hygiene. Although the responsibilities may differ by position, everyone in the organisation plays a role.

An audit provides important information on where and where you need to improve. It also provides a baseline for measuring improvement and effectiveness. The key to success is to integrate hygiene into routine process starting top down from policies into every part of the business and making use of third party experts to help aid in the process.

https://www.trendmicro.com/en_us/devops/23/e/cyber-hygiene-audit-best-practices.html

Governance, Risk and Compliance

• Company size doesn't matter when it comes to cyber attacks - Help Net Security

• How to Keep Cyber attacks from Tanking Your Balance Sheet (hbr.org)

• When is it Time for a Cyber Hygiene Audit? (trendmicro.com)

• The great CISO resignation: Why security leaders are quitting in droves - SDxCentral

• ‘Exceptional’ cyber attacks now normal, says BT security chief (thetimes.co.uk)

• HowTo: Improve Your Cyber Resilience - Infosecurity Magazine (infosecurity-magazine.com)

• The strategic importance of digital trust for modern businesses - Help Net Security

• Vendors: Threat actor taxonomies are confusing but essential | TechTarget

• Experts Not Willing To Wager A Candy Bar On Their Security (forbes.com)

• Breaking Enterprise Silos and Improving Protection – Security Week

• Zero-Day Vulnerabilities: 17 Consequences And Complications (forbes.com)

• Insider risk management: Where your program resides shapes its focus | CSO Online

Threats

Ransomware, Extortion and Destructive Attacks

• Attackers leave organisations with no recovery option - Help Net Security

• Ransomware Gangs Adopting Business-like Practices to Boost Profits - Infosecurity Magazine (infosecurity-magazine.com)

• The Sobering Truth About Ransomware—For The 80% Who Paid Up (forbes.com)

• Rogue IT security worker failed to cover his tracks | Tripwire

• Organisations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation – Security Week

• The Week in Ransomware - May 26th 2023 - Cities Under Attack (bleepingcomputer.com)

• Cyble — Obsidian ORB Ransomware Demands Gift Cards as Payment

• AceCryptor: Cyber criminals' Powerful Weapon, Detected in 240K+ Attacks (thehackernews.com)

• BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration (securityintelligence.com)

• BlackCat claims the hack of the Casepoint legal technology platform used by US agencies - Security Affairs

• Investigating BlackSuit Ransomware’s Similarities to Royal (trendmicro.com)

• Fighting ransomware: Perspectives from cyber security professionals - Help Net Security

Ransomware Victims

• New York county still dealing with ransomware 8 months later • The Register

• ABB confirms data stolen in Black Basta ransomware attack | SC Media (scmagazine.com)

• SAS Airlines hit by $3 million ransom demand following DDoS attacks (bitdefender.com)

• Industrial Giant ABB Confirms Ransomware Attack, Data Theft – Security Week

• MCNA Dental data breach impacts 8.9 million people after ransomware attack (bleepingcomputer.com)

• Harvard Pilgrim Health Care ransomware attack hits 2.5 million people (bleepingcomputer.com)

• Cyble — Bl00dy Ransomware Targets Indian University: Actively Exploiting PaperCut Vulnerability

Phishing & Email Based Attacks

• Phishing campaigns thrive as evasive tactics outsmart conventional detection - Help Net Security

• Organisations spend 100 hours battling post-delivery email threats - Help Net Security

• Phishing remained the top identity abuser in 2022: IDSA report | CSO Online

• DocuSign-themed email leads to script-based infection

• New phishing technique poses as a browser-based file archiver | CSO Online

• Nigerian Cyber crime Ring's Phishing Tactics Exposed - Infosecurity Magazine (infosecurity-magazine.com)

• Sustained 'Red Deer' Phishing Attacks Impersonate Israel Post, Drop RATs (darkreading.com)

• North Korean phishing gang stole rocket tech info • The Register

Artificial Intelligence

• AI is 'a nuclear bomb and the entire world has already got it,' Palantir ethics expert warns (yahoo.com)

• Artificial intelligence is similar extinction risk as nuclear war and pandemics, say experts | Science & Tech News | Sky News

• AI: War crimes evidence erased by social media platforms - BBC News

• Artificial Intelligence's Risks and Rewards in Cyber security (analyticsinsight.net)

• ChatGPT Plugins Open Security Holes From PDFs, Websites and More | Tom's Hardware (tomshardware.com)

• What not to share with ChatGPT if you use it for work | Mashable

• Is ChatGPT a cyber security disaster? We asked the experts | Digital Trends

• Generative AI: The new attack vector for trust and safety - Help Net Security

• What are the concerns around AI and are some of the warnings 'baloney'? | Science & Tech News | Sky News

2FA/MFA

• PyPI announces mandatory use of 2FA for all software publishers (bleepingcomputer.com)

Malware

• QBot malware abuses Windows WordPad EXE to infect devices (bleepingcomputer.com)

• New Stealthy Bandit Stealer Targeting Web Browsers and Cryptocurrency Wallets (thehackernews.com)

• Raspberry Pi Malware Infects Using Default Username and Password | Tom's Hardware (tomshardware.com)

• Tracking down a trojan: An inside look at threat hunting in a corporate network (malwarebytes.com)

• RomCom malware spread via Google Ads for ChatGPT, GIMP, more (bleepingcomputer.com)

• DogeRAT Malware Impersonates BFSI, Entertainment, E-commerce Apps - Infosecurity Magazine (infosecurity-magazine.com)

• Stealthy SeroXen RAT malware increasingly used to target gamers (bleepingcomputer.com)

• Terminator antivirus killer is a vulnerable Windows driver in disguise (bleepingcomputer.com)

• Top macOS Malware Threats: Here Are 6 to Watch (darkreading.com)

• PyPI malware ramps up the threat to the code repository • The Register

• Evasive QBot Malware Leverages Short-lived Residential IPs for Dynamic Attacks (thehackernews.com)

• Cyber criminals use legitimate websites to obfuscate malicious payloads - Help Net Security

• North Korean ScarCruft Hackers Exploit LNK Files to Spread RokRAT (thehackernews.com)

Mobile

• Don't be polite when you get a text from a wrong number | kens5.com

• Predator Android Spyware: Researchers Uncover New Data Theft Capabilities (thehackernews.com)

• Android threat: 'Guerrilla' virus sneakily snuck onto 8.9m phones (citizen.co.za)

• Operation Triangulation: previously undetected malware targets iOS devices - Security Affairs

• Russian government accuses Apple of colluding with NSA in iPhone spy operation | CyberScoop

• Android apps with spyware installed 421 million times from Google Play (bleepingcomputer.com)

Botnets

• Active Mirai Botnet Variant Exploiting Zyxel Devices for DDoS Attacks (thehackernews.com)

• Threatening botnets can be created with little code experience… – Unified Networking (unifiedguru.com)

• What Are Botnet Attacks & Explained Prevention Techniques | EC-Council (eccouncil.org)

• CAPTCHA-Breaking Services with Human Solvers Helping Cyber criminals Defeat Security (thehackernews.com)

Denial of Service/DoS/DDOS

• SAS Airlines hit by $3 million ransom demand following DDoS attacks (bitdefender.com)

• Active Mirai Botnet Variant Exploiting Zyxel Devices for DDoS Attacks (thehackernews.com)

Internet of Things – IoT

• Active Mirai Botnet Variant Exploiting Zyxel Devices for DDoS Attacks (thehackernews.com)

• Home routers helped Chinese hackers breach US Navy networks (mybroadband.co.za)

• How Safe Is Your Wearable Device? (darkreading.com)

• Hackers Win $105,000 for Reporting Critical Security Flaws in Sonos One Speakers (thehackernews.com)

• Solar panels vulnerable to hackers, concern for network security - DutchNews.nl

• Amazon to Pay $31m After FTC's Security and Privacy Allegations - Infosecurity Magazine (infosecurity-magazine.com)

Data Breaches/Leaks

• Tesla Whistleblower Leaks 100GB of Data, Revealing Safety Complaints (darkreading.com)

• Dutch watchdog looking into alleged Tesla data breach | Reuters

• NHS data breach: trusts shared patient details with Facebook without consent | Health | The Guardian

• The root causes of API incidents and data breaches - Help Net Security

• Pentagon Leaks Emphasise the Need for a Trusted Workforce (darkreading.com)

• Retailer Database Error Leaks Over One Million Customer Records - Infosecurity Magazine (infosecurity-magazine.com)

• Yet Another Toyota Cloud Data Breach Jeopardises Thousands of Customers (darkreading.com)

• Hacking forum hacked, user database leaked online • Graham Cluley

• Risk & Repeat: A troubling trend of poor breach disclosures | TechTarget

• New MOVEit Transfer zero-day mass-exploited in data theft attacks (bleepingcomputer.com)

• Workforce platform Prosperix leaks drivers licenses and medical records - Security Affairs

Organised Crime & Criminal Actors

• Types of Cyber Crime: A Comprehensive Guide to Uncover and Prevent Digital Attacks - Security Boulevard

• US intelligence research agency examines cyber psychology to outwit criminal hackers | CyberScoop

• What is the Cyber Crime Atlas? How it can help disrupt cyber crime | CSO Online

• New hacking forum leaks data of 478,000 RaidForums members (bleepingcomputer.com)

• Hacking forum hacked, user database leaked online • Graham Cluley

• Tricks of the trade: How a cyber crime ring operated a multi‑level fraud scheme | WeLiveSecurity

• 3 signs your kids may be hackers and what to do about it | Euronews

• “I was a teenage hacker”: Two child hackers share their stories | Euronews

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• New Stealthy Bandit Stealer Targeting Web Browsers and Cryptocurrency Wallets (thehackernews.com)

• Hacked DJ's Twitter account costs cryptocurrency investors $170,000 (bitdefender.com)

• Cyber criminals Targeting Apache NiFi Instances for Cryptocurrency Mining (thehackernews.com)

Insider Risk and Insider Threats

• Report: ‘massive’ Tesla leak reveals data breaches, thousands of safety complaints | Tesla | The Guardian

• Rogue IT security worker failed to cover his tracks | Tripwire

• Pentagon Leaks Emphasise the Need for a Trusted Workforce (darkreading.com)

• Insider risk management: Where your program resides shapes its focus | CSO Online

Fraud, Scams & Financial Crime

• Don't be polite when you get a text from a wrong number | kens5.comTricks of the trade: How a cyber crime ring operated a multi‑level fraud scheme | WeLiveSecurity

• HMRC in New Tax Credits Scam Warning - Infosecurity Magazine (infosecurity-magazine.com)

AML/CFT/Sanctions

• US sanctions orgs behind North Korea’s ‘illicit’ IT worker army (bleepingcomputer.com)

Insurance

• Why You Need Cyber Insurance and How to Obtain It - Arctic Wolf

• Cyber Insurance: A Growth Market for Insurers With Some Caveats (carriermanagement.com)

Dark Web

• The Dark Web: Exploring the Hidden Internet | TechSpot

Supply Chain and Third Parties

• Capita cyber attack: 90 organisations report data breaches | Capita | The Guardian

• Cyber Actors Impact Daily Life in Attacks on Critical Infrastructure, Supply Chains, Report Says - MSSP Alert

Software Supply Chain

• CISO-approved strategies for software supply chain security - Help Net Security

• Where SBOMs Stand Today (darkreading.com)

Cloud/SaaS

• One of Microsoft Azure's top tools has a serious security flaw | TechRadar

• Top public cloud security concerns for the media and entertainment industry - Help Net Security

• Disaster recovery in the cloud | InfoWorld

• Cloud Security: Don’t Confuse Vendor and Tool Consolidation - The New Stack

• Why organisations should adopt a cloud cyber security framework - Help Net Security

• Can Cloud Services Encourage Better Login Security? Netflix's Accidental Model (darkreading.com)

• Google Drive Deficiency Allows Attackers to Exfiltrate Workspace Data Without a Trace (darkreading.com)

Hybrid/Remote Working

• Navigating cyber security in the age of remote work - Help Net Security

Shadow IT

• The shadow IT fight — 2023 style | Computerworld

Identity and Access Management

• Digital nomads drive changes in identity verification - Help Net Security

Encryption

• After 28 years, SSLv2 is still not gone from the internet... but we're getting there

API

• The root causes of API incidents and data breaches - Help Net Security

Open Source

• 2 Lenses for Examining the Safety of Open Source Software (darkreading.com)

• EU’s Proposed Cyber Resilience Act Raises Concerns for Open Source and Cyber security | Electronic Frontier Foundation (eff.org)

Passwords, Credential Stuffing & Brute Force Attacks

• Raspberry Pi Malware Infects Using Default Username and Password | Tom's Hardware (tomshardware.com)

• Swiss real estate agency Neho fails to put a password on its systems - Security Affairs

• Can Cloud Services Encourage Better Login Security? Netflix's Accidental Model (darkreading.com)

Social Media

• NHS data breach: trusts shared patient details with Facebook without consent | Health | The Guardian

• Twitter pulls out of voluntary EU disinformation code - BBC News

• AI: War crimes evidence erased by social media platforms - BBC News

Malvertising

• RomCom malware spread via Google Ads for ChatGPT, GIMP, more (bleepingcomputer.com)

Training, Education and Awareness

• Building an Effective Cyber security Training Program (hbr.org)

Travel

• Travel-Themed Phishing, BEC Campaigns Get Smarter as Summer Season Arrives (darkreading.com)

• US court finds that border phone searches need a warrant • The Register

Parental Controls and Child Safety

• 3 signs your kids may be hackers and what to do about it | Euronews

• “I was a teenage hacker”: Two child hackers share their stories | Euronews

Regulations, Fines and Legislation

• OneMain pays $4.5M after ignored security flaws caused data breaches | SC Media (scmagazine.com)

• Amazon to Pay $31m After FTC's Security and Privacy Allegations - Infosecurity Magazine (infosecurity-magazine.com)

• Netflix warns it may remove content from UK catalogue over government media bill | The Independent

• EU’s Proposed Cyber Resilience Act Raises Concerns for Open Source and Cyber security | Electronic Frontier Foundation (eff.org)

Models, Frameworks and Standards

• Why organisations should adopt a cloud cyber security framework - Help Net Security

Data Protection

• OneMain pays $4.5M after ignored security flaws caused data breaches | SC Media (scmagazine.com)

Careers, Working in Cyber and Information Security

• Ways to Help Cyber security's Essential Workers Avoid Burnout (darkreading.com)

• Managing mental health in cyber security - Help Net Security

• ISACA pledges to help grow cyber security workforce in Europe | CSO Online

Law Enforcement Action and Take Downs

• US intelligence research agency examines cyber psychology to outwit criminal hackers | CyberScoop

Privacy, Surveillance and Mass Monitoring

• The answer to the FBI's advanced persistent threat • The Register

• Amazon to Pay $31m After FTC's Security and Privacy Allegations - Infosecurity Magazine (infosecurity-magazine.com)

Misinformation, Disinformation and Propaganda

• How giant pieces of spyware are shaping our views and our world | Evening Standard

• Twitter pulls out of voluntary EU disinformation code - BBC News

• The 2024 race promises to be 'very, very active' in terms of foreign and domestic meddling, says former CISA chief | CyberScoop

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Ukraine war blurs lines between cyber crims and state hacks • The Register

• Pegasus Spyware Is Detected in a War Zone for the First Time | WIRED

• Chinese State-Backed Cyber Operatives Threaten Critical Infrastructure in Espionage Campaign - MSSP Alert

• Russian government accuses Apple of colluding with NSA in iPhone spy operation | CyberScoop

• How giant pieces of spyware are shaping our views and our world | Evening Standard

• Predator may have more spyware capabilities than we know • The Register

• Cyber Army! US Mulls Creating A New Military Unit That Can 'Track & Whack' Chinese, Russian Aggression (eurasiantimes.com)

• Cyberweapon manufacturers plot to stay on the right side of US | Financial Times (ft.com)

• Suspected Russia-trained spy whale reappears off Sweden’s coast | Sweden | The Guardian

• Pentagon Cyber Policy Cites Learnings from Ukraine War - Infosecurity Magazine (infosecurity-magazine.com)

• AI: War crimes evidence erased by social media platforms - BBC News

Nation State Actors

• How APTs target SMBs - Help Net Security

• Chinese hackers seeking ways to cripple infrastructure 'likely to have targeted UK operators' (inews.co.uk)

• China hacking Guam: Can the US stop foreign cyber attacks? | The Week

• Russian government accuses Apple of colluding with NSA in iPhone spy operation | CyberScoop

• US sanctions orgs behind North Korea’s ‘illicit’ IT worker army (bleepingcomputer.com)

• Home routers helped Chinese hackers breach US Navy networks (mybroadband.co.za)

• Investigation Launched After London City Airport Website Hacked (simpleflying.com)

• Taiwan rushes to prevent China from cutting off internet and phones | The Japan Times

• North Korea says spy satellite launch crashed into sea - BBC News

• Pentagon Cyber Policy Cites Learnings from Ukraine War - Infosecurity Magazine (infosecurity-magazine.com)

• Dark Pink hackers continue to target govt and military organisations (bleepingcomputer.com)

• The next Chinese tech threat is already here | The Spectator

• North Korean phishing gang stole rocket tech info • The Register

• North Korea's Kimsuky Group Mimics Key Figures in Targeted Cyber Attacks (thehackernews.com)

• North Korean ScarCruft Hackers Exploit LNK Files to Spread RokRAT (thehackernews.com)

Vulnerability Management

• Zero-Day Vulnerabilities: 17 Consequences And Complications (forbes.com)

• Implementing Risk-Based Vulnerability Discovery and Remediation (thehackernews.com)

• 3 Challenges in Building a Continuous Threat Exposure Management (CTEM) Program and How to Beat Them (thehackernews.com)

• Focus Security Efforts on Choke Points, Not Visibility (darkreading.com)

Vulnerabilities

• New MOVEit Transfer zero-day mass-exploited in data theft attacks (bleepingcomputer.com)

• Zero-day vulnerability in MoveIt Transfer under attack | TechTarget

• Alert: Hackers Exploit Barracuda Email Security Gateway 0-Day Flaw for 7 Months (thehackernews.com)

• Chrome 114 Released With 18 Security Fixes – Security Week

• WordPress plugin ‘Gravity Forms’ vulnerable to PHP object injection (bleepingcomputer.com)

• WordPress force installs critical Jetpack patch on 5 million sites (bleepingcomputer.com)

• Microsoft finds macOS bug that lets hackers bypass SIP root restrictions (bleepingcomputer.com)

• Zyxel patches vulnerability in NAS devices (CVE-2023-27988) - Help Net Security

• Critical Firmware Vulnerability in Gigabyte Systems Exposes ~7 Million Devices (thehackernews.com)

• Millions of Gigabyte Motherboards Were Sold With a Firmware Backdoor | WIRED

• Barracuda Email Security Gateway under active attack • The Register

• MacOS 'Migraine' Bug: Big Headache for Device System Integrity (darkreading.com)

• FTC accuses Amazon of nightmare IoT security fails • The Register

• Critical Vulnerabilities Found in Faronics Education Software – Security Week

Tools and Controls

• HowTo: Improve Your Cyber Resilience - Infosecurity Magazine (infosecurity-magazine.com)

• When is it Time for a Cyber Hygiene Audit? (trendmicro.com)

• The strategic importance of digital trust for modern businesses - Help Net Security

• Vendors: Threat actor taxonomies are confusing but essential | TechTarget

• 6 Steps to Effectively Threat Hunting: Safeguard Critical Assets and Fight Cyber crime (thehackernews.com)

• Artificial Intelligence's Risks and Rewards in Cyber security (analyticsinsight.net)

• Digital nomads drive changes in identity verification - Help Net Security

• Tracking down a trojan: An inside look at threat hunting in a corporate network (malwarebytes.com)

• The Top 10 endpoint security challenges and how to overcome them | VentureBeat

• Why You Need Cyber Insurance and How to Obtain It - Arctic Wolf

• Disaster recovery in the cloud | InfoWorld

• Cloud Security: Don’t Confuse Vendor and Tool Consolidation - The New Stack

• Disaster recovery challenges enterprise CISOs face - Help Net Security

• Implementing Risk-Based Vulnerability Discovery and Remediation (thehackernews.com)

• Research Reveals UK Firms Plan to Embrace New Era of Digital Identity- IT Security Guru

Reports Published in the Last Week

• Global Threat Intelligence Report April (blackberry.com)

• Top Cyber attacks Revealed in New Threat Intelligence Report (darkreading.com)

Other News

• Undetected Attacks Against Middle East Targets Conducted Since 2020 (darkreading.com)

• 8 best practices for securing your Mac from hackers in 2023 (techrepublic.com)

• Hot Pixels attack checks CPU temp, power changes to steal data (bleepingcomputer.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive summary

CrowdStrike have revealed a new cyber security threat, labelled as “Terminator”, which has the capability of stopping antivirus, endpoint detection and response (EDR) and extended detection and response (XDR) solutions. This allows for additional malicious software or actions to be used without being stopped or detected. While this tool does require local admin privileges to be effective, there is still a substantial number of organisations who allow employees to retain these privileges, and these privileges likely exist on Personally-owned devices that are being used for corporate activities as part of Bring Your Own Device (BYOD) schemes. The tool is being sold on Russian hacking forums for as little as $300 for a single bypass.

What’s the risk to me or my business?

Terminator requires the target user to first have local administrative privileges and then allow the tool to run by accepting the User Account Control (UAC) prompt. Once running, the tool will drop a legitimately signed Zemana anti-malware kernel into “C:\Windows\System32\drivers\ folder”. Next the tool will terminate any processes created by anti-virus (AV) or endpoint detection response (EDR). From here, the organisations AV and or EDR is disabled, allowing the malicious actor to run additional software or exploits without being stopped or detected, significantly increasing the risk of impacting the confidentiality, integrity and or availability of data held by an organisation that is accessible from the device.

What can I do?

Currently, only Elastic Security identifies the driver files used by Terminator- at current, no other AV or EDR is able to detect it. There has been no released patches or updates, and organisations are advised to block the signing certificate of the Zemena Anti-Malware driver used by Terminator.

Users should be educated not to run software that they do not trust, and where possible local administrator privileges should not be provided to end users to help prevent this and other similar attacks from being successful.

Further details can be found here:

https://www.techspot.com/news/98906-terminator-tool-uses-vulnerable-windows-driver-kill-almost.html

VirusTotal results can be found here: https://www.virustotal.com/gui/file/543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91

Need help understanding your gaps, or just want some advice? Get in touch with us: https://www.blackarrowcyber.com/contact

#threatadvisory #threatintelligence #cybersecurity

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• 50% of UK CEOs see Cyber as a Bigger Business Risk than the Economy

Half of UK CEOs consider cyber security as a bigger risk to their organisation than economic uncertainty, a new study by Palo Alto Networks has found. The findings came from a survey of 2500 CEOs from the UK, Germany, France, Brazil and the UAE at large organisations (500+ employees).

Despite the recognition of the business threats posed by cyber attacks, UK CEOs have a lower level of understanding of cyber security risks than their international counterparts, with just 16% saying they have a complete understanding. This compares to 21% in Brazil, 21% in the UAE, 22% in France and 39% in Germany. Additionally, many UK CEOs feel detached from responsibility for cyber security at their organisations, instead leaving it to the responsibility of IT, although IT is only part of the solution.

https://www.infosecurity-magazine.com/news/uk-ceo-cyber-risk-economy/

• Report Finds 78% of Organisations Felt Prepared for Ransomware Attacks, Yet Half Still Fell Victim

Fortinet has unveiled its 2023 Global Ransomware Report based on a recent global survey and explores cyber security leaders’ perspectives on ransomware, particularly how it impacted their organisations in the last year and their strategies to mitigate an attack. The report found that the global threat of ransomware remains at peak levels, with half of organisations across all sizes, regions and industries falling victim in the last year.

The top challenges to stopping a ransomware attack were people and process related, with many organisations lacking clarity on how to secure against the threat. Specifically, four out of the five top challenges to stopping ransomware were people or process related. The second largest challenge was a lack of clarity on how to secure against the threat as a result of a lack of user awareness and training and no clear chain-of-command strategy to deal with attacks.

Despite the global macroeconomic environment, security budgets will have to increase in the next year with a focus on AI/ML technologies to speed detection, centralised monitoring tools to speed response and better preparation of people and processes.

https://www.itweb.co.za/content/mYZRX79g8gRqOgA8

• SMBs and Regional MSPs are Increasingly Targeted by State-Sponsored APT Groups

Advanced persistent threat (APT) attacks were once mainly a concern for large corporations in industries that presented cyber espionage interest. That's no longer the case and over the past year in particular, the number of such state-sponsored attacks against small- and medium-sized businesses (SMBs) has increased significantly.

Cyber security firm Proofpoint analysed its telemetry data more than 200,000 SMB customers over the past year and saw a rise in phishing campaigns originating from APT groups, particularly those serving Russian, Iranian, and North Korean interests.

SMBs are also targeted by APT groups indirectly, through the managed services providers (MSPs) that maintain their infrastructure. Proofpoint has seen an increase in attacks against regional MSPs because their cyber security defences could be weaker than larger MSPs yet they still serve hundreds of SMBs in local geographies.

https://www.csoonline.com/article/3697648/smbs-and-regional-msps-are-increasingly-targeted-by-state-sponsored-apt-groups.html#tk.rss_news

• IT Employee Piggybacked on Cyber Attack for Personal Gain

A 28-year-old former IT employee of an Oxford-based company has been convicted of blackmailing his employer and unauthorised access to a computer with intent to commit other offences.

The convicted employee was the one who began to investigate the incident and, along with colleagues and the police, tried to mitigate it and its fallout. But he also realized that he could take advantage of the breach to line his own pockets.

“He accessed a board member’s private emails over 300 times as well as altering the original blackmail email and changing the payment address provided by the original attacker. This was in the hope that if payment was made, it would be made to him rather than the original attacker,” the South East Regional Organised Crime Unit (SEROCU) revealed. He went as far as creating an almost identical email address to that of the original attacker, using it to pressure his employer into making the payment.

While some insider threats may stem from negligence or ignorance, this case highlights a more sinister scenario involving a malicious, opportunistic individual. Malicious insiders exploit their authorized access and privileges to engage in harmful, unethical, or illegal activities.

https://www.helpnetsecurity.com/2023/05/24/it-employee-blackmailing-company/

• Ransomware Threats Are Growing, and Targeting Microsoft Devices More and More

Ransomware attacks have never been this popular, a new report from cyber security researchers Securin, Ivanti, and Cyware has stated. New ransomware groups are emerging constantly, and new vulnerabilities being exploited are being discovered almost daily, but out of all the different hardware and software, Microsoft’s products are being targeted the most.

Attackers are now targeting more than 7,000 products built by 121 vendors, all used by businesses in their day-to-day operations. Most products belong to Microsoft, which has 135 vulnerabilities associated with ransomware. In just March 2023, there had been more breaches reported, than in all three previous years combined. Even though most cyber security incidents never get reported, too. In the first quarter of the year, the researchers discovered 12 new vulnerabilities used in ransomware attacks, three-quarters of which (73%) were trending in the dark web.

https://www.techradar.com/news/ransomware-threats-are-growing-and-targeting-microsoft-devices-more-and-more

• Microsoft Reports Jump in Business Email Compromise (BEC) Activity

Thirty-five million business email compromise (BEC) attempts were detected in the last year, according to the latest Microsoft Cyber Signals report. Activity around BEC spiked between April 2022 and April 2023, with over 150,000 daily attempts, on average, detected by Microsoft’s Digital Crimes Unit.

Rather than targeting unpatched devices for vulnerabilities, BEC operators focus on leveraging the vast volume of daily email and other message traffic to trick victims into sharing financial information or unknowingly transferring funds to money mule accounts. Their goal is to exploit the constant flow of communication to carry out fraudulent money transfers.

Using secure email applications, securing identities to block lateral movement, adopting a secure payment platform and training employees are a few effective methods, according to the report.

https://www.csoonline.com/article/3697152/microsoft-reports-jump-in-business-email-compromise-activity.html#tk.rss_news

• Forrester Predicts 2023’s Top Cyber security Threats: From Generative AI to Geopolitical Tensions

The nature of cyber attacks is changing fast. Generative AI, cloud complexity and geopolitical tensions are among the latest weapons and facilitators in attackers’ arsenals. Three-quarters (74%) of security decision-makers say their organisations’ sensitive data was “potentially compromised or breached in the past 12 months” alone. Forrester’s Top Cyber security Threats in 2023 report provides a stark warning about the top cyber security threats this year, along with prescriptive advice to CISOs and their teams on countering them. By weaponising generative AI and using ChatGPT, attackers are fine-tuning their ransomware and social engineering techniques.

Perimeter-based legacy systems not designed with an AI-based upgrade path are the most vulnerable. With a new wave of cyber attacks coming that seek to capitalise on any given business’ weakest links, including complex cloud configurations, the gap between reported and actual breaches will grow.

Forrester cites Russia’s invasion of Ukraine and its relentless cyber attacks on Ukrainian infrastructure as examples of geopolitical cyber attacks with immediate global implications. Forrester advises that nation-state actors continue to use cyber attacks on private companies for geopolitical purposes like espionage, negotiation leverage, resource control and intellectual property theft to gain technological superiority.

https://venturebeat.com/security/forrester-predicts-2023-top-cybersecurity-threats-generative-ai-geopolitical-tensions/

• Advanced Phishing Attacks Surge 356% in 2022

A new report published this week observed a 356% growth in the number of advanced phishing attacks attempted by threat actors in 2022, with the total number of attacks having increased by 87%. Among the reasons behind this growth is the fact that malicious actors continue to gain widespread access to new tools, including artificial intelligence (AI) and machine learning (ML)-powered tools. These have automated the process of generating sophisticated attacks, including those characterized by social engineering as well as evasion techniques.

The global threat landscape continues to evolve with a meteoric rise in the number of attacks, combined with increasingly sophisticated attack techniques designed to breach and damage organisations.

Additionally, the report highlighted that the changing threat landscape has resulted from the swift adoption of new cloud collaboration apps, cloud storage and productivity services for external collaboration.

https://www.infosecurity-magazine.com/news/advanced-phishing-attacks-surge/

• Today’s Cyber Defence Challenges: Complexity and a False Sense of Security

Organisations can mistakenly believe that deploying more security solutions will result in greater protection against threats. However, the truth of the matter can be very different. Gartner estimates that global spending on IT security and risk management solutions will exceed $189.7 billion annually in 2023, yet the breaches keep on coming. Blindly purchasing more security tools can add to complexity in enterprise environments and creates a false sense of security that contributes to today’s cyber security challenges.

To add to the dilemma, the new work-from-anywhere model is putting a strain on IT and security teams. Employees shifting between corporate and off-corporate networks are creating visibility and control challenges, which are impacting those teams’ ability to diagnose and remediate end user issues and minimize cyber security risks. In addition, they have to deal with a broad mix of networks, hardware, business and security applications, operating system (OS) versions, and patches.

https://www.securityweek.com/todays-cyber-defense-challenges-complexity-and-a-false-sense-of-security/

• Almost All Ransomware Attacks Target Backups

Data stored in backups is the most common target for ransomware attackers. Almost all intrusions (93%) target backups and in 75% of cases succeed in taking out victims’ ability to recover. In addition, 85% of global organisations suffered at least one cyber attack in the past year according to the Veeam 2023 Ransomware trends report. Only 16% of organisations avoided paying ransom because they were able to recover from backups, down from 19% in last year’s survey.

According to the survey, criminals attempt to attack backup repositories in almost all (93%) cyber events in EMEA, with 75% losing at least some of their backups and more than one-third (39%) of backup repositories being completely lost.

Other key findings included that 21% said ransomware is now specifically excluded from insurance policies; and of those with cyber insurance, 74% saw increased premiums since their last policy renewal.

With most ransomware actors moving to double and triple extortion the days of a backup being all you need to keep you safe are far behind and firms should do more to prevent being the victim of ransomware in the first place.

https://www.computerweekly.com/news/366538492/Almost-all-ransomware-attacks-target-backups-says-Veeam

• NCSC Warns Against Chinese Cyber Attacks on Critical Infrastructure

The UK National Cyber Security Centre (NCSC) and several other international security agencies have issued a new advisory warning the public against Chinese cyber activity targeting critical national infrastructure networks. According to the document, the People’s Republic of China (PRC)’s associated threat actors employed sophisticated tactics to evade detection while conducting malicious activities against targets in the US and Guam. These tactics are expected to be used on critical infrastructure targets outside the US, including the UK.

The document further added that the threat actors mainly focused on credential access theft via brute force and password spraying techniques. The NCSC advisory provides network defenders with technical indicators and examples of techniques used by the attacker to help identify any malicious activity.

https://www.infosecurity-magazine.com/news/ncsc-warns-chinese-cyber-attacks/

• Half of All Companies were Impacted by Spearphishing in 2022

Spearphishing is a sliver of all email exploits but the extent to which it succeeds is revealed in a new study from cyber security firm Barracuda Networks, which analysed 50 billion emails across 3.5 million mailboxes in 2022, unearthing around 30 million spearphishing emails and affecting 50% of all companies.

The report identified the top prevalent spearphishing emails were Scamming (47%) used to trick victims into disclosing sensitive information and the other being brand impersonation (42%) attacks mimicking a brand familiar with the victim to harvest credentials.

The report found that remote work is increasing risks. Users at companies with more than a 50% remote workforce report higher levels of suspicious emails — 12 per day on average, compared to 9 per day for those with less than a 50% remote workforce.

https://www.techrepublic.com/article/barracuda-networks-spearphishing-study/

• Google's .zip, .mov Domains Give Social Engineers a Shiny New Tool

Two new top-level domain names (.zip and .mov) have caused concern among security researchers, who say they allow for the construction of malicious URLs that even tech-savvy users are likely to miss. While a top-level domain (TLD) that mimics a file extension is only one component in the lookalike attack, the overall combination is much more effective with the .zip or .mov extension.

There's no question that phishing links that involve these TLDs can be used to lure unsuspecting users into accidentally downloading malware. Unlike other kinds of phishing URLs that are intended to lure the user to enter credentials into a phony login page, the lures with the .zip or .mov domains are more suited to drive-by download types of attacks.

https://www.darkreading.com/endpoint/google-zip-mov-domains-social-engineers-shiny-new-tool

Governance, Risk and Compliance

• Security Pros: Before You Do Anything, Understand Your Threat Landscape - SecurityWeek

• The Rising Threat of Secrets Sprawl and the Need for Action (thehackernews.com)

• Mass resignations, layoffs seen as major threat to corporate cyber security - The Korea Times

• Improving Cyber security Requires Building Better Public-Private Cooperation (darkreading.com)

• Cyber Defence: Council conclusions stress the importance of further strengthening the EU resilience to face cyber threats - Consilium (europa.eu)

• 5 Cyber security Woes That Threaten Digital Growth (analyticsinsight.net)

• Cyber Warfare Lessons From the Russia-Ukraine Conflict (darkreading.com)

• What Security Professionals Need to Know About Aggregate Cyber Risk (darkreading.com)

• Where to Focus Your Company’s Limited Cyber security Budget (hbr.org)

• Realistic Cyber security Simulations Deliver Strongest ROI for Training Programs, Security Innovation Finds - MSSP Alert

• Former Uber CSO Joe Sullivan and lessons learned from the infamous 2016 Uber breach | CSO Online

• CISO Criminalization, Vague Cyber Disclosure Rules Create Angst for Security Teams (darkreading.com)

• Today’s Cyber Defence Challenges: Complexity and a False Sense of Security - SecurityWeek

• The biggest threats are always those we fail to predict - Big Think

• How continuous security monitoring is changing the compliance game - Help Net Security

• Forrester predicts 2023's top cyber security threats: From generative AI to geopolitical tensions | VentureBeat

• 50% of UK CEOs See Cyber as a Bigger Business Risk than the Economy - Infosecurity Magazine (infosecurity-magazine.com)

• Defining CISOs, CTOs, and CIOs' Roles in Cyber security (analyticsinsight.net)

Threats

Ransomware, Extortion and Destructive Attacks

• 3 Common Initial Attack Vectors Account for Most Ransomware Campaigns (darkreading.com)

• 12 vulnerabilities newly associated with ransomware - Help Net Security

• IT employee impersonates ransomware gang to extort employer (bleepingcomputer.com)

• Backup Repositories Targeted in 93% of Ransomware Attacks - Infosecurity Magazine (infosecurity-magazine.com)

• Ransomware threats are growing, and targeting Microsoft devices more and more | TechRadar

• Microsoft: Notorious FIN7 hackers return in Clop ransomware attacks (bleepingcomputer.com)

• FIN7 gang returned and was spotted delivering Clop ransomware - Security Affairs

• Fortinet survey finds 78% of organisations felt prepared for ransomware attacks, yet half still fell victim | ITWeb

• Bridgestone CISO: Lessons From Ransomware Attack Include Acting, Not Thinking (darkreading.com)

• Cyble — New Ransomware Wave Engulfs over 200 Corporate Victims

• Updated 'StopRansomware Guide' warns of shifting tactics | TechTarget

• The Week in Ransomware - May 19th 2023 - A Shifting Landscape (bleepingcomputer.com)

• US saw 45% fewer ransomware victims posted on the dark web | Security Magazine

• BlackCat ransomware takes control of protected computers via new kernel driver | SC Media (scmagazine.com)

• Judge Throws Out Ransomware Class-Action Suit Against Rackspace - MSSP Alert

• Ransomware tales: The MitM attack that really had a Man in the Middle – Naked Security (sophos.com)

• Here's another great reason to make sure your enterprises is safeguarded from ransomware | TechRadar

• Inside Qilin Ransomware: Affiliates Take Home 85% of Ransom Payouts (thehackernews.com)

• Buhti Ransomware Gang Switches Tactics, Utilizes Leaked LockBit and Babuk Code (thehackernews.com)

Ransomware Victims

• Food Distributor Sysco Says Cyber Attack Exposed 126,000 Individuals - SecurityWeek

• Suzuki motorcycle plant shut down by cyber attack (bitdefender.com)

• February cyber incident will cost molten metal flow engineering firm Vesuvius £3.5 million - Security Affairs

• Iowa hospital discloses breach following Royal ransomware leak | TechTarget

• Arms maker Rheinmetall confirms BlackBasta ransomware attack (bleepingcomputer.com)

• Mazars Group allegedly breached by BlackCat | Cybernews

• Dish Network says February ransomware attack impacted +300K - Security Affairs

• Philly Inquirer disputes Cuba ransomware gang's leak claims • The Register

• Dorchester school IT system held to ransom in cyber attack - BBC News

• BlackByte lists city of Augusta after cyber 'incident' • The Register

Phishing & Email Based Attacks

• Advanced Phishing Attacks Surge 356% in 2022 - Infosecurity Magazine (infosecurity-magazine.com)

• 50% of companies had spearphishing puncture wounds in 2022 (techrepublic.com)

• Microsoft 365 phishing attacks use encrypted RPMSG messages (bleepingcomputer.com)

• Phishers use encrypted file attachments to steal Microsoft 365 account credentials - Help Net Security

• Threat actors exploit new channels for advanced phishing attacks - Help Net Security

• Malicious links and misaddressed emails slip past security controls - Help Net Security

• CopperStealer Malware Crew Resurfaces with New Rootkit and Phishing Kit Modules (thehackernews.com)

• Crypto phishing service Inferno Drainer defrauds thousands of victims (bleepingcomputer.com)

• Phishing campaign targets ChatGPT users - Help Net Security

BEC – Business Email Compromise

• Cyber Signals: Shifting tactics show surge in business email compromise | Microsoft Security Blog

• Microsoft reports jump in business email compromise activity | CSO Online

• Microsoft: BEC Attackers Evade 'Impossible Travel' Flags With Residential IP Addresses (darkreading.com)

Other Social Engineering; Smishing, Vishing, etc

• Google's .zip, .mov Domains Give Social Engineers a Shiny New Tool (darkreading.com)

Artificial Intelligence

• Employees are banned from using ChatGPT at these companies | Fortune

• When the tech boys start asking for new regulations, you know something’s up | John Naughton | The Guardian

• BatLoader campaign impersonates ChatGPT and Midjourney to deliver Redline Stealer - Security Affairs

• 6 ChatGPT risks for legal and compliance leaders - Help Net Security

• 5 Ways Hackers Will Use ChatGPT For Cyber attacks (informationsecuritybuzz.com)

• Simple OSINT techniques to spot AI-fueled disinformation, fake reviews - Help Net Security

• How to avoid shadow AI in your SOC - Help Net Security

• Microsoft urges lawmakers to adopt new guidelines for responsible AI | CyberScoop

• AI Used to Create Malware, WithSecure Observes - Infosecurity Magazine (infosecurity-magazine.com)

• Phishing campaign targets ChatGPT users - Help Net Security

• The Security Hole at the Heart of ChatGPT and Bing | WIRED UK

2FA/MFA

• Cyber criminals masquerading as MFA vendors - Help Net Security

Malware

• New PowerExchange malware backdoors Microsoft Exchange servers (bleepingcomputer.com)

• Hackers Use Weaponised DOCX File to Deploy Stealthy Malware (gbhackers.com)

• Meet 'Jack' from Romania! Mastermind Behind Golden Chickens Malware (thehackernews.com)

• Developer Alert: NPM Packages for Node.js Hiding Dangerous TurkoRat Malware (thehackernews.com)

• CopperStealer Malware Crew Resurfaces with New Rootkit and Phishing Kit Modules (thehackernews.com)

• Threat actors leverage kernel drivers in new attacks | TechTarget

• BatLoader campaign impersonates ChatGPT and Midjourney to deliver Redline Stealer - Security Affairs

• Malicious links and misaddressed emails slip past security controls - Help Net Security

• Potentially millions of Android TVs and phones come with malware preinstalled | Ars Technica

• New AhRat Android malware hidden in app with 50,000 installs (bleepingcomputer.com)

• Malware turns home routers into proxies for Chinese state-sponsored hackers | Ars Technica

• PyPI open-source code repository deals with manic malware maelstrom – Naked Security (sophos.com)

• Legion Malware Upgraded to Target SSH Servers and AWS Credentials (thehackernews.com)

• AI Used to Create Malware, WithSecure Observes - Infosecurity Magazine (infosecurity-magazine.com)

Mobile

• Warning: Samsung Devices Under Attack! New Security Flaw Exposed (thehackernews.com)

• Smartphones with Qualcomm chips found to be transmitting users' private data without consent - Dimsum Daily

• WhatsApp now lets you hide your messages from prying eyes. But is Chat Lock a cheaters’ charter? | Technology | The Guardian

• Android phones are vulnerable to fingerprint brute-force attacks (bleepingcomputer.com)

• New AhRat Android malware hidden in app with 50,000 installs (bleepingcomputer.com)

• Google Unveils Bug Bounty Program For Android Apps - Infosecurity Magazine (infosecurity-magazine.com)

• Predator: Looking under the hood of Intellexa’s Android spyware (bleepingcomputer.com)

Botnets

• How smart bots are infecting and exploiting the internet - Help Net Security

• The Dark Frost Enigma: An Unexpectedly Prevalent Botnet Author Profile | Akamai

Denial of Service/DoS/DDOS

• Dark Frost Botnet Launches Devastating DDoS Attacks on Gaming Industry (thehackernews.com)

Internet of Things – IoT

• Potentially millions of Android TVs and phones come with malware preinstalled | Ars Technica

• How Connected Car Cyber Risk will Evolve (trendmicro.com)

• Malware turns home routers into proxies for Chinese state-sponsored hackers | Ars Technica

Data Breaches/Leaks

• Capita under fire after ‘confidential’ files published online (thetimes.co.uk)

• Luxottica confirms 2021 data breach after info of 70M leaks online (bleepingcomputer.com)

• Hackers steal the SSN of nearly 6 million people (pandasecurity.com)

• Food Distributor Sysco Says Cyber attack Exposed 126,000 Individuals - SecurityWeek

Organised Crime & Criminal Actors

• Inside the Mind of a Cyber Attacker | Tactics, Techniques, and Procedures (TTPs) Every Security Practitioner Should Know

• IT employee piggybacked on cyber attack for personal gain - Help Net Security

• Child hackers: How are kids becoming sophisticated cyber criminals? | Euronews

• UK Fraudster Behind iSpoof Scam Receives 13-Year Jail Term for Cyber Crimes (thehackernews.com)

• The Strange Story of the Teens Behind the Mirai Botnet - IEEE Spectrum

• FBI: Human Trafficking Rings Force Job Seekers Into Cryptojacking Schemes (darkreading.com)

• 'Operation Magalenha' Attacks Gives Window Into Brazil's Cyber crime Ecosystem (darkreading.com)

• Cyber criminals masquerading as MFA vendors - Help Net Security

• The Dark Frost Enigma: An Unexpectedly Prevalent Botnet Author Profile | Akamai

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Crypto phishing service Inferno Drainer defrauds thousands of victims (bleepingcomputer.com)

• Forex boss Anthony Constantinou guilty of £70m ‘Ponzi’ fraud (thetimes.co.uk)

• FBI: Human Trafficking Rings Force Job Seekers Into Cryptojacking Schemes (darkreading.com)

Insider Risk and Insider Threats

• How to prevent against the 5 main types of insider threats - IT Security Guru

• IT employee impersonates ransomware gang to extort employer (bleepingcomputer.com)

Fraud, Scams & Financial Crime

• SMBs Targeted by State-Aligned Actors for Financial Theft and Supply Chain Attacks - Infosecurity Magazine (infosecurity-magazine.com)

• Get-rich-quick schemes, pyramids and ponzis: five signs you're being scammed (theconversation.com)

• Uncle Sam tries to wrangle 'money mules' • The Register

• Scammers Using ChatGPT "Fleeceware" Apps to Cash In on AI Hype, Sophos Report - MSSP Alert

• Online scams target bargain-hunting holiday travelers - Help Net Security

• Ads for lucrative jobs in Asia may be tech slavery scams • The Register

• Crypto phishing service Inferno Drainer defrauds thousands of victims (bleepingcomputer.com)

• 79-year-old woman tricks German scammers into getting arrested (iamexpat.de)

• Forex boss Anthony Constantinou guilty of £70m ‘Ponzi’ fraud (thetimes.co.uk)

• IT employee impersonates ransomware gang to extort employer (bleepingcomputer.com)

• Banking, tech and telecoms groups combine to gather intelligence on scammers | Financial Times (ft.com)

Supply Chain and Third Parties

• Capita under fire after ‘confidential’ files published online (thetimes.co.uk)

• SMBs Targeted by State-Aligned Actors for Financial Theft and Supply Chain Attacks - Infosecurity Magazine (infosecurity-magazine.com)

• UK councils caught in Capita unsecured AWS bucket data leak • The Register

• New Cyber Security Training Packages Launched to Manage Supply Chain Risk - NCSC

Software Supply Chain

• GUAC 0.1 Beta: Google's Breakthrough Framework for Secure Software Supply Chains (thehackernews.com)

Cloud/SaaS

• Phishers use encrypted file attachments to steal Microsoft 365 account credentials - Help Net Security

• UK councils caught in Capita unsecured AWS bucket data leak • The Register

• CISO-level tips for securing corporate data in the cloud - Help Net Security

• Google Cloud Bug Allows Server Takeover From CloudSQL Service (darkreading.com)

Attack Surface Management

• The Need to Isolate Branch Offices in High-Risk Countries (darkreading.com)

Identity and Access Management

• 7 access management challenges during M&A - Help Net Security

• Think security first when switching from traditional Active Directory to Azure AD | CSO Online

Encryption

• Quantum attack would trigger Great Depression, think tank warns | SC Media (scmagazine.com)

API

• API bug in OAuth dev tool opened websites, apps to account hijacking | SC Media (scmagazine.com)

• Are Your APIs Leaking Sensitive Data? (thehackernews.com)

• What is API Security? | Definition from TechTarget

• The fragmented nature of API security ownership - Help Net Security

Open Source

• PyPI open-source code repository deals with manic malware maelstrom – Naked Security (sophos.com)

Passwords, Credential Stuffing & Brute Force Attacks

• Inactive accounts pose significant account takeover security risks | CSO Online

• What’s a Double-Blind Password Strategy and When Should It Be Used (bleepingcomputer.com)

• Netflix's Password-Sharing Ban Offers Security Upsides (darkreading.com)

Biometrics

• Android phones are vulnerable to fingerprint brute-force attacks (bleepingcomputer.com)

Social Media

• Meta Hit With $1.3B Record-Breaking Fine for GDPR Violations (darkreading.com)

• Pentagon explosion hoax goes viral after verified Twitter accounts push (bleepingcomputer.com)

• A TikTok ban isn't a data security solution. It will be difficult to enforce – and could end up hurting users (theconversation.com)

Training, Education and Awareness

• Realistic Cyber security Simulations Deliver Strongest ROI for Training Programs, Security Innovation Finds - MSSP Alert

• A New Look for Risk in Awareness Training (darkreading.com)

• Realistic simulations are transforming cyber security training - Help Net Security

Travel

• Online scams target bargain-hunting holiday travelers - Help Net Security

• Four ways your devices can be hacked in hotels and how to stay safe | This is Money

• Tips to Protect Against Holiday and Airline Scams - IT Security Guru

Parental Controls and Child Safety

• Multiple Vulnerabilities Found in the Kiddoware Kids Place Parental Control Android App - IT Security Guru

Regulations, Fines and Legislation

• Meta Hit With $1.3B Record-Breaking Fine for GDPR Violations (darkreading.com)

• Two-Thirds of IT Leaders Say GDPR Has Reduced Consumer Trust - Infosecurity Magazine (infosecurity-magazine.com)

• Microsoft urges lawmakers to adopt new guidelines for responsible AI | CyberScoop

Models, Frameworks and Standards

• NIST Launches Cyber security Initiative for Small Businesses (securityintelligence.com)

• New security model launched to eliminate 95% of cyber breaches - IT Security Guru

Backup and Recovery

• Almost all ransomware attacks target backups, says Veeam | Computer Weekly

• 'Operation Magalenha' Attacks Gives Window Into Brazil's Cyber crime Ecosystem (darkreading.com)

• China hits back after Microsoft says state-sponsored group hacked critical US infrastructure | Financial Times

• Here's another great reason to make sure your enterprises is safeguarded from ransomware | TechRadar

Data Protection

• Meta Hit With $1.3B Record-Breaking Fine for GDPR Violations (darkreading.com)

• Two-Thirds of IT Leaders Say GDPR Has Reduced Consumer Trust - Infosecurity Magazine (infosecurity-magazine.com)

Careers, Working in Cyber and Information Security

• How to become a bug bounty hunter: Getting started | TechTarget

Law Enforcement Action and Take Downs

• UK Fraudster Behind iSpoof Scam Receives 13-Year Jail Term for Cyber Crimes (thehackernews.com)

• 79-year-old woman tricks German scammers into getting arrested (iamexpat.de)

Privacy, Surveillance and Mass Monitoring

• Smartphones with Qualcomm chips found to be transmitting users' private data without consent - Dimsum Daily

• WhatsApp now lets you hide your messages from prying eyes. But is Chat Lock a cheaters’ charter? | Technology | The Guardian

• UK police to 'embed' facial recog but oversight is at risk • The Register

• Abuse of government spying powers: What's to worry about? • The Register

• Reflections on Ten Years Past The Snowden Revelations (ietf.org)

Misinformation, Disinformation and Propaganda

• Simple OSINT techniques to spot AI-fueled disinformation, fake reviews - Help Net Security

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Opinion: Cyber war and (no) peace (insuranceinsider.com)

• Cyber Warfare Lessons From the Russia-Ukraine Conflict (darkreading.com)

• Russia's War in Ukraine Shows Cyber attacks Can Be War Crimes (darkreading.com)

• The Underground History of Turla, Russia's Most Ingenious Hacker Group | WIRED

• Bad Magic's Extended Reign in Cyber Espionage Goes Back Over a Decade (thehackernews.com)

• North Korean Kimsuky Hackers Strike Again with Advanced Reconnaissance Malware (thehackernews.com)

• Cyber Attacks Strike Ukraine's State Bodies in Espionage Operation (thehackernews.com)

• A deeper insight into the CloudWizard APT's activity revealed a long-running activity - Security Affairs

• What’s Russia Planning? (informationsecuritybuzz.com)

• Mysterious malware designed to cripple industrial systems linked to Russia | CyberScoop

• New Russian-linked CosmicEnergy malware targets industrial systems (bleepingcomputer.com)

• What’s Russia Planning? (informationsecuritybuzz.com)

• United Nations official and others in Armenia hacked by NSO Group spyware | Hacking | The Guardian

• Predator: Looking under the hood of Intellexa’s Android spyware (bleepingcomputer.com)

Nation State Actors

• APT attacks: Exploring Advanced Persistent Threats and their evasive techniques (malwarebytes.com)

• SMBs and regional MSPs are increasingly targeted by state-sponsored APT groups | CSO Online

• NCSC Warns Against Chinese Cyber Attacks on Critical Infrastructure - Infosecurity Magazine (infosecurity-magazine.com)

• The Underground History of Turla, Russia's Most Ingenious Hacker Group | WIRED

• A TikTok ban isn't a data security solution. It will be difficult to enforce – and could end up hurting users (theconversation.com)

• Malware turns home routers into proxies for Chinese state-sponsored hackers | Ars Technica

• GoldenJackal: Threat Risk For Organisations In Middle East & South Asia (informationsecuritybuzz.com)

• North Korean Kimsuky Hackers Strike Again with Advanced Reconnaissance Malware (thehackernews.com)

• N. Korean Lazarus Group Targets Microsoft IIS Servers to Deploy Espionage Malware (thehackernews.com)

• Fata Morgana Watering Hole Attack Targets Shipping, Logistics Firms - Infosecurity Magazine (infosecurity-magazine.com)

• A deeper insight into the CloudWizard APT's activity revealed a long-running activity - Security Affairs

• Five Eyes and Microsoft accuse China US infrastructure raids • The Register

• Iranian hackers use new Moneybird ransomware to attack Israeli orgs (bleepingcomputer.com)

• Mysterious malware designed to cripple industrial systems linked to Russia | CyberScoop

• GCHQ warns of fresh threat from Chinese state-sponsored hackers | Hacking | The Guardian

• New Russian-linked CosmicEnergy malware targets industrial systems (bleepingcomputer.com)

• China hits back after Microsoft says state-sponsored group hacked critical US infrastructure | Financial Times

• Five Eyes agencies detail how Chinese hackers breached US infrastructure - Help Net Security

• Lazarus Group Striking Vulnerable Windows IIS Web Servers (darkreading.com)

• 'Volt Typhoon' Breaks Fresh Ground for China-Backed Cyber Campaigns (darkreading.com)

Vulnerability Management

• 12 vulnerabilities newly associated with ransomware - Help Net Security

• Fresh perspectives needed to manage growing vulnerabilities - Help Net Security

• Judge Throws Out Ransomware Class-Action Suit Against Rackspace - MSSP Alert

• How to check for new exploits in real time? VulnCheck has an answer | CSO Online

Vulnerabilities

• 12 vulnerabilities newly associated with ransomware - Help Net Security

• Vulnerability in WordPress Google Analytics Plugin Hits +3 Million Websites (searchenginejournal.com)

• Hackers target 1.5M WordPress sites with cookie consent plugin exploit (bleepingcomputer.com)

• Barracuda Alerts Of Breaches In Email Gateways From Zero-Day Flaws (informationsecuritybuzz.com)

• Threat Actors Compromise Barracuda Email Security Appliances (darkreading.com)

• Microsoft: Windows issue causes file copying, saving failures (bleepingcomputer.com)

• GitLab 'strongly recommends' patching max severity flaw ASAP (bleepingcomputer.com)

• 83C0000B: The error code that means a software update bricked your HP printer (bitdefender.com)

• CISA adds iPhone bugs to Known Exploited Vulnerabilities catalog - Security Affairs

• Vulnerability in Zyxel firewalls may soon be widely exploited (CVE-2023-28771) - Help Net Security

• Zyxel warns of critical vulnerabilities in firewall and VPN devices (bleepingcomputer.com)

• Warning: Samsung Devices Under Attack! New Security Flaw Exposed (thehackernews.com)

• Multiple Vulnerabilities Found in the Kiddoware Kids Place Parental Control Android App - IT Security Guru

Tools and Controls

• Security Pros: Before You Do Anything, Understand Your Threat Landscape - SecurityWeek

• Malicious links and misaddressed emails slip past security controls - Help Net Security

• Making The Most Of A Penetration Test: The Organisational Perspective (forbes.com)

• Against the Clock: Cyber Incident Response Plan (trendmicro.com)

• CMOs & CISOs: Uniting for Stronger Brands (cmswire.com)

• Investigating Risks Through Threat Hunting Capability Guide (informationsecuritybuzz.com)

• Realistic Cyber security Simulations Deliver Strongest ROI for Training Programs, Security Innovation Finds - MSSP Alert

• A New Look for Risk in Awareness Training (darkreading.com)

• Almost all ransomware attacks target backups, says Veeam | Computer Weekly

• How continuous security monitoring is changing the compliance game - Help Net Security

• Blacklist untrustworthy apps that peek behind your firewall - Help Net Security

• How generative AI is reshaping the identity verification landscape - Help Net Security

• What is API Security? | Definition from TechTarget

• Are Your APIs Leaking Sensitive Data? (thehackernews.com)

• The fragmented nature of API security ownership - Help Net Security

• Enterprises Must Prepare Now for Shorter TLS Certificate Lifespans (darkreading.com)

• Cutting Through the Noise: What is Zero Trust Security? - SecurityWeek

• CISO-level tips for securing corporate data in the cloud - Help Net Security

• 6 ways generative AI chatbots and LLMs can enhance cyber security | CSO Online

• 'Operation Magalenha' Attacks Gives Window Into Brazil's Cyber crime Ecosystem (darkreading.com)

• China hits back after Microsoft says state-sponsored group hacked critical US infrastructure | Financial Times

• Here's another great reason to make sure your enterprises is safeguarded from ransomware | TechRadar

• Attributes of a mature cyber-threat intelligence program | CSO Online

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive Summary

A recent report has found that almost all (93%) of ransomware attacks explicitly target backups and most succeed, with 60% of those attacked paying the ransom. 1 in 4 organisations paid the ransom and did not get their data back, and 75% of backup repositories were affected in successful attacks. This all highlights the importance of backup immutability and protecting access to backups as they are now the primary focus of the attacker.

What is the risk to my business?

With the rise of ransomware attacks, as identified by the report, attackers are deliberately seeking to compromise backups of an organisation. This means that even if the organisation has backups of their data, they are not necessarily protected since the backups are seen as a critical target to aim for which could then lead to further compromises, with the report detailing that 56% of organisations risked reinfection during restoration of their data after an attack. Attackers are also more commonly using double and triple extortion techniques instead of just encrypting the organisations data, which include exfiltrating the data, threating to release the data unless a ransom is paid or directly targeting individuals of whom the data may concern for a payment instead.

By targeting the backup, the time it takes for to recover to a business-as-usual state could be substantially increased. In a worst-case scenario complete data loss could occur, leading to potentially unrecoverable financial and reputational impacts to the organisation.

What can I do?

The best defence from a ransomware attack is implementing strong information and cyber security policies which dictate controls across people, processes and technology, including detection capabilities to identify and prevent an attack. These controls should be further enhanced with user education and awareness training to reduce the likeness of a ransomware attack from occurring at the ingress point which is often the end user.

Other actions to help protect backups from attacker includes ensuring that the backup solution being used provides immutability, meaning that the backed-up data cannot be altered once it has been saved. Backup Assurance testing should be regularly undertaken to ensure the data, and the environment stored can be recovered successfully. Consideration should be made for the use of air gapped environments between production and backup to lower the risk of lateral intrusion.

Further information on the report is available here:

https://www.veeam.com/blog/2023-ransomware-trends-report-insights-html.html

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Executive Summary

Cisco has released updates to address 4 critical and 5 high rated vulnerabilities in the web-based user interface of some of its small business series switches. The identified flaws could be exploited by an unauthenticated, remote attacker to run arbitrary code with the highest level of privilege or cause a denial-of-service (DoS). Switches that are end of life will not be receiving security updates.

What can I do?

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities, however if the switches are not operating as a Layer 3 switch at the exposed edge of a network, and the web interface is not accessible externally from the internet then they would not be vulnerable to remote attackers, but would however allow for lateral movement to an attacker that already has access to the network. Patches for the critical vulnerabilities should be applied immediately and for the high rated vulnerabilities, as soon as possible, and replacements for supported end of life switches should be considered.  To download the firmware from the Software Centre on Cisco.com, click Browse all and choose Switches > LAN Switches - Small Business.

The following vulnerabilities have been patched in the following firmware versions:

• 250 Series Smart Switches (Fixed in firmware version 2.5.9.16)

• 350 Series Managed Switches (Fixed in firmware version 2.5.9.16)

• 350X Series Stackable Managed Switches (Fixed in firmware version 2.5.9.16)

• 550X Series Stackable Managed Switches (Fixed in firmware version 2.5.9.16)

• Business 250 Series Smart Switches (Fixed in firmware version 3.3.0.16)

• Business 350 Series Managed Switches (Fixed in firmware version 3.3.0.16)

The following switches will not have an update to address these flaws due to being in the end-of-life process, and should be replaced where possible:

• Small Business 200 Series Smart Switches

• Small Business 300 Series Managed Switches

• Small Business 500 Series Stackable Managed Switches

Technical Summary

The four critical vulnerabilities (CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, CVE-2023-20189) relate to on improper validation of requests that are sent to the web-based user interface. An attacker could exploit this vulnerability by sending a crafted request through this interface, allowing them to execute arbitrary code with root privileges, the highest available, on an affected device.

Further information on these flaws is available here:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sg-web-multi-S9g4Nkgv

Need help understanding your gaps, or just want some advice? Get in touch with us.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Triple Threat: Insecure Economy, Cyber Crime Recruitment and Insider Threats

Across all sectors employees are feeling the ramifications of economic uncertainty, coupled with ransomware attacks continuing to evolve and become more sophisticated, and with this, cyber crime gangs are increasing their recruitment efforts. All the while, the cyber security skills gap persists and continues to widen for most organisations. This has the potential to create a perfect storm in terms of insider threats.

Insider threats can be malicious or unintentional, and they might come from current or former employees, business partners, board members or consultants. A recent report found that the past two years have seen a 44% rise in insider incidents. There is no quick fix to solve the insider threat problem. At a time when many businesses are struggling with visibility issues brought on by digital transformation and vendor sprawl, what’s needed is planning. Reducing the risk associated with insider threats requires a multifaceted approach.

https://www.securityweek.com/triple-threat-insecure-economy-cybercrime-recruitment-and-insider-threats/

• Ensuring Security Remains/Becomes Everyone’s Responsibility

In the same way as organisations believe that everyone is somewhat responsible for keeping costs reasonable, why would an organisation not think the same of cyber security, especially as cyber security is not just a technology problem: it is a business problem. One of the best methods for ensuring that security is everyone’s responsibility is to make cyber a top-down issue, with the board and C-suite setting the tone for security; they should provide clear direction and guidance, prioritising security as a business objective.

Other methods that can help ensure security as everyone’s responsibility include integrating it into the functions of roles, creating a security culture, providing awareness and training and rewarding employees for responses such as reporting phishing attacks.

https://cisoseries.com/20-ways-to-ensure-security-remains-becomes-everyones-responsibility/

• Insured Companies More Likely to be Ransomware Victims, Sometimes More Than Once

Companies with cyber insurance are more likely to get hit by ransomware, more likely to be attacked multiple times, and more likely to pay ransoms, according to a recent survey of IT decision makers.

According to the survey by Barracuda Networks, 77% of organisations with cyber insurance were hit at least once, compared to 65% without insurance. Of those with insurance, 39% paid the ransom. Worryingly, the survey found that insured companies were also 70% more likely to be hit multiple times. Repeat victims were also more likely to pay the ransom, and less likely to use backup systems to help them recover.

https://www.csoonline.com/article/3696350/insured-companies-more-likely-to-be-ransomware-victims-sometimes-more-than-once.html

• Software Supply Chain Attacks Hit 61% of Firms

More than three-fifths (61%) of businesses have been directly impacted by a software supply chain threat over the past year, according to a new report. The report pointed to open source software as a key source of supply chain risk. Open source is now used by 94% of companies in some form, with over half (57%) using multiple open source platforms, the report revealed.

Organisations may be putting themselves at further risk by not having a full view of the software which is used within their corporate environment. One of the first things an organisation seeking to reduce their risk of a software supply chain attack should do is to understand their attack surface and maintain a record of the software which they use.

https://www.infosecurity-magazine.com/news/software-supply-chain-attacks-hit/

• More than 2.25 Million Exposed Assets on the Dark Web Tied to Fortune 1000 Employees

In a newly released 2023 Fortune 1000 Identity Exposure Report, an analysis of the dark net exposure of employees across 21 industries, including technology, financial, retailing and media, researchers analysed 2.27 billion exposed dark web assets. These assets included more than 423 million records containing personally identifiable information (PII) found in data breaches and exfiltrated from malware-infected devices tied directly to Fortune 1000 employees’ email addresses.  

Additional findings include 27.48 million pairs of credentials with Fortune 1000 corporate email addresses and plain text passwords, and a 62% re-use rate of passwords amongst Fortune 1000 employees. Whilst the research focuses on Fortune 1000 employees, it is unlikely that these are the only employees who are exposed on the dark web. Organisations should be aware of how such PII could include their own employees, and how to avoid password re-use in the corporate environment.

https://www.msspalert.com/cybersecurity-research/more-than-2-25-million-exposed-assets-on-the-dark-web-tied-to-fortune-1000-employees/

• Law Enforcement Crackdowns and New Techniques are Forcing Cyber Criminals to Pivot

Researchers say that law enforcement crackdowns and new investigative tools are putting pressure on cyber criminals, but challenges for defenders remain. It can seem like cyber criminals are running rampant across the world's digital infrastructure, launching ransomware attacks, scams, and outright thefts with impunity. Over the last year, however, US and global authorities seized $112 million from cryptocurrency investment scams, disrupted the Hive ransomware group, broke up online illegal drug marketplaces, and sanctioned crypto money launderers, among other operations to crack down on internet-enabled crimes. With such pressure, financially motivated threat actors are pivoting to crimes that have a higher rate of success, such as selling data instead of extorting, and romance scams and pig butchering (building rapport and trust with victims over time only to steal from them) are replacing the old get-rich schemes.

https://www.csoonline.com/article/3696748/law-enforcement-crackdowns-and-new-techniques-are-forcing-cybercriminals-to-pivot.html

• Talking Security Strategy: Why Cyber Security Requires a Seat at the Boardroom Table

Cyber security is no longer a fringe issue for businesses. What was once a siloed function is now woven into the fabric of any successful business. Any business still treating its cyber security initiatives as a side project is setting itself up to fail. The US Securities and Exchange Commission (SEC) has laid to rest any doubts about the importance of cyber security with new regulations around how boards of directors should approach it. The regulations, which are in the process of being finalised, will require companies to openly report any serious cyber security attack and explain who on their board is responsible for dealing with it. The regulations also will require businesses to include board of directors' cyber security experience and credentials as part of any public disclosure.

https://www.darkreading.com/vulnerabilities-threats/talking-security-strategy-cybersecurity-has-a-seat-at-the-boardroom-table

• How Incident Response Rehearsals and Readiness Exercises Can Aid Incident Response

Incident response rehearsals and readiness exercises can aid organisations by identifying security gaps, testing communications in the event of a cyber attack, and understanding roles in reducing response times. All of which benefits the business objectives of the organisation.

The importance for organisations to understand who their adversaries are and how they operate against their enterprise environments cannot be overstated. An organisation's approach to cyber security testing and resilience improvements in the face of an increasingly volatile threat landscape must be underpinned around this perspective.

Rehearsals should look to leverage scenarios based on evolving and emerging attacker techniques, tactics and procedures (TTPs), with different levels of complexity; this allows an organisation to constantly sharpen their technique and update rehearsals to reflect the current attack environment. These TTPs should be driven by an intelligence-led and risk-based approach. Additionally, organisations need to set metrics for understanding the results of rehearsals, which in turn should be used in established feedback channels to drive improvement in the organisation’s incident response.

https://www.darkreading.com/edge-articles/5-ways-security-testing-can-aid-incident-response 

• Ransomware’s Real Goals are to Exploit Internet Facing Apps, Mine Intellectual Property and Grab Sensitive Information

The majority of ransomware attacks in 2022 were intended to unearth personal data, mine intellectual property and grab other sensitive information rather than financial extortion or data encryption, Kaspersky said in a new report.

Most attacks started off as exploiting public facing applications (43%), data from compromised user accounts (24%) and malicious emails (12%). The goal was to snatch information the cyber crews could leverage into bigger and more lucrative scores. The report also revealed that the longest-running ransomware attacks began with the exploitation of public-facing applications, with just over 2% of them lasting for a year and more.

https://www.msspalert.com/cybersecurity-research/ransomwares-real-goals-are-exploit-internet-facing-apps-mine-intellectual-property-grab-sensitive-info/

• Organisations’ Cyber Resilience Efforts Fail to Keep Up with Evolving Threats

A steady increase in cyber attacks and an evolving threat landscape are resulting in more organisations turning their attention to building long-term cyber resilience; however, many of these programs are falling short and fail to prove teams’ real-world cyber capabilities, according to Immersive Labs. The report found that while 86% of organisations have a cyber resilience program, 52% of respondents say their organisation lacks a comprehensive approach to assessing cyber resilience.

Organisations have taken steps to deploy cyber resilience programs; however, 53% of respondents indicate the organisation’s workforce is not well-prepared for the next cyber attack and just over half say they lack a comprehensive approach to assessing cyber resilience. These statistics indicate that although cyber resilience is a priority and programs are in place, their current structure and training are ineffective.

https://www.helpnetsecurity.com/2023/05/18/cyber-resilience-programs-shortcomings/

• Fraudsters Send Fake Invoice, Follow Up with Fake Executive Confirmation

Fraudsters are trying out a new approach to convince companies to pay bogus invoices: instead of hijacking existing email threads, they are creating convincing ones themselves. The fraud attempt begins with an email containing a payment request for a fake invoice. The recipient, an employee in a company’s finance department, reads the email and checks who sent it. The sender’s email address looks like it belongs to one of the company’s trusted vendors, and the VP of Finance has been CC-ed. Soon after, the “VP of Finance” replies to the email thread, and asks the employee (by name) to pay this at the earliest convenience.

Most organisations view social engineering methods as a one step process; however, threat actors are employing multiple layers. In this case, adding management to increase authenticity. Businesses looking to bolster their resilience should look to ensure that these kinds of attacks are addressed in their organisation’s user education and awareness training.

https://www.helpnetsecurity.com/2023/05/16/payment-request-fraud/

• Capita Warns Customers They Should Assume Data was Stolen

Outsourcing giant Capita is warning customers to assume that their data was stolen in a cyber attack that affected its systems in early April. This includes the Universities Superannuation Scheme (USS), the largest private pension scheme in the UK, which holds pensions of over 500,000 individuals. A total of 350 UK corporate retirement schemes are believed to be impacted. The cyber attack, originally described to be a technical problem, has been reported to the UK’s Information Commissioner’s Office.

https://www.bleepingcomputer.com/news/security/capita-warns-customers-they-should-assume-data-was-stolen/

Governance, Risk and Compliance

• Cyber security Often Overlooked as Key Factor for Business Success, New Study Says - MSSP Alert

• Cyber Risk Management in 2023: The People Element (trendmicro.com)

• Is Your Cyber security “Too” Good? (securityintelligence.com)

• Cyber risk: Can banks win the arms race? | Financial Times (ft.com)

• Security breaches push digital trust to the fore | CSO Online

• Cyber-Resilience Programs Failing on Poor Visibility - Infosecurity Magazine (infosecurity-magazine.com)

• 5 Ways Security Testing Can Aid Incident Response (darkreading.com)

• Organisations reporting cyber resilience are hardly resilient: Study | CSO Online

• Organisations' cyber resilience efforts fail to keep up with evolving threats - Help Net Security

• Keeping a competitive edge in the cyber security ‘game’ | CyberScoop

• UK NCSC, ICO debunk 6 cyber attack reporting myths | CSO Online

• An Executive's Guide To The Cyber crime Underground (forbes.com)

• Accelerating Security Risk Management (trendmicro.com)

• Law enforcement crackdowns and new techniques are forcing cyber criminals to pivot | CSO Online

• 20 Ways to Ensure Security Remains/Becomes Everyone’s Responsibility (cisoseries.com)

• Talking Security Strategy: Cyber security Has a Seat at the Boardroom Table (darkreading.com)

• ‘Attackers only have to get it right once’: how cyber security burst into the boardroom | Financial Times (ft.com)

• Triple Threat: Insecure Economy, Cyber crime Recruitment and Insider Threats - SecurityWeek

Threats

Ransomware, Extortion and Destructive Attacks

• Insured companies more likely to be ransomware victims, sometimes more than once | CSO Online

• Ransomware payments nearly double in one year | Cyber crime | The Guardian

• Ransomware’s Real Goals are Exploit Internet Facing Apps, Mine Intellectual Property, Grab Sensitive Info - MSSP Alert

• The Week in Ransomware - May 12th 2023 - New Gangs Emerge (bleepingcomputer.com)

• New trends in ransomware attacks shape the future of cyber security - Help Net Security

• Russia-affiliated CheckMate ransomware quietly targets popular file-sharing protocol-Security Affairs

• Bl00dy Ransomware Gang Strikes Education Sector with Critical PaperCut Vulnerability (thehackernews.com)

• ABB 'suffers cyber attack' by ransomware gang Black Basta (techmonitor.ai)

• Why Amazon S3 is a ransomware target and how to protect it | TechTarget

• Experts question San Bernardino's $1.1M ransom payment | TechTarget

• Manufacturers Targeted as Ransomware Victim Numbers Spike 27% - Infosecurity Magazine (infosecurity-magazine.com)

• Ransomware corrupts data, making restoration harder • The Register

• CLR SqlShell Malware Targets MS SQL Servers for Crypto Mining and Ransomware (thehackernews.com)

• VPN vulnerability linked to ransomware attack on Law Society: PDPC - CNA (channelnewsasia.com)

• New 'MichaelKors' Ransomware-as-a-Service Targeting Linux and VMware ESXi Systems (thehackernews.com)

• Philadelphia Inquirer operations disrupted after cyber attack (bleepingcomputer.com)

• Ransomware gang steals data of 5.8 million PharMerica patients (bleepingcomputer.com)

• New RA Group ransomware targets US orgs in double-extortion attacks (bleepingcomputer.com)

• Ransomware Prevention – Are Meeting Password Security Requirements Enough (bleepingcomputer.com)

• US Offers $10 Million Bounty for Capture of Notorious Russian Ransomware Operator (thehackernews.com)

• Qilin Ransomware Operation Outfits Affiliates With Sleek, Turnkey Cyber attacks (darkreading.com)

• Qilin's Dark Web Ransomware Targets Critical Sectors - Infosecurity Magazine (infosecurity-magazine.com)

• Ransomware-as-a-service groups pay affiliates top dollar • The Register

• Russian ransomware affiliate charged with attacks on critical infrastructure (bleepingcomputer.com)

• This new ransomware group is targeting big businesses - here's what you need to know | TechRadar

• Warning Issued About BianLian Ransomware Attacks By CISA & FBI (informationsecuritybuzz.com)

• FBI confirms BianLian ransomware switch to extortion only attacks (bleepingcomputer.com)

• 'Strictly limit' remote desktop to avoid BianLian ransomware • The Register

• MalasLocker ransomware targets Zimbra servers, demands charity donation (bleepingcomputer.com)

• Russian national indicted for ransomware attacks against the US | CSO Online

• A different kind of ransomware demand: Donate to charity to get your data back | CyberScoop

• Introducing the DRM-Report Q1 2023: Unveiling the Current State of Ransomware - -Security Affairs-Security Affairs

Phishing & Email Based Attacks

• What the Email Security Landscape Looks Like in 2023-Security Affairs

• New Phishing-as-a-Service Platform Lets Cyber criminals Generate Convincing Phishing Pages (thehackernews.com)

• Ongoing Facebook phishing campaign without a sender and (almost) without links

• Google's .zip Top Level domain is already used in phishing attacks - gHacks Tech News

• New ZIP domains spark debate among cyber security experts (bleepingcomputer.com)

• Exploring the tactics of phishing and scam websites in 2023 - Help Net Security

• Trojan-Rigged Phishing Attacks Pepper China-Taiwan Conflict (darkreading.com)

Other Social Engineering; Smishing, Vishing, etc

• Fraudsters send fake invoice, follow up with fake exec confirmation - Help Net Security

• Insider threats surge across US CNI as attackers exploit human factors | CSO Online

• Microsoft Teams Features Amp Up Orgs' Cyber attack Exposure (darkreading.com)

• Social Engineering Risks Found in Microsoft Teams - Infosecurity Magazine (infosecurity-magazine.com)

• Researchers show ways to abuse Microsoft Teams accounts for lateral movement | CSO Online

Artificial Intelligence

• 10 Types of AI Attacks CISOs Should Track (darkreading.com)

• New Google search tool will distinguish real images from AI-generated phonies | ZDNET

• AI-Powered Tools Threaten Password Strength, New Study Finds - MSSP Alert

• AI Is About to Be Everywhere: Where Will Regulators Be? (darkreading.com)

• Zut alors! Raclage crapuleux! Clearview AI in 20% more trouble in France – Naked Security (sophos.com)

• Generative AI Empowers Users but Challenges Security (darkreading.com)

• ChatGPT’s Chief Testifies Before Congress, Calls for New Agency to Regulate Artificial Intelligence - SecurityWeek

• BatLoader Impersonates ChatGPT and Midjourney in Cyber-Attacks - Infosecurity Magazine (infosecurity-magazine.com)

• Security Vulnerabilities of ChatGPT-Generated Code (trendmicro.com)

• 3 Ways Hackers Use ChatGPT to Cause Security Headaches (darkreading.com)

• ChatGPT is about to revolutionize cyber security | VentureBeat

• Mitigating Dark Web Risks: The Role Of AI And Machine Learning (forbes.com)

2FA/MFA

• The Ultimate Guide to Multi-Factor Authentication - Security Boulevard

Malware

• Microsoft is scanning the inside of password-protected zip files for malware | Ars Technica

• XWorm Malware Exploits Follina Vulnerability in New Wave of Attacks (thehackernews.com)

• Atomic malware steals Mac passwords, crypto wallets, and more • Graham Cluley

• CLR SqlShell Malware Targets MS SQL Servers for Crypto Mining and Ransomware (thehackernews.com)

• Lancefly APT Custom Backdoor Targets Government and Aviation Sectors - Infosecurity Magazine (infosecurity-magazine.com)

• No more macros? No problem, say attackers, we'll adapt • The Register

• Infostealer Malware Surges: Stolen Logs Up 670% on Russian Market - Infosecurity Magazine (infosecurity-magazine.com)

• The new info-stealing malware operations to watch out for (bleepingcomputer.com)

• DangerousPassword - A Malware Attack Pattern to Infect Devices (gbhackers.com)

• Stealthy MerDoor malware uncovered after five years of attacks (bleepingcomputer.com)

• Hackers Using Golang Variant of Cobalt Strike to Target Apple macOS Systems (thehackernews.com)

• New ZIP domains spark debate among cyber security experts (bleepingcomputer.com)

• Infamous cyber crime marketplace offers pre-order service for stolen credentials - Help Net Security

• BatLoader Impersonates ChatGPT and Midjourney in Cyber-Attacks - Infosecurity Magazine (infosecurity-magazine.com)

• Once Again, Malware Discovered Hidden in npm (darkreading.com)

• Trojan-Rigged Phishing Attacks Pepper China-Taiwan Conflict (darkreading.com)

Mobile

• Lemon Group Uses Millions of Pre-Infected Android Phones to Enable Cyber crime Enterprise (darkreading.com)

• Parental control app with 5 million downloads vulnerable to attacks (bleepingcomputer.com)

• Apple blocked 1.7 million apps for privacy, security issues in 2022 (bleepingcomputer.com)

• Converso walks back E2EE claims, yanks app from stores • The Register

• OilAlpha: Emerging Houthi-linked Cyber Threat Targets Arabian Android Users (thehackernews.com)

• Google Announces New Rating System for Android and Device Vulnerability Reports - SecurityWeek

• Millions of Smartphones Distributed Worldwide With Preinstalled 'Guerrilla' Malware - SecurityWeek

Botnets

• Beware Bots: Human Internet Traffic Dives to Lowest Level in Eight Years, New Report Finds - MSSP Alert

• Latest variant of RapperBot botnet adds cryptojacking capabilities-Security Affairs

• Bad bots are coming for APIs - Help Net Security

• Spanish cops arrest 69 in immigration bot scheme • The Register

Denial of Service/DoS/DDOS

• Polish news websites hit by DDoS attacks | Reuters

• Europe: The DDoS battlefield - Help Net Security

Internet of Things – IoT

• Netgear Routers' Flaws Expose Users to Malware, Remote Attacks, and Surveillance (thehackernews.com)

• Why 2.4GHz Wi-Fi is both the savior and the scourge of the smart home - The Verge

• Hackers infect TP-Link router firmware to attack EU entities (bleepingcomputer.com)

• Chinese Hackers Mustang Panda Attacks TP-Link Routers (informationsecuritybuzz.com)

• Unpatched Wemo Smart Plug Bug Opens Countless Networks to Cyber attacks (darkreading.com)

• Government Publishes Playbook to Enhance Smart City Security - Infosecurity Magazine (infosecurity-magazine.com)

• Is your car safe from a cyber attack? | E&T Magazine (theiet.org)

Data Breaches/Leaks

• UK's largest private pension scheme hit by Capita attack • The Register

• Capita warns customers they should assume data was stolen (bleepingcomputer.com)

• More than 2.25 Million Exposed Assets on the Dark Web Tied to Fortune 1000 Employees - MSSP Alert

• MP’s laptop stolen from Welcome Break spot 'not covered by CCTV' | UK News | Metro News

• Discord discloses data breach after support agent got hacked (bleepingcomputer.com)

• Data of 237,000 US government employees breached - CNA (channelnewsasia.com)

• Toyota: Car location data of 2 million customers exposed for ten years (bleepingcomputer.com)

• Toyota's bungling of customer privacy is becoming a pattern • The Register

• Making Sure Lost Data Stays Lost (darkreading.com)

• WordPress Plugin Vulnerability Exposed Ferrari Website to Hackers - SecurityWeek

• Personal info of 90k hikers leaked by French tourism company La Malle Postale-Security Affairs

• Ransomware gang steals data of 5.8 million PharMerica patients (bleepingcomputer.com)

• Airline exposes passenger info to others due to a 'technical error' (bleepingcomputer.com)

• University admission platform exposed student passports-Security Affairs

• Millions of deleted files recovered in hard drives purchased online | TechRadar

Organised Crime & Criminal Actors

• Law enforcement crackdowns and new techniques are forcing cyber criminals to pivot | CSO Online

• An Executive's Guide To The Cyber crime Underground (forbes.com)

• Hacker marketplace still active despite police 'takedown' claim - BBC News

• Former Ubiquiti Employee Gets 6 Years in Jail for $2 Million Crypto Extortion Case (thehackernews.com)

• How Cyber criminals Adapted to Microsoft Blocking Macros by Default (darkreading.com)

• Darknet Carding Kingpin Pleads Guilty: Sold Financial Info of Tens of Thousands (thehackernews.com)

• Lemon Group Uses Millions of Pre-Infected Android Phones to Enable Cyber crime Enterprise (darkreading.com)

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Atomic malware steals Mac passwords, crypto wallets, and more • Graham Cluley

• Hacker admits he was connected to 'tens of thousands’ laptops to mine crypto (finbold.com)

• CLR SqlShell Malware Targets MS SQL Servers for Crypto Mining and Ransomware (thehackernews.com)

• Latest variant of RapperBot botnet adds cryptojacking capabilities-Security Affairs

• North Korean hackers stole $721 million in cryptocurrency from Japan - Nikkei | Reuters

• DangerousPassword - A Malware Attack Pattern to Infect Devices (gbhackers.com)

• Landmark crypto rules make exchanges liable for customer losses in EU | Ars Technica

• 8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency (thehackernews.com)

Insider Risk and Insider Threats

• Triple Threat: Insecure Economy, Cyber crime Recruitment and Insider Threats - SecurityWeek

• Avoiding Reputational Damage By Conquering Insider Threats (informationsecuritybuzz.com)

• Insider threats surge across US CNI as attackers exploit human factors | CSO Online

• Ex-Apple engineer accused of stealing self-driving car secrets - BBC News

• Identity crimes: Too many victims, limited resources - Help Net Security

Fraud, Scams & Financial Crime

• Fraudsters send fake invoice, follow up with fake exec confirmation - Help Net Security

• Exploring the tactics of phishing and scam websites in 2023 - Help Net Security

• Edinburgh coffee shop owner devastated after losing £100,000 life savings to cyber criminals in internet scam | Edinburgh News (scotsman.com)

• How To Avoid Mother's Day Scams By Protecting Your Purse And Heart (informationsecuritybuzz.com)

• US Says VoIP Firm Delivered Billions of Scam Robocalls - Infosecurity Magazine (infosecurity-magazine.com)

• Spanish cops arrest 69 in immigration bot scheme • The Register

• This Is Catfishing on an Industrial Scale | WIRED

• Admin of the darknet carding platform Skynet Market pleads guilty-Security Affairs

• 18-year-old charged with hacking 60,000 sports betting accounts (bleepingcomputer.com)

AML/CFT/Sanctions

• How China came to dominate the black market for money laundering (telegraph.co.uk)

Insurance

• Insured companies more likely to be ransomware victims, sometimes more than once | CSO Online

Dark Web

• Hacker marketplace still active despite police 'takedown' claim - BBC News

• Infamous cyber crime marketplace offers pre-order service for stolen credentials - Help Net Security

• Darknet Carding Kingpin Pleads Guilty: Sold Financial Info of Tens of Thousands (thehackernews.com)

• Mitigating Dark Web Risks: The Role Of AI And Machine Learning (forbes.com)

Supply Chain and Third Parties

• Capita warns customers they should assume data was stolen (bleepingcomputer.com)

• Capita hit by new data breach incident | Financial Times (ft.com)

• Another security calamity for Capita: Unsecured AWS bucket • The Register

• UK's largest private pension scheme hit by Capita attack • The Register

• Discord Informs Users of Data Breach Involving Customer Support Provider - SecurityWeek

• Preparing for federal supply chain security standardization - Help Net Security

Software Supply Chain

• Software Supply Chain Attacks Hit 61% of Firms - Infosecurity Magazine (infosecurity-magazine.com)

Cloud/SaaS

• Security experts share cloud auditing best practices | TechTarget

• Stop worrying about cloud-lock-in, and outages: Gartner • The Register

• Microsoft Azure VMs Hijacked in Cloud Cyber attack (darkreading.com)

• Why High Tech Companies Struggle with SaaS Security (thehackernews.com)

• Sticking to traditional security playbook is mistake for cloud security: Palo Alto Networks SVP (techrepublic.com)

• Capita hit by new data breach incident | Financial Times (ft.com)

• Why Amazon S3 is a ransomware target and how to protect it | TechTarget

• Microsoft lets Azure AD choose authentication method • The Register

Encryption

• Converso walks back E2EE claims, yanks app from stores • The Register

• Protect against current and future threats with encryption | TechTarget

API

• Bad bots are coming for APIs - Help Net Security

• Attack automation becomes a prevalent threat against APIs - Help Net Security

Open Source

• EU attempts to secure software could hurt open source • The Register

• CISA: Several Old Linux Vulnerabilities Exploited in Attacks - SecurityWeek

• Open-source Cobalt Strike port 'Geacon' used in macOS attacks (bleepingcomputer.com)

• Malicious open-source components threatening digital infrastructure - Help Net Security

• Congress looks to expand CISA's role, adding responsibilities for satellites and open source software | CyberScoop

• Enhancing open source security: Insights from the OpenSSF on addressing key challenges - Help Net Security

Passwords, Credential Stuffing & Brute Force Attacks

• Time Taken For Hackers to Crack Passwords Revealed - IT Security Guru

• AI-Powered Tools Threaten Password Strength, New Study Finds - MSSP Alert

• Passkeys may not be for you, but they are safe and easy—here’s why | Ars Technica

• Ransomware Prevention – Are Meeting Password Security Requirements Enough (bleepingcomputer.com)

• KeePass 2.X Master Password Dumper allows retrieving the KeePass master password-Security Affairs

Social Media

• Former TikTok official says China had access to app data | Al Arabiya English

• Ongoing Facebook phishing campaign without a sender and (almost) without links

• Twitter wrong to block tweets during Turkey election - Wikipedia founder - BBC News

• Twitter sued over Saudi spying that allegedly landed popular user in prison [Updated] | Ars Technica

Training, Education and Awareness

• White House plan to implement cyber strategy includes ambitious digital education effort | CyberScoop

Parental Controls and Child Safety

• Parental control app with 5 million downloads vulnerable to attacks (bleepingcomputer.com)

Regulations, Fines and Legislation

• EU attempts to secure software could hurt open source • The Register

• AI Is About to Be Everywhere: Where Will Regulators Be? (darkreading.com)

• ChatGPT’s Chief Testifies Before Congress, Calls for New Agency to Regulate Artificial Intelligence - SecurityWeek

• Preparing for federal supply chain security standardization - Help Net Security

Secure Disposal

• Making Sure Lost Data Stays Lost (darkreading.com)

• Millions of deleted files recovered in hard drives purchased online | TechRadar

Careers, Working in Cyber and Information Security

• How I Got Started: Offensive Security

• Open source and Linux skills are still in demand in a dark economy | ZDNET

• Top 10 Ideas for Addressing the Cyber security Skills Gap in 2023 (analyticsinsight.net)

• Google Cloud CISO on why the Google Cyber security Certificate matters - Help Net Security

• Improving cyber mindfulness - IT Security Guru

• The Future is (Cyber) Mindful - IT Security Guru

Law Enforcement Action and Take Downs

• Law enforcement crackdowns and new techniques are forcing cyber criminals to pivot | CSO Online

• Hacker marketplace still active despite police 'takedown' claim - BBC News

• Spanish cops arrest 69 in immigration bot scheme • The Register

• Identity crimes: Too many victims, limited resources - Help Net Security

• Darknet Carding Kingpin Pleads Guilty: Sold Financial Info of Tens of Thousands (thehackernews.com)

• Admin of the darknet carding platform Skynet Market pleads guilty-Security Affairs

• 18-year-old charged with hacking 60,000 sports betting accounts (bleepingcomputer.com)

• Russian national indicted for ransomware attacks against the US | CSO Online

Privacy, Surveillance and Mass Monitoring

• The UK’s Secretive Web Surveillance Program Is Ramping Up | WIRED

• WhatsApp allows users to lock sensitive chats - Help Net Security

• Apple blocked 1.7 million apps for privacy, security issues in 2022 (bleepingcomputer.com)

• Google details its next steps for wiping out Chrome tracking cookies | Engadget

• Zut alors! Raclage crapuleux! Clearview AI in 20% more trouble in France – Naked Security (sophos.com)

Misinformation, Disinformation and Propaganda

• Pakistan shut down the internet - but that didn't stop the protests - BBC News

• Twitter wrong to block tweets during Turkey election - Wikipedia founder - BBC News

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Cyber Warfare Escalates Amid China-Taiwan Tensions - Infosecurity Magazine (infosecurity-magazine.com)

• New APT Group Red Stinger Targets Military and Critical Infrastructure in Eastern Europe (thehackernews.com)

• China's 'Satellite Killer' Spacecraft Threatens To Puncture US Military In Space By Crippling Its Recon, Navigation & EW Satellites

• President Zelensky imposes sanctions against the Russian IT sector-Security Affairs

• 4 Countries Join NATO Cyber Defence Center - SecurityWeek

Nation State Actors

• Former TikTok official says China had access to app data | Al Arabiya English

• Cyber Warfare Escalates Amid China-Taiwan Tensions - Infosecurity Magazine (infosecurity-magazine.com)

• New APT Group Red Stinger Targets Military and Critical Infrastructure in Eastern Europe (thehackernews.com)

• Russia-affiliated CheckMate ransomware quietly targets popular file-sharing protocol-Security Affairs

• Gatewatcher unveils research into advanced persistent threats | Data Centre Solutions

• China's 'Satellite Killer' Spacecraft Threatens To Puncture US Military In Space By Crippling Its Recon, Navigation & EW Satellites

• How China came to dominate the black market for money laundering (telegraph.co.uk)

• Lancefly APT Custom Backdoor Targets Government and Aviation Sectors - Infosecurity Magazine (infosecurity-magazine.com)

• Researchers Uncover Powerful Backdoor and Custom Implant in Year-Long Cyber Campaign (thehackernews.com)

• North Korean hackers stole $721 million in cryptocurrency from Japan - Nikkei | Reuters

• Hackers infect TP-Link router firmware to attack EU entities (bleepingcomputer.com)

• Chinese Hackers Mustang Panda Attacks TP-Link Routers (informationsecuritybuzz.com)

• Cyble — Cisco Routers Exploited by Russian State-Sponsored Attackers

• DOJ links Iran, China and Russia to five IP theft-related cases | SC Media (scmagazine.com)

• Trojan-Rigged Phishing Attacks Pepper China-Taiwan Conflict (darkreading.com)

Vulnerability Management

• Microsoft will take nearly a year to finish patching new 0-day Secure Boot bug | Ars Technica

• Remote updates on motherboards could lead to bricked servers • The Register

• Hacking Groups Rapidly Weaponizing N-Day Vulnerabilities (gbhackers.com)

• CISA: Several Old Linux Vulnerabilities Exploited in Attacks - SecurityWeek

• Microsoft Advisories Are Getting Worse (darkreading.com)

• How to build a better vulnerability management program | TechTarget

• Google Announces New Rating System for Android and Device Vulnerability Reports - SecurityWeek

• How to Protect Your Organisation From Vulnerabilities (darkreading.com)

Vulnerabilities

• Hackers target Wordpress plugin flaw after PoC exploit released (bleepingcomputer.com)

• Critical Flaws in Cisco Small Business Switches Could Allow Remote Attacks (thehackernews.com)

• KeePass flaw allows retrieval of master password, PoC is public (CVE-2023-32784) - Help Net Security

• Apple fixes three new zero-days exploited to hack iPhones, Macs (bleepingcomputer.com)

• XWorm Malware Exploits Follina Vulnerability in New Wave of Attacks (thehackernews.com)

• Details Disclosed for Exploit Chain That Allows Hacking of Netgear Routers - SecurityWeek

• CVE-2023-0008 PAN-OS: Local File Disclosure Vulnerability in the PAN-OS Web Interface (paloaltonetworks.com)

• Arm confident Cortex-M is secure after side-channel attack • The Register

• Microsoft Follina Bug Is Back in Meme-Themed Cyber attacks Against Travel Orgs (darkreading.com)

• CISA: Several Old Linux Vulnerabilities Exploited in Attacks - SecurityWeek

• Remote updates on motherboards could lead to bricked servers • The Register

• Microsoft will take nearly a year to finish patching new 0-day Secure Boot bug | Ars Technica

• Microsoft pulls Defender update fixing Windows LSA Protection bug (bleepingcomputer.com)

• WordPress 6.2.1 Released with Fixes for 5 Security Vulnerabilities – WP Tavern

• 8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency (thehackernews.com)

• Cisco Says PoC Exploits Available for Newly Patched Enterprise Switch Vulnerabilities - SecurityWeek

Tools and Controls

• Organisations' cyber resilience efforts fail to keep up with evolving threats - Help Net Security

• Hacking Groups Rapidly Weaponizing N-Day Vulnerabilities (gbhackers.com)

• Cyber-Resilience Programs Failing on Poor Visibility - Infosecurity Magazine (infosecurity-magazine.com)

• 5 Ways Security Testing Can Aid Incident Response (darkreading.com)

• Organisations reporting cyber resilience are hardly resilient: Study | CSO Online

• Making Sure Lost Data Stays Lost (darkreading.com)

• Passkeys may not be for you, but they are safe and easy—here’s why | Ars Technica

• Not-Too-Safe Boot: Remotely Bypassing Endpoint Security Solutions (AV/EDR/…) and Anti-Tampering Mechanisms – Zero-Day Zone (zerodayzone.com)

• The Ultimate Guide to Multi-Factor Authentication - Security Boulevard

• Open-source Cobalt Strike port 'Geacon' used in macOS attacks (bleepingcomputer.com)

• White House plan to implement cyber strategy includes ambitious digital education effort | CyberScoop

• Protect against current and future threats with encryption | TechTarget

• Can AI Decision-Making Be Trusted for Cyber security? (analyticsinsight.net)

• 'Strictly limit' remote desktop to avoid BianLian ransomware • The Register

• Millions of deleted files recovered in hard drives purchased online | TechRadar

• Key Metrics In Evaluating DevOps Threat Matrix (informationsecuritybuzz.com)

• ChatGPT is about to revolutionize cyber security | VentureBeat

• A Requirements-Driven Approach to Cyber Threat Intelligence | Mandiant

• Embedding Security by Design: A Shared Responsibility (darkreading.com)

Reports Published in the Last Week

• UK Cyber security Landscape: challenges and opportunities | Expel

• Kaspersky Incident Response report 2022 | Securelist

• The State of Pentesting 2023 Report | Cobalt

• Introducing the DRM-Report Q1 2023: Unveiling the Current State of Ransomware - -Security Affairs-Security Affairs

Other News

• Heightened cyber attacks threat before Council of Europe summit in Reykjavik – EURACTIV.com

• White House plan to implement cyber strategy includes ambitious digital education effort | CyberScoop

• 12 common network protocols and their functions explained | TechTarget

• Pentagon Hacking Fears Fueled by Microsoft's Monopoly on Military IT (newsweek.com)

• Ukraine, Ireland, Japan and Iceland join NATO CCDCOE-Security Affairs

• Web entity activity reveals insights into internet security - Help Net Security

• Microsoft Security highlights from RSAC 2023 - Microsoft Security Blog

• Top 5 Cyber security Predictions and Statistics for 2023 (analyticsinsight.net)

• No more macros? No problem, say attackers, we'll adapt • The Register

• Not-Too-Safe Boot: Remotely Bypassing Endpoint Security Solutions (AV/EDR/…) and Anti-Tampering Mechanisms – Zero-Day Zone (zerodayzone.com)

• Researchers show ways to abuse Microsoft Teams accounts for lateral movement | CSO Online

• Rebinding Attacks Persist With Spotty Browser Defences (darkreading.com)

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• 79% of Cyber Pros Make Decisions Without Threat Intelligence

In a recent report, 79% of security pros say they make decisions without adversary insights “at least the majority of the time.” Why aren’t companies effectively leveraging threat intelligence? And does the C-Suite know this is going on?

Threat intelligence helps organisations stay informed about the latest cyber threats and vulnerabilities. By gathering and analysing information about potential attacks, threat intelligence can provide organisations with valuable insights into the tactics, techniques and procedures (TTPs) used by cyber criminals.

Given the deep value provided by threat intelligence, why aren’t more cyber pros taking advantage of it?

https://securityintelligence.com/articles/79-percent-of-cyber-pros-make-decisions-without-threat-intelligence/

• 61% of Business Leadership Overlook the Role of Cyber Security as a Business Enabler and as being Key to Business Success

A recent report found only 39% of respondents think their company's leadership has a sound understanding of cyber security's role as a business enabler. Cyber security can be a huge business enabler; executive leaders need to think of cyber security in terms of the value it can deliver at a more strategic level.

https://www.darkreading.com/risk/global-research-from-delinea-reveals-that-61-of-it-security-decision-makers-think-leadership-overlooks-the-role-of-cybersecurity-in-business-success

• Risk Managers Warn Cyber Insurance Could Become ‘Unviable Product’

The Federation of European Risk Management Associations (FERMA), an umbrella body representing 22 trade associations, said the cyber insurance market is “evolving in isolation from the industries it serves”.

It highlighted a move by Lloyd’s of London, the specialist insurance market and hub for cyber insurance, demanding that standard cyber policies have an exemption for big state-backed attacks.

“Without a more collaborative approach to cyber balancing the risk appetite of the insurance market with the coverage requirements of the corporate buyers, there is a risk that cyber insurance becomes an unviable product for many organisations,” FERMA said in a statement shared with the Financial Times.

The intervention is the strongest yet by the business lobby over the controversial exemption and wider concerns about cyber insurance.

https://www.ft.com/content/401629cc-e68a-41a4-8d50-e7c0d3e27835

• Small and Medium-Sized Businesses: Don’t Give up on Cyber Security

In today’s increasingly hostile environment, every enterprise, big or small, should be concerned about cyber security and have access to protection from hackers, scammers, phishers, and all the rest of the host of bad actors who seem to be sprouting up around the world.

Yet time and again, small and medium-sized businesses (SMBs) are left out in the cold, an unaddressed market segment that finds real protection either too expensive or far too complex to adopt. Thus, cyber security becomes an “afterthought” or “add when we can” kind of service that leaves SMBs far more vulnerable than the corporate giants — just reading the news every day shows even they aren’t immune to ransomware, intrusions, and data theft. If you haven’t already, start thinking about security now.

https://www.csoonline.com/article/3695593/small-and-medium-sized-businesses-don-t-give-up-on-cybersecurity.html

• AI Has Been Dubbed a 'Nuclear' Threat to Cyber Security, but It Can Also Be Used for Defence

Hackers using ChatGPT are faster and more sophisticated than before, and cyber security analysts who don’t have access to similar tools can very quickly find themselves outgunned and outsmarted by these AI-assisted attackers. However, corporations are stumbling to figure out governance around AI, and while they do so, their employees are clearly defying rules and possibly jeopardising company operations. According to a study of 1.6 million workers, 3.1% input confidential company information into ChatGPT. Although the number seems small, 11% of users' questions include private information. This is a fatal flaw for corporate use considering how hackers can manipulate the system into giving them previously hidden information. In another study, it was found that 80% of security professionals used AI, with 46% of these giving specialised capabilities as a reason.

https://www.euronews.com/2023/05/04/ai-has-been-dubbed-a-nuclear-threat-to-cybersecurity-but-it-can-also-be-used-for-defence

• Paying Cyber Hijackers’ Ransoms Doubles Cost of Recovery, Sophos Study Shows

In three out of four cyber attacks, the hijackers succeeded in encrypting victims’ data, cyber security provider Sophos said in its newly released State of Ransomware 2023 report.

The rate of data encryption amounted to the highest from ransomware since Sophos first issued the report in 2020. Overall, roughly two-thirds of the 3,000 cyber security/IT leaders’ organisations were infected by a ransomware attack in the first quarter of 2023, or the same percentage as last year.

Much advice has been doled out by cyber security providers and law enforcement urging organisations to not pay a ransom. According to Sophos’ survey, the data shows that when organisations paid a ransom to decrypt their data, they ended up doubling their recovery costs. On average, those organisations paying ransoms for decryption forked out $750,000 in recovery costs versus $375,000 for organisations that used backups to recover their data.

Moreover, paying the ransom usually meant longer recovery times, with 45% of those organisations that used backups recovering within a week, compared to 39% of those that paid the ransom.

https://www.msspalert.com/cybersecurity-research/paying-cyber-hijackers-ransoms-doubles-cost-of-recovery-sophos-study-shows/

• Majority of US, UK CISOs Unable to Protect Company 'Secrets'

A recent study found 75% of organisations have experienced a data leak involving company secrets, including API keys, usernames, passwords, and encryption keys, in the past. It was found that about 52% of chief information and security officers (CISOs) in the US and UK organisations are unable to fully secure their company secrets. The study showed that a huge chunk of the IT sector realises the danger of exposed secrets. Seventy-five percent said that a secret leak has happened in their organisation in the past, with 60% acknowledging it caused serious issues for the company, employees, or both. The report has pointed out that even though secrets management practice across the US and the UK has seen some maturity, it still needs to go a long way.

https://www.csoonline.com/article/3695583/majority-of-us-uk-cisos-unable-to-protect-company-secrets-report.html

• Company Executives Can’t Afford to Ignore Cyber Security Anymore

In a recent survey, when asked about the Board and C-Suite‘s understanding of cyber security across the organisation, only 36% of respondents believe that it is considered important only in terms of compliance and regulatory demands, while 17% said it is not seen as a business priority. The disconnect between business and security goals appears to have caused at least one negative consequence to 89% of respondents’ organisations, with 26% also reporting it resulted in an increased number of successful cyber attacks at their company. On the misalignment of cyber security goals, respondents believed it contributed to delays in investments (35%), delays in strategic decision making (34%), and unnecessary increases in spending (27%).

https://www.helpnetsecurity.com/2023/05/10/cybersecurity-business-goals-alignment/

• BEC Campaign via Israel Spotted Targeting Multinational Companies

An Israel-based threat group was discovered carrying out a business email compromise (BEC) campaign primarily targeting large and multinational enterprises. The group has conducted 350 BEC campaigns since February 2021, with email attacks targeting employees from 61 countries across six continents. The group operate through two personas — a CEO and an external attorney and spoofed email addresses using real domains.

https://www.darkreading.com/remote-workforce/bec-attacks-out-of-israel-target-multinational-corporations

• CISOs Worried About Personal Liability for Breaches

Over three-fifths (62%) of global CISOs are concerned about being held personally liable for successful cyber attacks that occur on their watch, and a similar share would not join an organisation that fails to offer insurance to protect them, according to Proofpoint annual ‘Voice of the CISO’ survey for 2023. The security vendor polled 1600 CISOs from organisations of 200 employees or more across different industries in 16 countries to compile the report.

It revealed that CISOs in sectors with high volumes of sensitive data and/or heavy regulation such as retail (69%), financial services (65%) and manufacturing (65%) are most likely to demand insurance coverage.

Such concerns only add to the mental load on corporate IT security bosses. A combination of high-stress working environments, shrinking budgets and personal liability could be harming CISOs’ quality of life. Some 60% told Proofpoint they’ve experienced burnout in the past 12 months.

CISOs are most likely to experience burnout in the retail (72%) and IT, technology and telecoms (66%) industries.

https://www.infosecurity-magazine.com/news/cisos-worried-personal-liability/

• UK, US and International Allies Uncover Russian Snake Malware Network in 50+ Countries

The UK NCSC along with the US National Security Agency (NSA) and various international partner agencies have discovered infrastructure connected with the sophisticated Russian cyber-espionage tool Snake in over 50 countries worldwide. Snake operations have been attributed to a specific unit within Russia’s Federal Security Service (FSB), Center 16.

Cyber criminals reportedly used Snake to retrieve and remove confidential documents related to international relations and diplomatic communications.

According to an advisory published by the agencies on Tuesday, the FSB targeted various industries, including education, small businesses, media, local government, finance, manufacturing and telecommunications. The Snake malware is installed on external infrastructure nodes for further exploitation.

According to the NSA Russian government actors have used this tool for years for intelligence collection and it is hoped that the technical details shared in the advisory will help many organisations find and shut down the malware globally.

https://www.infosecurity-magazine.com/news/nsa-uncovers-russian-snake-malware/

• Plug-and-Play Microsoft 365 Phishing Tool 'Democratizes' Attack Campaigns

A new phishing-as-a-service tool called "Greatness" is being used in attacks targeting manufacturing, healthcare, technology, and other sectors.

Researchers at Cisco Talos detailed their findings on "Greatness," a one-stop-shop for all of a cyber criminal's phishing needs. With Greatness, anyone with even rudimentary technical chops can craft compelling Microsoft 365-based phishing lures, then carry out man-in-the-middle attacks that steal authentication credentials — even in the face of multifactor authentication (MFA) — and much more.

The tool has been in circulation since at least mid-2022 and has been used in attacks against enterprises in manufacturing, healthcare, and technology, among other sectors. Half of the targets thus far have been concentrated in the US, with further attacks occurring around Western Europe, Australia, Brazil, Canada, and South Africa.

https://www.darkreading.com/cloud/plug-and-play-microsoft-365-phishing-tool-democratizes-attacks

Threats

Ransomware, Extortion and Destructive Attacks

• Make them pay: Hackers devise new tactics to ensure ransomware payment | CSO Online

• Ransomware gangs display ruthless extortion tactics in April | TechTarget

• Our appetite for data increases the risk of being held to ransom (thetimes.co.uk)

• Paying Cyber Hijackers’ Ransoms Doubles Cost of Recovery, Sophos Study Shows - MSSP Alert

• Ransomware review: May 2023 (malwarebytes.com)

• Ransomware Attacks Adapt With New Techniques: Kaspersky Report - Infosecurity Magazine (infosecurity-magazine.com)

• The new ransomware strain is picking off big businesses one by one - and yours could be next | TechRadar

• Refined methodologies of ransomware attacks - Help Net Security

• Ranking ransomware: The gangs, the malware and the ever-present risks | CyberScoop

• Ransomware Encryption Rates Reach New Heights - Infosecurity Magazine (infosecurity-magazine.com)

• UK ‘increasingly concerned’ ransomware victims are keeping incidents secret (therecord.media)

• Royal ransomware gang quickly expands reign | SC Media (scmagazine.com)

• Legitimate Software Abuse: A Disturbing Trend in Ransomware Attacks (darkreading.com)

• Ransomware attack confirmed at Rochester Public Schools, FBI alerted - Bring Me The News

• Constellation Struck By Ransomware Attack, ALPHV Lays Claim (informationsecuritybuzz.com)

• New Ransomware Strain 'CACTUS' Exploits VPN Flaws to Infiltrate Networks (thehackernews.com)

• New Akira Ransomware Operation Hits Corporate Networks | Black Hat Ethical Hacking

• Babuk code used by 9 ransomware gangs to encrypt VMWare ESXi servers (bleepingcomputer.com)

• $1.1M Paid to Resolve Ransomware Attack on California County - SecurityWeek

• Western Digital store offline due to March breach - Help Net Security

• Western Digital Confirms Ransomware Group Stole Customer Information - SecurityWeek

• Former Conti members are behind latest Royal ransomware hacking spree, report finds (axios.com)

• Hackers Contacted Dragos CEO’s Son, Wife in Extortion Attempt - Bloomberg

• Multiple Ransomware Groups Adapt Babuk Code to Target ESXi VMs (darkreading.com)

• Australian software giant won’t say if customers affected by hack | TechCrunch

• Multinational tech firm ABB hit by Black Basta ransomware attack (bleepingcomputer.com)

• Smashing Pumpkins frontman paid ransom to a hacker who threatened to leak the band's songs -Security Affairs

Phishing & Email Based Attacks

• Q1 Cofense Phishing Intelligence Report - Cofense

• "Greatness" Phishing Tool Exploits Microsoft 365 Credentials - Infosecurity Magazine (infosecurity-magazine.com)

• This dangerous phishing attack is targeting Microsoft users everywhere, so be on your guard | TechRadar

• Gmail gets blue verification checks to protect against spoofing and phishing | ZDNET

• Phishing Ring Bust, Spanish Police Have Arrested 40 People (informationsecuritybuzz.com)

BEC – Business Email Compromise

• Exploring the Rise of Israel-Based BEC Attacks | Abnormal (abnormalsecurity.com)

2FA/MFA

• Microsoft enforces number matching to fight MFA fatigue attacks (bleepingcomputer.com)

Malware

• Chrome users, stay alert: Malware may be just one click away - gHacks Tech News

• Microsoft issues optional fix for Secure Boot zero-day used by malware (bleepingcomputer.com)

• 56,000+ cloud-based apps at risk of malware exfiltration - Help Net Security

• Millions of mobile phones come pre-infected with malware • The Register

• Severe Ruckus RCE Flaws Utilized By Fresh DDoS Botnet Malware (informationsecuritybuzz.com)

• Fake system update drops Aurora stealer via Invalid Printer loader (malwarebytes.com)

• Stealthier version of Linux BPFDoor malware spotted in the wild (bleepingcomputer.com)

Mobile

• Millions of mobile phones come pre-infected with malware • The Register

• Mobile hacking and spyware – understanding the risks - TechHQ

• Google Announces New Privacy, Safety, and Security Features Across Its Services (thehackernews.com)

• Google Improves Android Security With New APIs - SecurityWeek

• New Android FluHorse malware steals your passwords, 2FA codes (bleepingcomputer.com)

• Fleckpe Android Malware Sneaks onto Google Play Store with Over 620,000 Downloads (thehackernews.com)

• New Android updates fix kernel bug exploited in spyware attacks (bleepingcomputer.com)

Botnets

• Bad Bots Now Account For 30% of All Internet Traffic - Infosecurity Magazine (infosecurity-magazine.com)

• Fortinet warns of a spike of the activity linked to AndoryuBot botnet- Security Affairs

• RapperBot DDoS malware adds cryptojacking as new revenue stream (bleepingcomputer.com)

Denial of Service/DoS/DDOS

• FBI seizes 13 more domains linked to DDoS-for-hire services (bleepingcomputer.com)

• Severe Ruckus RCE Flaws Utilized By Fresh DDoS Botnet Malware (informationsecuritybuzz.com)

• Fortinet warns of a spike of the activity linked to AndoryuBot botnet- Security Affairs

• RapperBot DDoS malware adds cryptojacking as new revenue stream (bleepingcomputer.com)

Internet of Things – IoT

• CISA warns of Mirai botnet exploiting TP-Link routers • The Register

Data Breaches/Leaks

• Security researcher finds trove of Capita data exposed online | TechCrunch

• In a new hacking crime wave, more personal data is being held hostage (cnbc.com)

• Why the 'Why' of a Data Breach Matters (darkreading.com)

• OpenAI confirms ChatGPT data breach (cshub.com)

• Western Digital says hackers stole customer data in March cyber attack (bleepingcomputer.com)

• Leak of MSI UEFI signing keys stokes fears of “doomsday” supply chain attack | Ars Technica

• Boot Guard Keys From MSI Hack Posted, Many PCs Vulnerable | Tom's Hardware(tomshardware.com)

• 1 Million Impacted by Data Breach at NextGen Healthcare - SecurityWeek

• Twitter admits 'security incident' broke Circle privacy • The Register

• Food distribution giant Sysco warns of data breach after cyber attack (bleepingcomputer.com)

• North Korean Hackers Stole 830K Data From Seoul's Top Hospital (informationsecuritybuzz.com)

• Brightly warns of SchoolDude data breach exposing credentials (bleepingcomputer.com)

• Simplify data hack cost the firm almost £7m - Property Industry Eye

Organised Crime & Criminal Actors

• In a new hacking crime wave, more personal data is being held hostage (cnbc.com)

• How hackers are recruiting on the dark web (thetimes.co.uk)

• 5 Types of Cyber Crime Groups (trendmicro.com)

• The Team of Sleuths Quietly Hunting Cyber attack-for-Hire Services | WIRED

• Briton pleads guilty in US to 2020 Twitter hack - BBC News

• Phishing Ring Bust, Spanish Police Have Arrested 40 People (informationsecuritybuzz.com)

• Former Ubiquiti Employee Who Posed as Hacker Sentenced to Prison - SecurityWeek

• UK cops score another legal win in EncroChat spying case • The Register

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Cyber Patrols Lead to Seizure of Stolen Artefacts - Infosecurity Magazine (infosecurity-magazine.com)

• Cyber Criminals Exploit Hardware Wallet to Steal Almost $30,000 - Infosecurity Magazine (infosecurity-magazine.com)

• RapperBot DDoS malware adds cryptojacking as new revenue stream (bleepingcomputer.com)

Insider Risk and Insider Threats

• Human Error Drives Most Cyber Incidents. Could AI Help? (hbr.org)

• Overlooking These 4 Critical Measures Expose Your Company to Cyber Attacks | Entrepreneur

Fraud, Scams & Financial Crime

• Banks warn of big increase in online scams - BBC News

• Fraud victims risk more than money - Help Net Security

• Five Things Scammers Are Hoping You Google (lifehacker.com)

• UK’s new fraud strategy too weak to tackle soaring crime, say experts | Financial Times (ft.com)

• The true numbers behind deepfake fraud - Help Net Security

• Your voice could be your biggest vulnerability - Help Net Security

• QR codes used in fake parking tickets, surveys to steal your money (bleepingcomputer.com)

Deepfakes

• The true numbers behind deepfake fraud - Help Net Security

• Your voice could be your biggest vulnerability - Help Net Security

Insurance

• Risk managers warn cyber insurance could become ‘unviable product’ | Financial Times (ft.com)

• Court Rules in Favour of Merck in $1.4 Billion Insurance Claim Over NotPetya Cyber attack - SecurityWeek

Dark Web

• How hackers are recruiting on the dark web (thetimes.co.uk)

• Google Broadens Dark Web Monitoring To Track All Gmail Users (informationsecuritybuzz.com)

Supply Chain and Third Parties

• Security researcher finds trove of Capita data exposed online | TechCrunch

• Cyber hack to cost UK outsourcer Capita up to $25 mln | Reuters

• Leak of MSI UEFI signing keys stokes fears of “doomsday” supply chain attack | Ars Technica

Software Supply Chain

• The SBOM Bombshell - SecurityWeek

• 5 SBOM tools to start securing the software supply chain | TechTarget

Cloud/SaaS

• 56,000+ cloud-based apps at risk of malware exfiltration - Help Net Security

• How to reduce risk with cloud attack surface management | TechTarget

• ENISA leans into EU clouds with draft cyber security label • The Register

Hybrid/Remote Working

• 8 habits of highly-secure remote workers | ZDNET

Attack Surface Management

• How Attack Surface Management Supports Continuous Threat Exposure Management (thehackernews.com)

Identity and Access Management

• Top 3 trends shaping the future of cyber security and IAM - Help Net Security

• Review your on-prem ADCS infrastructure before attackers do it for you | CSO Online

• Why the FTX Collapse Was an Identity Problem (darkreading.com)

Asset Management

• CISOs confront mounting obstacles in tracking cyber assets - Help Net Security

• How Attack Surface Management Supports Continuous Threat Exposure Management (thehackernews.com)

Encryption

• Tor Project, LGBTQ groups and CDT sound alarm over efforts to weaken encryption | SC Media (scmagazine.com)

• Europe’s Moral Crusader Lays Down the Law on Encryption | WIRED

API

• Google Improves Android Security With New APIs - SecurityWeek

Open Source

• India bans open source messaging apps on security grounds • The Register

• Stealthier version of Linux BPFDoor malware spotted in the wild (bleepingcomputer.com)

Passwords, Credential Stuffing & Brute Force Attacks

• 83% of Americans’ Passwords Can Be Hacked in Less Than a Second, Study Shows (thedailybeast.com)

• Top 5 Password Cracking Techniques Used by Hackers (bleepingcomputer.com)

Social Media

• Twitter admits 'security incident' broke Circle privacy • The Register

• TikTok tracked UK journalist via her cat's account - BBC News

Parental Controls and Child Safety

• Scanning Plans On Europe's CSAM May Violate International Law (informationsecuritybuzz.com)

• EU's Client-Side Scanning Plans Could be Unlawful - Infosecurity Magazine (infosecurity-magazine.com)

Regulations, Fines and Legislation

• UK’s new fraud strategy too weak to tackle soaring crime, say experts | Financial Times (ft.com)

• Tor Project, LGBTQ groups and CDT sound alarm over efforts to weaken encryption | SC Media (scmagazine.com)

• AI needs superintelligent regulation | Financial Times

• EU parliament report calls for tighter regulation of spyware | Surveillance | The Guardian

• India bans open source messaging apps on security grounds • The Register

• PEGA committee calls for EU level regulation of spyware • The Register

• EU's Client-Side Scanning Plans Could be Unlawful - Infosecurity Magazine (infosecurity-magazine.com)

• ENISA leans into EU clouds with draft cyber security label • The Register

• Europe’s Moral Crusader Lays Down the Law on Encryption | WIRED

• Scanning Plans On Europe's CSAM May Violate International Law (informationsecuritybuzz.com)

Governance, Risk and Compliance

• Risk managers warn cyber insurance could become ‘unviable product’ | Financial Times (ft.com)

• 79% of Cyber Pros Make Decisions Without Threat Intelligence (securityintelligence.com)

• Company executives can't afford to ignore cyber security anymore - Help Net Security

• Majority of US, UK CISOs unable to protect company 'secrets': Report | CSO Online

• Small- and medium-sized businesses: don’t give up on cyber security | CSO Online

• CISOs Worried About Personal Liability For Breaches - Infosecurity Magazine (infosecurity-magazine.com)

• Global Research From Delinea Reveals That 61% of IT Security Decision Makers Think Leadership Overlooks the Role of Cyber security in Business Success (darkreading.com)

• 5 Types of Cyber Crime Groups (trendmicro.com)

• (ISC)² Calls for Global Cyber security Standards, Collaboration, Frameworks - MSSP Alert

• Organisations Reliant on Social Media For Threat Intelligence - TechRound

• Recognizing Cyberthreat Trends For Effective Defence (forbes.com)

• Digital trust can make or break an organisation - Help Net Security

• ISACA: Companies Still Face Many Barriers to Achieving Digital Trust - Infosecurity Magazine (infosecurity-magazine.com)

• Why more transparency around cyber attacks is good for everyone - NCSC

• CISOs face mounting pressures, expectations post-pandemic | TechTarget

• CISOs' confidence in post-pandemic security landscape fades - Help Net Security

• This New Era of Security Requires Secure Networking, Vendor Consolidation, and Focus on OT - SecurityWeek

• Overlooking These 4 Critical Measures Expose Your Company to Cyber Attacks | Entrepreneur

• Key Trends and Insights from RSAC 2023 (trendmicro.com)

• NCSC and ICO Dispel Incident Reporting Myths - Infosecurity Magazine (infosecurity-magazine.com)

Models, Frameworks and Standards

• (ISC)² Calls for Global Cyber security Standards, Collaboration, Frameworks - MSSP Alert

• ENISA leans into EU clouds with draft cyber security label • The Register

Data Protection

• The (Security) Cost of Too Much Data Privacy (darkreading.com)

Careers, Working in Cyber and Information Security

• CISOs Worried About Personal Liability For Breaches - Infosecurity Magazine (infosecurity-magazine.com)

• 7 ways to mitigate CISO liability and risk | TechTarget

• Google Launches New Cyber security Analyst Training Program - SecurityWeek

Law Enforcement Action and Take Downs

• Cyber Patrols Lead to Seizure of Stolen Artefacts - Infosecurity Magazine (infosecurity-magazine.com)

• FBI seizes 13 more domains linked to DDoS-for-hire services (bleepingcomputer.com)

• Briton pleads guilty to hacking stars' Twitter accounts to steal Bitcoin | Science & Tech News | Sky News

• Phishing Ring Bust, Spanish Police Have Arrested 40 People (informationsecuritybuzz.com)

• UK cops score another legal win in EncroChat spying case • The Register

Privacy, Surveillance and Mass Monitoring

• The (Security) Cost of Too Much Data Privacy (darkreading.com)

• Twitter admits 'security incident' broke Circle privacy • The Register

• TikTok tracked UK journalist via her cat's account - BBC News

Artificial Intelligence

• AI has been dubbed a 'nuclear' threat to cyber security. But it can be also used for defence | Euronews

• Top US cyber official warns AI may be the 'most powerful weapon of our time' | CyberScoop

• ‘A race it might be impossible to stop’: how worried should we be about AI? | Artificial intelligence (AI) | The Guardian

• OpenAI confirms ChatGPT data breach (cshub.com)

• AI needs superintelligent regulation | Financial Times

• Amazon Is Being Flooded With Books Entirely Written by AI (futurism.com)

• Your voice could be your biggest vulnerability - Help Net Security

• The security and privacy risks of large language models - Help Net Security

• Rethinking democracy for the age of AI | CyberScoop

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

• Killnet, a Pro-Russian Hacktivist Crew, Pivots to Cyber Mercenaries for Hire, Report Says - MSSP Alert

• NCSC and allies expose Snake malware threat - NCSC.GOV.UK

• It’s being called Russia's most sophisticated cyber espionage tool. What is Snake, and why is it so dangerous? (theconversation.com)

• EU parliament report calls for tighter regulation of spyware | Surveillance | The Guardian

• China targets foreign consulting companies in anti-spying raids | China | The Guardian

• Mobile hacking and spyware – understanding the risks - TechHQ

• New Android updates fix kernel bug exploited in spyware attacks (bleepingcomputer.com)

• CERT-UA Warns of SmokeLoader and RoarBAT Malware Attacks Against Ukraine (thehackernews.com)

• Five Takeaways From the Russian Cyber Attack on Viasat’s Satellites - Infosecurity Magazine (infosecurity-magazine.com)

• GCHQ building under fire from senior Tory for using Chinese surveillance cameras - Gloucestershire Live

• PEGA committee calls for EU level regulation of spyware • The Register

• FBI-led Operation Medusa kills Russian FSB malware network • The Register

• How one of Vladimir Putin’s most prized hacking units got pwned by the FBI | Ars Technica

Nation State Actors

• Killnet, a Pro-Russian Hacktivist Crew, Pivots to Cyber Mercenaries for Hire, Report Says - MSSP Alert

• NSA and Allies Uncover Russian Snake Malware Network in 50+ Countries - Infosecurity Magazine (infosecurity-magazine.com)

• Deterring China isn't all about submarines. Australia's 'cyber offence' might be its most potent weapon (theconversation.com)

• Microsoft warns Iran increasing its cyber-enabled influence operations | SC Media (scmagazine.com)

• China labels USA ‘Empire of hacking’ citing old WikiLeaks • The Register

• CERT-UA Warns of SmokeLoader and RoarBAT Malware Attacks Against Ukraine (thehackernews.com)

• LinkedIn shuts service in China, lays off employees | Fortune

• Microsoft: Iranian hacking groups join Papercut attack spree (bleepingcomputer.com)

• FBI-led Operation Medusa kills Russian FSB malware network • The Register

• China targets foreign consulting companies in anti-spying raids | China | The Guardian

• Beijing raids consultancy firm Capvision, promises more • The Register

• Five Takeaways From the Russian Cyber Attack on Viasat’s Satellites - Infosecurity Magazine (infosecurity-magazine.com)

• GCHQ building under fire from senior Tory for using Chinese surveillance cameras - Gloucestershire Live

• Dragon Breath APT Group Using Double-Clean-App Technique to Target Gambling Industry (thehackernews.com)

• SideWinder Strikes Victims in Pakistan, Turkey in Multiphase Polymorphic Attack (darkreading.com)

• ESET APT Activity Report Q4 2022­–Q1 2023 | WeLiveSecurity

• North Korean Hackers Stole 830K Data From Seoul's Top Hospital (informationsecuritybuzz.com)

• People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices | CISA

Vulnerability Management

• The Problem of Old Vulnerabilities — and What to Do About It (darkreading.com)

Vulnerabilities

• Microsoft's May Patch Tuesday Fixes 38 Flaws, Including Active Zero-Day Bug (thehackernews.com)

• Easily bypassed patch makes zero-click Outlook flaw exploitable again (CVE-2023-29324) - Help Net Security

• Microsoft warns of two bugs under active exploit • The Register

• Light May Patch Tuesday will weigh heavily on Windows admins | TechTarget

• New Vulnerability in Popular WordPress Plugin Exposes Over 2 Million Sites to Cyber attacks (thehackernews.com)

• Fortinet fixed two severe issues in FortiADC and FortiOS-Security Affairs

• Azure API Management flaws highlight server-side request forgery risks in API development | CSO Online

• New PaperCut RCE exploit created that bypasses existing detections (bleepingcomputer.com)

• Microsoft issues optional fix for Secure Boot zero-day used by malware (bleepingcomputer.com)

• Adobe Patches 14 Vulnerabilities in Substance 3D Painter - SecurityWeek

• Severe Ruckus RCE Flaws Utilized By Fresh DDoS Botnet Malware (informationsecuritybuzz.com)

• CyberGhost VPN patches command injection vulnerability | SC Media (scmagazine.com)

• A Linux NetFilter kernel flaw allows escalating privileges to 'root'-Security Affairs

• SAP Patches Critical Vulnerabilities With May 2023 Security Updates - SecurityWeek

• Fortinet warns of a spike of the activity linked to AndoryuBot botnet-Security Affairs

Tools and Controls

• Risk managers warn cyber insurance could become ‘unviable product’ | Financial Times (ft.com)

• 79% of Cyber Pros Make Decisions Without Threat Intelligence (securityintelligence.com)

• Human Error Drives Most Cyber Incidents. Could AI Help? (hbr.org)

• AI has been dubbed a 'nuclear' threat to cyber security. But it can be also used for defence | Euronews

• Identifying Compromised Data Can Be a Logistical Nightmare (darkreading.com)

• Organisations Reliant on Social Media For Threat Intelligence - TechRound

• Recognizing Cyberthreat Trends For Effective Defence (forbes.com)

• Digital trust can make or break an organisation - Help Net Security

• ISACA: Companies Still Face Many Barriers to Achieving Digital Trust - Infosecurity Magazine (infosecurity-magazine.com)

• Prevent attackers from using legitimate tools against you - Help Net Security

• Lack of Visibility: The Challenge of Protecting Websites from Third-Party Scripts (thehackernews.com)

• How to implement principle of least privilege in Azure AD | TechTarget

• How to start handling Azure network security | TechTarget

• What is Digital Forensics? Tools, Types, Phases & History (cybersecuritynews.com)

• Microsoft enforces number matching to fight MFA fatigue attacks (bleepingcomputer.com)

• AI Will Take Many Cyber security Jobs, But It's Not a Complete Disaster | PCMag

• Google Broadens Dark Web Monitoring To Track All Gmail Users (informationsecuritybuzz.com)

• 5 SBOM tools to start securing the software supply chain | TechTarget

• The Industrywide Consequences of Making Security Products Inaccessible (darkreading.com)

• Top 3 trends shaping the future of cyber security and IAM - Help Net Security

Reports Published in the Last Week

• ESET APT Activity Report Q4 2022­–Q1 2023 | WeLiveSecurity

• Q1 Cofense Phishing Intelligence Report - Cofense

• 2023 AT&T Cyber security Insights Report: Edge Ecosystem (darkreading.com)

• 2023 Voice of the CISO | Proofpoint UK

Other News

• The Team of Sleuths Quietly Hunting Cyber attack-for-Hire Services | WIRED

• Why Should You Take IT Security Seriously? - IT Security Guru

• To enable ethical hackers, a law reform is needed - Help Net Security

• How datacentre operators can fend off cyber attacks | Computer Weekly

• US Advances Cyber Defences Since Colonial Pipeline Attack But More Work Remains, CISA Director Says - MSSP Alert

• Evil digital twins and other risks: the use of twins opens up a host of new security concerns | CSO Online

• 'Windows for Gamers' Rolls Dice With Your Security (vice.com)

• Risk of cyber attack is main Eurovision worry, says BBC executive | Eurovision 2023 | The Guardian

• Evil digital twins and other risks: the use of twins opens up a host of new security concerns | CSO Online

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Executive summary

Microsoft’s May patch Tuesday addressed 38 security issues, including one actively exploited zero-day vulnerability used to escalate privileges. Adobe released updates to fix security issues across their products, including one actively exploited vulnerability impacting Acrobat and Reader. SAP have also issued fixes for a number of vulnerabilities within their product range.

Microsoft

Microsoft’s May Patch Tuesday provides updates to address 38 security issues across its product range, including three zero-day vulnerabilities (CVE-2023-29336, CVE-2923-24932 and CVE-2023-29325). One of the exploited zero-day vulnerabilities (CVE-2023-29336) is a privilege escalation vulnerability which has been added the US Cybersecurity and Infrastructure Security Agency’s (CISA) “Known Exploited Vulnerabilities Catalog”. 6 critical vulnerabilities were also patched through updates provided by Microsoft.

Adobe

This month, Adobe released fixes for 43 vulnerabilities, of which 22 were rated critical. The 43 vulnerabilities impact Adobe Experience Manager(1), InDesign(3), Illustrator(5), InCopy(1), Genuine Service(1), Acrobat(14), Magneto(7), Creative Cloud Desktop Application(1), Media Encoder(1), After Effects(security bulletin not available), Medium(1), Animate(7). One vulnerability (CVE-2021-28550) has been recorded as actively exploited.

SAP

Enterprise software vendor SAP has addressed vulnerabilities in several of its products, including two critical-severity vulnerabilities that impact SAP 3D visual Enterprise License Manager and SAP BusinessObjects Business Intelligence Platform. The updates included fixes for 18 vulnerabilities. Including remote execution and authentication bypass. A total of 2 vulnerabilities were given the “Hot News” priority, which is the highest priority according to SAP.

What’s the risk to me or my business?

The actively exploited vulnerabilities could allow an attacker to gain SYSTEM privileges, remotely execute code and install bootkits. All of which could be used to compromise the confidentiality, integrity and availability of information stored by an organisation.

What can I do?

Regarding Microsoft’s patch Tuesday, security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the zero day vulnerabilities and all other vulnerabilities that have a critical severity rating. For CVE-2023-2942, the patch is not enabled by default and as such must be applied. For CVE-2023-29325, Microsoft have recommended that if a patch is not applied, the vulnerability can be mitigated by users viewing emails in plain text format.

The exploited zero-day vulnerability impacting Adobe should be patched immediately. Updates should also be applied immediately for critical vulnerabilities impacting both Adobe and SAP products.

Technical Summary

CVE-2023-29336: The actively exploited vulnerability could allow an attacker to gain SYSTEM privileges, effectively providing them with unlimited permission.

CVE-2023-29432: This zero day vulnerability allows an attacker with physical access or administrative rights to install the Blacklotus UEFI bootkit. The UEFI is usually the first thing to run and the bootkit therefore is invisible to security software running on the impacted device.

CVE-2023-29325: this zero day vulnerability allows an attacker to perform remote code execution in Outlook, through specially crafted emails. These emails only need to be previewed for the exploit to work.

CVE-2021-28550: This is a remote code execution vulnerability impacting Adobe Acrobat and Reader which would allow the attacker to perform commands with the same permissions as the victim would.    

Further details on other specific updates within Microsoft’s patch Tuesday can be found here: https://www.ghacks.net/2023/05/09/microsoft-patches-several-critical-security-issues-on-the-may-2023-windows-patch-day/

Further details about CVE-2023-29336 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-29336   

Further details about CVE-2023-24932 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-24932    

Further details about 2023-29325 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-29325    

Further details of the vulnerabilities addressed in Adobe Experience Manager can be found here: https://helpx.adobe.com/security/products/experience-manager/apsb21-15.html

Further details of the vulnerabilities addressed in Adobe InDesign can be found here: https://helpx.adobe.com/security/products/indesign/apsb21-22.html

Further details of the vulnerabilities addressed in Adobe Illustrator can be found here: https://helpx.adobe.com/security/products/illustrator/apsb21-24.html

Further details of the vulnerabilities addressed in Adobe InCopy can be found here: https://helpx.adobe.com/security/products/incopy/apsb21-25.html

Further details of the vulnerabilities addressed in Adobe Acrobat and Reader can be found here: https://helpx.adobe.com/security/products/acrobat/apsb21-29.html

Further details of the vulnerabilities addressed in Adobe Magento can be found here: https://helpx.adobe.com/security/products/magento/apsb21-30.html

Further details of the vulnerabilities addressed in Adobe Creative Cloud Desktop Application can be found here: https://helpx.adobe.com/security/products/creative-cloud/apsb21-31.html

Further details of the vulnerabilities addressed in Adobe Media Encoder can be found here: https://helpx.adobe.com/security/products/media-encoder/apsb21-32.html

Further details of the vulnerabilities addressed in Adobe Medium can be found here: https://helpx.adobe.com/security/products/medium/apsb21-34.html

Further details of the vulnerabilities addressed in Adobe Animate can be found here: https://helpx.adobe.com/security/products/animate/apsb21-35.html

Further details of the vulnerabilities addressed by SAP can be found here: https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

• Boards Need Better Conversations About Cyber Security

In a survey by Harvard Business Review, 65% of directors believed their organisations were at risk of a cyber attack within the next 12 months, and almost half believed they were unprepared to cope with such an attack. Boards that struggle with their role in providing oversight for cyber security create a security problem for their organisations. By not focusing on resilience, boards fail their companies and their stakeholders.

Regarding board interactions with CISOs, just 69% of responding board members see eye-to-eye with their chief information security officers (CISOs). Fewer than half (47%) of members serve on boards that interact with their CISOs regularly, and almost a third of them only see their CISOs at board presentations. This is worrying, as this leaves little time for leaders to have a meaningful dialogue about cyber security.

As a result, boards need to discuss their organisations’ cyber security-induced risks and evaluate plans to manage those risks frequently; the CISO should be involved in this. With the right conversations about keeping the organisation resilient, they can take the next step to provide adequate cyber security oversight. To bring more cyber security into the board room, board members may need to gain expertise, whether through frequent training or development programmes.

https://hbr.org/2023/05/boards-are-having-the-wrong-conversations-about-cybersecurity

• Uber’s Ex-Security Chief Sentenced for Security Breach

Earlier this week, Uber’s former head of cyber security, Joseph Sullivan, faced several years of prison time for covering up a massive security breach at the ride-hailing company seven years ago. When it actually came to sentencing he managed to avoid jail but received three years of probation and 200 hours of community service, despite pleas from the prosecution to throw him in jail.

The case highlights the seriousness of covering up a security breach, as at one point the ex-security chief was looking at 24-30 months of jail time. With increasing regulations and focus on cyber security, it is unlikely that this is a one-off incident.

https://gizmodo.com/uber-security-joe-sullivan-sentenced-prison-data-breach-1850403347

• Global Cyber Attacks Rise by 7% in Q1 2023

Weekly cyber attacks have increased worldwide by 7% in Q1 2023 compared to the same period last year, with each firm facing an average of 1,248 attacks per week according to Check Point’s latest research. The report highlights a number of sophisticated campaigns including using ChatGPT for code generation to help less-skilled threat actors effortlessly launch cyber attacks.

The Check Point report also shows that 1 in 31 organisations worldwide experienced a ransomware attack weekly over the first quarter of 2023. To defend against such threats, the security researchers recommended a series of cyber safety tips, such as keeping computers and servers up-to-date, conducting regular cyber awareness training and utilising better threat prevention tools, among others.

https://www.infosecurity-magazine.com/news/global-cyber-attacks-rise-7-q1-2023/

• Three-Quarters of Firms Predict a Breach in the Coming Year

Most global organisations anticipate suffering a data breach or cyber attack in the next 12 months. Trend Micro’s six-monthly Cyber Risk Index (CRI) was compiled from interviews with 3,729 global organisations.

While results of the index score move in a positive direction showing organisations are taking steps to improve cyber preparedness, most responding organisations are pessimistic about the year ahead.

Respondents pointed to both negligent insiders and mobile users, and a lack of trained staff, as a key cause of concern going forward. Alongside cloud infrastructure and virtual computing environments, these comprised the top five infrastructure risks.

https://www.infosecurity-magazine.com/news/threequarters-firms-predict-breach/

• The Costly Threat That Many Businesses Fail to Address

Insider attacks such as fraud, sabotage, and data theft plague 71% of businesses, according to a recent report. The report found companies that allow excessive data access are much more likely to suffer insider attacks. However, only 57% of companies limit data appropriately while 31% allow employees access to more data than necessary and 12% allow employees access to all company data.

Alarmingly, of the companies that have experienced insider attacks, one in three (34%) report that the attack involved an employee with privileged access. Data theft was the most common type of insider attack, reported by 38% of businesses.

Insider attacks can damage businesses’ reputations, finances, and competitiveness, and therefore companies should take a proactive approach in preventing these incidents.

https://www.helpnetsecurity.com/2023/05/02/insider-attacks-damage/

• European Data at Risk with Tick-box GDPR Compliance and High Cyber Attack Volumes

Recent research revealed that European IT and security leaders may be dangerously over-confident in their ability to avoid cyber attacks and mitigate the risk of serious data compromise. The findings reveal that most organisations have suffered a serious cyber attack in the last two years, with over half of respondents saying their company suffered an attack 1 to 3 times in this time period. Worryingly, 20% of respondents claim to have been attacked 4 to 6 times. Only 18% managed to avoid an attack altogether.

Worryingly, three-quarters (76%) of those interviewed admit they’re taking a tick-box approach to GDPR compliance, which involves doing the bare minimum on data privacy and security. Although most (97%) have a contingency plan in place should they get breached, a quarter (26%) have not tested it.

Around two-thirds of respondents say their organisation considers customer (66%) and financial data (63%) to be “risky.” But the figure drops to 60% for employee data, and even further for intellectual property (45%) and health data (28%). Alarmingly, health-related data is classified as a special category data by GDPR, meaning it requires more protection.

https://www.itsecurityguru.org/2023/05/03/european-data-at-risk-with-tick-box-gdpr-compliance-and-high-cyberattack-volumes

• Understanding Cyber Threat Intelligence for Business Security

Cyber threat intelligence is not a solution itself, but a crucial component of any mature security programme, enabling organisations to gain insights into the motives, targets and behaviours of threat actors. As such, it is crucial for businesses looking to protect themselves from the ever-evolving cyber threat landscape.

Some of the benefits of effective cyber threat intelligence to a business include early threat detection, improved response, regulation compliance, competitive advantage and cost savings. It is important to highlight that an organisation does not need to come up with their own cyber threat intelligence initiative, it can instead be purchased as a service.

https://www.forbes.com/sites/forbestechcouncil/2023/05/04/understanding-cyber-threat-intelligence-for-business-security

• Hackers Are Finding Ways to Evade Latest Cyber Security Tools

As hacking has gotten more destructive and pervasive, new defensive tools continue to be developed. One such tool is called endpoint detection and response (EDR) software, it’s designed to spot early signs of malicious activity on laptops, servers and other devices known as “endpoints” on a computer network — and block them before intruders can steal data or lock the machines.

Experts however, claim hackers have developed workarounds for some forms of the technology, allowing them to slip past products that have become the gold standard for protecting critical systems. Security software is not enough on its own, it is just one of the layers of defence that organisations should employ as part of their cyber resilience; there is no silver bullet.

https://finance.yahoo.com/news/hackers-finding-ways-evade-latest-131600565.html

• Study Shows a 27% Spike in Publicly Known Ransomware Victims

A report released this week highlights a 27% increase in publicly known ransomware victims in the first quarter of the year. Some of the report’s key findings include the fact that manufacturing, technology, education, banking, finance, and healthcare organisations are the largest to be exposed to ransomware.

The report identified an increase in the use of “double extortion” as an attack model. This method is where ransomware groups not only encrypt files but also exfiltrate data. The top five most active ransomware threat actors are LockBit, Clop, AlphV, Royal and BianLian.

https://www.msspalert.com/cybersecurity-news/guidepoint-study-shows-a-27-spike-in-public-ransomware-victims/

• Data Loss Costs Are Going Up – and Not Just for Those Who Choose to Pay Thieves

A recent report found while the number of ransomware incidents that firms responded to dipped in early 2022, it came roaring back toward the end of the year and into early 2023. With this came higher ransom demands and, eventually, payments. The largest ransom demand last year was more than $90 million, with the largest payment exceeding $8 million. Both were larger than in 2021 (more than $60 million and $5.5 million respectively).

Ransomware groups are upping their attacks all the time and you don’t want to be an easy target.

https://www.theregister.com/2023/05/02/data_breach_costs_rise/

• Give NotPetya-hit Merck that $1.4B, Appeals Court Tells Insurers

In a significant ruling this week a court in the US found that pharmaceutical company Merck's insurers can't use an "act of war" clause to deny the pharmaceutical giant an enormous payout to clean up its NotPetya infection from 2017. The ruling will also undoubtedly affect the language used in underwriting policies, especially when it comes to risks such as ransomware and cyber warfare.

https://www.theregister.com/2023/05/03/merck_14bn_insurance_payout_upheld/

• 4 Ways Leaders Should Re-evaluate Their Cyber Security's Focus

The technology industry has long been building walls around structured data and communications—with little consideration of how employees use that information. Outlined below are four 4 ways leaders can better protect raw data.

• Recognise that priorities have evolved.

• Understand that security burdens have changed.

• Understand why, despite best efforts, criminals are still successful.

• Evaluate the ways in which you are protecting your most vulnerable data.

https://www.forbes.com/sites/forbesbusinessdevelopmentcouncil/2023/05/02/4-ways-leaders-should-reevaluate-their-cybersecuritys-focus/

Threats

Ransomware, Extortion and Destructive Attacks

• Data loss costs go up, and not just from ransom shakedowns • The Register

• Pension watchdog probes Capita data hack (thetimes.co.uk)

• To Fight Ransomware, Move Beyond Detection to Real-Time Response, Fortinet Study Says - MSSP Alert

• Using Threat Intelligence to Get Smarter About Ransomware – Security Week

• Merck's $1.4B NotPetya insurance payout upheld by court • The Register

• GuidePoint Study Shows a 27% Spike in Public Ransomware Victims - MSSP Alert

• Rapture, a Ransomware Family With Similarities to Paradise (trendmicro.com)

• The Tragic Fallout From a School District’s Ransomware Breach | WIRED

• Hackers leak images to taunt Western Digital's cyber attack response (bleepingcomputer.com)

• ‘Big game hunting’ hackers ALPHV claim major breach of law firm HWL Ebsworth (afr.com)

• FBI Uncovers 9 Crypto Exchanges In Ransomware Laundering (informationsecuritybuzz.com)

• Legitimate Software Abuse: A Disturbing Trend in Ransomware Attacks (darkreading.com)

• US, Ukraine Shut Down Cryptocurrency Exchanges Used by Cyber criminals – Security Week

• BlackCat group releases screenshots of stolen Western Digital data | CSO Online

• Ransomware Attack Affects Dallas Police, Court Websites – Security Week

• Studies show ransomware has already caused patient deaths | TechTarget

• Cold storage giant Americold outage caused by network breach (bleepingcomputer.com)

• Brightline Hack Exposes Data of Over 780,000 Child Mental Health Patients - Infosecurity Magazine (infosecurity-magazine.com)

• Payment software giant AvidXchange suffers its second ransomware attack of 2023 | TechCrunch

• Ransomware Attack Disrupts IT Network at Hardenhuish School - Infosecurity Magazine (infosecurity-magazine.com)

• City of Dallas hit by Royal ransomware attack impacting IT services (bleepingcomputer.com)

• Ransomware gang hijacks university alert system to issue threats (bleepingcomputer.com)

• Cyber attack cost conveyancing giant £7m - but the insurers paid up | News | Law Gazette

• Bitmarck Halts Operations Due to Cyber security Breach - Infosecurity Magazine (infosecurity-magazine.com)

• Teiss - News - Lockbit 3.0 targets Fullerton India, demands a £2.3 million ransom

Phishing & Email Based Attacks

• Malicious HTML Attachment Volumes Surge - Infosecurity Magazine (infosecurity-magazine.com)

• A Comprehensive Look At Email-Based Threats In 2023 (informationsecuritybuzz.com)

• How to Spot a ChatGPT Phishing Website (darkreading.com)

Other Social Engineering; Smishing, Vishing, etc

• Crooks show they don't need ChatGPT to scam victims • The Register

Malware

• ViperSoftX info-stealing malware now targets password managers (bleepingcomputer.com)

• Google Ads Abused to Lure Corporate Workers to LOBSHOT Backdoor (darkreading.com)

• Mac malware-for-hire steals passwords and cryptocoins, sends “crime logs” via Telegram – Naked Security (sophos.com)

• Security experts are using malware's own code to protect potential victims | TechSpot

• New Decoy Dog Malware Toolkit Uncovered: Targeting Enterprise Networks (thehackernews.com)

• How to Detect and Remove a Keylogger From Your Computer (howtogeek.com)

• Hackers start using double DLL sideloading to evade detection (bleepingcomputer.com)

• Anatomy of a Malicious Package Attack (darkreading.com)

Mobile

• Android Apps Fail to Protect User Data During Device Transfer - Infosecurity Magazine (infosecurity-magazine.com)

• Apple pushes first-ever 'rapid' patch, rapidly screws up • The Register

• Google fought a mountain of malware in 2022 | Android Central

• Google Bans Thousands of Play Store Developer Accounts to Block Malware (darkreading.com)

• Digital Intruders – Top Ways Hackers Can Breach Your Smartphone’s Security (freecodecamp.org)

• Smartphone owners warned about ‘shoulder-surfing’ thieves (thetimes.co.uk)

Botnets

• Cyber criminals use proxies to legitimise fraudulent requests - Help Net Security

• Bot Attacks Are Easy to Launch, Human Security Reports - MSSP Alert

Denial of Service/DoS/DDOS

• What’s the Difference Between a DOS and DDoS Attack? (howtogeek.com)

Internet of Things – IoT

• Top 5 IoT Security Risks In 2023 - The Cyber Express

• Hackers exploit 5-year-old unpatched flaw in TBK DVR devices (bleepingcomputer.com)

• CISA warns of Mirai botnet exploiting TP-Link routers • The Register

• Drone goggles maker claims firmware sabotaged to ‘brick’ devices (bleepingcomputer.com)

Data Breaches/Leaks

• Three-Quarters of Firms Predict Breach in Coming Year - Infosecurity Magazine (infosecurity-magazine.com)

• Cyber attack sparks fears that criminals could target UK gun owners for firearms | Cyber crime | The Guardian

• UK Gun Owners May Be Targeted After Rifle Association Breach - Infosecurity Magazine (infosecurity-magazine.com)

• Kodi Forum Data Breach - Lessons Learned, Actions Taken | News | Kodi

• T-Mobile suffered the second data breach in 2023 - Security Affairs

• Sensitive data is being leaked from servers running Salesforce software | Ars Technica

• ChatGPT Confirms Data Breach, Raising Security Concerns (securityintelligence.com)

• Sensitive files about Royal Navy submarine reportedly found in pub toilet | Royal Navy | The Guardian

• Millions of patients’ data confirmed stolen after Fortra mass-hack | TechCrunch

• TikTok security breach allowed attackers to leak personal information (ynetnews.com)

Organised Crime & Criminal Actors

• SpecTor operation: 288 individuals arrested in the seizure of marketplace Monopoly Market-Security Affairs

• US, Ukraine Shut Down Cryptocurrency Exchanges Used by Cyber criminals – Security Week

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

• Man Gets Four Years for Stealing Bitcoin Seized by Feds - Infosecurity Magazine (infosecurity-magazine.com)

• Mac malware-for-hire steals passwords and cryptocoins, sends “crime logs” via Telegram – Naked Security (sophos.com)

• Crooks broke into AT&T email accounts to empty their crypto wallets - Security Affairs

• Level Finance crypto exchange hacked after two security audits (bleepingcomputer.com)

• Hackers stole $93M from crypto projects in April (cryptoslate.com)

Insider Risk and Insider Threats

• The costly threat that many businesses fail to address - Help Net Security

• The hidden security risks in tech layoffs and how to mitigate them | CSO Online