Threat Intelligence Blog

Subscribe to our Weekly Cyber Threat Intelligence Briefing

Black Arrow Admin 24/07/2021 Black Arrow Admin 24/07/2021

Black Arrow Cyber Threat Briefing 23 July 2021

Black Arrow Cyber Threat Briefing 23 July 2021: 40% Fell Victim To A Phishing Attack In The Past Month; Traditional Ransomware Defences Are Failing Businesses; The Number Of Employees Going Around IT Security May Surprise You; 740 Ransomware Victims Named On Data Leak Sites In Q2 2021; A More Dynamic Approach Is Needed To Tackle Today’s Evolving Cyber Security Threats; Law Firm For Ford, Boeing, Exxon, Marriott, Walgreens, And More Hacked In Ransomware Attack; UK And Allies Accuse China Of 'Reckless' Cyber Extortion And Microsoft Hack; Even after Emotet takedown, Office docs deliver 43% of all malware downloads now; Gun owners' fears after firearms dealer data breach

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Black Arrow Cyber Threat Briefing 26 March 2021

Black Arrow Cyber Threat Briefing 26 March 2021: Cyber Warfare Will Grind Britain’s Economy To A Halt; $2 Billion Lost To BEC Scams In 2020; Ransomware Gangs Targets Firms With Cyber Insurance; Three Billion Phishing Emails Are Sent Every Day; $50 Million Ransomware For Computer Maker Acer; Office 365 Phishing Attack Targets Financial Execs; MS Exchange Hacking, Thousands Of Email Servers Still Compromised; Average Ransom Payment Surged 171% in 2020; Phishers’ Perfect Targets: Employees Getting Back To The Office; Nasty Malware Stealing Amazon, Facebook And Google Passwords

Threats

Ransomware

Phishing

Malware

IOT

The US Government Finally Gets Serious About IoT Security

Vulnerabilities

Data Breaches

Organised Crime & Criminal Actors

Russian Pleads Guilty To Conspiracy To Introduce Malware Into Tesla's Computer Network

OT, ICS, IIoT and SCADA

UK Cyber Security Law Forcing Energy Companies To Report Hacks Has Led To No Reports, Despite Numerous Hacks

Nation State Actors

Privacy

Millions of People Can Lose Sensitive Data through Travel Apps, Privacysavvy reports

Other News

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin 19/03/2021 Black Arrow Admin 19/03/2021

Black Arrow Cyber Threat Briefing 19 March 2021

Black Arrow Cyber Threat Briefing 19 March 2021: Tens Of Thousands Of Microsoft Exchange Customers Under Attack, Targeted By Multiple Hacker Groups; Over $4.2 Billion Officially Lost To Cyber Crime In 2020; Cyber Attacks Multiply On HNWIs; Largest Ransomware Demand Now Stands At $30 Million; 71 Percent Of Office 365 Users Suffer Malicious Account Takeovers; More Than 16 Million Covid-Themed Cyber Attacks Launched In 2020; Cyber Now Key To National Security;

Threats

Ransomware

Phishing

Malware

IOT

Vulnerabilities

Data Breaches

Organised Crime & Criminal Actors

Privacy

Other News

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin 30/01/2021 Black Arrow Admin 30/01/2021

Black Arrow Cyber Threat Briefing 29 January 2021

Black Arrow Cyber Threat Briefing 29 January 2021: Phishing Attacks Show High-Ranking Execs ‘Most Valuable Asset’ and ‘Greatest Vulnerability’; Paying Ransomware Funding Organised Crime; Police take down botnet that hacked millions of computers; After SolarWinds Hack, Who Knows What Cyber Dangers We Face; Russian businesses warned of retaliatory cyber attacks; iOS vulns actively exploited; Top Cyber Attacks of 2020

Top Cyber Headlines of the Week

Phishing Attacks Show High-Ranking Execs May Be ‘Most Valuable Asset,’ and ‘Greatest Vulnerability’

Cyber criminals have been using a phishing kit featuring fake Office 365 password alerts as a lure to target the credentials of chief executives, business owners and other high-level corporate leaders. The scheme highlights the role and responsibility upper management plays in ensuring the security of their own company’s assets.

https://www.scmagazine.com/home/security-news/phishing/phishing-scheme-shows-ceos-may-be-most-valuable-asset-and-greatest-vulnerability/

Insurers 'Funding Organised Crime' by Paying Ransomware Claims

Insurers are inadvertently funding organised crime by paying out claims from companies who have paid ransoms to regain access to data and systems after a hacking attack, Britain’s former top cybersecurity official has warned.

https://www.theguardian.com/technology/2021/jan/24/insurers-funding-organised-by-paying-ransomware-claims

Emotet: Police raids take down botnet that hacked 'millions of computers worldwide'

Emotet, one of the world's most dangerous cyber crime services, has been taken down following one of the largest ever internationally-coordinated actions against cyber criminals. Although it began as banking malware designed to steal financial credentials, Emotet had become an infrastructure tool leased out to cyber criminals to break into victim computer networks and install additional malicious software.

https://news.sky.com/story/emotet-police-raids-take-down-botnet-that-hacked-millions-of-computers-worldwide-12200460

After the SolarWinds Hack, We Have No Idea What Cyber Dangers We Face

Months before insurgents breached the Capitol and rampaged through the halls of Congress, a stealthier invader was muscling its way into the computers of government officials, stealing documents, monitoring e-mails, and setting traps for future incursions. Last March, a hacking team, believed to be affiliated with Russian intelligence, planted malware in a routine software upgrade from a Texas-based I.T. company called SolarWinds, which provides network-management systems to more than three hundred thousand clients.

https://www.newyorker.com/news/daily-comment/after-the-solarwinds-hack-we-have-no-idea-what-cyber-dangers-we-face

FSB warns Russian businesses of cyber attacks as retaliation for SolarWinds hack

Russian authorities are alerting Russian organizations of potential cyberattacks launched by the United States in response to SolarWinds attack. The Russian intelligence agency FSB has issued a security alert this week warning Russian organizations of potential cyberattacks launched by the United States in response to the SolarWinds supply chain attack.

https://securityaffairs.co/wordpress/113752/cyber-warfare-2/fsb-fears-retaliation-solarwinds-hack.html

Update your iPhone — Apple just disclosed hackers may have 'actively exploited' a vulnerability in its iOS

On Tuesday released a new iOS software update that includes fixes for three security weaknesses in the former version. Its support website that it is aware of the three security bugs and that they "may have been actively exploited. “Also, it does not disclose details regarding security issues "until an investigation has occurred."

https://www.businessinsider.com/apple-ios-14-update-hackers-security-bugs-iphone-software-2021-1?utmSource=twitter&utmContent=referral&utmTerm=topbar&referrer=twitter

Top Cyber Attacks of 2020

"Zoombomb" became the new photobomb—hackers would gain access to a private meeting or online class hosted on Zoom and shout profanities and racial slurs or flash pornographic images. Nation-state hacker groups mounted attacks against organisations involved in the coronavirus pandemic response, including the World Health Organization and Centres for Disease Control and Prevention, some in an attempt to politicize the pandemic.

https://thehackernews.com/2021/01/top-cyber-attacks-of-2020.html

Threats

Ransomware

BEC

BEC attack techniques exploit Microsoft 365 messages

Phishing

Targeted Phishing Attacks Strike High-Ranking Company Executives

Other Social Engineering

Google warns of ‘novel social engineering method’ used to hack security researchers

Malware

Mobile

Vulnerabilities

Data Breaches

Charities

A month after a high-level cyber attack, charity says many IT systems are still offline

Insider Threats

Man arrested after UK school finds wiped hard drives on devices connected to network

Nation-State Actors

More Security Vendors Admit to SolarWinds Attacks

Denial of Service

DDoS attacks: Big rise in threats to overload business networks

Privacy

Reports Published in the Last Week

Cyber fraud a national security issue, says RUSI report

Other News

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin 23/01/2021 Black Arrow Admin 23/01/2021

Black Arrow Cyber Threat Briefing 22 January 2021

Black Arrow Cyber Threat Briefing 22 January 2021: Ransomware Biggest Cyber Concern; Ransomware Payments Grew 311% In 2020; Cyber Security Spending To Soar In 2021; Ransomware Provides The Perfect Cover For Other Attacks; Gdpr Fines Skyrocket As Eu Gets Tough On Data Breaches; Popular Pdf Reader Has Database Of 77 Miliion Users Leaked Online; Malware Incidents On Remote Devices Increase

Top Cyber Headlines of the Week

Ransomware is now the biggest Cyber Security concern for CISOs

Ransomware is the biggest cyber security concern facing businesses, according to those responsible for keeping organisations safe from hacking and cyberattacks. A survey of chief information security officers (CISOs) and chief security officers (CISOs found that ransomware is now viewed as the main cyber security threat to their organisation over the course of the next year. Almost half – 46% – of CISOs and CISOs surveyed said that ransomware or other forms of extortion by outsiders represents the biggest cyber security threat.

https://www.zdnet.com/article/ransomware-is-now-the-biggest-cybersecurity-concern-for-cisos/

Crypto ransomware payments grew 311% in 2020

Crypto payments associated with ransomware grew at least 311% in 2020. “Ransomware” refers to a category of malicious computer programs that force users into paying ransoms. Just 0.34% of all cryptocurrency transactions last year were criminal, down from 2.1% in 2019. But that number is bound to go up, said the firm.

https://decrypt.co/54648/crypto-crime-ransomware-chainalysis-report-2020

The SolarWinds hackers used tactics other groups will copy

One of the most chilling aspects of Russia's recent hacking spree—which breached numerous United States government agencies among other targets—was the successful use of a “supply chain attack” to gain tens of thousands of potential targets from a single compromise at the IT services firm SolarWinds. But this was not the only striking feature of the assault. After that initial foothold, the attackers bored deeper into their victims' networks with simple and elegant strategies. Now researchers are bracing for a surge in those techniques from other attackers.

https://www.wired.com/story/solarwinds-hacker-methods-copycats/

Global Cyber Security spending to soar in 2021

The worldwide cyber security market is set to grow by up to 10% this year to top $60bn, as the global economy slowly recovers from the pandemic. Double-digit growth from $54.7bn in 2020 would be its best-case scenario. However, even in the worst case, cyber security spending would reach 6.6%. That would factor in a deeper-than-anticipated economic impact from lockdowns, although the security market has proven to be remarkably resilient thus far to the pandemic-induced global economic crisis. That said, SMB spending was hit hard last year, along with certain sectors like hospitality, retail and transport.

https://www.infosecurity-magazine.com/news/global-cybersecurity-spending-to/

Cyber criminals publish more than 4,000 stolen Sepa files

Sepa rejected a ransom demand for the attack, which has been claimed by the international Conti ransomware group. Contracts, strategy documents and databases are among the 4,000 files released. The data has been put on the dark web - a part of the internet associated with criminality and only accessible through specialised software.

https://www.bbc.co.uk/news/uk-scotland-55757884

Ransomware provides the perfect cover for other attacks

Look at any list of security challenges that CISOs are most concerned about and you’ll consistently find ransomware on them. It’s no wonder: ransomware attacks cripple organizations due to the costs of downtime, recovery, regulatory penalties, and lost revenue. Unfortunately, cybercriminals have added an extra sting to these attacks: they are using ransomware as a smokescreen to divert security teams from other clandestine activities behind the scenes

https://www.helpnetsecurity.com/2021/01/21/ransomware-cover/

Ransomware victims that have backups are paying ransoms to stop hackers leaking their stolen data

Some organisations that fall victim to ransomware attacks are paying ransoms to cyber-criminal gangs despite being able to restore their own networks from backups, in order to prevent hackers publishing stolen data. Over the course of the past year, many of the most successful ransomware gangs have added an additional technique in an effort to coerce victims into paying ransoms after compromising their networks – publishing stolen data if a payment isn't received.

https://www.zdnet.com/article/ransomware-victims-that-have-backups-are-paying-ransoms-to-stop-hackers-leaking-their-stolen-data/

GDPR fines skyrocket as EU gets tough on data breaches

Europe’s new privacy protection regime has led to a surge in fines for bad actors, according to research published today. Law firm DLA Piper says that, since January 28th, 2020, the EU has issued around €158.5 million (around $192 million) in financial penalties. That’s a 39-percent increase on the previous 20-month period Piper examined in its report, published this time last year. And as well as the increased fines, the number of breach notifications has shot up by 19 percent across the same 12-month period.

https://www.engadget.com/gdpr-fines-dla-piper-report-144510440.html

Malware incidents on remote devices increase

Devices compromised by malware in 2020, 37% continued accessing corporate emails after being compromised and 11% continued accessing cloud storage, highlighting a need for organizations to better determine how to configure business tools to ensure fast and safe connectivity for all users in 2021.

https://www.helpnetsecurity.com/2021/01/18/malware-incidents-remote-devices/

Threats

Phishing

Malware

Vulnerabilities

Data Breaches

Denial of Service

Windows RDP servers are being abused to amplify DDoS attacks

Cloud

Hackers hijacked cloud accounts of high-tech and aviation firms, hid in systems for years

Privacy

Is your boss spying on you as you work from home? One in five firms admit using secret software

Other News

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin 14/11/2020 Black Arrow Admin 14/11/2020

Black Arrow Cyber Threat Briefing 13 November 2020

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Top Cyber Headlines of the Week

Five Emerging Cyber-Threats to Watch Out for in 2021

What was the driving force behind your company’s digital strategy in 2020? Was it your CEO? Probably not. Your CTO or CISO? Perhaps.

For most organisations, it was COVID-19. In 2019, one company after another said: “work-from-home isn’t an option for us” or “we aren’t interested in shifting operations to the cloud.”

Then everything changed. The pandemic drove a massive shift towards remote work. For many companies, this wasn’t even an option — it was a case of ‘do or die.’

By April 2020, almost half of the American workforce was working from home. As organisations and employees become more comfortable with this, we shouldn’t expect a full return to the traditional in-office model anytime soon, if ever. Work-from-anywhere is the new way of doing business, with employees accessing cloud services, collaborative tools and remote systems from home and public networks – and not always through the safety of a VPN.

https://www.infosecurity-magazine.com/blogs/five-cyber-threats-2021/

Guernsey law firm fined £10,000 for data security breach

Trinity Chambers LLP sent private details about an individual and their family via emails and post, the Data Protection Authority (ODPA) found.

It said a lack of security had given "unconnected" third parties access to the data.

The breach of data by Trinity was the result of "repeated human error", an investigation found.

https://www.bbc.co.uk/news/world-europe-guernsey-54854333

Every employee has a cyber security blind spot

80% of companies say that an increased cyber security risk caused by human factors has posed a challenge during the COVID-19 pandemic, particularly in times of heightened stress.

This is a new report that explores the role employees and their personality play in keeping organisations safe from cyber threats. Including that:

· Cyber crime has increased by 63% since the COVID-19 lockdown was introduced

· Human error has been the biggest cyber security challenge during the COVID-19 pandemic, according to CISOs

· Just a quarter of businesses consider their remote working strategy effective

· 47% of people are concerned about their ability to manage stress during the coronavirus crisis

https://www.helpnetsecurity.com/2020/11/09/cybersecurity-blind-spot/

Zoom settles FTC charges for misleading users about security features

Video conferencing software maker Zoom has reached a deal today with the US Federal Trade Commission to settle accusations that its misled users about some of its security features.

During the height of the COVID-19 pandemic, Zoom had attracted users to its platform with misleading claims that its product supported "end-to-end, 256-bit encryption" and that its service would store recorded calls in an encrypted format.

However, in a complaint filed earlier this year, the investigators found that Zoom's claims were deceptive.

Despite claiming to support end-to-end encrypted (E2EE) calls, Zoom didn't support E2EE calls in the classic meaning of the word.

https://www.zdnet.com/article/zoom-settles-ftc-charges-for-misleading-users-about-security-features/

Threats

Ransomware

How Ryuk Ransomware operators made $34 million from one victim

One hacker group that is targeting high-revenue companies with Ryuk ransomware received $34 million from one victim in exchange for the decryption key that unlocked their computers.

The threat actor is highly proficient at moving laterally inside a compromised network and erasing as much of their tracks as possible before detonating Ryuk ransomware.

https://www.bleepingcomputer.com/news/security/how-ryuk-ransomware-operators-made-34-million-from-one-victim/

Ransomware hits e-commerce platform X-Cart

E-commerce software vendor X-Cart suffered a ransomware attack at the end of October that brought down customer stores hosted on the company's hosting platform.

The incident is believed to have taken place after attackers exploited a vulnerability in a third-party software to gain access to X-Cart's store hosting systems.

https://www.zdnet.com/article/ransomware-hits-e-commerce-platform-x-cart

Linux version of RansomEXX ransomware discovered

A Linux version of the RansomEXX ransomware, marking the first time a major Windows ransomware strain has been ported to Linux to aid in targeted intrusions.

RansomEXX is a relatively new ransomware strain that was first spotted earlier this year in June.

https://www.zdnet.com/article/linux-version-of-ransomexx-ransomware-discovered/

Laptop mega-manufacturer Compal hit by DoppelPaymer ransomware – same one that hit German hospital

Compal, the world’s second-largest white-label laptop manufacturer, has been hit by the file-scrambling DoppelPaymer ransomware gang – and the hackers want $17m in cryptocurrency before they'll hand over the decryption key.

The Taiwanese factory giant, which builds systems for Apple, Lenovo, Dell, and HP, finally admitted malware infected its computers and encrypted its documents after first insisting it had suffered no more than an IT "abnormality" and that its staff had beaten off a cyber-attack.

https://www.theregister.com/2020/11/09/compal_ransomware_report/

Capcom hit by ransomware attack, is reportedly being extorted for $11 million

Earlier this week it emerged that third-party giant Capcom's internal systems had been hacked, though the company claimed that no customer data was affected.

It has now emerged that the publisher was targeted by the Ragnar Locker ransomware, software designed to exfiltrate information from internal networks before encrypting the lot: at which point the victim is locked-out, contacted, and extorted.

https://www.pcgamer.com/capcom-hit-by-ransomware-attack-is-reportedly-being-extorted-for-pound11-million/

Business Email Compromise (BEC)

Jersey business targeted in £130,000 invoice scam

A Jersey building company has been targeted by a sophisticated impersonation scam, which saw fraudsters intercept more than £130,000 in invoice payments.

The owners, who wish to remain anonymous, said they were "left reeling" after realising their email correspondence with a customer had been hacked, and payments diverted to a scam bank account.

After taking swift action, they were able to recover all their money, but they now want to make sure other islanders do not fall victim. They are encouraging businesses in particular to be "extra vigilant".

https://www.itv.com/news/channel/2020-11-13/jersey-business-targeted-in-130000-invoice-scam

Phishing

Smishing attack tells you “mobile payment problem” – don’t fall for it!

As we’ve warned before, phishing via SMS, or smishing for short, is still popular with cybercriminals.

Sure, old-fashioned text messages have fallen out of favour for personal communications, superseded round the world by instant messaging apps such as WhatsApp, WeChat, Instagram, Telegram and Signal.

But for brief, one-off business communications such as “Your home delivery will arrive at 11:30 today” or “Your one-time login code is 217828”, SMS is still a popular and useful messaging system.

That’s because pretty much every mobile phone in the world can receive text messages, regardless of its age, feature set or ability to access the internet.

Even if you’ve got no credit to send messages or make calls, no third-party apps installed, and no Wi-Fi connectivity, SMSes sent to you will still show up.

https://nakedsecurity.sophos.com/2020/11/10/smishing-attack-tells-you-mobile-payment-problem-dont-fall-for-it/

Malware

Play Store identified as main distribution vector for most Android malware

The official Google Play Store has been identified as the primary source of malware installs on Android devices in a recent academic study — considered the largest one of its kind carried out to date.

Using telemetry data, researchers analysed the origin of app installations on more than 12 million Android devices for a four-month period between June and September 2019.

In total, researchers looked at more than 34 million APK (Android application) installs for 7.9 million unique apps.

https://www.zdnet.com/article/play-store-identified-as-main-distribution-vector-for-most-android-malware/

This new malware wants to add your Linux servers and IoT devices to its botnet

A new form of malware is targeting Linux servers and Internet of Things (IoT) devices and adding them to a botnet in what appears to be the first stage of a hacking campaign targeting cloud-computing infrastructure – although the purpose of the attacks remains unclear.

The malicious worm has been dubbed Gitpaste-12, reflecting on how it uses GitHub and Pastebin for housing component code and has 12 different means of compromising Linux-based x86 servers, as well as Linux ARM- and MIPS-based IoT devices.

https://www.zdnet.com/article/this-new-malware-wants-to-add-your-linux-servers-and-iot-devices-to-its-botnet/

New 'Ghimob' malware can spy on 153 Android mobile applications

Security researchers have discovered a new Android banking trojan that can spy and steal data from 153 Android applications.

Named Ghimob, the trojan is believed to have been developed by the same group behind the Astaroth (Guildma) Windows malware, according to a report published.

Distribution was never carried out via the official Play Store.

Instead, the Ghimob group used emails or malicious sites to redirect users to websites promoting Android apps.

https://www.zdnet.com/article/new-ghimob-malware-can-spy-on-153-android-mobile-applications/

Microsoft Teams Users Under Attack in ‘Fake Updates’ Malware Campaign

Attackers are using ads for fake Microsoft Teams updates to deploy backdoors, which use Cobalt Strike to infect companies’ networks with malware.

The campaign is targeting various types of companies, with recent targets in the K-12 education sector, where organisations are currently dependent on using apps like Teams for videoconferencing due to COVID-19 restrictions.

Cobalt Strike is a commodity attack-simulation tool that’s used by attackers to spread malware, particularly ransomware. Recently, threat actors were seen using Cobalt Strike in attacks exploiting Zerologon, a privilege-elevation flaw that allows attackers to access a domain controller and completely compromise all Active Directory identity services.

https://threatpost.com/microsoft-teams-fakeupdates-malware/161071/

DDoS

DDoS attacks are cheaper and easier to carry out than ever before

DDoS attacks are getting more complex and more sophisticated while also getting cheaper and easier to carry out as cyber criminals take advantage of the sheer number of insecure internet-connected devices.

Distributed Denial of Service attacks have been a problem for many years, with cyber attackers gaining control of armies of devices and directing their internet traffic at targets in order to take the victim offline.

The disruption causes problems for both businesses and individual users who are prevented from accessing digital services they require – and that's especially a problem as 2020's coronavirus pandemic has forced people to be more reliant on digital services than ever before.

https://www.zdnet.com/article/ddos-attacks-are-cheaper-and-easier-to-carry-out-than-ever-before/

IoT

IoT security is a mess. These guidelines could help fix that

The supply chain around the Internet of Things (IoT) has become the weak link in cyber security, potentially leaving organisations open to cyber attacks via vulnerabilities they're not aware of. But a newly released set of guidelines aims to ensure that security forms part of the entire lifespan of IoT product development.

The Guidelines for Securing the IoT – Secure Supply Chain for IoT report from the European Union Agency for Cybersecurity (ENISA) sets out recommendations throughout the entire IoT supply chain to help keep organisations protected from vulnerabilities that can arise when building connected things.

https://www.zdnet.com/article/iot-security-is-a-mess-these-guidelines-could-help-fix-that/

Vulnerabilities

Windows 10 update created a major password problem

A temporary fix for a frustrating Windows 10 bug that prevents software from storing account credentials, meaning the user must re-enter their username and password each time they log-in.

The flaw is also said to delete cookies held in web browsers, preventing websites from memorising credentials and serving bespoke content to the user.

First reported in April, the issue is present in specific builds of Windows 10 version 2004 and affects applications such as Outlook, Chrome, Edge, OneDrive and more.

https://www.techradar.com/news/windows-10-update-made-a-right-mess-of-this-basic-password-feature

Colossal Intel Update Anchored by Critical Privilege-Escalation Bugs

A massive Intel security update this month addresses flaws across a myriad of products – most notably, critical bugs that can be exploited by unauthenticated cyber criminals in order to gain escalated privileges.

These critical flaws exist in products related to Wireless Bluetooth – including various Intel Wi-Fi modules and wireless network adapters – as well as in its remote out-of-band management tool, Active Management Technology (AMT).

Overall, Intel released 40 security advisories on Tuesday, each addressing critical-, high- and medium-severity vulnerabilities across various products. That by far trumps October’s Intel security update, which resolved one high-severity flaw.

https://threatpost.com/intel-update-critical-privilege-escalation-bugs/161087/

Hackers are exploiting unpatched VoIP flaws to compromise business accounts

A hacking campaign has compromised VoIP (Voice over Internet Protocol) phone systems at over 1,000 companies around the world over the past year in a campaign designed to make profit from selling compromised accounts.

While the main purpose appears to be dialling premium rate numbers owned by attackers or selling phone numbers and call plans that others can use for free, access to VoIP systems could provide cyber criminals with the ability to conduct other attacks, including listening to private calls, cryptomining, or even using compromised systems as a steppingstone towards much more intrusive campaigns.

One hacking group has compromised the VoIP networks of almost 1,200 organisations in over 20 countries by exploiting the vulnerability, with over half the victims in the UK. Industries including government, military, insurance, finance and manufacturing are believed to have fallen victim to the campaign

https://www.zdnet.com/article/hackers-are-exploiting-unpatched-voip-flaws-to-compromise-business-accounts/

Google patches two more Chrome zero-days

Google has released today Chrome version 86.0.4240.198 to patch two zero-day vulnerabilities that were exploited in the wild.

These two bugs mark the fourth and fifth zero-days that Google has patched in Chrome over the past three weeks.

The difference this time is that while the first three zero-days were discovered internally by Google security researchers, these two new zero-days came to Google's attention after tips from anonymous sources.

https://www.zdnet.com/article/google-patches-two-more-chrome-zero-days/

Data Breaches

Ticketmaster fined £1.25m over payment data breach

Ticketmaster UK has been fined £1.25m for failing to keep its customers' personal data secure.

The fine was issued by the Information Commissioner's Office (ICO) following a cyber-attack on the Ticketmaster website in 2018.

The ICO said personal information and payment details had potentially been stolen from more than nine million customers in Europe.

https://www.bbc.co.uk/news/technology-54931873

Millions of Hotel Guests Worldwide Caught Up in Mass Data Leak

A cloud misconfiguration affecting users of a popular reservation platform threatens travellers with identity theft, scams, credit-card fraud and vacation-stealing.

A widely used hotel reservation platform has exposed 10 million files related to guests at various hotels around the world, thanks to a misconfigured Amazon Web Services S3 bucket. The records include sensitive data, including credit-card details.

Prestige Software’s “Cloud Hospitality” is used by hotels to integrate their reservation systems with online booking websites like Expedia and Booking.com.

https://threatpost.com/millions-hotel-guests-worldwide-data-leak/161044/

DWP exposed 6,000 people’s data online for two years

The Department for Work and Pensions (DWP) has removed the personal details of thousands of people after they were exposed online for two years.

The files, published in March and June 2018, listed routine payments to the outsourcing giant Capita and included the National Insurance (NI) numbers of approximately 6,000 people, according to the Mirror. These individuals were believed to be applying for the disability benefit, PIP. No other personal data was exposed in the incident.

https://www.itpro.co.uk/security/data-breaches/357724/dwp-data-breach-exposed-6000-ni-numbers

Data breach at Mashable leaks users’ personal information online

Technology and culture news website Mashable have announced that the personal data of users has been discovered in a leaked database posted on the internet.

In a statement issued this week, Mashable confirmed that a database containing information from readers who made use of the platform’s social media sign-in feature had been found online.

The media company said that “a hacker known for targeting websites and apps” was responsible for the breach. The suspect has not been named.

Leaked data is said to include the full names, locations, email addresses, genders, IP addresses, and links to social media profiles of users.

https://portswigger.net/daily-swig/data-breach-at-mashable-leaks-users-nbsp-personal-information-online

Other News

Try to avoid thinking of the internet as a flashy new battlefield, warns former NCSC chief

https://www.theregister.com/2020/11/11/ciaran_martin_speech_cyber_policy/

Microsoft says three APTs have targeted seven COVID-19 vaccine makers

https://www.zdnet.com/article/microsoft-says-three-apts-have-targeted-seven-covid-19-vaccine-makers/

New stealthy hacker-for-hire group mimics state-backed attackers

https://www.bleepingcomputer.com/news/security/new-stealthy-hacker-for-hire-group-mimics-state-backed-attackers/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin 11/10/2020 Black Arrow Admin 11/10/2020

Cyber Weekly Flash Briefing 09 October 2020: Jersey based insurance firm Ardonagh hit with ransomware; Boards increase cyber investment; spike in romance scams; Amazon Prime Day phishing spike

Cyber Weekly Flash Briefing 09 October 2020: Jersey based insurance firm Ardonagh hit with ransomware; Boards increase cyber investment; spike in romance scams; cyber remains top business risk; ransomware surge as hackers take advantage of firms under pressure; Amazon Prime Day spurs phishing spike; new botnet wipes IoT devices; Emotet one of the most prevalent threats; Windows Error Reporting exploited

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Jersey based insurance firm Ardonagh Group disabled 200 admin accounts as ransomware infection took hold

Jersey-headquartered insurance company Ardonagh Group has suffered a potential ransomware infection.

Reports indicated that the insurance firm had been forced to suspend 200 internal accounts with admin privileges as the "cyber incident" progressed through its IT estate.

The UK's second largest privately owned insurance broker, according to the Financial Times, Ardonagh Group has spent the year to date acquiring other companies.

The timing of the most recent attack is unfortunate: Ardonagh recently published its financials, showing a loss of £94.m, according to reports.

Why this matters:

Whilst there is nothing to suggest these attacks are linked this attack comes a week after US insurance giant Gallagher was also hit with ransomware.

No firm is immune to being hit with ransomware, no matter how good they think their defences are, and then it comes down to how well you had planned for ransomware happening and how capable you are to recover and get the business back on its feet.

Boards Increase Investment in Cyber security in Face of Threats and Regulatory Fines

Board decisions on cyber security spending are slowly improving following the impact of regulatory fines and COVID-19.

According to research surveying 908 senior IT security decision makers working within organisations with more than 500 employees, 58% plan to add more security budget in the next 12 months.

Amid growing cyber threats and rising risks through the COVID crisis, CISOs report that boards are listening and stepping up with increased budget for cyber security, with 91% agreeing that their board adequately supports them with investment.

Retro-fixing of security to remote working tools was “a path and direction most organisations have been going down, however it was always a lower priority.”

COVID-19 has accelerated the investment into both cloud and remote working budgets, and this includes the need for secure remote access and the ability to access from any location. Having a CISO on the board is helping ensure technology that supports remote working environments are also secure by design.

Why this matters:

Boards are definitely listening and stepping up with increased budget for cyber security, however many firms still tend to view any investment as a cost rather than adding business value. There is still some way to go, boards mainly approve investments after a security incident or through fear of regulatory penalties for non-compliance which shows that cyber security investment decisions are more about insurance than about any desire to lead the field which, in the long run, limits the industry’s ability to keep pace with the cyber-criminals.

Online Romance Scams Spike Under Lockdown

Police and banks are celebrating after revealing that £19 million in fraud was stopped in the first half of the year, although romance scams are reportedly on the rise.

Over 600 reports of romance scams were made each month in June, July and August, contributing to a 26% year-on-year increase in cases recorded by Action Fraud, according to Sky News.

These are typically confidence tricks where a vulnerable individual is contacted via a dating site and financially exploited or unwittingly used as a money mule.

Why this matters:

Over 19,400 such crimes were logged with the FBI last year, making it the second highest earner for cyber-criminals after business email compromise (BEC). Over $475 million was lost to romance scammers in 2019, the law enforcement agency said.

In the UK, losses are said to have exceeded £66 million between August 2019 and August 2020. As a result, various dating sites, banking groups and police are running a “Take Five” awareness campaign designed to warn users of the dangers posed by internet scammers.

The spike in romance scams coincided with COVID-19 lockdowns in the UK and much of the rest of the world, and a subsequent shift in crime and fraud online.

Action Fraud claimed it saw an increase in reported attacks in the first month of lockdown, to nearly 4000. UK Finance last month claimed that fraudsters are increasingly shifting their operations online.

However, Action Fraud also revealed this week that millions of pounds worth of fraud has been prevented so far this year thanks to a Banking Protocol first introduced three years ago.

The initiative enables banking staff in branches to alert their local police force when they suspect a customer is being scammed, for example if they are transferring or withdrawing large sums of money. It has been used to good effect to stop romance fraud, and impersonation scams, Action Fraud claimed.

In addition to the £19.3 million in fraud allegedly prevented, 100 arrests were made in the first half of the year.

WEF: Cyber-Attacks Remain Top Business Risk in the West

Cyber-attacks have dropped down the pecking order in terms of top global business risks but remain high on the priority list in North America and Europe, according to the latest World Economic Forum (WEF) data.

The annual Regional Risks for Doing Business report is compiled from over 12,000 responses from business leaders in 127 countries. They are presented with a pre-selected list of 30 global risks and asked to choose the five that they believe to be of most concern for doing business in their country over the next decade.

Why this matters:

Unsurprisingly given the current financial and healthcare crisis, the top two global risks were unemployment and spread of infectious disease, followed by fiscal crisis. Spread of infectious disease also topped the priority list for business leaders regionally in Europe, Eurasia and East Asia and the Pacific.

However, although cyber-attacks fell from second place globally last year to fourth, they are still top-of-mind in the West.

They were named the number one risk of the next decade by North American business leaders, garnering a share of 55% versus infectious diseases in second with 30%. Cyber-risk was placed second in Europe but first in the UK, with 56% versus fiscal crises in second with 45%.

Ransomware: Surge in attacks as hackers take advantage of organisations under pressure

The number of ransomware attacks has significantly grown over the past few months as cyber criminals look to cash in on security vulnerabilities opened up by the rise in remote working.

Researchers at cyber security company Check Point said the number of daily ransomware attacks across the globe has increased by half over the past three months – and that they've almost doubled in the US.

Why this matters:

One of the reasons ransomware attacks are on the rise is because of the swift switch to remote working that has forced many people to work from home for the first time, something that could leave them vulnerable to phishing emails and malware attacks, especially on a home network that likely won't be as secure as an enterprise environment.

Working from home also makes monitoring devices for malicious activity harder for information security teams than it would be if every user was under one roof, providing hackers with a better chance of going about their business unnoticed.

Amazon Prime Day Spurs Spike in Phishing, Fraud Attacks

Cyber criminals are tapping into Amazon’s annual discount shopping campaign for subscribers, Prime Day, with researchers warning of a recent spike in phishing and malicious websites that are fraudulently using the Amazon brand.

There has been a spike in the number of new monthly phishing and fraudulent sites created using the Amazon brand since August, the most significant since the COVID-19 pandemic forced people indoors in March, according to a new report published this week.

Why this matters:

As shoppers gear up for two days of great deals, cyber criminals are preparing to prey on the unwary, taking advantage of those who let their guard down to snap up bargains.

Prime Day actually happens over two days—this year the event falls on Oct. 13 to 14. Amazon Prime customers enjoy special sales and discounts on top brands to mark the biggest shopping event of the year on the online retail giant’s site.

Amazon last year yielded over $7 billion in sales during the 36-hour event, which could go even bigger this year due to “the decline of brick and mortar retail and the close proximity to the holidays,” researchers noted. Indeed, mandatory stay-at-home orders globally that began with the COVID-19 pandemic in March have significantly boosted Amazon’s business, a trend that shows no signs of abating.

Microsoft warns of Android ransomware that activates when you press the Home button

A new strain of mobile ransomware abuses the mechanisms behind the "incoming call" notification and the "Home" button to lock screens on users' devices.

Named AndroidOS/MalLocker.B, the ransomware is hidden inside Android apps offered for download on online forums and third-party websites.

Just like most Android ransomware strains, MalLocker.B doesn't actually encrypt the victim's files but merely prevents access to the rest of the phone.

Once installed, the ransomware takes over the phone's screen and prevents the user from dismissing the ransom note — which is designed to look like a message from local law enforcement telling users they committed a crime and need to pay a fine.

Why this matters:

Ransomware posing as fake police fines has been the most popular form of Android ransomware for more than half a decade now.

Across time, these malware strains have abused various functions of the Android operating systems in order to keep users locked on their home screen.

Past techniques included abusing the System Alert window or disabling the functions that interface with the phone's physical buttons.

MalLocker.B comes with a new variation of these techniques.

The ransomware uses a two-part mechanism to show its ransom note.

The first part abuses the "call" notification. This is the function that activates for incoming calls to show details about the caller, and MalLocker.B uses it to show a window that covers the entire area of the screen with details about the incoming call.

The second part abuses the "onUserLeaveHint()" function. This function is called when users want to push an app into the background and switch to a new app, and it triggers when pressing buttons like Home or Recents. MalLocker.B abuses this function to bring its ransom note back into the foreground and prevent the user from leaving the ransom note for the home screen or another app.

The abuse of these two functions is a new and never-before-seen trick, but ransomware that hijacks the Home button has been seen before.

Suspected Chinese Hackers Unleash Malware That Can Survive OS Reinstalls

Chinese hackers may be using malware that can survive Windows OS reinstalls to spy on computers.

Security firm Kaspersky Lab uncovered the malware, which exploits a computer’s UEFI (Unified Extensible Firmware Interface) to continually persist on a Windows machine.

Why this matters:

Attacking the UEFI is pretty alarming because the software is used to boot up your computer and load the operating system. It also operates separately from your computer’s main hard drive, and usually resides in the motherboard’s SPI flash memory as firmware. As a result, any malicious process embedded in the UEFI can survive an operating system reinstall while evading traditional antivirus solutions. This attack shows that in exceptional cases actors are willing to go to great lengths in order to gain the highest level of persistence on a victim’s machine.

New HEH botnet can wipe routers and IoT devices

A newly discovered botnet contains code that can wipe all data from infected systems, such as routers, servers, and Internet of Things (IoT) devices.

Named HEH, the botnet spreads by launching brute-force attacks against any internet-connected system that has its Telnet ports (23 and 2323) exposed online.

If the device uses default or easy-to-guess Telnet credentials, the botnet gains access to the system, where it immediately downloads one of seven binaries that install the HEH malware.

Why this matters:

This HEH malware doesn't contain any offensive features, such as the ability to launch DDoS attacks, the ability to install crypto-miners, or code to run proxies and relay traffic for bad actors.

The only features present are a function that ensnares infected devices and coerces them to perform Telnet brute-force attacks across the internet to help amplify the botnet; a feature that lets attackers run Shell commands on the infected device; and a variation of this second feature that executes a list of predefined Shell operations that wipe all the device's partitions.

US Department of Homeland Security (DHS) warns that Emotet malware is one of the most prevalent threats today

The malware known as Emotet has emerged as “one of the most prevalent ongoing threats” as it increasingly targets state and local governments and infects them with other malware, the cybersecurity arm of the Department of Homeland Security said on Tuesday.

Why this matters:

Emotet was first identified in 2014 as a relatively simple trojan for stealing banking account credentials. Within a year or two, it had reinvented itself as a formidable downloader or dropper that, after infecting a PC, installed other malware. The Trickbot banking trojan and the Ryuk ransomware are two of the more common follow-ons. Over the past month, Emotet has successfully burrowed into Quebec’s Department of Justice and increased its onslaught on governments in France, Japan, and New Zealand. It has also targeted the Democratic National Committee and numerous other US state and local government agencies.

Hackers exploit Windows Error Reporting service in new fileless attack

A new fileless attack technique that abuses the Microsoft Windows Error Reporting (WER) service is the work of a hacking group that is yet to be identified.

According to researchers the attack vector relies on malware burying itself in WER-based executables to avoid arousing suspicion.

In a blog post on Tuesday the researchers said the new "Kraken" attack -- albeit not a completely novel technique in itself -- was detected on September 17.

A lure phishing document found by the research team was packaged up in a .ZIP file. Titled, "Compensation manual.doc," the file claims to contain information relating to worker compensation rights, but when opened, is able to trigger a malicious macro.

Why this matters:

The macro leads to a payload injected a process connected to the WER service and used by Microsoft to track and address operating system errors.

That reporting service, WerFault.exe, is usually invoked when an error related to the operating system, Windows features, or applications happens," Malwarebytes says. "When victims see WerFault.exe running on their machine, they probably assume that some error happened, while in this case they have actually been targeted in an attack.

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin 04/10/2020 Black Arrow Admin 04/10/2020

Cyber Weekly Flash Briefing 2 October 2020: Entry to Ransom in 45 Mins; Cyber War Collateral; Gallagher Hit with Ransomware; Adapting to Permanent WFH; Consumers Ditch Breached Firms; Awareness Month

Cyber Weekly Flash Briefing 02 October 2020: Ransomware - Entry to Ransom in 45 Minutes; Business concerned by collateral damage in cyber war; Gallagher insurance hit with ransomware; paying ransoms could land you in hot water with regulators; security must adapt to permanent WFH; DDoS attacks are getting more powerful; Consumers Vote to Ditch Breached Firms; New Botnet now Infects Mac and Android Devices; Spyware Variant Snoops on WhatsApp & Telegram Messages; It’s Cyber Security Awareness Month

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Ransomware: from Entry to Ransom in Under 45 Minutes

Ransomware gangs are performing wide-ranging internet scans to find vulnerable systems and then accelerating attacks to just minutes to capitalize on COVID-19, Microsoft has warned in a blog post introducing the firm’s latest Digital Defense Report

The report claimed that threat actors have “rapidly increased sophistication” over the past year, with ransomware the number one reason for Microsoft incident response between October 2019 and July 2020.

“Attackers have exploited the COVID-19 crisis to reduce their dwell time within a victim’s system — compromising, exfiltrating data and, in some cases, ransoming quickly — apparently believing that there would be an increased willingness to pay as a result of the outbreak. In some instances, cyber-criminals went from initial entry to ransoming the entire network in under 45 minutes”.

“At the same time, we also see that human-operated ransomware gangs are performing massive, wide-ranging sweeps of the internet, searching for vulnerable entry points, as they ‘bank’ access – waiting for a time that is advantageous to their purpose.”

Why this matters:

Not only are attackers speeding up attacks, attackers have also become more sophisticated in performing reconnaissance on high-value targets, so that they appear to know when certain factors like holidays will reduce the victim organisation’s chances of patching, or otherwise hardening their networks.

They’re also aware of how billing cycles operate in certain industries, and thus when specific targets may be more willing to pay.

Business are concerned their companies will be collateral damage in a future cyber-war

Businesses are worrying about being caught in the crossfire of cyber warfare, according to research from Bitdefender – while industry figures warn that the gap between common-or-garden cyber threats and what nation states are doing is becoming smaller and smaller.

Bitdefender’s latest report, titled 10 in 10, surveyed around 6,000 C-suite executives responsible for cyber security and found “over a fifth” said that cyber warfare was one of the most challenging topics they had to convince their colleagues to take seriously.

Bitdefender don’t think these executives are afraid of cyber warfare in the sense of directly being targeted, more in line with being collateral victims of cyber warfare taking out electric power grids, internet. They need to be prepared for these kind of attacks.

Why this matters:

Cyber warfare, at its simplest, involves disrupting computers to achieve a real-world effect. This could be something like a denial-of-service (DoS) attack against a power grid, intended to cause a power outage, or the infamous Stuxnet malware infection that set back Iran’s nuclear weapon ambitions by several years. It could also include attacks designed to degrade an adversary’s own ability to mount cyber attacks; cyber on cyber.

An attack by one nation against another nation could have significant impact on the ability of a business to continue to operate, either in the short term or over the longer term.

Ransomware hits US-based Arthur J. Gallagher insurance giant

US-based Arthur J. Gallagher (AJG) global insurance brokerage and risk management firm confirmed a ransomware attack that hit its systems on Saturday.

AJG is one of the largest insurance brokers in the world with more than 33,300 employees and operations in 49 countries, including Rossborough in Guernsey.

The company is ranked 429 on the Fortune 500 list and it provides insurance services to customers in over 150 countries.

AJG says that it detected the ransomware attack on September 26, 2020, with only a limited number of the company's internal systems being affected, but that they shut down all computing systems to block the attack

"We promptly took all of our global systems offline as a precautionary measure, initiated response protocols, launched an investigation, engaged the services of external cyber security and forensics professionals, and implemented our business continuity plans to minimize disruption to our customers," the company added on September 28th in an filing with US regulators.

Why this matters:

Firms everywhere are being hit with ransomware and the speed, frequency, and sophistication of these attacks is only going to carry on getting worse. Firms must ensure they are prepared for an attack ahead of an attack happening and ensure they have plans in place to be able to recover. Most ransomware starts with a user clicking on a link in an email or downloading an attachment so firms must ensure their staff realise the role they play in defending their organisations – this is not something that IT alone can protect firms against.

Paying ransomware demands could land you in hot water with authorities and regulators

Businesses, governments, and organisations that are hit by crippling ransomware attacks now have a new worry to contend with—big fines from authorities and regulators, such as the US Department of Treasury, in the event that they pay to recover their data.

US Treasury Department officials made that guidance official in an advisory published this week. It warns that payments made to specific entities or to any entity in certain countries—specifically, those with a designated “sanctions nexus”—could subject the payer to financial penalties levied by the US Office of Foreign Assets Control, or OFAC.

The prohibition applies not only to the group that is infected but also to any companies or contractors the hacked group’s security or insurance engages with, including those who provide insurance, digital forensics, and incident response, as well as all financial services that help facilitate or process ransom payments.

Why this matters:

Payments made to criminal groups, sanctioned groups or individuals, or otherwise making a payment that could be funding terrorism will fall foul of regulations in most regulated jurisdictions. The last thing a firm will need is having to recover from the ransomware attack and also then being hit with fines from regulators and authorities.

CIOs say security must adapt to permanent work-from-home

Both private- and public-sector CIOs see many more employees permanently working remotely, and say security needs to adapt to new threats and how they communicate.

Much of the public and private sector was forced to shut down in-person facilities and operations almost overnight in March as COVID quarantines began. The new conditions forced organisations to quickly find ways to secure tens of millions of new, vulnerable endpoints created by at-home workers. Now, six months later, technology leaders are taking stock of what happened and considering how a post-COVID landscape might look.

Why this matters:

COVID has resulted in a lot of changes and is behind a lot of innovation but it looks like some places will be putting up with these short term measures for longer than originally planned.

What might have been OK as a short term fix needs to become ‘business as usual’ and security controls will need to be adapted to these more permanent new ways of working.

DDoS attacks are getting more powerful as attackers change tactics

There's been a surge in Distributed Denial of Service (DDoS) attacks throughout the course of this year, and the attacks are getting more powerful and more disruptive.

Why this matters:

DDoS attacks are launched against websites or web services with the aim of disrupting them to the extent that they are taken offline. Attackers direct the traffic from a botnet army of hundreds of thousands of PCs, servers and other internet-connected devices they've gained control of via malware towards the target, with the aim of overwhelming it.

An attack can last for just seconds, or hours or days and prevent legitimate users from accessing the online service for that time.

And while DDoS attacks have been a nuisance for years, the prospect of corporate, e-commerce, healthcare, educational and other services being disrupted at a time when the ongoing global pandemic means more people are reliant on online services than ever could create huge problems.

KPMG: Consumers Vote to Ditch Breached Firms

Most consumers would take their business elsewhere if they discovered an organisation had suffered a major cyber-attack or data breach, according to new data from KPMG.

The global consulting firm polled over 2000 Canadians in September to better understand the impact of security incidents and the risks for online firms that fail to adequately protect customer data.

As many as 90% of respondents said they would feel wary about sharing personal or financial information with a company that had suffered such an incident, and over two-thirds (67%) are more worried than ever about their data being breached.

Why this matters:

The findings come at a time when consumers are spending more of their lives, and sharing more of their data, online.

Over half (54%) of respondents said they are shopping more online than they used to pre-COVID, rising to 64% for the 18-44 age group. The same number (54%) said they had received a lot more suspicious emails in the first half of 2020, and even more (84%) claimed they were being “extra careful” when shopping online for fear of their data being stolen.

Phishing (38%) and spear-phishing (13%) were revealed as the most common attacks likely to face Canadians, as they are consumers in other Western countries. Unfortunately for brands, they are likely to get the blame for successful attacks on consumers even though it is the email recipients themselves who make the mistake of clicking through.

InterPlanetary Storm Botnet Infects 13K Mac, Android Devices

A new variant of the InterPlanetary Storm malware has been discovered, which comes with fresh detection-evasion tactics and now targets Mac and Android devices (in addition to Windows and Linux, which were targeted by previous variants of the malware).

Researchers say the malware is building a botnet with a current estimated 13,500 infected machines across 84 countries worldwide – and that number continues to grow. Half of the infected machines are in Hong Kong, South Korea and Taiwan. Other infected systems are in Russia, Brazil, the U.S., Sweden and China.

Why this matters:

While the botnet that this malware is building does not have clear functionality yet, it gives the campaign operators a backdoor into the infected devices so they can later be used for cryptomining, DDoS, or other large-scale attacks.

Android Spyware Variant Snoops on WhatsApp, Telegram Messages

Researchers say they have uncovered a new Android spyware variant with an updated command-and-control communication strategy and extended surveillance capabilities that snoops on social media apps WhatsApp and Telegram.

The malware, Android/SpyC32.A, is currently being used in active campaigns targeting victims in the Middle East. It is a new variant of an existing malware operated by threat group APT-C-23 (also known as Two-Tailed Scorpion and Desert Scorpion). APT-C-23 is known to utilize both Windows and Android components, and has previously targeted victims in the Middle East with apps in order to compromise Android smartphones.

Why this matters:

APT groups are increasing activity and they are continually, enhancing their toolsets and running new operations. This the group’s newest spyware version features several improvements making it more dangerous to victims. Whilst these attacks are targeting victims in the Middle East different groups will be using similar tactics against different targets in different locations.

It’s Cyber Security Awareness Month

October is Cyber Security Awareness Month, and annual initiative by the National Cyber Security Alliance. How cyber security aware are you? How cyber security aware are your staff? What about your Board?

Why this matters:

Fundamentally attackers find it easier to your people than to break in via technical means – so cyber security awareness, and instilling in your staff that they have a role to play in helping to secure your organisation is absolutely key.

If you need help raising cyber amongst your staff, users or executives drop us a line – we can help

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin 04/07/2020 Black Arrow Admin 04/07/2020

Cyber Weekly Flash Briefing 03 July 2020: Ransomware attacks increasing, Microsoft emergency updates, ransomware gang auction data, 'return to work' traps, new Windows botnet, Cisco SMB router flaws

Ransomware attacks are increasing, do you have an emergency plan in place?

Cyber attacks and data breaches can have serious implications for organisations in terms of downtime, financial damage and reputation of the business. Ransomware attacks that seek to encrypt a victim’s data and demand a fee to restore it continue to be prevalent. Unfortunately, the damage caused can be severe and widespread, yet 39% of organizations either have no ransomware emergency plan in place or are not aware if one exists. This is despite more ransomware attacks being recorded in the past 12 months than ever before.

The largest ransomware attack to date – WannaCry – was estimated to have affected more than 200,000 computers across 150 separate countries. Ransomware today is rife and has been exacerbated by the current work-from-home trend.

21% of respondents to a recent survey said they had experienced a ransomware attack, and of those, 26% admitted they couldn’t access any working backup after the attack. Even when organisations could access a working backup, 22% of them could either only restore a partial amount of data or none at all.

In most countries, employees have been working under a completely different set of parameters for a couple of months; ones where new security risks are high and where cybercriminals are finding new ways to exploit any weaknesses they can find.

Further reading: The 11 Biggest Ransomware Attacks Of 2020 (So Far) https://www.crn.com/slide-shows/security/the-11-biggest-ransomware-attacks-of-2020-so-far-?itc=refresh

Microsoft releases emergency update to fix two serious Windows flaws

Microsoft on Tuesday released emergency security patches to plug a pair of serious vulnerabilities in its Windows Codecs library that impact several Windows 10 and Windows Server versions. Indexed as CVE-2020-1425 and CVE-2020-1457, the two remote-code execution (RCE) flaws are rated as ‘critical’ and ‘important’ in severity, respectively.

Both security loopholes have to do with how Microsoft Windows Codecs Library handles objects in memory. An attacker of the first flaw could obtain information to further compromise the user’s system, while successful exploitation of the second flaw could enable attackers to execute arbitrary code on the targeted machine.

Details are very sparse and there’s no word on specific attack vectors, but Microsoft said that exploitation of either vulnerability “requires that a program process a specially crafted image file”. This could, for example, involve luring the target into downloading and opening a malicious image file shared via email or a compromised website.

Researchers Find New Calendar-Based Phishing Campaign

Researchers have once again spotted crooks using calendar invitations to mount phishing attacks using iCalendar. iCalendar is a media type that lets users store and exchange calendaring and scheduling information, including events and tasks.

Whilst this is evidence of a new campaign, this is not a new technique. A similar attack cropped up last June, when researchers found attackers using Google's auto-add feature. In that attack, smartphone users would see the invitation as a pop-up invitation, displaying a link to a phishing URL that asked for their credit card data and personal information.

REvil Ransomware Gang Adds Auction Feature for Stolen Data

The REvil ransomware gang (also known as Sodinokibi) has added an auction feature to its underground website that allows anonymous bidding on information stolen in its targeted ransomware campaigns.

The auction capability appeared at the beginning of June and in announcing the feature, REvil included details on its first lot, the firm said, containing accounting information, files and databases stolen from a Canadian agricultural company.

A few days later on June 8, bidding went live, giving interested parties the choice to submit a bid (starting at $50,000) or buy the data outright, with a higher “blitz” price ($100,000).

Other victims whose data went up for sale in auction include a U.S. food distributor (accounts and documents with a starting price of $100,000 and a blitz price of double that); a U.S. law firm (50GB of data including confidential and personal information on clients, with a starting price of $30,000 and a blitz price of $50,000); and a U.S. intellectual property law firm (1.2TB of data including ‘all’ internal documentation, correspondence, patent agreements and client confidential information with a starting price of $1 million and a blitz price of $10 million).

As for why the latter’s data is so valuable, “data stolen from the intellectual property law firm reportedly includes information related to new technologies and unfiled patents that, given the high-profile client list, likely explains the high starting and blitz prices,” the firm noted in a report Monday, adding that the data would possibly be of interest to competitors or even a nation-state seeking to gain economic advantages.

Criminals set 'return to work' traps

Just because workers are returning to their offices, that doesn't mean criminals can't still abuse Covid-19 to spread malware and steal sensitive data.

According to a new report criminals are setting “return to work traps”, taking advantage of the training employees need to go through as they return to the office in its new form.

Many workers now need to go through various tutorials, webinars and training sessions, to ensure they are compliant with new workplace rules set up to prevent viral transmission. Sensing an opportunity, cybercriminals are disguising malware as webinar recordings and other educational material.

According to the report, these new practices are mostly reserved for businesses in North America and Europe, where lockdown measures are slowly being eased up and people are being allowed to return to work.

This new botnet has recruited an army of Windows devices

A new botnet is exploiting close to a dozen high and critical-severity vulnerabilities in Windows systems to turn them into cryptomining clients as well as to launch DDoS attacks.

The malware behind the botnet has been given the name Satan DDoS though security researchers have taken to referring to its as Lucifer in order to avoid confusion with the Satan ransomware.

A security firm began looking into the botnet after discovering it while following multiple incidents involving the exploitation of a critical vulnerability in a component of a web framework which can lead to remote code execution.

At first the Lucifer malware was believed to be used to mine the cryptocurrency Monero. However, it later become apparent that the malware also contains a DDoS component as well as a self-spreading mechanism that uses severe vulnerabilities and brute-forcing to its advantage.

Cisco SMB routers hit with another major security flaw

Security researchers have discovered a significant cross-site scripting (XSS) vulnerability in the web admin interface of two small business routers from Cisco.

The XSS vulnerability exists in the company's RVO42 and RV042G routers and it provides attackers with an easy way to take control of the devices' web configuration utility.

This could allow an attacker to perform a number of admin actions from viewing and modifying sensitive information to taking control of the router or even having the ability to move laterally and gain access to other systems on the network.

Xerox apparently victim of Maze attack

It appears that Xerox is the latest victim of Maze ransomware attackers, if screenshots posted by the ransomware’s operators are legitimate.

The hackers claim to have obtained more than 100GB of information and are threatening to publish it, according to a reports.

Maze has hit a number of high-profile targets and in recent months has joined forces with other ransomware groups.

FakeSpy Android Malware Spread Via ‘Postal-Service’ Apps

Android mobile device users are being targeted in a new SMS phishing campaign that’s spreading the FakeSpy infostealer. The malware, which is disguised as legitimate global postal-service apps, steals SMS messages, financial data and more from the victims’ devices.

The campaign was first discovered several weeks ago targeting South Korean and Japanese speakers, but it has now expanded that targeting to China, Taiwan, France, Switzerland, Germany, the United Kingdom and the United States. The attacker uses text messages as an initial infection vector, prompting the Android recipients to click on a malicious link, in a practice known as SMS phishing or “smishing.”

New Mac Ransomware Is Even More Sinister Than It Appears

There haven't been too many strains tailored specifically to infect Apple's Mac computers since the first full-fledged Mac ransomware surfaced four years ago but new findings published this week have highlighted a new example of Mac ransomware called ThiefQuest.

In addition to ransomware, ThiefQuest has a whole other set of spyware capabilities that allow it to exfiltrate files from an infected computer, search the system for passwords and cryptocurrency wallet data, and run a robust keylogger to grab passwords, credit card numbers, or other financial information as a user types it in. The spyware component also lurks persistently as a backdoor on infected devices, meaning it sticks around even after a computer reboots, and could be used as a launchpad for additional, or "second stage," attacks. Given that ransomware is so rare on Macs to begin with, this one-two punch is especially noteworthy.

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin 17/04/2020 Black Arrow Admin 17/04/2020

Cyber Weekly Flash Briefing for 17 April 2020 – More Top Companies Ban Zoom, Microsoft fixes 3 zero-days, 2 being actively exploited, 500,000 Zoom accounts sold online, Sinister new Botnet

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

60 second video version of this week’s flash briefing

More top companies ban Zoom following security fears

As usage of Zoom rises amidst the global pandemic, more companies are telling their staff to stay off the video conferencing service due to security concerns.

Among the latest organisations to block the use of Zoom are German industrial giant Siemens, which sent out an internal circular urging its employees to not use the tool for video conferencing, with Standard Chartered Bank also issuing a similar note to its staff.

The latter has told employees to avoid Google Hangouts, which has also emerged as another popular teleconferencing application in recent weeks.

Over 500,000 Zoom accounts sold on hacker forums, the dark web

Over 500,000 Zoom accounts are being sold on the dark web and hacker forums for less than a penny each, and in some cases, given away for free.

These credentials are gathered through credential stuffing attacks where threat actors attempt to login to Zoom using accounts leaked in older data breaches. The successful logins are then compiled into lists that are sold to other hackers.

Some of these Zoom accounts are offered for free on hacker forums so that hackers can use them in zoom-bombing pranks and malicious activities. Others are sold for less than a penny each.

Microsoft April 2020 Patch Tuesday fixes 3 zero-days – 2 of which being actively exploited, 15 critical flaws

Microsoft's April 2020 Patch Tuesday fell this week, and with everything going on, it is going to be particularly stressful for Windows administrators.

With the release of the April 2020 security updates, Microsoft has released fixes for 113 vulnerabilities in Microsoft products. Of these vulnerabilities, 15 are classified as Critical, 93 as Important, 3 as Moderate, and 2 as Low.

Of particular interest, Microsoft patched three zero-day vulnerabilities, with two of them being seen actively exploited in attacks.

Users should install these security updates as soon as possible to protect Windows from known security risks.

Hackers Are Selling a Critical Zoom Zero-Day Exploit for £400,000

Hackers are selling two critical vulnerabilities for the video conferencing software Zoom, one for Windows and one for MacOS that would allow someone to hack users and spy on their calls.

The two flaws are so-called zero-days, and are currently present in Zoom’s Windows and MacOS clients, according to three sources who are knowledgeable about the market for these kinds of hacks. The sources have not seen the actual code for these vulnerabilities, but have been contacted by brokers offering them for sale.

Zero-day exploits or just zero-days or 0days are unknown vulnerabilities in software or hardware that hackers can take advantage of to hack targets. Depending on what software they’re in, they can be sold for thousands or even millions of dollars.

Phishing kit prices skyrocketed in 2019 by 149%

The average price of a phishing kit sold on cybercrime markets has gone up in 2019 by 149% according to new findings released this week based on analysis of ads posted on known cybercrime markets and hacking forums.

The average price for phishing kits sold on the cybercrime underground in 2019 has skyrocketed to $304 on average last year, up from only $122 recorded in 2018.

Phishing kit prices rose despite an increase in the number of kit sellers (up by 120%) and the number of phishing kit ads (doubled in 2019).

Of the 16,200 phishing kits identified and tracked in 2019, the most targeted login pages were for Amazon, Google, Instagram, Office 365, and PayPal.

Amazon and PayPal are known targets of phishing operations, as access to both accounts can allow hackers to make fraudulent transactions with victims' funds.

More here: https://www.zdnet.com/article/phishing-kit-prices-skyrocketed-in-2019-by-149/

A Sinister New Botnet Could Prove Nearly Impossible To Stop

Security researchers have discovered an emerging threat that they fear could be nearly unstoppable. This growing botnet has already managed to enslave nearly 20,000 computers.

It is known as DDG, and it’s been lurking in the shadows for at least two years. DDG was first discovered in early 2018.

Back then the nascent botnet had control of just over 4,000 so-called zombies and used them to mine the Monero cryptocurrency. Much has changed since then.

Today’s incarnation of DDG isn’t just five times larger. It’s also much more sophisticated.

One of its distinguishing features is its command and control system. Most botnets are designed around a client/server model. Infected machines listen for instructions from the servers and then carry out their orders.

MSC Data Centre Closes Following Suspected Cyber-Attack

A container shipping company has said malware could be to blame for the closure of one of its data centres last week.

The Mediterranean Shipping Company (MSC) took to Twitter on Good Friday to report a network outage issue affecting the website msc.com, which was still down at time of writing.

The incident, which is thought to have occurred on Thursday, April 9, also brought down the shipping company's myMSC portal.

A message posted from the Twitter account MSC Cargo on April 10 stated: "We are sorry to inform you that http://MSC.com and myMSC are currently not available as we've experienced a network outage in one of our data centers. We are working on fixing the issue."

As a result of the outage, self-service tools for making and managing bookings on MSC ships have ceased to be operational. Alternative booking platforms are available, and customers can still book via email and over the phone.

Read the original article here: https://www.infosecurity-magazine.com/news/msc-suffers-suspected-cyberattack/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin 11/04/2020 Black Arrow Admin 11/04/2020

Cyber Weekly Flash Briefing for 11 April 2020 – NCSC advisory on COVID activity, Travelex pays $2.3M ransom, Zoom tries to get better, Shadow IT risks, Unkillable Android malware, Bot traffic up

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

60 second video flash briefing

UK NCSC and US CISA issue joint Advisory: COVID-19 exploited by malicious cyber actors

A joint advisory was put out from the United Kingdom’s National Cyber Security Centre (NCSC) and the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) relating to information on exploitation by cyber criminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for detection as well as mitigation advice.

Download the advisory notice here: https://www.ncsc.gov.uk/files/Final%20Joint%20Advisory%20COVID-19%20exploited%20by%20malicious%20cyber%20actors%20v3.pdf

Travelex paid $2.3M in Bitcoin to get its systems back from hackers

Travelex paid hackers $2.3 million worth of Bitcoin to regain access to its computer systems after a devastating ransomware attack on New Year’s Eve.

The London-based company said it decided to pay the 285 BTC based on the advice of experts, and had kept regulators and partners in the loop throughout the recovery process.

Although Travelex, which manages the world’s largest chain of money exchange shops and kiosks, did confirm the ransomware attack when it happened, it hadn’t yet disclosed a Bitcoin ransom had been paid to restore its systems.

Travelex previously blamed the attack on malware known as Sodinokibi, a ‘Ransomware-as-a-Service’ tool-kit that has recently begun publishing data stolen from companies that don’t pay up.

Travelex‘ operations were crippled for almost all of January, with its public-facing websites, app, and internal networks completely offline. It also reportedly interrupted cash deliveries to major banks in the UK, including Barclays and Lloyds.

At the time, BBC claimed that Travelex‘ attackers had demanded $6 million worth of Bitcoin to unlock its systems.

Zoom sets up CISO Council and hires ex-CSO of Facebook to clean up its privacy mess

The ongoing coronavirus pandemic has seen people relying on work collaboration apps like Teams and Slack to talk to others or conduct meetings. Zoom, in particular, has seen incredible growth over the past few weeks but it came at a cost. The company has been under a microscope after various researchers discovered a number of security flaws in the app. To Zoom’s credit, the company responded immediately and paused feature updates to focus on security issues.

The company announced that it’s taking help from CISOs to improve the security and patch the flaws in the app. Zoom will be taking help from CISOs from HSBC, NTT Data, Procore, and Ellie Mae, among others. Moreover, the company is also setting up an Advisory Board that will include security leaders from VMware, Netflix, Uber, Electronic Arts, and others. Lastly, the company has also asked Alex Stamos, ex-CSO of Facebook to join as an outside advisor. Alex is a well-known personality in the cybersecurity world who left Facebook after an alleged conflict of interest with other executives about how to address the Russian government’s use of its platform to spread disinformation during the 2016 U.S. presidential election.

Researchers discover IoT botnet capable of launching various DDoS attacks

Cyber security researchers have found a new botnet comprised of more than a thousand IoT devices, capable of launching distributed denial of service (DDoS) attacks.

According to a report, researchers have named the botnet Dark Nexus, and believe it was created by well-known malware developer greek.Helios - a group that has been selling DDoS services and botnet code for at least the past three years.

Analysing the botnet through a honeypot, the researchers found it is comprised of 1,372 bots, but believe it could grow extremely quickly.

Dark Nexus is based on Mirai and Qbot, but has seen some 40 iterations since December 2020, with improvements and new features added almost daily.

Read the original article here: https://www.itproportal.com/news/researchers-discover-iot-botnet-capable-of-launching-various-ddos-attacks/

Microsoft: Cyber-Criminals Are Targeting Businesses Through Vulnerable Employees

Microsoft has warned that cyber-criminals are preying on people’s vulnerable psychological states during the COVID-19 pandemic to attack businesses. During a virtual press briefing, the multinational technology company provided data showing how home working and employee stress during this period has precipitated a huge amount of COVID-19-related attacks, particularly phishing scams.

Working from home at this time is very distracting for a lot of people, particularly if they are looking after children. Additionally, many individuals are in a stressful state with the extra pressures and worries as a result of COVID-19. This environment is providing new opportunities for cyber-criminals to operate.

“We’re seeing a significant increase in COVID-related phishing lures for our customers,” confirmed Microsoft. “We’re blocking roughly 24,000 bad emails a day with COVID-19 lures and we’ve also been able to see and block through our smart screen 18,000 malicious COVID-themed URLs and IP addresses on a single day, so the volume of attacks is quite high.”

Read the original article here: https://www.infosecurity-magazine.com/news/cybercriminals-targeting/

Stolen Zoom account credentials are freely available on the dark web

Loved, hated, trusted and feared in just about equal measure, Zoom has been all but unavoidable in recent weeks. Following on from a combination of privacy and security scandals, credentials for numerous Zoom account have been found on the dark web.

The credentials were hardly hidden -- aside from being on the dark web. Details were shared on a popular forum, including the email address, password, meeting ID, host key and host name associated with compromised accounts.

Shadow IT Represents Major #COVID19 Home Working Threat

Rising threat levels and remote working challenges stemming from the COVID-19 pandemic are putting increased pressure on IT security professionals, according to new data.

A poll of over 400 respondents from global organisations with over 500 employees was conducted to better understand the current challenges facing security teams.

It revealed that 71% of security professionals had reported an increase in security threats or attacks since the start of the virus outbreak. Phishing (55%), malicious websites (32%), malware (28%) and ransomware (19%) were cited as the top threats.

These have been exacerbated by home working challenges, with 95% of respondents claiming to be under new pressures.

Top among these was providing secure remote access for employees (56%) and scalable remote access solutions (55%). However, nearly half (47%) of respondents complained that home workers using shadow IT solutions represented a major problem.

These challenges are only going to grow, according to the research.

'Unkillable' Android malware gives hackers full remote access to your phone

Security experts are warning Android users about a particularly nasty strain of malware that's almost impossible to remove.

A researcher has written a blog post explaining how the xHelper malware uses a system of nested programs, not unlike a Russian matryoshka doll, that makes it incredibly stubborn.

The xHelper malware was first discovered last year, but the researcher has only now established exactly how it gets its claws so deeply into your device, and reappears even after a system restore.

Although the Google Play Store isn't foolproof, unofficial third party app stores are much more likely to harbour malicious apps. App-screening service Google Play Protect blocked more than 1.9 million malware-laced app installs last year, including many side-loaded or installed from unofficial sources, but it's not foolproof.

xHelper is often distributed through third-party stores disguised as a popular cleanup or maintenance app to boost your phone's performance, and once there, is amazingly stubborn.

More here: https://www.techradar.com/uk/news/beware-the-unkillable-android-malware-lurking-on-third-party-app-stores

Decade of the RATs (Remote Access Trojan): Novel APT Attacks Targeting Linux, Windows and Android

BlackBerry researchers have released a new report that examines how five related APT groups operating in the interest of the Chinese government have systematically targeted Linux servers, Windows systems and Android mobile devices while remaining undetected for nearly a decade.

The report comes on the heels of the U.S. Department of Justice announcing several high-profile indictments from over 1,000 open FBI investigations into economic espionage as part of the DOJ’s China Initiative.

The BlackBerry report, titled Decade of the RATs: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android, examines how APTs have leveraged the “always on, always available” nature of Linux servers to establish a “beachhead” for operations. Given the profile of the five APT groups involved and the duration of the attacks, it is likely the number of impacted organisations is significant.

The cross-platform aspect of the attacks is also of particular concern in light of security challenges posed by the sudden increase in remote workers. The tools identified in these ongoing attack campaigns are already in place to take advantage of work-from-home mandates, and the diminished number of personnel onsite to maintain security of these critical systems compounds the risks. While the majority of the workforce has left the office as part of containment efforts in response to the Covid-19 outbreak, intellectual property remains in enterprise data centres, most of which run on Linux.

Most large organizations rely on Linux to run websites, proxy network traffic and store valuable data. While Linux may not have the visibility that other front-office operating systems have, it is arguably the most critical where the security of critical networks is concerned. Linux runs nearly all of the top 1 million websites, 75% of all web servers, 98% of the world’s supercomputers and 75% of major cloud service providers (Netcraft, 2019, Linux Foundation, 2020).

More here: https://blogs.blackberry.com/en/2020/04/decade-of-the-rats

Bot traffic fueling rise of fake news and cybercrime

The coronavirus pandemic has disrupted daily life around the world and the WHO recently warned that an overabundance of information about the virus makes it difficult for people to differentiate between legitimate news and misleading information.

At the same time, EU security services have warned that Russia is aggressively exploiting the coronavirus pandemic to push disinformation and weaken Western society through its bot army.

A cyber security firm has been using its bot manager to monitor internet traffic in an attempt to track the “infodemic” that both the WHO and EU security services have issued warnings on.

According to the data, bots have upped their game and organisations in the social media, ecommerce and digital publishing industries have experienced a surge in bad bot traffic following the coronavirus outbreak.

The bots have been found to be executing various insidious activities including spreading disinformation, spam commenting and more. In February, 58.1 percent of bots had the capability to mimic human behaviour. This means that they can disguise their identities, create fake accounts on social media sites and post their masters' propaganda while appearing as a genuine user.

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Black Arrow Admin 19/01/2020 Black Arrow Admin 19/01/2020

Week in review 19 January 2020 – hacker leaks IoT passwords, WordPress plugin vulns, Oracle record patch haul, 25% of users fall for phishing, quarter of PCs vulnerable now Windows 7 unsupported

Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices

A hacker has published this week a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT (Internet of Things) "smart" devices.

The list, which was published on a popular hacking forum, includes each device's IP address, along with a username and password for the Telnet service, a remote access protocol that can be used to control devices over the internet.

According to experts, and a statement from the leaker himself, the list was compiled by scanning the entire internet for devices that were exposing their Telnet port. The hacker than tried using (1) factory-set default usernames and passwords, or (2) custom, but easy-to-guess password combinations.

Equifax Breach Settlement Could Cost Firm Billions

Equifax could end up paying as much as $9.5bn following a data breach settlement branded one of the largest in history by its presiding judge.

The credit reporting giant suffered a major cyber-attack in 2017 after hackers exploited an unpatched Apache Struts vulnerability, compromising highly sensitive personal and financial information on around 148 million customers.

Over two-fifths (44%) of the population of the US are thought to have been affected.

This week, a court in Georgia finally approved a settlement in the long-running class action case that followed the breach, which will require Equifax to pay $380.5m, plus potentially an extra $125m, to satisfy claims of out-of-pocket losses.

WordPress plugin vulnerability can be exploited for total website takeover

A WordPress plugin has been found to contain "easily exploitable" security issues that can be exploited to completely take over vulnerable websites.

The plugin at the heart of the matter, WP Database Reset, is used to reset databases -- either fully or based on specific tables -- without the need to go through the standard WordPress installation process.

According to the WordPress library, the plugin is active on over 80,000 websites.

The two severe vulnerabilities were found on January 7 and either of the vulnerabilities can be used to force a full website reset or takeover.

Tracked as CVE-2020-7048, the first critical security flaw has been issued a CVSS score of 9.1. As none of the database reset functions were secured through any checks or security nonces, any user was able to reset any database tables they wished without authentication.

More here: https://www.zdnet.com/article/wordpress-plugin-vulnerability-can-be-exploited-for-full-website-hijacking/

Oracle Issues Record Critical Patch Update cycle with 334 Patches

Oracle has hit an all-time record for number of security fixes issued in a critical patch update (CPU), providing sysadmins with over 330 in its first quarterly release of the decade.

The enterprise software giant issued 334 patches in total across more than 90 products this week. As such, January 2020 easily beats the previous largest CPU, consisting of 308 fixes in July 2017.

Oracle strongly urged firms to apply the patches as soon as possible, claiming that attacks have had success in compromising customers that failed to update their systems promptly.

Among the products affected by this quarter’s CPU are popular platforms including: Oracle Database Server, which featured 12 new patches including three remotely exploitable; Oracle Communications Applications (25 patches, 23 of which are remotely exploitable); Oracle E-Business Suite (23, 21); Oracle Enterprise Manager (50, 10); Fusion Middleware (38, 30); Java SE (12); JD Edwards (9); MySQL (19, 6); Siebel CRM (5); Oracle Virtualization (22, 3); and PeopleSoft (15, 12).

It’s a busy time of the year for IT administrators. Earlier this week, Microsoft released fixes for scores of vulnerabilities in the last regular Patch Tuesday for Windows 7 and Server 2008.

Read the original article here: https://www.infosecurity-magazine.com/news/oracle-issues-record-cpu-with-334/

Giant botnet has just sprung back to life pushing a big phishing campaign

One of the world's most prolific botnets has returned and is once again attempting to deliver malware to victims via phishing attacks.

Emotet started life as a banking trojan before evolving into a botnet, which its criminal operators leased out to other hackers as a means of delivering their own malware to previously compromised machines.

Such was the power of the botnet that at one point last year it accounted for almost two-thirds of of malicious payloads delivered in phishing attacks.

But after seemingly disappearing towards the end of 2019, Emotet has now returned with a giant email-spamming campaign, as detailed by researchers at cybersecurity company Proofpoint.

A quarter of users will fall for basic phishing attacks

Slightly more than a quarter of people will fall for a phishing scam that claims to be an urgent message prompting them to change a password, according to statistics gathered by a cyber security testing and training firm.

The security firm studied tens of thousands of email subject lines both from simulated phishing tests and those found in the wild, and found many of the most-clicked emails related either to security or urgent work-related matters.

It revealed its top 10 most effective simulated subject lines to be: Change of Password Required Immediately (26% opened); Microsoft/Office 365: De-activation of Email in Process (14% opened); Password Check Required Immediately (13% opened); HR: Employees Raises (8% opened); Dropbox: Document Shared With You (8% opened); IT: Scheduled Server Maintenance – No Internet Access (7% opened); Office 365: Change Your Password Immediately (6% opened); Avertissement des RH au sujet de l’usage des ordinateurs personnels (6% opened); Airbnb: New device login (6% opened); and Slack: Password Reset for Account (6% opened).

In the wild, subject lines often tended to relate to Microsoft, with emails about SharePoint and Office 365 particularly likely to be opened, as well as notifications about Google and Twitter accounts. People were also likely to fall for emails pretending to be related to problems with a shipping company, with FedEx the most widely impersonated, as well as the US Postal Service.

Read the full article here: https://www.computerweekly.com/news/252476845/A-quarter-of-users-will-fall-for-basic-phishing-attacks

Business Disruption Attacks Most Prevalent in Last 12 Months

Business disruption was the main objective of attackers in the last year, with ransomware, DDoS and malware commonly used.

According to the CrowdStrike Services Cyber Front Lines Report, which offers observations from its incident response and proactive services, a third (36%) of incidents often involved ransomware, destructive malware or denial of service attacks. Crowdstrike determined that these three factors to be focused on “business disruption,” and while an adversary’s main goal in a ransomware attack is financial gain, the impact of disruption to a business can often outweigh the loss incurred by paying the ransom.

Also observed in 25% of the investigated incidents was data theft, including the theft of intellectual property, personally identifiable information and personal health information. IP theft has been linked to numerous nation state adversaries that specialize in targeted intrusion attacks, while PII and PHI data theft can enable both espionage and criminally-motivated operations.

Quarter of PCs could now be more at risk from ransomware

Last week saw the day when Windows 7 reached end of life. That means that Microsoft will no longer issue regular patches or updates for the famed operating system. From now on, any flaw or vulnerability discovered will remain unpatched, and the machines running the old system will remain at risk.

Any businesses or individuals running legacy and unsupported operating systems will be at a greater risk of ransomware than before.

WannaCry, one of the most devastating ransomwares of all time, was successful mostly because of unpatched systems. Roughly 200,000 devices in 150 countries around the world will be vulnerable to similar malware, now that Windows 7 is no longer receiving security updates from Microsoft.

From this month, a quarter of all PCs are going to fall into this unsupported category so it is vital that any organisations that rely on Windows 7 are aware of the risks and what they need to mitigate them.

Read the original article here: https://www.itproportal.com/news/quarter-of-pcs-could-now-be-more-at-risk-from-ransomware/

5 tips to avoid spear-phishing attacks

Phishing, very briefly defined, is where a cybercriminal tricks you into revealing something electronically that you ought to have kept to yourself.

The good news is that most of us have learned to spot obvious phishing attacks these days.

The bad news is that you can’t reliably spot phishing attacks just by watching out for obvious mistakes, or by relying on the crooks saying “Dear Customer” rather than using your name.

You need to watch out for targeted phishing, often rather pointedly called spear-phishing, where the crooks make a genuine effort to tailor each phishing email, for example by customising it both to you and to your company.

Spear-phishing, where the fake emails really are believable, isn’t just an issue for high-profile victims such as the Burismas of the world.

Acquiring the specific data needed to come up with personalised phishing emails is easier than you might think, and much of the data gathering can be automated.

So here are Sophos’ 5 tips for dealing with phishing attacks, especially if you’re facing a crook who’s willing to put in the time and effort to win your trust instead of just hammering you with those “Dear Customer” emails:

1. Don’t be swayed just because a correspondent seems to know a lot about you

2. Don’t rush to send out data just because the other person tells you it’s urgent

3. Don’t rely on details provided by the sender when you check up on them

4. Don’t follow instructions on how to view an email that appear inside the email itself

5. Don’t be afraid to get a second opinion

Read the full article here: https://nakedsecurity.sophos.com/2020/01/17/5-tips-to-avoid-spear-phishing-attacks/

Organized cybercrime -- not your average mafia

Does the common stereotype for "organised crime" hold up for organisations of hackers? Research from a University in US is one of the first to identify common attributes of cybercrime networks, revealing how these groups function and work together to cause an estimated $445-600 billion of harm globally per year.

"It's not the 'Tony Soprano mob boss type' who's ordering cybercrime against financial institutions," said Thomas Holt, MSU professor of criminal justice and co-author of the study. "Certainly, there are different nation states and groups engaging in cybercrime, but the ones causing the most damage are loose groups of individuals who come together to do one thing, do it really well - and even for a period of time - then disappear."

In cases like New York City's "Five Families," organised crime networks have historic validity, and are documented and traceable. In the online space, however, it's a very difficult trail to follow, Holt said.

Cybercrime Statistics in 2019

It doesn’t make for cheery reading but a researcher has compiled a list of statistics for cyber crime, here are few choice headlines:

Cybercrime will cost as much as $6 trillion annually by 2021
Financial losses reached $2.7 billion in 2018
The total cost of cybercrime for each company in 2019 reached US$13M
The total annual cost of all types of cyberattacks is increasing

Read the full article here: https://securityaffairs.co/wordpress/96531/cyber-crime/cybercrime-statistics-in-2019.html

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Threat Intelligence Blog

Black Arrow Cyber Threat Briefing 23 July 2021

Top Cyber Stories of the Last Week

40% Fell Victim To A Phishing Attack In The Past Month

Traditional Ransomware Defences Are Failing Businesses

Cyber Security Risk: The Number Of Employees Going Around IT Security May Surprise You

740 ransomware victims named on data leak sites in Q2 2021: report

A More Dynamic Approach Is Needed To Tackle Today’s Evolving Cyber Security Threats

Law Firm For Ford, Boeing, Exxon, Marriott, Walgreens, And More Hacked In Ransomware Attack

UK And Allies Accuse China Of 'Reckless' Cyber Extortion And Microsoft Hack

Even after Emotet takedown, Office docs deliver 43% of all malware downloads now

Gun Owners' Fears After Firearms Dealer Data Breach

Threats

Ransomware

BEC

Phishing

Malware

Mobile

Vulnerabilities

Data Breaches

Organised Crime & Criminal Actors

Supply Chain

DoS/DDoS

OT, ICS, IIoT and SCADA

Nation State Actors

Cloud

Privacy

Other News

Black Arrow Cyber Threat Briefing 26 March 2021

Top Cyber Stories of the Last Week

Cyber Warfare Will Grind Britain’s Economy To A Halt

Almost $2 Billion Lost To BEC Scams In 2020

Ransomware Gang Says It Targets Firms Who Have Cyber Insurance

Three Billion Phishing Emails Are Sent Every Day

Ransomware Gang Demands $50 Million From Computer Maker Acer

Office 365 Phishing Attack Targets Financial Execs

Microsoft Exchange Hacking: Thousands Of Email Servers Still Compromised – Ransomware Operators Still Piling In On Already Hacked Servers

Average Ransom Payment Surged 171% in 2020

Phishers’ Perfect Targets: Employees Getting Back To The Office

Nasty Malware Stealing Amazon, Facebook And Google Passwords

Threats

Ransomware

Phishing

Malware

IOT

Vulnerabilities

Data Breaches

Organised Crime & Criminal Actors

OT, ICS, IIoT and SCADA

Nation State Actors

Privacy

Other News

Black Arrow Cyber Threat Briefing 19 March 2021

Top Cyber Stories of the Last Week

Tens Of Thousands Of Microsoft Exchange Customers Are Under Assault From Hackers, Experts Warning Of Unprecedented Damage, Exploits Being Targeted By "At Least 10 Hacker Groups"

Over $4.2 Billion Officially Lost To Cyber Crime In 2020

Cyber Attacks Multiply On Wealthy Investors

Cyber Strength Now Key To National Security, Says UK

Largest Ransomware Demand Now Stands At $30 Million As Crooks Get Bolder

Mimecast: SolarWinds Attackers Stole Source Code

71 Percent Of Office 365 Users Suffer Malicious Account Takeovers

More Than 16 Million Covid-Themed Cyber Attacks Launched In 2020

“Expert” Hackers Used 11 0-Days To Infect Windows, iOS, And Android Users

Cyber Attacks: Is The ‘Big One’ Coming Soon?

Threats

Ransomware

Phishing

Malware

IOT

Vulnerabilities

Data Breaches

Organised Crime & Criminal Actors

OT, ICS, IIoT and SCADA

Nation-State Actors

Denial of Service

Privacy

Other News

Black Arrow Cyber Threat Briefing 29 January 2021

Top Cyber Headlines of the Week

Phishing Attacks Show High-Ranking Execs May Be ‘Most Valuable Asset,’ and ‘Greatest Vulnerability’