Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week 

Half of Regulated Firms See Pandemic Spike in Financial Crime

Around half of firms in the financial services, property and legal sectors have reported rising levels of financial crime over the past 12 months, according to new data from an anti-money laundering (AML) specialist which polled 500 regulated businesses in the UK to better understand the levels of risk facing players in each vertical.

Overall, 48% of respondents said they’d seen a rise in financial crime, and a quarter (26%) admitted they’d been a victim of attacks. Legal firms, including conveyancers, experienced the most significant number of compromises, with a third (33%) saying they had been a victim of financial crime.

The sector is an increasingly attractive target for both state-backed and financially motivated cyber-criminals, given the wealth of sensitive client information that legal practices typically hold. https://www.infosecurity-magazine.com/news/half-firms-pandemic-spike/  

Large Ransom Demands And Password-Guessing Attacks Escalate

ESET released a report that summarizes key statistics from its detection systems and highlights notable examples of its cyber security research.

The latest issue of the report highlights several concerning trends that were recorded by ESET telemetry, including increasingly aggressive ransomware tactics, intensifying brute-force attacks, and deceptive phishing campaigns targeting people working from home who have gotten used to performing many administrative tasks remotely.

Ransomware, showing three major detection spikes during T2, saw the largest ransom demands to date. The attack shutting down the operations of Colonial Pipeline – the largest pipeline company in the US – and the supply-chain attack leveraging a vulnerability in the Kaseya VSA IT management software, sent shockwaves that were felt far beyond the cybersecurity industry. https://www.helpnetsecurity.com/2021/10/05/large-ransom-demands/

Malicious Hackers Are Exploiting Known Vulnerabilities Because Organizations Aren’t Quick Enough To Patch – Report

Organizations are urged to be more proactive when it comes to protecting against vulnerabilities, after a report found that malicious attackers routinely exploit unpatched systems.

The 2021 Trustwave SpiderLabs Telemetry Report, released this week, found that a huge number of companies are falling foul to cyber-attacks despite having ready access to suitable fixes.

This is happening because malicious actors are using Shodan to scan for networks that are exposed to known vulnerabilities and exploit them before the victim can apply the patch. https://portswigger.net/daily-swig/malicious-hackers-are-exploiting-known-vulnerabilities-because-organizations-arent-quick-enough-to-patch-report  

Ransomware: Cyber Criminals Are Still Exploiting These Old Vulnerabilities, So Patch Now

Some of the cyber security vulnerabilities most commonly exploited by cybercriminals to help distribute ransomware are years old -- but attackers are still able to take advantage of them because security updates aren't being applied.

Cybersecurity researchers at Qualys examined the Common Vulnerabilities and Exposures (CVEs) most used in ransomware attacks in recent years. They found that some of these vulnerabilities have been known for almost a decade and had vendor patches available. But because many organizations still haven't applied the available security updates, they remain vulnerable to ransomware attacks. https://www.zdnet.com/article/ransomware-cyber-criminals-are-still-exploiting-years-old-vulnerabilities-to-launch-attacks/

How Insurers Play a Big Role in Spurring Cyber Crime

Ransomware extracted $18 billion in payments last year, and it’s expected there will be an attack every 11 seconds by this year’s end, a problem that some security experts and academic researchers say is exacerbated by the system meant to protect against cybercrime: the insurance industry.

Organizations with cyber insurance are more than twice as likely to pay ransoms as those without, according to a global survey commissioned by UK-based cyber security and software firm Sophos of 1,823 companies, governments, health systems, and other organizations that had been hit by ransomware. This is one of the first times such data have been gathered that show the extent of the relationship between cyber insurance and ransomware payments. Critics say that relationship helps fuel a ransomware economy that the federal government estimates causes $445 billion in damages to the global economy every year. https://www.barrons.com/articles/ransomware-attack-cyber-insurance-industry-51633075202

Why Today’s Cyber Security Threats Are More Dangerous

Over the past two years, the rise of big-ticket ransomware attacks and revelations of harmful software supply chain infections have elevated cyber security to the top of governments’ and corporate agendas.

The opportunities for threat actors are growing faster than firms are able to mitigate them.

Unlike 20 years ago, when even extensive IT systems were comparatively standalone and straightforward, the interdependencies of systems now make dealing with and defending against threats a much more difficult proposition. The core problems being complexity and interdependence and neither are going away because that is what is providing organisations with the flexibility, functionality and all these other critical functions that they need. https://www.csoonline.com/article/3635097/why-today-s-cybersecurity-threats-are-more-dangerous.html

How Fraudsters Can Use The Forgotten Details Of Your Online Life To Reel You In

You may think you’ve been careful, but a determined scammer can probably find enough to manipulate you. https://www.theguardian.com/money/2021/oct/03/how-fraudsters-can-use-the-forgotten-details-of-your-online-life-to-reel-you-in  

One In Three IT Security Managers Don’t Have A Formal Cybersecurity Incident Response Plan

Regardless of industry, information security incidents have become more of a targeted threat for businesses, increasing in amount and efficacy, according to a new report.

Of all the security incidents identified by over 900 surveyed employees at U.S. businesses, the three most threatening incidents were: increasingly severe ransomware attacks, more effective phishing schemes, and rampant reusing of passwords.

·         Respondents reported phishing emails have nearly tripled in effectiveness over the past two years. Phishing emails are rapidly becoming more difficult to spot and thus far more destructive.

·         Over the past year, ransomware attacks have increased by 25%. Ransom demands were significantly higher than average for businesses in specific industries, such as banking and financial services and construction, with higher payouts.

·         The report found that password reuse is strongly associated with higher incidences of security breaches. Reported account takeovers were three times as common among people who reuse passwords as those who don’t.

Alarmingly, 23% of the IT security managers surveyed say their company doesn’t have protocols in place to report a suspected cyberattack and 33% don’t have a formal cybersecurity incident response plan. https://www.helpnetsecurity.com/2021/10/06/response-plan-cybersecurity/  

Cyber Security Best Practices Lagging, Despite People Being Aware Of The Risks

The National Cybersecurity Alliance and CybSafe announced the release of a report which polled 2,000 individuals across the U.S. and UK. The report examined key cybersecurity trends, attitudes, and behaviours ahead of Cybersecurity Awareness Month this month.

The daily headlines of data breaches and ransomware attacks is a testament to the problem getting worse, yet most people aren’t aware of the simple steps they can take to be a part of the solution. It’s critical to have a deeper understanding of both the challenges we face and the prevailing attitudes and behaviors among the public.

Too often people are forgotten in cybersecurity conversations and this is borne out by cyber crime being more common among Millenials and Gen Z, and the public not embracing cyber security best practices.

The report also found that many users had limited access to cyber training, with  64% of respondents having no access to cybersecurity training, while 27% of those who do have access choose not to use it. https://www.helpnetsecurity.com/2021/10/07/cybersecurity-best-practices-lagging/

Threats

Ransomware

• Ransomware: Cyber Criminals Are Still Exploiting These Old Vulnerabilities, So Patch Now | ZDNet

• Ransomware: Police Arrest Two In Operation Against 'Prolific' Gang That Targeted Big Businesses | ZDNet

• Revil Alone Accounts For A Significant Portion Of Q2 2021 Ransomware Attacks | Techspot

• Behind the Crypto Broker Accused of Enabling Ransomware Hackers - Bloomberg

• Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack – Sophos News

• US Ransomware Law Would Require Victims To Disclose Ransom Payments Within 48 Hours | ZDNet

• Ransomware Group FIN12 Aggressively Going After Healthcare Targets (thehackernews.com)

Other Social Engineering

• Smishing On The Rise - Infosecurity Magazine (Infosecurity-Magazine.Com)

Malware

• Researchers Discover UEFI Bootkit Targeting Windows Computers Since 2012 (thehackernews.com)

• 91.5% Of Malware Arrived Over Encrypted Connections During Q2 2021 - Help Net Security

IOT

• IP Surveillance Bugs in Axis Gear Allow RCE, Data Theft | Threatpost

BYOD

• NCSC: Revoke Admin Access for BYOD Users Immediately - Infosecurity Magazine (infosecurity-magazine.com)

• BYOD Security Warning: You Can't Do Everything Securely With Just Personal Devices | ZDNet

Vulnerabilities

• Patch Apache HTTP Servers Now to Avoid Zero Day Exploit - Infosecurity Magazine (infosecurity-magazine.com)

Data Breaches/Leaks

• The Telegraph Exposed A 10tb Database With Subscriber Data - Security Affairs

Cryptocurrency/Cryptojacking

• Hackers Rob Thousands Of Coinbase Customers Using MFA Flaw (Bleepingcomputer.Com)

Insider Threats

• Fired IT Admin Revenge-Hacks School By Wiping Data, Changing Passwords (Bleepingcomputer.Com)

Dark Web

• Over A Billion Facebook Users Have Data Sold On The Dark Web | Techradar

Nation State Actors

• Chinese Hackers Used a New Rootkit to Spy on Targeted Windows 10 Users (thehackernews.com)

• Microsoft: 58% of Nation-State Cyber Attacks Come From Russia (darkreading.com)

• Google Warns 14,000 Gmail Users Targeted By Russian Hackers (Bleepingcomputer.Com)

• Solarwinds Hack Saw Russia Steal Us Anti-Spy Probe Details • The Register

• A New APT Hacking Group Targeting Fuel, Energy, and Aviation Industries (thehackernews.com)

• New Study Links Seemingly Disparate Malware Attacks to Chinese Hackers (thehackernews.com)

• Iranian APT Targets Aerospace And Telecom Firms With Stealthy ShellClient Trojan | CSO Online

Cloud

• How Should Banks Grapple With Regulation When Crafting Their Cloud Strategy? (finextra.com) 

Reports Published in the Last Week

• Russian Cyber Attacks Pose Greater Risk To Governments And Other Insights From Microsoft’s Annual Report - Microsoft On The Issues 

Other News

• Patch Management Complexity Increased By Remote Work Is Putting Organizations At Risk - Help Net Security

• The Cyber Security Issues Organizations Deal With Remain Complex And Numerous - Help Net Security

• Security Experts Aghast At The Scale Of Twitch Hack: 'This Is As Bad As It Could Possibly Be' | PC Gamer

• Botnet Abuses TP-Link Routers For Years In SMS Messaging-As-A-Service Scheme - The Record By Recorded Future

• Company That Routes SMS For All Major US Carriers Was Hacked For Five Years | Ars Technica

• New £5 Billion GCHQ Digital Warfare Centre Capable Of 'Cyber Attacks' Set For Lancashire - Lancslive

• Superhero Passwords Pose Serious Risk to Personal, Enterprise Accounts | SecurityWeek.Com

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Cyber Second Only To Climate Change As Biggest Global Risk

Cyber security has been ranked as the second largest threat to our way of life in a major new survey of 23,000 people, comprised of both experts and members of the public. Cyber came second only to climate change on the world stage, but was ranked as the number one risk in the Americas and second in Asia, Africa, and Europe. https://www.infosecurity-magazine.com/news/cyber-second-biggest-global-risk/

Businesses Unsure Which Tech Is Essential Against Ransomware

As ransomware attacks grow in number, a new report finds that many organisations are under the impression they have things in hand but most are unsure what protections they should have in place. The report, based on a survey of 455 business leaders and cyber security professionals, claims businesses are on top of employee training, risk assessments and cyber insurance. Where firms fall flat however is their “clear gap” in thinking, in what many respondents see as “essential tech” in the fight against ransomware – nearly half of respondents (49%) thought paying up was their best option. https://www.techradar.com/news/businesses-unsure-which-tech-is-essential-against-ransomware

Cyber Crime Awareness Heightened, Yet People Still Engage In Risky Online Behaviours

A survey of over 2,000 adults suggests that 76% of respondents recognise the severity of data breaches. This heightened awareness may be driven by constant news of major consumer, enterprise and infrastructural breaches over the last year alone. https://www.helpnetsecurity.com/2021/10/01/risky-online-behaviors/

Attacks Against Remote Desktop Protocol Endpoints Have Exploded This Year

A recent report warns of a huge increase in attacks on the Remote Desktop Protocol (RDP), an almost universal protocol used by nearly every business in operation today. The figures show attacks on RDP have jumped 103.9% since its T1 report in June and represents around 55 billion devices. The RDP protocol is leveraged by threat actors to deploy ransomware and has become a popular target due to both heavy use by IT service providers and common misconfigurations.  https://www.theregister.com/2021/09/30/eset_threat_report/

Ransomware Attacks Up 1,070% Year Over Year

The prevalence of ransomware is growing rapidly, according to the 2021 Ransomware Survey Report. The report shockingly found many of the ransom demands are paid, and comes as a result in the rise of “ransomware as-a-service”. The report found 94% of businesses are concerned about ransomware, with 49% stating they would simply pay the ransom outright. Respondents in Europe were more concerned than those in North America, and around 67% felt they had already been the target of ransomware.  https://www.msspalert.com/cybersecurity-research/fortinet-report-ransomware-attacks-up-1070-year-over-year/

Baby’s Death Alleged To Be Linked To Ransomware

A US hospital paralyzed by ransomware in 2019 will be defending itself in court this November over the death of a newborn. The baby was born amid the hospital’s eighth day of fending off the attack. Court filings show the hospital – Springhill Medical Center in Alabama – believes wireless tracking systems and heartbeat monitoring equipment were compromised by the ransomware, leading to the death.

https://threatpost.com/babys-death-linked-ransomware/175232/

Ransomware Shame: More Than Half Of Business Owners Conceal Cyber-Breach

Around a third (32%) of enterprises experienced a six-figure breach last year, but well over half (61%) admitted to concealing it. The findings come as a global survey of 1,400 decision makers in cyber is released. https://www.foxbusiness.com/technology/ransomware-cyber-breach-concealed

More Than 90% Of Q2 Malware Was Hidden In Encrypted Traffic

Around 91.5% of malware detections in Q1 2021 were concealed in HTTPS-encrypted connections. A ubiquitous protocol – used to secure traffic any time you open a web page – only 20% of organisations have mechanisms in place to scan the arriving HTTPS traffic. The terrifying result found that most firms are missing over nine-tenths of malware hitting their networks every day. https://www.darkreading.com/perimeter/more-than-90-of-q2-malware-was-hidden-in-encrypted-traffic

Cyber Attack Floors British Payroll Firm

A "sophisticated" cyber attack has forced a British payroll company to shut down its entire network, leaving some contractors without pay.  Giant Group confirmed on September 24 that it had taken its network, fully integrated IT infrastructure, phone, and email systems offline last Wednesday after detecting suspicious activity. https://www.infosecurity-magazine.com/news/cyberattack-floors-british-payroll/#.YVQiuXlCjOA.twitter

GriftHorse Malware Infected More Than 10 Million Android Phones From 70 Countries

A malicious trojan has been making its way through the Google Play Store since at least November of 2020. The app, purportedly harmless on the surface, hijacks payments on the victim device, resulting in a series of hidden charges and a nasty surprise at the end of the month. Researchers who discovered the malware estimate its impact to be over 10 million victims in 70 countries, and several hundreds of millions of Euros in losses. https://securityaffairs.co/wordpress/122730/malware/grifthorse-malware-campaign.html

50% Of Servers Have Weak Security Long After Patches Are Released

Over 50% of servers scanned still have weak security, a new study suggests, even after patches have been issued. Researchers found that servers were still vulnerable weeks and even months after critical updates, leaving many businesses wide open to attack. https://www.darkreading.com/vulnerabilities-threats/50-of-servers-have-weak-security-long-after-patches-are-released

Threats

Ransomware

• United Health Centres Reportedly Compromised By Ransomware Attack

• JVCKenwood Hit By Conti Ransomware Claiming Theft Of 1.5TB Data

• Ransomware Gangs Are Complaining That Other Crooks Are Stealing Their Ransoms

• Ransomware Gangs Are Starting More Drama On Cyber Crime Forums, Upending 'Honor Among Thieves' Conventions

• Conti Ransomware Expands Ability To Blow Up Backups

• United Health Centers Reportedly Compromised By Ransomware Attack

• REvil Customers Complain Ransomware Gang Uses Backdoors To Filch Ransoms

• The Biggest Problem With Ransomware Is Not Encryption, But Credentials

Phishing

• 75K Email Inboxes Hit in New Credential Phishing Campaign

• Credential Spear-Phishing Uses Spoofed Zix Encrypted Email

• LinkedIn URLs are being hijacked For phishing

Other Social Engineering

• Scammers Capitalize on Release of New Bond Movie

Malware

• FinSpy Surveillance Kit Re-Emerges Stronger Than Ever

• Thousands Of Online Gaming Accounts Hit In Major Cyber Attack

• Microsoft Warns of FoggyWeb Malware Targeting Active Directory FS Servers

• New Malware Steals Steam, Epic Games Store, And EA Origin Accounts

Vulnerabilities

• Google Emergency Update Fixes Two Chrome Zero Days

• Threat Actors Use Recently Discovered CVE-2021-26084 Atlassian Confluence

• Apple AirTag Zero-Day Weaponizes Trackers

• New Azure AD Bug Lets Hackers Brute-Force Passwords Without Getting Caught

• Thousands of University Wi-Fi Networks Expose Log-In Credentials

• Exploit Released For VMware Vulnerability After CISA Warning

• Apple Pay Users ‘Vulnerable To Security Hack’

• Outsourced Software Poses Greater Risks to Enterprise Application Security

• Working Exploit Is Out for VMware vCenter CVE-2021-22005 Flaw

• Apple Responds To Security Researcher Who Found Multiple iOS 15 Zero-Day Flaws

• Windows 10 Emergency Update Resolves KB5005565 App Freezes, Crashes

• Cyber Security Vulnerability Could Affect Millions Of Hikvision Cameras

Data Breaches/Leaks

• Mental Healthcare Providers Report Data Breaches

• Anonymous: We've Leaked Disk Images Stolen From Far-Right-Friendly Web Host Epik

• 3.8 Billion Users’ Combined Clubhouse, Facebook Data Up for Sale

• Emails, Chat Logs, More Leaked Online From Far-Right Militia Linked To US Capitol Riot

Cryptocurrency/Cryptojacking

• Ethereum Dev Admits Helping North Korea Mine Crypto-Bucks, Faces 20 Years Jail

• China Says All Crypto Currency-Related Transactions Are Illegal And Must Be Banned

Insider Threats

• 10 Recent Examples of How Insider Threats Can Cause Big Breaches and Damage

Dark Web

• Computer Scientist Jailed Over Dark Web Conspiracy

DoS/DDoS

• Bandwidth.com Is Latest Victim Of DDoS Attacks Against VoIP Providers

Nation State Actors

• APT Focus: ‘Noisy’ Russian Hacking Crews Are Among The World’s Most Sophisticated

• APT29 Targets Active Directory Federation Services With Stealthy Backdoor

• GhostEmperor Hackers Use New Windows 10 Rootkit In Attacks

• Nation-State Attacks Fears Grow, Execs Don’t Trust Governments To Protect Them From Cyber Threats

• APT focus: ‘Noisy’ Russian hacking crews are among the world’s most sophisticated

Cloud

• Huawei Cloud Services: U.S. Lawmakers Express Security Concerns

• Cloud Security is the Weak Link

• Why CEOs Should Absolutely Concern Themselves With Cloud Security

• Cloud Security: Report Finds 68% of Malware Delivered From Cloud Apps

Privacy

• Which? Survey Finds People Would Actually Pay The Online Giants Not To Take Their Data

Reports Published in the Last Week

ESET Threat Report T2 2021

Other News

• Revealed: How To Steal Money From Victims' Contactless Apple Pay Wallets

• Threat Actors Weaponize Telegram Bots to Compromise PayPal Accounts

• Cyber Security Experts Have Discovered A New Hacker Group

• The Return Of The Hacktivists

• Report Highlights Cyber Security Dangers Of Elastic Stack Implementation Mistakes

• Russian Authorities Arrest Cyber Security Giant Group-IB’s CEO On Treason Charges

• US Deports Convicted Cyber Criminal to Russia

• OWASP Toasts 20th Anniversary With Revised Top 10 For 2021

• New Emergency Fraud Hotline Launched in UK

• Corporate Attack Surface Exploding As A Result Of Remote Work 

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

91% Of IT Teams Have Felt 'Forced' To Trade Security For Business Operations

A new survey suggests that most IT staff have felt pressured to ignore security concerns in favour of business operations. On Thursday, a new study report was released, which combines data from an online YouGov survey targeting office workers that adopted WFH and global research conducted with IT decision-makers. In total, 91% of those surveyed said that they have felt "pressured" to compromise security due to the need for business continuity during the COVID-19 pandemic. 76% of respondents said that security had taken a backseat, and furthermore, 83% believe that working from home has created a "ticking time bomb" for corporate security incidents. https://www.zdnet.com/article/91-of-it-teams-have-felt-forced-to-trade-security-for-business-operations/

Ransomware Attacks Increased Exponentially In 2021

The growing threat of ransomware has been highlighted by NCC Group's Research Intelligence and Fusion Team (RIFT) analysis. Between January-March 2021 and April-June 2021, the number of ransomware assaults studied by the team climbed by 288%, indicating that enterprises are still facing waves of digital extortion in the form of targeted ransomware. https://www.ehackingnews.com/2021/09/ransomware-attacks-increased.html

Phishing Attacks: One In Three Suspect Emails Reported By Employees Really Are Malicious

All the time spent ticking boxes in cyber security training sessions seems to be paying off after all: according to a new report, about a third of emails reported by employees really are malicious or highly suspect, demonstrating the effectiveness of the well-established maxim "Think before you click".  Researchers analysed over 200,000 emails that were flagged by employees from organisations across the globe in the first half of 2021 and found that 33% of the reports could be classified as phishing. https://www.zdnet.com/article/phishing-attacks-one-in-three-suspect-emails-reported-by-employees-really-are-malicious/

Hackers Shift From Malware To Credential Hijacking

Adversaries are relying less on malware to conduct attacks that are consequently more difficult to detect, according to an annual report conducted by researchers. “According to data from our customer base indexed by Threat Graph, 68% of detections from the last three months were not malware-based,” reads the report released Wednesday. “Attackers are increasingly attempting to accomplish their objectives without writing malware to the endpoint, using legitimate credentials and built-in tools (living off the land)—which are deliberate efforts to evade detection by traditional antivirus products.” https://www.nextgov.com/cybersecurity/2021/09/report-hackers-shift-malware-credential-hacking/185209/

Attacker Breakout Time Now Less Than 30 Minutes

The average time it takes threat actors to move from initial access to lateral movement has fallen by 67% over the past year, putting extra pressure on security operations (SecOps) teams, according to researchers. The findings come from researchers own investigations with customers across around 248,000 unique global endpoints. For incidents where this “breakout time” could be derived over the past year, it averaged just 1 hour 32 minutes. However, in over a third (36%) of intrusions, adversaries managed to move laterally to additional hosts in under 30 minutes. https://www.infosecurity-magazine.com/news/attacker-breakout-time-now-less/

Hackers Leak VPN Account Passwords From 87,000 Fortinet FortiGate Devices

Network security solutions provider Fortinet confirmed that a malicious actor had unauthorizedly disclosed VPN login names and passwords associated with 87,000 FortiGate SSL-VPN devices. "These credentials were obtained from systems that remained unpatched at the time of the actor's scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable," the company said in a statement on Wednesday. https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html

53% Find It Difficult To Prevent An Insider Attack During Data Aggregation

Recent data from researchers found that 53% of companies find it impossible or very difficult to prevent an insider attack when data is being aggregated, a key indicator of intent of an attack. The vast majority of security threats follow a pattern or sequence of activity leading up to an attack, and insider threats are no exception. To fully understand any insider incident, visibility into the entire kill chain of an attack is imperative to preventing the exfiltration of critical data. https://venturebeat.com/2021/09/02/53-find-it-difficult-to-prevent-an-insider-attack-during-data-aggregation/

The Impact Of Ransomware On Cyber Insurance Driving The Need For Broader Cyber Security Knowledge

Not only have ransomware attacks spiked, the amount of ransom demanded has grown exponentially—to somewhere between $50 and $70 million dollars. Cyber Insurers can’t cover “whatever amount the hacker demands”—so major policies lost money. Insurers have responded by raising premiums, restricting coverage, or even getting out of the cyber-insurance game altogether in vulnerable markets. https://www.helpnetsecurity.com/2021/09/10/cyber-insurance-ransomware/

Hackers Exploit Camera Vulnerabilities To Spy On Parents

Various zero day vulnerabilities in home baby monitor could be compromised that lets threat actors hack into camera feed and put malicious codes like malware. The security issues were found in the IoT gadgets, made by China based developer Victure, that were found by researchers. In a security report, researchers revealed about the stack-based buffer flaw present in ONVIF server Victure PC420 component camera that allows hackers to plant remote codes on the victim device. When compromised, hacker can discover cameras (not owned by them) and command devices to broadcast camera feeds to third party and exploit the camera firmware. https://www.ehackingnews.com/2021/09/hackers-exploit-camera-vulnerabilities.html

39% Of All Internet Traffic Is From Bad Bots

Automated traffic takes up 64% of internet traffic – and whilst just 25% of automated traffic was made up by good bots, such as search engine crawlers and social network bots, 39% of all traffic was from bad bots, a Barracuda report reveals.

These bad bots include both basic web scrapers and attack scripts, as well as advanced persistent bots. These advanced bots try their best to evade standard defences and attempt to perform their malicious activities under the radar. The report revealed that the most common of these persistent bots were ones that went after e-commerce applications and login portals. https://www.helpnetsecurity.com/2021/09/07/bad-bots-internet-traffic/

Threats

Ransomware

• REvil Ransomware Group Returns Following Kaseya Attack

• Ragnar Locker Gang Warns Victims Not To Call The FBI

• This Is The Perfect Ransomware Victim, According To Cyber Criminals

• 5 Surefire Things That’ll Get You Targeted By Ransomware

• Hive Is Dangerous New Ransomware Threat, FBI Says

• Why Ransomware Hackers Love A Holiday Weekend

BEC

Phishing

• Microsoft Outlook Shows Real Person’s Contact Info For IDN Phishing Emails

Other Social Engineering

• 'Bitcoin Fraud Cost Me £500,000'

Malware

• Traffic Exchange Networks Distributing Malware Disguised As Cracked Software

• New Malware Uses Novel Fileless Technique To Evade Detection

Mobile

• Dangerous New Cable Can Hack iPhones From One Mile Away

• This Android Security Flaw Could Let Hackers Follow All Your Movements

IOT

• IoT Attacks Skyrocket, Doubling In 6 Months

Vulnerabilities

• Zoho ManageEngine Password Manager Zero-Day Gets A Fix, Amid Attacks

• New CPU Side-Channel Attack Takes Aim At Chrome’s Site Isolation Feature

• Microsoft, CISA Urge Mitigations For Zero-Day RCE Flaw In Windows

• Atlassian CISO Defends Company's Confluence Vulnerability Response, Urges Patching

• PoC Released For GhostScript Vulnerability That Exposed Airbnb, Dropbox

• Netgear Smart Switches Open To Complete Takeover

• New 0-Day Attack Targeting Windows Users With Microsoft Office Documents

• Cisco Patches Critical Authentication Bug With Public Exploit

Data Breaches/Leaks

• Guntrader Breach Perp: I Don't Think It's A Crime To Dump 111k People's Details Online In Google Earth Format

Organised Crime & Criminal Actors

• TrickBot Gang Developer Arrested At The Seoul International Airport

• The Secret Vulnerability Of Cyber Criminals: Burnout

Cryptocurrency/Cryptojacking

• Financial Cyber Crime: Why Crypto Currency Is The Perfect ‘Getaway Car’

Insider Threats

• Enterprises Are Missing The Warning Signs Of Insider Threats

DoS/DDoS

• Yandex Is Battling The largest DDoS In Russian Internet history

Nation State Actors

• Microsoft Says Chinese Hackers Were Behind SolarWinds Serv-U SSH 0-Day Attack

Cloud

• Organisations Struggling To Develop Cloud Applications That Meet Security Requirements

Privacy

• WhatsApp “End-To-End Encrypted” Messages Aren’t That Private After All

• ProtonMail Logs Activist's IP Address With Authorities After Swiss Court Order

Other News

• OWASP Shakes Up Web App Threat Categories With Release Of Draft Top 10

• SIEM Market Size To Reach $6436.2 Million By 2027

• A Zero-Trust Future: Why Cyber Security Should Be Prioritized For The Hybrid Working World

• Microsoft Has A $20 Billion Hacking Plan, But Cyber Security Has A Big Spending Problem

• Misbehaving Microsoft Teams Ad Brings Down The Entire Windows 11 Desktop

• This Seemingly Normal Lightning Cable Will Leak Everything You Type

• HSE Cyber Attack: Irish Health Service Still Recovering Months After Hack

• Brute-Force Attacks Target Inboxes For Gift Card Data

• Glasgow Firm Fined £150k After Half A Million Nuisance Calls, Spoofing Phone Number, Using False Trading Names

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Ransomware Now Ranks As UK’s Top Cyber Security Danger

Ransomware hackers are now the biggest cyber security threat in the UK for the majority of individuals and businesses in the region, Lindy Cameron, chief executive of the National Cyber Security Centre (NCSC), said in a speech. “For the vast majority of UK citizens and businesses, and indeed for the vast majority of critical national infrastructure providers and government service providers, the primary key threat is not state actors but cyber criminals,” Cameron said in the speech at the second annual cyber security meeting at the Royal United Services Institute (RUSI), the oldest independent defense and security think tank worldwide.

https://www.pymnts.com/news/security-and-risk/2021/ransomware-now-ranks-as-uks-top-cybersecurity-danger/

54% of all employees reuse passwords across multiple work accounts

Results of a study into current attitudes and adaptability to at-home corporate cyber security, employee training, and support in the current global hybrid working era revealed some interesting results. The report surveyed 3,006 employees, business owners, and C-suite executives at large organisations (250+ employees), who have worked from home and use work issued devices in the UK, France and Germany.

According to the findings 54% of all employees use the same passwords across multiple work accounts. 22% of respondents still keep track of passwords by writing them down, including 41% of business owners and 32% of C-level executives.

42% of respondents admit to using work-issued devices for personal reasons daily while working from home. Of these, 29% are using work devices for banking and shopping, and 7% admit to watching illegal streaming services. Senior workers are among the biggest offenders, as 44% of business owners and 39% of C-level executives admit to performing personal tasks on work-issued devices every day since working from home, with 23% of business owners and 15% of C-level respondents using them for illegal streaming/watching TV.

A year after the pandemic began and work-from-home policies were implemented, 37% of all employees across all sectors are yet to receive cyber security training to work from home, leaving businesses largely exposed to evolving risks. 43% of all employees suggest that cyber security isn’t the responsibility of the workforce, with 60% believing this should be handled by IT teams.

https://www.helpnetsecurity.com/2021/06/10/employees-reuse-passwords-across-multiple-work-accounts/

VPN Attacks Up Nearly 2000% As Companies Embrace A Hybrid Workplace

In Q1 2021, there was a 1,916% increase in attacks against Fortinet’s SSL-VPN and a 1,527% increase in Pulse Connect Secure VPN. These vulnerabilities allow a threat actor to gain access to a network. Once they are in, they can exfiltrate information and deploy ransomware. “2020 was the era of remote work and as the workforce adjusted, information technology professionals scrambled to support this level of remote activity by enabling a wide variety of remote connectivity methods,” said J.R. Cunningham, CSO at Nuspire. “This added multiple new attack vectors that enabled threat actors to prey on organisations, which is what we started to see in Q1 and are continuing to see today.”

https://www.helpnetsecurity.com/2021/06/15/vpn-attacks-up/

Most Firms Face Second Ransomware Attack After Paying Off First

Most businesses that choose to pay to regain access to their encrypted systems experience a subsequent ransomware attack. And almost half of those that pay up say some or all their data retrieved were corrupted. Some 80% of organisations that paid ransom demands experienced a second attack, of which 46% believed the subsequent ransomware to be caused by the same hackers. Amongst those that paid to regain access to their systems, 46% said at least some of their data was corrupted, according to a survey released Wednesday. The study polled 1,263 security professionals in seven markets worldwide, including 100 in Singapore, as well as respondents in Germany, France, the US, and UK.

https://www.zdnet.com/article/most-firms-face-second-ransomware-attack-after-paying-off-first/

Over 65,000 Ransomware Attacks Expected In 2021: Former Cisco CEO

U.S. companies are expected to endure over 65,000 ransomware attacks this year — and that's “a conservative number,” according to John Chambers, former CEO of Cisco Systems. With McDonald’s, JBS, and Colonial Pipeline Co. all recently coming under cyber attacks, Chambers does not foresee an end to the onslaught of cyber security threats anytime soon. He estimated that the number of ransomware attacks in 2021 could end up being as high as 100,000, with each one costing companies an average of $170,000. In the case of Colonial, just one password was needed for hackers to compromise the entire company’s IT infrastructure. This led to Colonial and JBS paying a combined $15 million in ransom against FBI advice.

https://finance.yahoo.com/news/over-65000-ransomware-attacks-expected-in-2021-former-cisco-ceo-125100793.html

Business Leaders Now Feel More Vulnerable To Cyber Attacks

Geographically speaking, 55% of US and 49% of UK respondents have experienced the most severe impact to their network security due to these attacks (suggesting that their businesses are more of a target than those in continental Europe) which, in turn, has resulted in a clear majority of respondents (60%) increasing their investment in this area. A sizeable 68% of leaders said their company has experienced a DDoS attack in the last 12 months with the UK (76%) and the US (73%) experiencing a significantly higher proportion compared to 59% of their German and 56% French counterparts. Additionally, over half of the leaders who participated in the survey confirmed that they specifically experienced a DDoS ransom or extortion attack in that time, with a large number of them (65%) targeted at UK companies, compared with the relatively low number in France (38%).

https://www.helpnetsecurity.com/2021/06/14/business-leaders-feel-vulnerable-cyber-attacks/

Ransomware Gang Turns To Revenge Porn

At least one ransomware gang has taken a rare and highly invasive step in order to convince its victims to pay: leaking nude images allegedly uncovered as part of their hack of a target company. The news presents an escalation in the world of ransomware and digital extortion, and comes as the U.S. government and other countries discuss new measures to curb the spike in ransomware incidents. Ransomware groups have recently targeted, and in some cases extracted payment from, the Colonial Pipeline Company, meat producer JBS, and the Irish healthcare system. Locking down computers with ransomware can already have a substantial impact on business operations; leaking information on top of that can present victims with another risk. But posting nude images publicly on the internet threatens to make extortion of organisations a much more personal matter.

https://www.vice.com/en/article/z3xzby/ransomware-gang-revenge-porn-leaks-nude-images

Bank Of America Spends Over $1 Billion Per Year On Cyber Security

Bank of America CEO Brian Moynihan said Monday that the company has ramped its cyber security spending to over $1 billion a year. “I became CEO 11 and a half years ago, and we probably spent three to $400 million [per year] and we’re up over a billion now,” Moynihan said on CNBC’s “Squawk Box.” “The institutions around us, other institutions and my peers, spend like amounts, and our contracting parties spend like amounts,” he added. “In other words, we cause spending in third parties that provide services to us to protect us in the same way. So there’s a lot of money being spend on this, and I think one of the things our industry has done a great job of is work together.”

https://www.cnbc.com/2021/06/14/bank-of-america-spends-over-1-billion-per-year-on-cybersecurity.html

Bad Cyber Security Behaviours Plaguing The Remote Workforce

According to the report, younger employees are most likely to admit they cut cyber security corners, with 51% of 16-24 year olds and 46% of 25-34 year olds reporting they’ve used security workarounds. In addition, 39% say the cyber security behaviours they practice while working from home differ from those practiced in the office, with half admitting it’s because they feel they were being watched by IT departments. IT leaders are optimistic about the return to office, with 70% believing staff will more likely follow company security policies around data protection and privacy. However, only 57% of employees think the same.

https://www.helpnetsecurity.com/2021/06/16/cybersecurity-behaviors/

Threats

Ransomware

• Why Backups Are Not The Panacea For Recovery From A Ransomware Attack

• Microsoft Systems Targeted By 'Black Kingdom' Ransomware

• Takeaways From The Colonial Pipeline Ransomware Attack

• Police Bust Major Ransomware Gang Cl0p

• Ryuk Ransomware Recovery Cost Us $8.1m And Counting, Says Baltimore School Authority

• Paradise Ransomware Source Code Released On A Hacking Forum

• Experts Shed Light On Distinctive Tactics Used By Hades Ransomware

• How Remote Work Opened The Floodgates To Ransomware

• The latest Revil Ransomware Victim? Sol Oriens. Oh, A US Nuclear Weapons Contractor

• Ransomware Attackers Are Leveraging Old SonicWall SRA Flaw

BEC

• Microsoft Takes Down Large‑Scale BEC Operation

• Behind The Scenes Of Business Email Compromise: Using Cross-Domain Threat Data To Disrupt A Large BEC Campaign

• Microsoft: Scammers Bypass Office 365 MFA In BEC Attacks

Phishing

• Threat Actors Use Google Docs To Host Phishing Attacks

Malware

• Malicious PDFs Flood the Web, Lead To Password-Snarfing

• Alarming Malware Discovery Reveals 1.2 TB Data Theft From Millions Of Windows PCs

Vulnerabilities

• Update Your Chrome Browser To Patch Yet Another 0-Day Exploited In-The-Wild

• Vulnerability In Microsoft Teams Granted Attackers Access To Emails, Messages, And Personal Files

• McAfee Finds Security Vulnerability In Peloton Products

• Critical Remote Code Execution Flaw In Thousands Of VMWare vCenter Servers Remains Unpatched

Data Breaches

• UK Listed Law Firm Gateley Admits Client Data Lost Through Cyber Attack

• Alibaba Suffers Billion-Item Data Leak Of Usernames And Mobile Numbers

• Maritime Firm HMM Suffers Security Breach And Cyber Attack On Its Email Systems

• Mensa Data Spillage Was Due to 'Unauthorised Internal Download'

• Volkswagen, Audi Disclose Data Breach Impacting Over 3.3 Million Customers, Interested Buyers

Organised Crime & Criminal Actors

• Police Grab Slilpp, Biggest Stolen-Logins Market

Cryptocurrency

• Criminals Are Mailing Altered Ledger Devices To Steal Crypto Currency

Supply Chain

• NoxPlayer Supply-Chain Attack Is Likely The Work Of Gelsemium Hackers

OT, ICS, IIoT and SCADA

• Utilities ‘Concerningly’ At Risk from Active Exploits

Nation State Actors

• Biden Says He Told Putin U.S. Will Hack Back Against Future Russian Cyber Attacks

• Little-Noticed Cyber Spying Campaign Blamed On China Was Much Wider Than Thought

Denial of Service

• 100% Increase In Daily DDoS Traffic In 2020 As Potential Grows For 10 TBPS Attack

Cloud

• Unsecured Servers And Cloud Services: How Remote Work Has Increased The Attack Surface That Hackers Can Target

• Complexity Is The Biggest Threat To Cloud Success And Security

Privacy

• Amazon To Let Customers Sue After Thousands Of Alexa Complaints

Other News

• Airline And Bank Websites Go Down In Another Major Internet Failure

• Corporate Attack Surfaces Growing Concurrently With A Dispersed Workforce

• This Secretive Firm Has Powerful New Hacking Tools

• Vigilante Malware Rats Out Software Pirates While Blocking The Pirate Bay

• Fallout Of EA Source Code Breach Could Be Severe, Cyber Security Experts Say

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Two Thirds Of CISOs Across World Expect Damaging Cyber Attack In Next 12 Months

More than 1,000 CISOs around the world have expressed concerns about the security ramifications of the massive shift to remote work since the beginning of the pandemic. One hundred CISOs from the US, Canada, the UK, France, Germany, Italy, Spain, Sweden, the Netherlands, UAE, Saudi Arabia, Australia, Japan, and Singapore were interviewed for the report, with many highlighting significant problems in the current cyber security landscape.

https://www.zdnet.com/article/two-thirds-of-cisos-across-world-expect-damaging-cyberattack-in-next-12-months/

Ransomware: Don't Pay Up, It Just Shows Cyber Criminals That Attacks Work, Warns Home Secretary

For victims of ransomware attacks, paying the ransom does not guarantee that their network will be restored – and handing money to criminals only encourages them to try their luck infecting more companies with the file-encrypting malware. The impact of ransomware attacks continues to rise as cyber criminals encrypt networks, while also blackmailing victims with the prospect of stolen data being published, to generate as much money as possible from extortion.

https://www.zdnet.com/article/ransomware-dont-pay-the-ransom-it-just-encourage-cyber-criminals-that-attacks-work-warns-home-secretary/

The Most Significant Cyber Attacks From 2006-2020, By Country

Committing a cyber crime can have serious consequences. In the US, a cyber criminal can receive up to 20 years in prison for hacking into a government institution if it compromises national security. Yet, despite the consequences, cyber criminals continue to wreak havoc across the globe. But some countries seem to be targeted more than others. Using data from SpecOps Software, this graphic looks at the countries that have experienced the most significant cyber attacks over the last two decades.

https://www.visualcapitalist.com/cyber-attacks-worldwide-2006-2020/

The Shape Of Fraud And Cyber Crime: 10 Things We Learned From 2020

While it remains true that the older you are, the greater the financial loss, why would fraudsters target the young, who are arguably less well off? The answer lies in volume. Criminals have been offsetting higher monetary gain for higher attack rates, capitalising on the fact that the young are perhaps both more liberal with personal information (and privacy in general) and, at the same time, heavy digital users (social media, surveys, games, and so on). In fact, it is scary to see how much value the humble email address can have for criminals. We often forget that once obtained, it can be used further down the line to commit more fraud.

https://www.computerweekly.com/opinion/The-shape-of-fraud-and-cyber-crime-10-things-we-learned-from-2020

Is Third-Party Software Leaving You Vulnerable To Cyber Attacks?

When companies buy digital products, they expect them to be secure. In most cases, they do not test for vulnerabilities down the digital supply chain — and do not even have adequate processes or tools to do so. Hackers have taken note, and incidents of supply chain cyber attacks, which exploit weaknesses within the digital supply chain to break into organisations’ internal networks, are on the rise. As a result, there have been many headline incidents that not only bring shame to the companies involved, but rachet up the visibility of these threats to top executives who want to know their offerings are secure.

https://hbr.org/2021/05/is-third-party-software-leaving-you-vulnerable-to-cyberattacks

US Pipeline Ransomware Attack Serves As Fair Warning To Persistent Corporate Inertia Over Security

Organisations that continue to disregard the need to ensure they have adopted basic cyber security hygiene practices should be taken to task. This will be critical, especially as cyber criminals turn their attention to sectors where cyber threats can result in real-world risks, as demonstrated in the US Colonial Pipeline attack. In many of my conversations with cyber security experts, there is a shared sense of frustration that businesses still are failing to get some of the most basic things right. Default passwords are left unchanged, frontline staff and employees are still falling for common scams and phishing attacks, and major businesses think nothing of using technology that are decades old.

https://www.zdnet.com/article/us-pipeline-ransomware-attack-serves-as-fair-warning-to-persistent-corporate-inertia-over-security/

Ransomware Attackers Are Now Using Triple Extortion Tactics

The number of organisations affected by ransomware so far this year has more than doubled, compared with the same period in 2020, according to the report. Since April, Check Point researchers have observed an average of 1,000 organisations impacted by ransomware every week. For all of 2020, ransomware cost businesses worldwide around $20 billion, more than 75% higher than the amount in 2019. The healthcare sector has been seeing the highest volume of ransomware with around 109 attacks per organization each week. Amid news of a ransomware attack against gas pipeline company Colonial Pipeline, the utilities sector has experienced 59 attacks per organization per week. Organisations in the insurance and legal sector have been affected by 34 such attacks each week.

https://www.techrepublic.com/article/ransomware-attackers-are-now-using-triple-extortion-tactics/

AXA Pledges To Stop Reimbursing Ransom Payments For French Ransomware Victims

Insurance company AXA has revealed that, at the request of French government officials, it will end cyber insurance policies in France that pay ransomware victims back for ransoms paid out to cyber criminals. While unconfirmed, the Associated Press reported that the move was an industry first. AXA is one of the five biggest insurers in Europe and made the decision as ransomware attacks become a daily occurrence for organisations across the world.

https://www.zdnet.com/article/axa-pledges-to-stop-reimbursing-ransom-payments-for-french-ransomware-victims/

The Dystopic Future Of Cyber Security And The Importance Of Empowering CISOs

Over a decade ago, in 2007, the first iPhone was released and with it emerged an ecosystem of apps that continues to expand to this day. This was a watershed moment, not solely for the technology industry, but civilization. It was a catalyst for what was to come. Suddenly, every consumer could access the internet at a touch of a button, and the accumulation of their data by private companies began en masse. It was at this point that data was established as an increasingly valuable commodity, and in turn, became a heightened exploitation risk. It also instigated a wave of innovation that has yet to break and is only growing rapidly in pace. In this state, technology providers, users, and manufacturers get excited about new functionalities, new features, new developments, while little thought is given to the negative consequences that could arise as a result. Indeed, fear has no place in the state of innovation as it is this primal thinking that inhibits creativity.

https://www.infosecurity-magazine.com/blogs/the-dystopic-future-of/

Cyber Security Experts Warn Over Online Wine Scams

Online wine scams became a bigger threat as cyber criminals sought to take advantage of more people and businesses organising virtual drinks and ordering bottles on the internet in the wake of Covid-19 restrictions, suggests the report. So-called ‘phishing emails’ were a particular concern, according to findings published in April by US-based group Recorded Future in partnership with Area 1 Security. From January 2020 onwards, the authors found a significant rise in legitimate wine-themed web domain registrations using terms like Merlot, Pinot, Chardonnay or Vino.

https://www.decanter.com/wine-news/cyber-security-experts-warn-over-online-wine-scams-457647/

Threats

Ransomware

• New Ransomware: CISA Warns Over Fivehands File-Encrypting Malware Variant

• Energy Companies Are The Firms Most Likely To Pay Cyber Attack Ransoms

• A Student Pirating Software Led To A Full-Blown Ryuk Ransomware Attack

• MTR In Real Time: Pirates Pave Way For Ryuk Ransomware

• Ransomware Going For $4K On The Cyber Underground

• Foreign Secretary Issues Warning To Russia On Ransomware

• Anatomy Of A $2 Million Darkside Ransomware Breach

BEC

• Business Email Compromise Attack Targeted Dozens Of Orgs

Phishing

• Phishing Attacks Exploit Cognitive Biases, Research Finds

• AI Discovers A Complex Phishing Crypto Currency Scam Campaign

Other Social Engineering

• Coronavirus-Related Cyber Crime Contributes To 15-Fold Surge In Scam Takedowns

• She Responded To A Smishing Scam. Then The Spam Texts Got Worse.

Malware

• Emails Reveal 128 Million iOS Users Were Affected By ‘Xcodeghost’ Malware

Mobile

• A New Smishing Trojan Is Out And About

• New Android Malware Targeting Banks In Italy, Spain, Germany, Belgium, And The Netherlands

IOT

• How To Apply A Zero Trust Approach To Your IoT Solutions

• Troy Hunt At Black Hat Asia: ‘We’re Making It Very Difficult For People To Make Good Security Decisions’

Vulnerabilities

• Don’t Delay Installing Your Windows 10 May Patch Tuesday Update – It Fixes 3 Zero-Day Exploits

• Patch Adobe Reader Now Or Risk A Major Security Attack

• WiFi Vulnerability May Leave Millions Of Devices Open To 'Frag Attacks'

• Remote Mouse Mobile App Contains Raft Of Zero-Day RCE Vulnerabilities

• Lemon Duck Hacking Group Adopts Microsoft Exchange Server Vulnerabilities In New Attacks

Data Breaches

• Hackers release personal info of 22 DC Police officers

• Anatomy Of A $2 Million Darkside Ransomware Breach

Organised Crime & Criminal Actors

• Bulletproof Hosting Admins Plead Guilty To Running Cyber Crime Safe Haven

Supply Chain

• Rapid7 Source Code, Credentials Accessed In Codecov Supply-Chain Attack

Nation State Actors

• Russian Hackers Are Targeting These Vulnerabilities, So Patch Now

• NCSC Warns British Start-Ups Of Threat From Chinese And Russian Hackers

• NCSC, CISA publish new information on Russia’s Cozy Bear

Privacy

• Your Employer May Be Spying On You — Here Are 3 Ways To Stop It

Reports Published in the Last Week

• DDOS Attacks In Q1 2021

• Verizon 2021 Data Breach Investigations Report (DBIR)

Other News

• University Cancels Exams After Cyber Attack

• Your Old Mobile Phone Number Could Compromise Your Cyber Security

• Microsoft's New Security Feature Locks Hackers Out With GPS

• Biden Signs Executive Order Aiming To Prevent Future Cyber Security Disasters

• Cyber Security And Compliance For Healthcare Organizations

• Train Firm’s ‘Worker Bonus’ Email Is Actually Cyber Security Test

• Half Of Government Security Incidents Caused By Missing Patches

• 90% Of Security Leaders View Bot Management As A Top Priority

• 'Everyone Had To Rethink Security': What Microsoft Learned In Last Year

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

‘Really Messy’: Why The Hack of Microsoft’s Email System Is Getting Worse, With Attacks Doubling Every Two Hours

The cyber security community sprang into action after Microsoft first announced a series of vulnerabilities that let hackers break into the company's Exchange email and calendar programs. China has used it to spy on a wide range of industries in the United States ranging from medical research to law firms to defence contractors, the company said. China has denied responsibility. In the past 24 hours, the team has observed "exploitation attempts on organizations doubling every two to three hours." The countries feeling the brunt of attack attempts are Turkey, the United States, and Italy, accounting for 19%, 18%, and 10% of all tracked exploit attempts, respectively.

https://www.nbcnews.com/tech/security/really-messy-hack-microsofts-email-system-getting-worse-rcna377

https://www.zdnet.com/article/microsoft-exchange-server-hacks-doubling-every-two-hours/

Trickbot Malware Is Now Your Biggest Security Headache

Trickbot malware has risen to fill the gap left by the takedown of the Emotet botnet, with a higher number of criminals shifting towards it to distribute malware attacks. Emotet was the world's most prolific and dangerous malware botnet before it was disrupted by an international law enforcement operation in January this year.

https://www.zdnet.com/article/this-trojan-malware-is-now-your-biggest-security-headache/

Cyber Criminals Are Increasingly Targeting Browser Zero Days

As more and more of our work is done within our browsers, cyber criminals have begun to leverage web browser exploits to compromise endpoint systems, according to new research from Menlo Security. At the same time, enterprises around the world were forced to make an almost overnight transition to remote work last year and this surge in employees working from home along with the shift to cloud computing have resulted in a greatly increased attack surface.

https://www.techradar.com/news/cybercriminals-are-increasingly-targeting-browser-zero-days

More Than 1m Small Businesses ‘At Risk Of Collapse’ Due To Cyber Threats

The research, commissioned by Vodafone, also showed that 16 per cent of firms would likely be forced to lay off staff in the event of a hack. As a result, the report called on ministers to beef up the country’s corporate cyber defences, warning that a failure to do so could hamper the post-pandemic economic recovery. It urged the government to expand a dedicated business cyber security within the National Cyber Security Centre (NCSC), which is part of GCHQ, and introduce a five per cent VAT cut on cybersecurity products for small companies.

Number Of Ransomware Attacks Grew By More Than 150%

By the end of 2020, the ransomware market, fueled by the pandemic turbulence, had turned into the biggest cyber crime money artery. Based on the analysis of more than 500 attacks observed during Group-IB’s own incident response engagements and cyber threat intelligence activity, researchers estimate that the number of ransomware attacks grew by more than 150% in 2020.

https://www.helpnetsecurity.com/2021/03/08/ransomware-attacks-grew-2020/

Hackers Are Using Home Office Selfies To Steal Your Personal Data

The pandemic has been the source of plenty of memes and new internet trends, not least the remote working selfie, which involves people taking photos of their home office setup or video conferencing sessions. However, a new blog suggests cyber criminals are capitalizing on this new genre of selfie to steal a range of personal data that could be used to execute identity or financial fraud.

https://www.techradar.com/uk/news/hackers-are-using-home-office-selfies-to-steal-your-personal-data

Massive Supply-Chain Cyber Attack Breaches Several Airlines

A communications and IT vendor for 90 percent of the world’s airlines, SITA, has been breached, compromising passenger data stored on the company’s U.S. servers in what the company is calling a “highly sophisticated attack.” The affected servers are in Atlanta, and belong to the SITA Passenger Service System (SITA PSS).

https://threatpost.com/supply-chain-cyberattack-airlines/164549/

Millions Of Windows Devices Are Still Infested With Malware

Over 100 million Windows consumer and business devices across the world were infected with malware last year, new analysis has found. While examining the recent Malwarebytes "State of Malware" report, Atlas VPN noted that whilst the number of infected Windows machines seems high, this landmark figure was actually 12% drop when compared to 2019.

https://www.techradar.com/uk/news/millions-of-windows-devices-are-still-infested-with-malware

Did You Know Browser Extensions Are Looking at Your Bank Account?

Browser extensions have full access to all the web pages you visit. It can see which web pages you are browsing, read their contents, and watch everything you type. It could even modify the web pages—for example, by inserting extra advertisements. If the extension is malicious, it could gather all that private data of yours—from web browsing activity and the emails you type to your passwords and financial information—and send it to a remote server on the internet.

https://www.howtogeek.com/716771/did-you-know-browser-extensions-are-looking-at-your-bank-account/

Threats

Ransomware

• Capcom reportedly forced employees to work in the office following ransomware attack

• Fake Ad Blocker Delivers Hybrid Cryptominer/Ransomware Infection

• New ransomware only decrypts victims who join their Discord server

Phishing

• Fake Google reCAPTCHA Phishing Attack Swipes Office 365 Passwords

Malware

• Nim-Based Malware Loader Spreads Via Spear-Phishing Emails

• Supernova malware clues link Chinese threat group Spiral to SolarWinds server hacks

Mobile

• Malicious apps on Google Play dropped banking Trojans on user devices

Vulnerabilities

• Microsoft's March Patch Tuesday: Critical remote code execution flaws, IE zero-day fixed

• F5 issues BIG-IP patches to tackle unauthenticated remote code execution, critical flaws

• Hackers Exploit QNAP Vulnerabilities to Turn NAS Devices Into Crypto Miners

• Malware Can Exploit New Flaw in Intel CPUs to Launch Side-Channel Attacks

• Adobe releases batch of security fixes for Framemaker, Creative Cloud, Connect

• Critical 0-day that targeted security researchers gets a patch

• Intel CPU interconnects can be exploited by malware to leak encryption keys and other info

• Now it is F5’s turn to reveal critical security bugs – and the Feds were quick to sound the alarm on these BIG-IP flaws

Organised Crime

• Police raids across Europe after encrypted phone network shut down

Dark Web

• Dark Web Markets for Stolen Data See Banner Sales

OT, ICS, IIoT and SCADA

• Hack of '150,000 cameras' investigated by camera firm

Nation-State Actors

• Researchers Unveil New Linux Malware Linked to Chinese Hackers

• United States considering cyber war on Russia in retaliation for SolarWinds hack

Privacy

• The UK is secretly testing a controversial web snooping tool

Other News

• This Unassuming Little Device Can Hack Your Smart Home

• Did You Know Browser Extensions Are Looking at Your Bank Account?

• White hat bounty hackers become millionaires

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Top Cyber Headlines of the Week

Ransomware is now the biggest Cyber Security concern for CISOs

Ransomware is the biggest cyber security concern facing businesses, according to those responsible for keeping organisations safe from hacking and cyberattacks. A survey of chief information security officers (CISOs) and chief security officers (CISOs found that ransomware is now viewed as the main cyber security threat to their organisation over the course of the next year. Almost half – 46% – of CISOs and CISOs surveyed said that ransomware or other forms of extortion by outsiders represents the biggest cyber security threat.

https://www.zdnet.com/article/ransomware-is-now-the-biggest-cybersecurity-concern-for-cisos/

Crypto ransomware payments grew 311% in 2020

Crypto payments associated with ransomware grew at least 311% in 2020. “Ransomware” refers to a category of malicious computer programs that force users into paying ransoms. Just 0.34% of all cryptocurrency transactions last year were criminal, down from 2.1% in 2019. But that number is bound to go up, said the firm.

https://decrypt.co/54648/crypto-crime-ransomware-chainalysis-report-2020

The SolarWinds hackers used tactics other groups will copy

One of the most chilling aspects of Russia's recent hacking spree—which breached numerous United States government agencies among other targets—was the successful use of a “supply chain attack” to gain tens of thousands of potential targets from a single compromise at the IT services firm SolarWinds. But this was not the only striking feature of the assault. After that initial foothold, the attackers bored deeper into their victims' networks with simple and elegant strategies. Now researchers are bracing for a surge in those techniques from other attackers.

https://www.wired.com/story/solarwinds-hacker-methods-copycats/

Global Cyber Security spending to soar in 2021

The worldwide cyber security market is set to grow by up to 10% this year to top $60bn, as the global economy slowly recovers from the pandemic. Double-digit growth from $54.7bn in 2020 would be its best-case scenario. However, even in the worst case, cyber security spending would reach 6.6%. That would factor in a deeper-than-anticipated economic impact from lockdowns, although the security market has proven to be remarkably resilient thus far to the pandemic-induced global economic crisis. That said, SMB spending was hit hard last year, along with certain sectors like hospitality, retail and transport.

https://www.infosecurity-magazine.com/news/global-cybersecurity-spending-to/

Cyber criminals publish more than 4,000 stolen Sepa files

Sepa rejected a ransom demand for the attack, which has been claimed by the international Conti ransomware group. Contracts, strategy documents and databases are among the 4,000 files released. The data has been put on the dark web - a part of the internet associated with criminality and only accessible through specialised software.

https://www.bbc.co.uk/news/uk-scotland-55757884

Ransomware provides the perfect cover for other attacks

Look at any list of security challenges that CISOs are most concerned about and you’ll consistently find ransomware on them. It’s no wonder: ransomware attacks cripple organizations due to the costs of downtime, recovery, regulatory penalties, and lost revenue. Unfortunately, cybercriminals have added an extra sting to these attacks: they are using ransomware as a smokescreen to divert security teams from other clandestine activities behind the scenes

https://www.helpnetsecurity.com/2021/01/21/ransomware-cover/

Popular PDF reader has database of 77 million users hacked and leaked online

A threat actor has leaked a 14 GB database online containing over 77 million records relating to thousands of users of the Nitro PDF reader software, with users' email addresses, full names, hashed passwords, company names, IP addresses, and other system-related information.

https://www.techradar.com/au/news/popular-pdf-reader-has-database-of-77-miliion-users-hacked-and-leaked-online

Ransomware victims that have backups are paying ransoms to stop hackers leaking their stolen data

Some organisations that fall victim to ransomware attacks are paying ransoms to cyber-criminal gangs despite being able to restore their own networks from backups, in order to prevent hackers publishing stolen data. Over the course of the past year, many of the most successful ransomware gangs have added an additional technique in an effort to coerce victims into paying ransoms after compromising their networks – publishing stolen data if a payment isn't received.

https://www.zdnet.com/article/ransomware-victims-that-have-backups-are-paying-ransoms-to-stop-hackers-leaking-their-stolen-data/

GDPR fines skyrocket as EU gets tough on data breaches

Europe’s new privacy protection regime has led to a surge in fines for bad actors, according to research published today. Law firm DLA Piper says that, since January 28th, 2020, the EU has issued around €158.5 million (around $192 million) in financial penalties. That’s a 39-percent increase on the previous 20-month period Piper examined in its report, published this time last year. And as well as the increased fines, the number of breach notifications has shot up by 19 percent across the same 12-month period.

https://www.engadget.com/gdpr-fines-dla-piper-report-144510440.html

Malware incidents on remote devices increase

Devices compromised by malware in 2020, 37% continued accessing corporate emails after being compromised and 11% continued accessing cloud storage, highlighting a need for organizations to better determine how to configure business tools to ensure fast and safe connectivity for all users in 2021.

https://www.helpnetsecurity.com/2021/01/18/malware-incidents-remote-devices/

Threats

Phishing

• Phishing scam had all the bells and whistles—except for one

• Cyber Criminals Leave Stolen Phishing Credentials in Plain Sight

Malware

• Malware found on laptops given out by government

• Macs Do Get Malware And This Nasty Cryptomining Payload Has Been In Hiding For 5 Years

Vulnerabilities

• Signal and other video chat apps found to have some major security flaws

• Automated exploit of critical SAP SolMan vulnerability detected in the wild

• List of DNSpooq vulnerability advisories, patches, and update

• Dnsmasq vulnerabilities open networking devices, Linux distros to DNS cache poisoning

• Critical Cisco SD-WAN Bugs Allow RCE Attacks

• New FreakOut botnet targets Linux systems running unpatched software

Data Breaches

• Health Insurer Fined $5.1m Over Data Breach

• Ubiquiti breach, and other IoT security problems

Denial of Service

• Windows RDP servers are being abused to amplify DDoS attacks

Cloud

• Hackers hijacked cloud accounts of high-tech and aviation firms, hid in systems for years

Privacy

• Is your boss spying on you as you work from home? One in five firms admit using secret software

Other News

• Last-minute Trump order adds new security regulation to cloud providers

• FBI warns of voice phishing attacks targeting employees at large companies

• Microsoft Defender is boosting its response to malware attacks by changing a key setting

• Hacker posts 1.9 million Pixlr user records for free on forum

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Top Cyber Headlines of the Week

SolarWinds hack may be much worse than originally feared

The Russia-linked SolarWinds hack which targeted US government agencies and private corporations may be even worse than officials first realized, with some 250 federal agencies and business now believed affected.

Microsoft has said the hackers compromised SolarWinds’ Orion monitoring and management software, allowing them to “impersonate any of the organisation’s existing users and accounts, including highly privileged accounts.” The Times reports that Russia exploited layers of the supply chain to access the agencies’ systems.

https://www.theverge.com/2021/1/2/22210667/solarwinds-hack-worse-government-microsoft-cybersecurity

Threat actor is selling 368.8 million records from 26 data breaches

Security experts reported that a threat actor is selling user records allegedly stolen from twenty-six companies on a hacker forum.

The total volume of data available for sale is composed of 368.8 million stolen user records.

For some of these companies, the data breaches have not been previously disclosed, including Teespring.com, MyON.com, Chqbook.com, Anyvan.com, Eventials.com, Wahoofitness.com, Sitepoint.com, and ClickIndia.com.

https://securityaffairs.co/wordpress/112842/data-breach/data-breaches-records-sale.html

The Worst Hacks of 2020, a Surreal Pandemic Year

WHAT A WAY to kick off a new decade. 2020 showcased all of the digital risks and cybersecurity woes you've come to expect in the modern era, but this year was unique in the ways Covid-19 radically and tragically transformed life around the world. The pandemic also created unprecedented conditions in cyberspace, reshaping networks by pushing people to work from home en masse, creating a scramble to access vaccine research by any means, generating new fodder for criminals to launch extortion attempts and scams, and producing novel opportunities for nation-state espionage.

https://www.wired.com/story/worst-hacks-2020-surreal-pandemic-year/

A Nasty Strain of malware is back and hits 100K recipients per day

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542. In the middle-August, the malware was employed in fresh COVID19-themed spam campaign Recent spam campaigns used messages with malicious Word documents, or links to them, pretending to be an invoice, shipping information, COVID-19 information, resumes, financial documents, or scanned documents.

https://securityaffairs.co/wordpress/112650/malware/december-emotet-redacted.html

Ransomware in 2020: A Banner Year for Extortion

From attacks on the UVM Health Network that delayed chemotherapy appointments, to ones on public schools that delayed students going back to the classroom, ransomware gangs disrupted organizations to inordinate levels in 2020. Remote learning platforms shut down. Hospital chemotherapy appointments cancelled. Ransomware attacks in 2020 dominated as a top threat vector this past year. Couple that with the COVID-19 pandemic, putting strains on the healthcare sector, and we witnessed ransomware exact a particularly cruel human toll as well. Attacks had an impact on nearly all sectors of the global economy – costing business $20 billion collectively and creating major cybersecurity headaches for others.

https://threatpost.com/ransomware-2020-extortion/162319/

Ransomware Is Headed Down a Dire Path

AT THE END of September, an emergency room technician in the United States gave WIRED a real-time account of what it was like inside their hospital as a ransomware attack raged. With their digital systems locked down by hackers, health care workers were forced onto backup paper systems. They were already straining to manage patients during the pandemic; the last thing they needed was more chaos. "It is a life-or-death situation," the technician said at the time.

The same scenario was repeated around the country this year, as waves of ransomware attacks crashed down on hospitals and health care provider networks, peaking in September and October. School districts, meanwhile, were walloped by attacks that crippled their systems just as students were attempting to come back to class, either in person or remotely. Corporations and local and state governments faced similar attacks at equally alarming rates.

https://www.wired.com/story/ransomware-2020-headed-down-dire-path/

Russia’s global hacking efforts are going to unwind in 2021

Russia has become adept at using cyberattacks and digital-media manipulation to influence events in other countries. We know there was Russian digital interference in the 2016 US general election and the 2017 presidential election in France: both involved fake social-media accounts and “hack-and-leak” operations to steal emails. The UK government has not investigated whether, as must be probable, Russia had also been using its tools of covert subversion during the Scottish independence and Brexit referenda, but it has said that it is almost certain that Russian actors sought to interfere in the 2019 general election through the online dissemination of illicitly acquired government documents, thought to relate to US/UK trade negotiations.

https://www.wired.co.uk/article/uk-us-russia-hacking

Threats

IOT

FBI Warn Hackers are Using Hijacked Home Security Devices for ‘Swatting’

Malware

New Golang worm turns Windows and Linux servers into monero miners

Emotet malware hits Lithuania's National Public Health Centre

GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic

Vulnerabilities

Cross-layer attacks: New hacking technique raises DNS cache poisoning, user tracking risk

Windows Zero-Day Still Circulating After Faulty Fix

Backdoor account discovered in more than 100,000 Zyxel firewalls, VPN gateways

Data Breaches

T-Mobile warns customers of second data breach in less than a year

Kawasaki discloses security breach, potential data leak

Finland says hackers accessed MPs' emails accounts

Organised Crime

21 arrests in nationwide cyber crackdown

Nation State Actors

India: A Growing Cyber Security Threat

Denial of Service

Citrix devices are being abused as DDoS attack vectors

Privacy

Mapped: The Top Surveillance Cities Worldwide

Cryptocurrency

Voyager cryptocurrency broker halted trading due to cyber attack

Other News

Brexit deal mentions Netscape browser and Mozilla Mail

6 Questions Attackers Ask Before Choosing an Asset to Exploit

Deepfake queen to deliver Channel 4 Christmas message

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Top Cyber Headlines of the Week

The Cyber Threat Is Real and Growing

The SolarWinds breach could be one of the most significant cyber incidents in history. Russian intelligence—likely the SVR, the foreign-intelligence branch—infiltrated and sat undetected on U.S. and other government networks for nearly 10 months. It was a sophisticated, smart and savvy attack that should alarm the public and private sectors.

We may not know the full extent of the damage for some time. Don’t be surprised if more government entities disclose that they too were victims of this attack. Don’t be surprised either if it emerges that private companies were hit. SolarWinds says it has more than 300,000 customers, including 400 companies in the Fortune 500. That’s a lot of potential victims.

https://www.wsj.com/articles/the-cyber-threat-is-real-and-growing-11608484291

Ransomware Attacks Surge in Q3 as Cyber Criminals Shift Tactics

A record growth in ransomware attacks took place in Q3 of 2020 compared to Q2, from 39% to 51% of all malware attempts according to a new study. The study also found that hacking accounted for 30% of all attacks during Q3, with cyber criminals reducing their emphasis on social engineering tactics compared with earlier this year. The researchers noted that the percentage of social engineering attacks using COVID-19 as a lure fell from 16% in Q2 to just 4% in Q3, which they attribute to people becoming more accustomed to this crisis. Additionally, social engineering attacks targeting organizations fell from 67% of all attempts in Q1 to under half (45%) in Q3.

https://www.infosecurity-magazine.com/news/ransomware-attacks-surge-q3/

In 2021, there will be a cyber attack every 11 seconds. Here’s how to protect yourself

Experienced outdoor athletes know that with winter rapidly approaching, the secret to success lies in protecting the core. That is, the body’s core temperature through layering, wicking and a host of ever-improving technical fabrics that prevent the cold, snow and ice from affecting performance. The same could be said for cyber security. With organizations and workers now in their ninth month of COVID-19, the time has come to prepare as the threat of cyber attacks becomes even more menacing.

https://theprint.in/tech/in-2021-there-will-be-a-cyberattack-every-11-seconds-heres-how-to-protect-yourself/565616/

The US, and much of the West, has suffered a massive cyber breach. It's hard to overstate how bad it is

Recent news articles have all been talking about the massive Russian cyber-attack against the United States, but that’s wrong on two accounts. It wasn’t a cyber-attack in international relations terms, it was espionage. And the victim wasn’t just the US, it was the entire world. But it was massive, and it is dangerous.

Espionage is internationally allowed in peacetime. The problem is that both espionage and cyber-attacks require the same computer and network intrusions, and the difference is only a few keystrokes. And since this Russian operation isn’t at all targeted, the entire world is at risk – and not just from Russia. Many countries carry out these sorts of operations, none more extensively than the US. The solution is to prioritize security and defense over espionage and attack.

https://www.theguardian.com/commentisfree/2020/dec/23/cyber-attack-us-security-protocols

Big tech companies including Intel, Nvidia, and Cisco were all infected during the SolarWinds hack

Last week, news broke that IT management company SolarWinds had been hacked, possibly by the Russian government, and the US Treasury, Commerce, State, Energy, and Homeland Security departments have been affected — two of which may have had emails stolen as a result of the hack. Other government agencies and many companies are investigating due to SolarWinds’ extensive client list. The Wall Street Journal is now reporting that some big tech companies have been infected, too.

Cisco, Intel, Nvidia, Belkin, and VMware have all had computers on their networks infected with the malware. There could be far more: SolarWinds had stated that “fewer than 18,000” companies were impacted, as if that number is supposed to be reassuring, and it even attempted to hide the list of clients who used the infected software. Today’s news takes some of SolarWinds’ big-name clients from “possibly affected’’ to “confirmed affected.”

https://www.theverge.com/2020/12/21/22194183/intel-nvidia-cisco-government-infected-solarwinds-hack

Researchers share the lists of victims of SolarWinds hack

Security experts started analyzing the DGA mechanism used by threat actors behind the SolarWinds hack to control the Sunburst/Solarigate backdoor and published the list of targeted organizations. Researchers from multiple cybersecurity firms published a list that contains major companies, including Cisco, Deloitte, Intel, Mediatek, and Nvidia. The researchers decoded the DGA algorithm used by the backdoor to assign a subdomain of the C2 for each of the compromised organizations.

https://securityaffairs.co/wordpress/112555/hacking/solarwinds-victims-lists.html

Threats

Ransomware

Ransomware: Attacks could be about to get even more dangerous and disruptive

IOT

New Critical Flaws in Treck TCP/IP Stack Affect Millions of IoT Devices

Malware

Emotet Returns to Hit 100K Mailboxes Per Day

Microsoft has discovered yet more SolarWinds malware

3 million users hit with infected Google Chrome and Microsoft Edge extensions

Vulnerabilities

Windows zero-day with bad patch gets new public exploit code

Script for detecting vulnerable TCP/IP stacks released

New SUPERNOVA backdoor found in SolarWinds cyberattack analysis

Smart Doorbell Disaster: Many Brands Vulnerable to Attack

Zero-day exploit used to hack iPhones of Al Jazeera employees

Signal: Cellebrite claimed to have 'cracked' chat app's encryption

Data Breaches

There's been a Nintendo Switch data leak, according to reports

Data breach hits 30,000 signed up to workplace pensions provider

Thousands of customer records exposed after serious data breach

Organised Crime

Cyber criminals have started indexing the dark web

Joker’s Stash Carding Site Taken Down

International sting shuts down 'favourite' VPN of cyber criminals

Dark Web Pricing Skyrockets for Microsoft RDP Servers, Payment-Card Data

NSA Warns of Hacking Tactics That Target Cloud Resources

Denial of Service

Cloudflare has identified a new type of DDoS attack inspired by an acoustic beat

Privacy

The pandemic has taken surveillance of workers to the next level

Other News

Dozens of Al Jazeera journalists allegedly hacked using Israeli firm's spyware

Cyber Insurance Market Expected to Surge in 2021

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Top Cyber Headlines of the Week

Cyber crime is 'a constant threat' to SMEs

Criminals are diversifying and growing more dangerous, while SMEs remain complacent and mostly oblivious to the threats.

With a quarter of small and medium-sized enterprises (SME) falling victim to a cyberattack in the last 12 months, the threat towards these organizations is constant. This is according to a new report from Direct Line – Business, which claims that businesses aren't doing all they can to stay safe.

The report states that, if a cyber attack were to occur, many organisations would find themselves in a seriously dangerous position given they hold less than $13,000 in cash reserves. Besides financial damage, many should also expect damaged client and customer relationships due to eroded trust.

With cybercriminals diversifying into different methods of attack, SMEs need to stay vigilant on multiple fronts. Phishing is still the most popular weapon for criminals, the report states, but malware and ransomware, as well as DDoS attacks, are also notable mentions.

https://www.itproportal.com/features/cybercrime-is-a-constant-threat-to-smes/

The most common passwords of 2020 are atrocious

Bottom line: Choosing secure passwords has never been humanity’s strong suit and let’s face it, it’s never going to be. People simply have too many accounts to protect these days, leading to poor practices such as simplifying passwords to make them easier to remember and reusing the same password across multiple accounts.

https://www.techspot.com/news/87657-most-common-passwords-2020-atrocious.html#Share

Why ransomware is still so successful: Over a quarter of victims pay the ransom

Over a quarter of organisations that fall victim to ransomware attacks opt to pay the ransom as they feel as if they have no other option than to give into the demands of cyber criminals – and the average ransom amount is now more than $1 million.

https://www.zdnet.com/article/why-ransomware-is-still-so-successful-over-a-quarter-of-victims-pay-the-ransom/

Cyber crime is maturing. Here are 6 ways organisations can keep up

In 2020, the world has experienced many challenges. Among them, hastened digitalisation has brought new opportunities but also new risks. According to the World Economic Forum Global Risks Report 2020, cyber attacks rank first among global human-caused risks and RiskIQ predicts that by 2021 cyber crime will cost the world $11.4 million each minute.

https://www.weforum.org/agenda/2020/11/how-to-protect-companies-from-cybercrime/

Ransomware-as-a-service: The pandemic within a pandemic

Ransomware is a massive problem. But you already knew that.

Technical novices, along with seasoned cyber security professionals, have witnessed over the past year a slew of ransomware events that have devastated enterprises around the world. Even those outside of cyber security are now familiar with the concept: criminals behind a keyboard have found a way into an organization’s system, prevented anyone from actually using it by locking it up, and won’t let anyone resume normal activity until the organization pays a hefty fee.

https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/

CISOs say a distributed workforce has critically increased security concerns

73% of security and IT executives are concerned about new vulnerabilities and risks introduced by the distributed workforce, Skybox Security reveals.

The report also uncovered an alarming disconnect between confidence in security posture and increased cyberattacks during the global pandemic.

https://www.helpnetsecurity.com/2020/11/18/distributed-workforce-security/

Threats

Ransomware

Capcom confirms Ragnar Locker ransomware attack, data exposure

Capcom has confirmed that a recent security incident was due to a Ragnar Locker ransomware infection, potentially leading to the exposure of customer records.

This week, the Japanese gaming giant confirmed that the company had fallen prey to "customized ransomware" which gave attackers unauthorised access to its network -- as well as the data stored on Capcom Group systems.

https://www.zdnet.com/article/capcom-confirms-ransomware-attack-potential-theft-of-customer-employee-data/

Ransomware attack forces web hosting provider Managed.com to take servers offline

One of the biggest providers of managed web hosting solutions, has taken down all its servers in order to deal with a ransomware attack.

The ransomware impacted the company's public facing web hosting systems, resulting in some customer sites having their data encrypted.

The incident only impacted a limited number of customer sites, which the company said it immediately took offline.

https://www.zdnet.com/article/web-hosting-provider-managed-shuts-down-after-ransomware-attack/

Phishing

Office 365 phishing campaign detects sandboxes to evade detection

Microsoft is tracking an ongoing Office 365 phishing campaign that makes use of several methods to evade automated analysis in attacks against enterprise targets.

"We’re tracking an active credential phishing attack targeting enterprises that uses multiple sophisticated methods for defence evasion and social engineering," Microsoft said.

"The campaign uses timely lures relevant to remote work, like password updates, conferencing info, helpdesk tickets, etc."

https://www.bleepingcomputer.com/news/security/office-365-phishing-campaign-detects-sandboxes-to-evade-detection/

Malware

Adult site users targeted with ZLoader malware via fake Java update

A malware campaign ongoing since the beginning of the year has recently changed tactics, switching from exploit kits to social engineering to target adult content consumers.

The operators use an old trick to distribute a variant of ZLoader, a banking trojan that made a comeback earlier this year after an absence of almost two years, now used as an info stealer.

https://www.bleepingcomputer.com/news/security/adult-site-users-targeted-with-zloader-malware-via-fake-java-update/

Lazarus malware strikes South Korean supply chains

Lazarus malware has been tracked in new campaigns against South Korean supply chains, made possible through stolen security certificates.

Cyber security researchers reported the abuse of the certificates, stolen from two separate, legitimate South Korean companies.

https://www.zdnet.com/article/lazarus-malware-strikes-south-korean-supply-chains/

Malware activity spikes 128%, Office document phishing skyrockets

The report demonstrates threat actors becoming even more ruthless. Throughout Q3, hackers shifted focus from home networks to overburdened public entities, including the education sector and the Election Assistance Commission (EAC). Malware campaigns, like Emotet, utilized these events as phishing lure themes to assist in delivery.

https://www.helpnetsecurity.com/2020/11/13/malware-activity-q3-2020/

Cloud

Attackers can abuse a misconfigured IAM role across 16 Amazon services

Researchers at Palo Alto’s Unit 42 have confirmed that they have compromised a customer’s AWS cloud account with thousands of workloads using a misconfigured identity and access management (IAM) role.

https://www.scmagazine.com/home/security-news/cloud-security/attackers-can-abuse-a-misconfigured-iam-role-across-16-aws-services/

Vulnerabilities

More than 245,000 Windows systems still remain vulnerable to BlueKeep RDP bug

A year and a half after Microsoft disclosed the BlueKeep vulnerability impacting the Windows RDP service, more than 245,000 Windows systems still remain unpatched and vulnerable to attacks.

The number represents around 25% of the 950,000 systems that were initially discovered to be vulnerable to BlueKeep attacks during a first scan in May 2019.

https://www.zdnet.com/article/more-than-245000-windows-systems-still-remain-vulnerable-to-bluekeep-rdp-bug/

Windows Kerberos authentication breaks due to security updates

Microsoft is investigating a new known issue causing enterprise domain controllers to experience Kerberos authentication problems after installing security updates released to address CVE-2020-17049 during this month's Patch Tuesday, on November 10.

https://www.bleepingcomputer.com/news/microsoft/windows-kerberos-authentication-breaks-due-to-security-updates/

Cisco Patches Critical Flaw After PoC Exploit Code Release

A critical path-traversal flaw exists in Cisco Security Manager that lays bare sensitive information to remote, unauthenticated attackers.

A day after proof-of-concept (PoC) exploit code was published for a critical flaw in Cisco Security Manager, Cisco has hurried out a patch.

https://threatpost.com/critical-cisco-flaw-sensitive-data/161305/

Widespread Scans Underway for RCE Bugs in WordPress Websites

WordPress websites using buggy Epsilon Framework themes are being hunted by hackers.

Millions of malicious scans are rolling across the internet, looking for known vulnerabilities in the Epsilon Framework for building WordPress themes, according to researchers.

According to the Wordfence Threat Intelligence team, more than 7.5 million probes targeting these vulnerabilities have been observed, against more than 1.5 million WordPress sites, just since Tuesday.

https://threatpost.com/widespread-scans-rce-bugs-wordpress-websites/161374/

Webex fixed some seriously spooky security flaws

Cisco has patched several troubling security vulnerabilities in its Webex video conferencing service.

The flaws in the video conferencing software were flagged. Researchers took a deeper look at the collaboration tools being used for day-to-day work to better understand how they could impact sensitive meetings now being held virtually. During its investigation, the company's security researchers discovered three vulnerabilities in Webex.

https://www.techradar.com/news/cisco-webex-had-some-very-spooky-security-flaws

Data Breaches

Animal Jam was hacked, and data stolen; here’s what parents need to know

WildWorks,  the gaming company that makes the popular kids game Animal Jam, has confirmed a data breach.

Animal Jam is one of the most popular games for kids, ranking in the top five games in the 9-11 age category in Apple’s App Store in the U.S., according to data provided by App Annie. But while no data breach is ever good news, WildWorks has been more forthcoming about the incident than most companies would be, making it easier for parents to protect both their information and their kids’ data.

https://techcrunch.com/2020/11/16/animal-jam-data-breach/

Crown Prosecution Service guilty of ‘serious’ data breaches

Prosecutors are routinely guilty of “serious” data breaches that can endanger the public by disclosing addresses of people who report crimes, a watchdog has revealed.

Independent assessors of the Crown Prosecution Service found that prosecutors in England and Wales were responsible for “a significant number of data security breaches”.

https://www.thetimes.co.uk/article/crown-prosecution-service-guilty-of-serious-data-breaches-k7vhl0hnf

Privacy

MacOS Big Sur reveals Apple secretly hates your VPN and firewall

If you're using a Mac VPN and recently updated your device to Big Sur, your privacy may be at risk as it was discovered that Apple apps are able to bypass both firewalls and VPN services in the company's latest version of macOS.

Twitter user mxswd first spotted the issue back in October and provided more details in a tweet which reads: “Some Apple apps bypass some network extensions and VPN Apps. Maps for example can directly access the internet bypassing any NEFilterDataProvider or NEAppProxyProviders you have running”.

https://www.techradar.com/uk/news/macos-big-sur-reveals-apple-secretly-hates-your-vpn-and-firewall

Server failure unearths massive macOS tracking plans

More serious doubts have been raised about Apple's snooping tactics following fresh revelations about the company's macOS software. We’ve already reported how apps in the latest release of macOS can bypass firewalls and VPNs and how the release was bricking some older MacBook Pro machines.

https://www.techradar.com/news/server-failure-unearths-massive-macos-tracking-plans

Employee surveillance software demand increased as workers transitioned to home working

As people hunkered down to work from home during COVID-19, companies turned to employee surveillance software to track their staff.

What does the rise of intrusive tools such as employee surveillance software mean for workers at home?

A new study shows that the demand for employee surveillance software was up 55% in June 2020 compared to the pre-pandemic average. From webcam access to random screenshot monitoring, these surveillance software products can record almost everything an employee does on their computer.

https://www.zdnet.com/article/employee-surveillance-software-demand-increased-as-workers-transitioned-to-home-working/

Los Angeles police ban facial recognition software and launch review after officers accused of unauthorized use

The Los Angeles police department (LAPD) has banned commercial facial recognition software and launched a review after 25 officers were accused of using it unofficially to try to identify people.

https://www.theregister.com/2020/11/19/lapd_facial_recogntion/

Nation State Actors

More than 200 systems infected by new Chinese APT 'FunnyDream'

A new Chinese state-sponsored hacking group (also known as an APT) has infected more than 200 systems across Southeast Asia with malware over the past two years.

The malware infections are part of a widespread cyber-espionage campaign carried out by a group named FunnyDream, according to a new report published today by security firm Bitdefender.

The attacks have primarily targeted Southeast Asian governments. While Bitdefender has not named any victim countries, a report published earlier this spring by fellow security firm Kaspersky Lab has identified FunnyDream targets in Malaysia, Taiwan, and the Philippines, with the most victims being located in Vietnam.

https://www.zdnet.com/article/more-than-200-systems-infected-by-new-chinese-apt-funnydream/

Massive, China-state-funded hack hits companies around the world, report says

Attacks are linked to Cicada, a group believed to be funded by the Chinese state.

Researchers have uncovered a massive hacking campaign that’s using sophisticated tools and techniques to compromise the networks of companies around the world.

The hackers, most likely from a well-known group that’s funded by the Chinese government, are outfitted with both off-the-shelf and custom-made tools. One such tool exploits Zerologon, the name given to a Windows server vulnerability, patched in August, that can give attackers instant administrator privileges on vulnerable systems.

https://arstechnica.com/information-technology/2020/11/massive-china-state-funded-hack-hits-companies-around-the-word-report-says/

Other News

Hackers are leaning more heavily on cloud resources

Underground cloud services may seem like an oxymoron, but they are quite real, and criminals are using them to speed up attacks and leave very little room for compromised businesses to react.

This is according to a new report from cybersecurity firm Trend Micro, which found terabytes of internal business data and logins - including for Google, Amazon and PayPal - for sale on the dark web.

https://www.itproportal.com/news/hackers-are-leaning-more-heavily-on-cloud-resources/

CEOs Will Be Personally Liable for Cyber-Physical Security Incidents by 2024

Digital attack attempts in industrial environments are on the rise. In February 2020, IBM X-Force reported that it had observed a 2,000% increase in the attempts by threat actors to target Industrial Control Systems (ICS) and Operational Technology (OT) assets between 2018 and 2020. This surge eclipsed the total number of attacks against organizations’ industrial environments that had occurred over the previous three years combined.

https://www.tripwire.com/state-of-security/risk-based-security-for-executives/ceo-personally-liable-cyber-physical-security-incidents/

Reports Published in the Last Week

Sophos 2021 Threat Report: Navigating cybersecurity in an uncertain world

https://nakedsecurity.sophos.com/2020/11/18/sophos-threat-report-2021/

Verizon Releases First Cyber-Espionage Report

https://www.infosecurity-magazine.com/news/verizon-releases-first-cyber/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest of open source intelligence (OSINT), collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.

Top Cyber Headlines of the Week

2020 could be 'the worst year in cyber security history'

Businesses around the world are severely unprepared to face the sheer scale of cyber threats facing us today, new research has claimed.

The latest 2020 Business Threat Landscape report from security firm Bitdefender has said that this could be the worst year in cyber security history, as despite multiple warnings, many firms still aren't ready to protect themselves.

Bitdefender's report found that the "new normal" of remote working had led many businesses to face difficulties in ensuring their online protection, with 50% of organisations "completely unprepared" to face a scenario in which they had to migrate their entire workforce in a working from home environment.

https://www.techradar.com/news/2020-could-be-the-worst-year-in-cybersecurity-history

Two-Thirds of Financial Services Firms Suffered Cyber-Attack in the Past Year

Almost two-thirds (65%) of large financial services companies have suffered a cyber attack in the past year, while 45% have experienced a rise in attack attempts since the start of the COVID-19 pandemic.

This is according to new research from HelpSystems, which surveyed 250 CISOs and CIOs in global financial services firms about the impact of the pandemic on their cybersecurity.

It highlighted that these organisations are taking cybersecurity increasingly seriously, with 92% stating that they have increased investment in this area over the past 12 months, with 26% doing so by a significant amount. The main targets of this investment have included secure file transfer (64%), protecting the remote workforce (63%) and cloud/office365 (56%).

https://www.infosecurity-magazine.com/news/two-thirds-financial-services/

Proofpoint survey: IT security leaders worry about and are ill-prepared to defeat cyber-attacks

IT security leaders say they are ill-prepared for a cyber attack and believe that human error and a lack of security awareness are major risk factors for their organisations, according to a series of reports and surveys from cyber security vendor Proofpoint. But there are some marked variations in both the rates and the types of cyber attack between the regions surveyed.

It’s a dynamic attack landscape: in the DACH countries of Germany, Austria and Switzerland 67 per cent of IT security leaders say they have suffered at least one attack in the last 12 months, while in Benelux 72 per cent of respondents say their business has suffered at least one cyber attack in the same time period. In Sweden 59 per cent of businesses have been attacked at least once, while in the UAE the figure is much higher at 82 per cent - with 51 per cent of IT security leaders in the UAE saying their business has been targeted multiple times.

https://www.theregister.com/2020/11/05/proofpoint_survey_it_security_leaders/

Akamai sees doubling in malicious internet traffic as remote world’s bad actors boom, too

Akamai Technologies’ CEO said he is impressed by the amazing traffic levels on the internet during the coronavirus pandemic, and the world technology infrastructure’s ability to handle it. But during the stay-at-home boom, the web and cyber security expert also has been closely watching a boom in bad actors.

With so many people working from home, hackers are taking advantage, and massively increasing the number of attacks as daily routine changes caused by the pandemic are prolonged, and become potentially permanent.

“I think the threat actors are trying to take advantage of the pandemic, and of course, the prize is greater now that so much business has moved online”

Quarter-over-quarter — Akamai reported its Q3 results this week — the cyber security and cloud computing company has tracked a doubling of malicious traffic as telecommuting makes for easier targets.

https://www.cnbc.com/2020/10/29/akamai-malicious-net-traffic-doubles-as-remote-world-bad-actors-boom.html

Attacks Against Microsoft’s Remote Desktop Protocol Soar Under Work From Home Measures

The number of Remote Desktop Protocol (RDP) attacks soared by 140% in Q3 compared with the previous quarter, as cyber criminals looked to take advantage of companies relying on remote access while working from home.

RDP makes it possible for one computer to connect to another over a network and control it as though the individual was sat at the keyboard themselves. While the Microsoft tool is useful for businesses and popular among IT administrators, it has increasingly been targeted by hackers who try to gain administrator access to company servers. Once inside they are able to disable security software, steal files, delete data and install malicious software.

Slovak internet security firm ESET detected the surge between July and September, with the number of separate companies reporting brute-force attacks against their RDP connection increasing by 37% quarter-over-quarter.

https://www.verdict.co.uk/rdp-attacks-eset/

Threats

Ransomware

Ransomware gangs that steal your data don't always delete it

Ransomware gangs that steal a company's data and then get paid a ransom fee to delete it don't always follow through on their promise.

The number of cases where something like this has happened has increased, according to a report published by Coveware this week and according to several incidents shared by security researchers with ZDNet researchers over the past few months.

https://www.zdnet.com/article/ransomware-gangs-that-steal-your-data-dont-always-delete-it/

Spike in Emotet activity could mean big payday for ransomware gangs

There's been a massive increase in Emotet attacks and cyber criminals are taking advantage of machines compromised by the malware to launch more malware infections as well as ransomware campaigns.

The October 2020 HP-Bromium Threat Insights Report reports a 1,200% increase in Emotet detections from July to September compared to the previous three months in which deployment of the malware appeared to decline.

https://www.zdnet.com/article/spike-in-emotet-activity-could-mean-big-payday-for-ransomware-gangs/

Italian beverage vendor Campari knocked offline after ransomware attack

Campari Group, the famed Italian beverage vendor behind brands like Campari, Cinzano, and Appleton, has been hit by a ransomware attack and has taken down a large part of its IT network.

The attack took place last Sunday, on November 1, and has been linked to the RagnarLocker ransomware gang, according to a copy of the ransom note shared with ZDNet by a malware researcher who goes online by the name of Pancak3.

https://www.zdnet.com/article/italian-beverage-vendor-campari-knocked-offline-after-ransomware-attack/

Hackney Council still working to restore services as IT boss describes horror at cyber attack

Hackney’s director of information communication technology (ICT) Rob Miller was playing football with his family on a Sunday morning early in October when he got a message letting him know there was a systems outage being investigated at the Town Hall.

By the end of Sunday, the council had moved swiftly to shut down its systems, declared an emergency and notified national agencies after Miller’s team found “clear markers” that the local authority had been hit by a serious cyber attack.

https://www.hackneycitizen.co.uk/2020/11/04/council-still-working-restore-services-boss-horror-cyber-attack/

Leading toy maker Mattel hit by ransomware

Toy industry giant Mattel disclosed that they suffered a ransomware attack in July that impacted some of its business functions but did not lead to data theft.

Mattel is the second-largest toymaker in the world with 24,000 employees and $5.7 billion in revenue for 2019. Mattel is known for its popular brands, including Barbie, Hot Wheels, Fisher-Price, American Girl, and Thomas & Friends.

https://www.bleepingcomputer.com/news/security/leading-toy-maker-mattel-hit-by-ransomware/

Business Email Compromise (BEC)

BEC attacks increase in most industries, invoice and payment fraud rise by 155%

BEC attacks increased 15% quarter-over-quarter, driven by an explosion in invoice and payment fraud, Abnormal Security research reveals.

“As the industry’s only measure of BEC attack volume by industry, our quarterly BEC research is important for CISOs to prepare and stay ahead of attackers,” said Evan Reiser, CEO of Abnormal Security.

“Not only are BEC campaigns continuing to increase overall, they are rising in 75% of industries that we track. Since these attacks are targeted and sophisticated, these increases could indicate an ability for threat actors to scale that may overwhelm some businesses.”

For this research, BEC campaigns across eight major industries were tracked, including retail/consumer goods and manufacturing, technology, energy/infrastructure, services, medical, media/tv, finance and hospitality.

https://www.helpnetsecurity.com/2020/11/03/bec-attacks-increase-quarter-over-quarter/

Phishing

Sneaky Office 365 phishing inverts images to evade detection

A creative Office 365 phishing campaign has been inverting images used as backgrounds for landing pages to avoid getting flagged as malicious by crawlers designed to spot phishing sites.

These inverted backgrounds are commonly used as part of phishing kits that attempt to clone legitimate login pages as closely as possible to harvest a target's credentials by tricking them into entering them into a fake login form.

https://www.bleepingcomputer.com/news/security/sneaky-office-365-phishing-inverts-images-to-evade-detection/

The BBC Experiences Over 250,000 Malicious Email Attacks Per Day

The British Broadcasting Corporation (BBC), the UK’s public service broadcaster, faces in excess of a quarter of a million malicious email attacks every day, according to data obtained following a Freedom of Information (FoI) request.

The corporation blocked an average of 283,597 malicious emails per day during the first eight months of 2020.

According to the data, every month the BBC receives an average of 6,704,188 emails that are classified as scam or spam as well as 18,662 malware attacks such as viruses, ransomware and spyware. In total, 51,898,393 infected emails were blocked in the period from January to August 2020.

The month which contained the highest amount of recorded incidents was July, when the BBC received 6,787,635 spam and 13,592 malware attempts. The next highest was March, when the COVID-19 first struck the UK, with 6,768,632 spam emails and 14,089 malware attacks.

https://www.infosecurity-magazine.com/news/bbc-experiences-malicious-email/

Malware

US Cyber Command exposes new Russian malware

US Cyber Command has exposed eight new malware samples that were developed and deployed by Russian hackers in recent attacks

Six of the eight samples are for the ComRAT malware (used by the Turla hacking group), while the other two are samples for the Zebrocy malware (used by the APT28 hacking group).

Both ComRAT and Zebrocy are malware families that have been used by Russia hacking groups for years, with ComRAT being deployed in attacks for more than a decade, having evolved from the old Agent.BTZ malware.

https://www.zdnet.com/article/us-cyber-command-exposes-new-russian-malware/

IoT

New data shows just how badly home users overestimate IoT security

A new survey from the National Cyber Security Alliance (NCSA) shows adult workers vastly overestimate the security of the internet devices in their homes.

The survey polled 1,000 adults – 500 aged 18-34 and 500 aged 50-75 – and found that the overwhelming majority of both believed the internet of things devices they owned were secure.

IoT devices, particularly those that are cheap, outdated and hard to upgrade, are widely considered to be an easy target for hackers.  Yet 87 percent of the younger group and 77 percent of the older group said they were either “somewhat” or “very confident” in the security of their connected things

https://www.scmagazine.com/home/security-news/with-work-from-home-booming-new-data-shows-just-how-badly-home-users-overestimate-iot-security/

Vulnerabilities

Windows 10 zero-day could allow hackers to seize control of your computer

A security bug has been discovered that affects every version of the Windows operating system, from Windows 7 to Windows 10. The vulnerability can be found within the Windows Kernel Cryptography Driver and enables attackers to gain admin-level control of a victim’s computer.

The flaw was discovered by Google’s Project Zero security team, which subsequently notified Microsoft. The Redmond-based firm was given seven days to patch the bug before Google published further details – a task that proved beyond the company. 

https://www.techradar.com/uk/news/windows-10-zero-day-could-allow-hackers-to-seize-control-of-your-computer

Adobe warns Windows, MacOS users of critical acrobat and reader flaws

Adobe has fixed critical-severity flaws tied to four CVEs in the Windows and macOS versions of its Acrobat and Reader family of application software services. The vulnerabilities could be exploited to execute arbitrary code on affected products.

These critical flaws include a heap-based buffer overflow, out-of-bounds write glitch and two use-after free flaws. The bugs are part of Adobe’s regularly scheduled patches, which overall patched critical-, important- and moderate-severity vulnerabilities tied to 14 CVEs.

https://threatpost.com/adobe-windows-macos-critical-acrobat-reader-flaws/160903/

Zero-day in Cisco AnyConnect Secure Mobility Client yet to be fixed

Cisco has disclosed a zero-day vulnerability, in the Cisco AnyConnect Secure Mobility Client software with the public availability of a proof-of-concept exploit code.

The flaw resided in the inter-process communication (IPC) channel of Cisco AnyConnect Client, it can be exploited by authenticated and local attackers to execute malicious scripts via a targeted user.

https://securityaffairs.co/wordpress/110414/security/zero-day-cisco-anyconnect-secure-mobility-client.html

Critical bug actively used to deploy Cobalt Strike on Oracle servers

Threat actors are actively exploiting Oracle WebLogic servers unpatched against CVE-2020-14882 to deploy Cobalt Strike beacons which allow for persistent remote access to compromised devices.

Cobalt Strike is a legitimate penetration testing tool also used by threat actors in post-exploitation tasks and to deploy so-called beacons that enable them to gain persistent remote access.

This later allows them to access the compromised servers to harvest data and to deploy second stage malware payloads.

https://www.bleepingcomputer.com/news/security/critical-bug-actively-used-to-deploy-cobalt-strike-on-oracle-servers/

Oracle Solaris Zero-Day Attack Revealed

A previously known threat group, called UNC1945, has been compromising telecommunications companies and targeting financial and professional consulting industries, by exploiting a security flaw in Oracle’s Solaris operating system.

Researchers said that the group was exploiting the bug when it was a zero-day, long before a patch arrived.

The bug, was recently addressed in Oracle’s October 2020 Critical Patch Update. The vulnerability exists in the Oracle Solaris Pluggable Authentication Module (PAM) and allows an unauthenticated attacker with network access via multiple protocols to exploit and compromise the operating system. Threat actors utilized a remote exploitation tool, which researchers call “EVILSUN,” to exploit the flaw.

https://threatpost.com/oracle-solaris-zero-day-attack/160929/

Data Breaches

Marriott Hotels fined £18.4m for data breach that hit millions

The UK's data privacy watchdog has fined the Marriott Hotels chain £18.4m for a major data breach that may have affected up to 339 million guests.

The Information Commissioner's Office (ICO) said names, contact information, and passport details may all have been compromised in a cyber-attack.

The breach included seven million guest records for people in the UK.

The ICO said the company failed to put appropriate safeguards in place but acknowledged it had improved.

https://www.bbc.co.uk/news/technology-54748843

23,600 hacked databases have leaked from a defunct 'data breach index' site

More than 23,000 hacked databases have been made available for download on several hacking forums and Telegram channels in what threat intel analysts are calling the biggest leak of its kind.

The database collection is said to have originated from Cit0Day.in, a private service advertised on hacking forums to other cybercriminals.

Cit0day operated by collecting hacked databases and then providing access to usernames, emails, addresses, and even cleartext passwords to other hackers for a daily or monthly fee.

Cybercriminals would then use the site to identify possible passwords for targeted users and then attempt to breach their accounts at other, more high-profile sites.

https://www.zdnet.com/article/23600-hacked-databases-have-leaked-from-a-defunct-data-breach-index-site/

Other News

Deloitte's 'Test your Hacker IQ' site fails itself after exposing database user name, password in config file

Suspended sentence for bank IT worker who hacked his boss's webcam because he didn't get a payrise

APT Groups Finding Success with Mix of Old and New Tools

Quantum computing may make current encryption obsolete, a quantum internet could be the solution

Reports Published in the Last Week

NCSC defends UK from more than 700 cyber attacks while supporting national pandemic response

The NCSC's fourth Annual Review reveals its ongoing work against cyber attacks, support for the UK during the coronavirus pandemic.

https://www.ncsc.gov.uk/news/ncsc-defends-uk-700-cyber-attack-national-pandemic

Ransomware Demands continue to rise as Data Exfiltration becomes common, and Maze subdues

The Coveware Quarterly Ransomware Report describes ransomware incident response trends during Q3 of 2020. Ransomware groups continue to leverage data exfiltration as a tactic, though trust that stolen data will be deleted is eroding as defaults become more frequent when exfiltrated data is made public despite the victim paying. In Q3, Coveware saw the Maze group sunset their operations as the active affiliates migrated to Egregor (a fork of Maze). We also saw the return of the original Ryuk group, which has been dormant since the end of Q1.

https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Ransomware attacks are increasing, do you have an emergency plan in place?

Cyber attacks and data breaches can have serious implications for organisations in terms of downtime, financial damage and reputation of the business. Ransomware attacks that seek to encrypt a victim’s data and demand a fee to restore it continue to be prevalent. Unfortunately, the damage caused can be severe and widespread, yet 39% of organizations either have no ransomware emergency plan in place or are not aware if one exists. This is despite more ransomware attacks being recorded in the past 12 months than ever before.

The largest ransomware attack to date – WannaCry – was estimated to have affected more than 200,000 computers across 150 separate countries. Ransomware today is rife and has been exacerbated by the current work-from-home trend.

21% of respondents to a recent survey said they had experienced a ransomware attack, and of those, 26% admitted they couldn’t access any working backup after the attack. Even when organisations could access a working backup, 22% of them could either only restore a partial amount of data or none at all.

In most countries, employees have been working under a completely different set of parameters for a couple of months; ones where new security risks are high and where cybercriminals are finding new ways to exploit any weaknesses they can find.

Read more: https://www.helpnetsecurity.com/2020/07/01/ransomware-emergency-plan/

Further reading: The 11 Biggest Ransomware Attacks Of 2020 (So Far) https://www.crn.com/slide-shows/security/the-11-biggest-ransomware-attacks-of-2020-so-far-?itc=refresh

Microsoft releases emergency update to fix two serious Windows flaws

Microsoft on Tuesday released emergency security patches to plug a pair of serious vulnerabilities in its Windows Codecs library that impact several Windows 10 and Windows Server versions. Indexed as CVE-2020-1425 and CVE-2020-1457, the two remote-code execution (RCE) flaws are rated as ‘critical’ and ‘important’ in severity, respectively.

Both security loopholes have to do with how Microsoft Windows Codecs Library handles objects in memory. An attacker of the first flaw could obtain information to further compromise the user’s system, while successful exploitation of the second flaw could enable attackers to execute arbitrary code on the targeted machine.

Details are very sparse and there’s no word on specific attack vectors, but Microsoft said that exploitation of either vulnerability “requires that a program process a specially crafted image file”. This could, for example, involve luring the target into downloading and opening a malicious image file shared via email or a compromised website.

Read more: https://www.welivesecurity.com/2020/07/01/microsoft-releases-emergency-update-two-serious-windows-flaws/

Researchers Find New Calendar-Based Phishing Campaign

Researchers have once again spotted crooks using calendar invitations to mount phishing attacks using iCalendar. iCalendar is a media type that lets users store and exchange calendaring and scheduling information, including events and tasks.

Whilst this is evidence of a new campaign, this is not a new technique. A similar attack cropped up last June, when researchers found attackers using Google's auto-add feature. In that attack, smartphone users would see the invitation as a pop-up invitation, displaying a link to a phishing URL that asked for their credit card data and personal information.

Read more: https://www.infosecurity-magazine.com/news/calendar-phishing-campaign/

REvil Ransomware Gang Adds Auction Feature for Stolen Data

The REvil ransomware gang (also known as Sodinokibi) has added an auction feature to its underground website that allows anonymous bidding on information stolen in its targeted ransomware campaigns.

The auction capability appeared at the beginning of June and in announcing the feature, REvil included details on its first lot, the firm said, containing accounting information, files and databases stolen from a Canadian agricultural company.

A few days later on June 8, bidding went live, giving interested parties the choice to submit a bid (starting at $50,000) or buy the data outright, with a higher “blitz” price ($100,000).

Other victims whose data went up for sale in auction include a U.S. food distributor (accounts and documents with a starting price of $100,000 and a blitz price of double that); a U.S. law firm (50GB of data including confidential and personal information on clients, with a starting price of $30,000 and a blitz price of $50,000); and a U.S. intellectual property law firm (1.2TB of data including ‘all’ internal documentation, correspondence, patent agreements and client confidential information with a starting price of $1 million and a blitz price of $10 million).

As for why the latter’s data is so valuable, “data stolen from the intellectual property law firm reportedly includes information related to new technologies and unfiled patents that, given the high-profile client list, likely explains the high starting and blitz prices,” the firm noted in a report Monday, adding that the data would possibly be of interest to competitors or even a nation-state seeking to gain economic advantages.

Read more here: https://threatpost.com/revil-ransomware-gang-auction-stolen-data/157006/

Criminals set 'return to work' traps

Just because workers are returning to their offices, that doesn't mean criminals can't still abuse Covid-19 to spread malware and steal sensitive data.

According to a new report criminals are setting “return to work traps”, taking advantage of the training employees need to go through as they return to the office in its new form.

Many workers now need to go through various tutorials, webinars and training sessions, to ensure they are compliant with new workplace rules set up to prevent viral transmission. Sensing an opportunity, cybercriminals are disguising malware as webinar recordings and other educational material.

According to the report, these new practices are mostly reserved for businesses in North America and Europe, where lockdown measures are slowly being eased up and people are being allowed to return to work.

Read more here: https://www.itproportal.com/news/criminals-set-return-to-work-traps/

This new botnet has recruited an army of Windows devices

A new botnet is exploiting close to a dozen high and critical-severity vulnerabilities in Windows systems to turn them into cryptomining clients as well as to launch DDoS attacks.

The malware behind the botnet has been given the name Satan DDoS though security researchers have taken to referring to its as Lucifer in order to avoid confusion with the Satan ransomware.

A security firm began looking into the botnet after discovering it while following multiple incidents involving the exploitation of a critical vulnerability in a component of a web framework which can lead to remote code execution.

At first the Lucifer malware was believed to be used to mine the cryptocurrency Monero. However, it later become apparent that the malware also contains a DDoS component as well as a self-spreading mechanism that uses severe vulnerabilities and brute-forcing to its advantage.

Read more here: https://www.techradar.com/news/this-new-botnet-has-recruited-an-army-of-windows-devices

Cisco SMB routers hit with another major security flaw

Security researchers have discovered a significant cross-site scripting (XSS) vulnerability in the web admin interface of two small business routers from Cisco.

The XSS vulnerability exists in the company's RVO42 and RV042G routers and it provides attackers with an easy way to take control of the devices' web configuration utility.

This could allow an attacker to perform a number of admin actions from viewing and modifying sensitive information to taking control of the router or even having the ability to move laterally and gain access to other systems on the network.

Read more here: https://www.techradar.com/news/cisco-smb-routers-hit-with-another-major-security-flaw

Xerox apparently victim of Maze attack

It appears that Xerox is the latest victim of Maze ransomware attackers, if screenshots posted by the ransomware’s operators are legitimate.

The hackers claim to have obtained more than 100GB of information and are threatening to publish it, according to a reports.

Maze has hit a number of high-profile targets and in recent months has joined forces with other ransomware groups.

Read more: https://www.scmagazine.com/home/security-news/ransomware/xerox-apparent-victim-of-maze-attack/

FakeSpy Android Malware Spread Via ‘Postal-Service’ Apps

Android mobile device users are being targeted in a new SMS phishing campaign that’s spreading the FakeSpy infostealer. The malware, which is disguised as legitimate global postal-service apps, steals SMS messages, financial data and more from the victims’ devices.

The campaign was first discovered several weeks ago targeting South Korean and Japanese speakers, but it has now expanded that targeting to China, Taiwan, France, Switzerland, Germany, the United Kingdom and the United States. The attacker uses text messages as an initial infection vector, prompting the Android recipients to click on a malicious link, in a practice known as SMS phishing or “smishing.”

Read more here: https://threatpost.com/fakespy-android-malware-spread-via-postal-service-apps/157102/

New Mac Ransomware Is Even More Sinister Than It Appears

There haven't been too many strains tailored specifically to infect Apple's Mac computers since the first full-fledged Mac ransomware surfaced four years ago but new findings published this week have highlighted a new example of Mac ransomware called ThiefQuest.

In addition to ransomware, ThiefQuest has a whole other set of spyware capabilities that allow it to exfiltrate files from an infected computer, search the system for passwords and cryptocurrency wallet data, and run a robust keylogger to grab passwords, credit card numbers, or other financial information as a user types it in. The spyware component also lurks persistently as a backdoor on infected devices, meaning it sticks around even after a computer reboots, and could be used as a launchpad for additional, or "second stage," attacks. Given that ransomware is so rare on Macs to begin with, this one-two punch is especially noteworthy.

Read more here: https://www.wired.com/story/new-mac-ransomware-thiefquest-evilquest/

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.