Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

As Ukraine Tensions Rise, UK Organisations Should Protect Themselves From Cyber Threats

In a world that is so dependent on digital assets, cyber resilience is more important than ever. At the National Cyber Security Centre – a part of GCHQ – the mission is to make the UK the safest place to live and work online, but they have said they cannot do it alone. 

Now, at a time of heightened cyber threats, the NCSC is urging all organisations to follow their advice on the steps they should take to improve their resilience.

The UK is closer to the crisis in Ukraine than you might think. While 2,000-odd miles separate us physically from their borders with Russia, that distance is much shorter in cyber space – and attacks targeting Ukraine’s digital infrastructure could be felt here in Britain.

Cyber attacks do not respect geographic boundaries. On a daily basis, businesses in the UK are targeted by ransomware attacks from criminals overseas.

And as tensions have risen in Ukraine in recent weeks, authorities have already seen a number of cyber attacks occurring. On Friday evening, the UK government judged that the Russian Main Intelligence Directorate (GRU) was involved in last week’s distributed denial of service attacks against the financial sector in Ukraine.

If the situation continues to escalate, we could see cyber attacks that have international consequences, intentional or not. Rising tensions in the region, with the risk of overspill, are why the National Cyber Security Centre (NCSC) has said that the UK’s cyber risk has heightened in the last month, although there is no evidence of the UK being specifically targeted.

https://www.telegraph.co.uk/news/2022/02/19/uk-organisations-should-protect-now-unintended-consequences/

Small Businesses Facing Upwards of 11 Cyber Threats Per Day Per Device

BlackBerry's 2022 Threat Report highlights growing threats to SMBs, calls on government to make cyber security top priority

BlackBerry Limited has released the 2022 BlackBerry Annual Threat Report, highlighting a cybercriminal underground which it says has been optimised to better target local small businesses. Small businesses will continue to be an epicentre for cybercriminal focus as SMBs facing upward of 11 cyber threats per device per day, which only stands to accelerate as cybercriminals increasingly adopt collaborative mindsets.

The report also uncovered cyber breadcrumbs from some of last year’s most notorious ransomware attacks, suggesting some of the biggest culprits may have simply been outsourced labour.  In multiple incidents BlackBerry identified threat actors leaving behind playbook text files containing IP addresses and more, suggesting the authors of this year’s sophisticated ransomware are not the ones carrying out attacks. This highlights the growing shared economy within the cyber underground.

https://www.itsecurityguru.org/2022/02/15/small-businesses-facing-upwards-of-11-cyberthreats-per-day-per-device/

Microsoft Teams Targeted With Takeover Trojans

Threat actors are targeting Microsoft Teams users by planting malicious documents in chat threads that execute Trojans that ultimately can take over end-user machines, researchers have found.

Researchers began tracking the campaign in January, which drops malicious executable files in Teams conversations that, when clicked on, eventually take over the user’s computer, according to a report published Thursday.

Using an executable file, or a file that contains instructions for the system to execute, hackers can install DLL files and allow the program to self-administer and take control over the computer. By attaching the file to a Teams attack, hackers have found a new way to easily target millions of users.

Cyber criminals long have targeted Microsoft’s ubiquitous document-creation and sharing suite – the legacy Office and its cloud-based version, Office 365 – with attacks against individual apps in the suite such as PowerPoint as well as business email compromise and other scams.

Now Microsoft Teams – a business communication and collaboration suite – is emerging as an increasingly popular attack surface for cybercriminals.

https://threatpost.com/microsoft-teams-targeted-takeover-trojans/178497/

The European Central Bank is Warning Banks of Possible Russia-Linked Cyber Attack Amid the Rising Crisis With Ukraine

The European Central Bank is warning banks of possible Russia-linked cyber attack amid the rising crisis with Ukraine and is inviting them to step up defences.

The news was reported by Reuters, citing two unnamed sources. The ECB pointed out that addressing cyber security is a top priority for the European agency.

“The European Central Bank is telling euro zone banks zone to step up their defences against cyber attacks, also in the context of geopolitical tensions such as the stand-off between Russia and Ukraine, the ECB’s top supervisor said on Thursday.” reported Reuters.

ECB warned that the rising risk from cyber attacks begun in 2020.

https://securityaffairs.co/wordpress/128004/breaking-news/european-central-bank-warns-russia-cyberattacks.html

Companies Face Soaring Prices For Cyber Insurance

The cost of cyber insurance has risen steeply over the past year. According to Marsh, the price of cover in the US grew by 130 per cent in the fourth quarter of 2021 alone, while in the UK it grew by 92 per cent. That has increased pressure on companies who are facing cost inflation in other parts of their business.

The steep hikes in the cost of cyber insurance come against a backdrop of rising prices more broadly. According to Marsh, commercial insurance prices rose 13 per cent in the final quarter of 2021.

The hardening market from reduced capacity allied with increasing cyber fraud are potent forces. Pricing becomes more challenging, reinsurance appetite reduced whilst costs increasing and fraudsters have as much access to the latest technologies as do enterprises, the government sector and the insurance industry.

There may be limits to what insurers can cover. Speaking to the Financial Times last week the chief executive of Zurich said: “A connected economy offers lots of opportunities for cyber attacks.” A major cyber risk, he added, “is something only governments can manage”.

Companies will have to do more themselves to fight cyber fraud with technology partners. Meanwhile brokers and insurers must review underwriting data and practices and government raise effectiveness at prosecuting criminals.

https://www.ft.com/content/60ddc050-a846-461a-aa10-5aaabf6b35a5

Even When Warned, Businesses Ignore Critical Vulnerabilities And Hope For The Best

A Bulletproof research found the extent to which businesses are leaving themselves open to cyber attack. When tested, 28% of businesses had critical vulnerabilities – vulnerabilities that could be immediately exploited by cyber attacks.

A quarter of businesses neglected to fix those critical vulnerabilities, even though penetration testing had highlighted them to the business after a retest was completed.

The research analyzed data from over 3,800 days’ worth of penetration testing services. These tests are a means of identifying vulnerabilities within an organisation’s security systems by simulating how malicious actors would seek to exploit such shortcomings.

https://www.helpnetsecurity.com/2022/02/18/businesses-critical-vulnerabilities/

Ransomware-Related Data Leaks Nearly Doubled in 2021: Report

There was a significant increase in ransomware-related data leaks and interactive intrusions in 2021, according to the 2022 Global Threat Report released on Tuesday by endpoint security firm CrowdStrike.

The number of ransomware attacks that led to data leaks increased from 1,474 in 2020 to 2,686 in 2021, which represents an 82% increase. The sectors most impacted by data leaks in 2021 were industrial and engineering, manufacturing, and technology.

The growth and impact of big game hunting in 2021 was a palpable force felt across all sectors and in nearly every region of the world. Although some adversaries and ransomware ceased operations in 2021, the overall number of operating ransomware families increased,” CrowdStrike said in its report.

https://www.securityweek.com/ransomware-related-data-leaks-nearly-doubled-2021-report

Online Fraud Skyrocketing: Gaming, Streaming, Social Media, Travel and Ecommerce Hit the Most

An Arkose Labs report is warning UK commerce that it faces its most challenging year ever. Experts analyzed over 150 billion transaction requests across 254 countries and territories in 2021 over 12 months to discover that there has been an 85% increase in login attacks and fake consumer account creation at businesses.

Alongside this, it identified that one in four new online accounts created were fake. A further 21% of all traffic was confirmed as a fraudulent cyber attack.

From the earliest days of online information to the rapid evolution of today’s metaverses, the internet has come a long way. However, this latest data shows that it is more under attack than ever before.

Your digital identity is a currency for fraudsters and wherever there is online commerce, cyber criminals are quick to identify vulnerabilities.

https://www.helpnetsecurity.com/2022/02/14/fake-consumer-account/

Poor Security Hygiene Organisations and Ransomware Attacks: Painful Math

Poor cyber security hygiene is widely considered to be a major influencing factor for exposure to a ransomware attack. But is that an accurate assessment?

In a new study, RiskRecon, a security best practices specialist, investigated 600+ cyber hijacks to determine if companies victimized by a “detonation” had poor cyber security hygiene at the time and which factors, such as web encryption, application security and email security, are key gaps in coverage.

The answer: Cyber security hygiene does in fact play a large role in an organisation’s vulnerability to a ransomware attack. RiskRecon analyzed the cyber security hygiene on the day of ransomware incident for 622 organisations spanning 633 ransomware events occurring between 2017 and 2021. Based on a comparison population of cyber security ratings and assessments of some 100,000 entities, companies that have very poor cyber security hygiene in their internet-facing systems (a ‘D’ or ‘F’ RiskRecon rating) have about a 40 times higher rate of destructive ransomware events as compared to those with clean cyber security hygiene. Only .03 percent of ‘A-rated’ companies were victims of a destructive ransomware attack, compared with 1.08 percent of ‘D-rated’ and 0.91 percent of ‘F-rated’ companies.

The cyber security conditions underlying the RiskRecon rating reveal just how poor the cyber security hygiene is of companies, on average, that fall victim to a material system-encrypting ransomware attack. For example, ransomware victims have an average of 11 material software vulnerabilities in their internet-facing systems, in comparison with only one issue in the general population. Looking at network services that criminals commonly exploit, ransomware victims expose 3.3 times more unsafe network services to the internet than the general population.

https://www.msspalert.com/cybersecurity-research/poor-security-hygiene-organisations-and-ransomware-attacks-painful-math/

Security Teams Expect Attackers to Go After End Users First

Phishing, malware, and ransomware have spurred organisations to increase their investments in endpoint security, according to Dark Reading’s Endpoint Security Survey.

The shift to a more distributed work environment and an increase in digital transformation initiatives have motivated organisations to bolster their endpoint security defences. However, end users continue to be a major source of worry for IT and security decision-makers, according to the latest Dark Reading survey.

Phishing, malware, and ransomware pose major threats to organisations, as do attacks involving credential theft. An overwhelming 93% of IT and security professionals in Dark Reading’s "2022 Endpoint Security Survey" cite the growing number of ransomware attacks as the reason behind increased investments in endpoint security. Similarly, 83% say the increase in attacks using end-user credentials spurred their endpoint investments.

End users pose one of the biggest threats to the organisation, as 87% expect that if attackers wanted to steal the organisation’s data, they would begin by targeting a single end user.

Concerns about the end user are not new. Verizon’s "2021 Data Breach Investigations Report" found that 85% of the breaches it investigated in 2020 involved end users in some way – such as stolen account credentials, incorrectly assigned privileges or elevated privileges, social engineering, and user error.

https://www.darkreading.com/edge-threat-monitor/end-users-remain-one-of-the-biggest-headaches-in-it-security

US Warns of Imminent Russian Invasion of Ukraine With Tanks, Jet Fighters, Cyber Attacks

President Biden said Friday he is convinced Russian President Vladimir Putin has decided to invade Ukraine and that he expects an attack in the coming days, with targets including the Ukrainian capital, Kyiv.

US officials said a Russian attack could involve a broad combination of jet fighters, tanks, ballistic missiles and cyberattacks, with the ultimate intention of rendering Ukraine’s leadership powerless.

The officials said Mr. Putin has laid the groundwork in recent days through a series of destabilizing activities and false-flag operations, long predicted by U.S. and allied officials and intended to make it look as if Ukraine has provoked Russia into a conflict, thus justifying the Russian invasion.

https://www.wsj.com/articles/ukraine-troops-told-to-exercise-restraint-to-avoid-provoking-russian-invasion-11645185631

TrickBot Malware Targeted Customers of 60 High-Profile Companies Since 2020

The notorious TrickBot malware is targeting customers of 60 financial and technology companies, including cryptocurrency firms, primarily located in the U.S., even as its operators have updated the botnet with new anti-analysis features.

TrickBot is a sophisticated and versatile malware with more than 20 modules that can be downloaded and executed on demand.

In addition to being both prevalent and persistent, TrickBot has continually evolved its tactics to go past security and detection layers. To that end, the malware's "injectDll" web-injects module, which is responsible for stealing banking and credential data, leverages anti-deobfuscation techniques to crash the web page and thwart attempts to scrutinize the source code.

Also put in place are anti-analysis guardrails to prevent security researchers from sending automated requests to command-and-control (C2) servers to retrieve fresh web injects.

https://thehackernews.com/2022/02/trickbot-malware-targeted-customers-of.html

Threats

Ransomware

• Ransomware’s Savage Reign Continues As Attacks Increase 105% - Help Net Security

• SonicWall CEO on ransomware: Every good vendor was hit in past 2 years - The Register

• Are You Prepared for 2022's More Destructive Ransomware? | SecurityWeek.Com

• CISA Advisory Cautions MSPs: Beware More Ransomware Attacks - MSSP Alert

• Conti Ransomware Gang Takes Over Trickbot Malware Operation (bleepingcomputer.com)

• Ransomware Gangs Are Changing Their Tactics. That Could Prove Very Expensive For Some Victims | ZDNet

• FBI Eyes Ransomware Profits With New Cryptocurrency Crimes Unit | TechCrunch

• FBI Warns BlackByte Ransomware Is Targeting US Critical Infrastructure | TechCrunch

• Ransomware Is A Clear And Present Danger. So Why Rely On Legacy DR To Recover From It? • The Register

BEC – Business Email Compromise

• FBI Warns of BEC Scams Abusing Virtual Meeting Platforms | SecurityWeek.Com

Phishing & Email

• LinkedIn Phishing Attacks Up 232% | Phishing | Egress

• Half Of All Emails In 2021 Were Spam- IT Security Guru

• Microsoft Warns of 'Ice Phishing' Threat on Web3 and Decentralized Networks (thehackernews.com)

Malware

• Emotet Now Spreading Through Malicious Excel Files | Threatpost

• A Modern Ninja: Evasive Trickbot Attacks Customers of 60 High-Profile Companies - Check Point Research

• PseudoManuscrypt Malware Spreading the Same Way as CryptBot Targets Koreans (thehackernews.com)

• Baby Golang-Based Botnet Already Pulling in $3K/Month for Operators | Threatpost

• 25 Years On, Microsoft Makes Another Stab At Stopping Macro Malware • Graham Cluley

• Three-Fifths of Cyber-Attacks in 2021 Were Malware-Free - Infosecurity Magazine

Data Breaches/Leaks

• Millions of Internet Society Personal Files Exposed In Data Leak | Laptop Mag

Organised Crime & Criminal Actors

• 74% of Ransomware Revenue Goes to Russia-Linked Hackers - BBC News

• Interpol Must Change With Cyber Crime, Says Director • The Register

• Attackers Hone Their Playbooks, Become More Agile (darkreading.com)

• Cyber Criminals Have Changed Tactics (darkreading.com)

Cryptocurrency/Cryptomining/Cryptojacking

• ‘Heist Of The Century’: US Bitcoin Case Tests Ability To Crack Down On Cyber Crime | Law (US) | The Guardian

• SIM-Swapping Attacks, Many Aimed at Crypto Accounts, Are on the Rise - WSJ

• FBI Says Crypto Payments Are a 'Huge Challenge' Amid Rise in Ransomware Attacks - Decrypt

Insider Risk and Insider Threats

• The Rise Of The Super Malicious Insider: Yes, We Need To Worry - Help Net Security

• Finance Officer Jailed After Stealing £200,000 from Charity - Infosecurity Magazine

• Ex IT Tech Jailed For Wiping School Network During Lockdown • The Register

Fraud, Scams & Financial Crime

• Barclays: Scams Surged in Final Quarter of 2021 - Infosecurity Magazine

• Fraud and Scam Activity Hits All-Time High - Help Net Security

• Soaring Losses Accelerate Investments In Anti-Fraud Tech - Help Net Security

• Threat Actors Still Love a Romance Scam - Infosecurity Magazine

• Singapore Introduces Strong Measures To Stop Online Scams • The Register

• 7 Tips for How To Spot a Scammer and Protect Yourself | Well+Good

DoS/DDoS

• Ukraine Defence and Bank Networks DDoS-ed - Infosecurity Magazine

• Carpet Bombing Attacks on the Rise - Infosecurity Magazine

Nation State Actors

• Russia’s Offensive Cyber Actions Should Be A Cause For Concern For CISOs | CSO Online

• Russia Stole US Defense Data From IT Systems, Says CISA • The Register

• Cyber Security: These Countries Are The New Hacking Threats To Fear As Offensive Campaigns Escalate | ZDNet

• Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA (thehackernews.com)

• Chinese MI6 Informant Gave Information To MPs About Huawei Threat | Huawei | The Guardian

• Red Cross Attributes Server Breach To Nation-State Actor - CyberScoop

• Iranian Hackers Targeting VMware Horizon Log4j Flaws to Deploy Ransomware (thehackernews.com)

Cloud

• Report: 63% of IT Pros Say Cyber Threats Are Top Obstacle To Cloud Adoption Strategy | VentureBeat

• EU Watchdog To Probe Public Sector's Love Affair With Cloud • The Register

Privacy

• Facebook Agrees to Pay $90 Million to Settle Decade-Old Privacy Violation Case (thehackernews.com)

Spyware, Espionage & Cyber Warfare

• How a Russia Cyber Attack On The UK Would Target Online Shopping, Card Payments And NHS Records (inews.co.uk)

• The Conflict In Ukraine Proves Cyber-Attacks Are Now Weapons Of War (thenextweb.com)

• Cyber, War and Ukraine: What Does Recent History Teach Us To Expect? | Science & Tech News | Sky News

• Cyber Warfare In Ukraine Poses A Threat To The Global System | Financial Times (ft.com)

• EU Data Protection Watchdog Calls for Ban on Pegasus-like Commercial Spyware (thehackernews.com)

• More Polish Opposition Figures Found To Have Been Targeted By Pegasus Spyware | Poland | The Guardian

• Using Mobile Networks For Cyber Attacks As Part Of A Warfare Strategy - Help Net Security

• Moses Staff Hackers Targeting Israeli Organisations for Cyber Espionage (thehackernews.com)

Vulnerabilities

• Squirrelwaffle, Microsoft Exchange Server Vulnerabilities Exploited For Financial Fraud | ZDNet

• Attackers Can Crash Cisco Email Security Appliances by Sending Malicious Emails (thehackernews.com)

• New Chrome 0-Day Bug Under Active Attack – Update Your Browser ASAP! (thehackernews.com)

• Multiple Vulnerabilities Put 40 Million Ubuntu Users At Risk | TechRadar

• Critical Flaw Uncovered in WordPress Backup Plugin Used by Over 3 Million Sites (thehackernews.com)

• High-Severity Vulnerability Found in Apache Database System Used by Major Firms | SecurityWeek.Com

• VMware Fixes Holes That Could Allow Virtual Machine Escapes – Naked Security (sophos.com)

• Another Critical RCE Discovered in Adobe Commerce and Magento Platforms (thehackernews.com)

• T2 Mac Security Vulnerability: Passwords Can Now Be Cracked - 9to5Mac

Sector Specific

Financial Services Sector

• Open Banking Innovation: A Race Between Developers And Cyber Criminals - Help Net Security

• Canada's Major Banks Go Offline In Mysterious Hours-Long Outage (bleepingcomputer.com)

Defence

• US Says Russian State Hackers Lurked In Defense Contractor Networks For Months | Ars Technica

Transport and Aviation

• Warning Over Mysterious Hackers That Have Been Targeting Aerospace And Defence Industries For Years | ZDNet

• Unskilled Hacker Linked To Years Of Attacks On Aviation, Transport Sectors (bleepingcomputer.com)

Energy & Utilities

• Energy, Oil And Utility Sector Most Likely To Pay Ransoms - Help Net Security

Reports Published in the Last Week

• 2022 Global Threat Report: A Year of Adaptability and Perseverance (crowdstrike.com)

• Threat Intelligence Report 2022: Cyber Security Priorities - Truesec

• The Year of Living Dangerously: Details from the BlackBerry 2022 Threat Report

Other News

• Over 28,000 Vulnerabilities Disclosed in 2021: Report | SecurityWeek.Com

• Web Application Firewalls (WAFs) Can't Give Organisations The Security They Need - Help Net Security

• How Challenging Is Corporate Data Protection? - Help Net Security

• Local Authority Sets Aside £380k for Cyber-Attack Recovery - Infosecurity Magazine

• Traditional MFA Is Creating A False Sense Of Security - Help Net Security

• Massive LinkedIn Phishing, Bot Attacks Feed on the Job-Hungry | Threatpost

• Be Flexible About Where People Work — But Not on Data Privacy (darkreading.com)

• Researchers Block “Largest Ever” Bot Attack - Infosecurity Magazine

• BadUSB: The Cyber Threat That Gets You To Plug It In – CloudSavvy IT

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

 UK, US, Australia Issue Joint Advisory: Ransomware on the Loose, Critical National Infrastructure Affected

Firms shelled out $5bn in Bitcoin in 6 months

Ransomware attacks are proliferating as criminals turn to gangs providing turnkey post-compromise services, Britain's National Cyber Security Centre (NCSC) has warned.

In a joint UK-US-Australia advisory issued this week, the three countries said they had "observed an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organisations globally."

The warning comes hot on the heels of several high-profile attacks against oil distribution companies and also businesses that operate ports in the West – though today's note insists there was a move by criminals away from "big game hunting" against US targets.

Among the main threats facing Western organisations were the use of "cybercriminal services-for-hire". These, as detailed in the advisory, include "independent services to negotiate payments, assist victims with making payments, and arbitrate payment disputes between themselves and other cyber criminals."

https://www.theregister.com/2022/02/09/uk_us_au_ransomware_warning/

Ransomware Groups and APT Actors Laser-Focused on Financial Services

Trellix released a report, examining cybercriminal behaviour and activity related to cyber threats in the third quarter (Q3) of 2021. Among its findings, the research reports that despite a community reckoning to ban ransomware activity from online forums, hacker groups used alternate personas to continue to proliferate the use of ransomware against an increasing spectrum of sectors – hitting the financial, utilities and retail sectors most often, accounting for nearly 60% of ransomware detections.

“While we ended 2021 focused on a resurgent pandemic and the revelations around the Log4j vulnerability, our third-quarter deep dive into cyber threat activity found notable new tools and tactics among ransomware groups and advanced global threat actors,” said Trellix.

https://www.helpnetsecurity.com/2022/02/07/cyber-threats-q3-2021/

Why the C-Suite Should Focus on Understanding Cyber Security and Investing Appropriately

Trend Micro has published a research revealing that persistently low IT/C-suite engagement may imperil investments and expose organisations to increased cyber risk. Over 90% of the IT and business decision makers surveyed expressed particular concern about ransomware attacks.

Despite widespread concern over spiralling threats, the study found that only 57% of responding IT teams discuss cyber risks with the C-suite at least weekly.

Vulnerabilities used to go months or even years before being exploited after their discovery.

“Now it can be hours, or even sooner. More executives than ever understand that they have a responsibility to be informed, but they often feel overwhelmed by how rapidly the cyber security landscape evolves. IT leaders need to communicate with their board in such a way that they can understand where the organisation’s risk is and how they can best manage it.”

https://www.helpnetsecurity.com/2022/02/10/c-suite-engagement/

Almost $1.3bn Paid to Ransomware Actors Since 2020

Cryptocurrency experts have identified $602m of ransomware payments made in 2021, but warned the real figure will likely surpass the $692m paid to cybercrime groups in 2020.

The findings come from the Ransomware Crypto Crime Report produced by blockchain investigations and analytics company Chainalysis. It reveals some fascinating insight into current industry trends.

Average payment size has soared over recent years, from $25,000 in 2019 to $88,000 a year later and $118,000 in 2021. That’s due in part to a surge in targeted attacks on major organisations, known as “big-game hunting,” which can net threat actors tens of millions in a single compromise.

“This big-game hunting strategy is enabled in part by ransomware attackers’ usage of tools provided by third-party providers to make their attacks more effective,” the report explained. “Usage of these services by ransomware operators spiked to its highest ever levels in 2021.”

https://www.infosecurity-magazine.com/news/almost-13bn-paid-to-ransomware/

Cyber Crooks Frame Targets by Planting Fabricated Digital Evidence

The ‘ModifiedElephant’ threat actors are technically unimpressive, but they’ve evaded detection for a decade, hacking human rights advocates’ systems with dusty old keyloggers and off-the-shelf RATs.

Threat actors are hijacking the devices of India’s human rights lawyers, activists and defenders, planting incriminating evidence to set them up for arrest, researchers warn.

The actor, dubbed ModifiedElephant, has been at it for at least 10 years, and it’s still active. It’s been shafting targets since 2012, if not sooner, going after hundreds of groups and individuals – some repeatedly – according to SentinelLabs researchers.

The operators aren’t what you’d call technical prodigies, but that doesn’t matter. Threat researchers at SentinelOne, said that the advanced persistent threat (APT) group – which may be tied to the commercial surveillance industry – has been muddling along just fine using rudimentary hacking tools such as commercially available remote-access trojans (RATs)

https://threatpost.com/cybercrooks-frame-targets-plant-incriminating-evidence/178384/

Highly Evasive Adaptive Threats (HEAT) Bypassing Traditional Security Defences

Menlo Security announced it has identified a surge in cyberthreats, termed Highly Evasive Adaptive Threats (HEAT), that bypass traditional security defences.

HEAT attacks are a class of cyber threats targeting web browsers as the attack vector and employs techniques to evade detection by multiple layers in current security stacks including firewalls, Secure Web Gateways, sandbox analysis, URL Reputation, and phishing detection. HEAT attacks are used to deliver malware or to compromise credentials, that in many cases leads to ransomware attacks.

In an analysis of almost 500,000 malicious domains, the research team discovered that 69% of these websites used HEAT tactics to deliver malware. These attacks allow bad actors to deliver malicious content to the endpoint by adapting to the targeted environment. Since July 2021, there was a 224% increase in HEAT attacks.

“With the abrupt move to remote working in 2020, every organisation had to pivot to a work from an anywhere model and accelerate their migration to cloud-based applications. An industry report found that 75% of the working day is spent in a web browser, which has quickly become the primary attack surface for threat actors, ransomware and other attacks. The industry has seen an explosion in the number and sophistication of these highly evasive attacks and most businesses are unprepared and lack the resources to prevent them,” said Menlo Security.

https://www.helpnetsecurity.com/2022/02/08/cyberthreats-bypass-security-defences/

LockBit, BlackCat, Swissport, Oh My! Ransomware Activity Stays Strong

However, groups are rebranding and recalibrating their profiles and tactics to respond to law enforcement and the security community’s focus on stopping ransomware attacks.

Law enforcement, C-suite executives and the cyber security community at-large have been laser-focused on stopping the expensive and disruptive barrage of ransomware attacks — and it appears to be working, at least to some extent. Nonetheless, recent moves from the LockBit 2.0 and BlackCat gangs, plus this weekend’s hit on the Swissport airport ground-logistics company, shows the scourge is far from over.

It’s more expensive and riskier than ever to launch ransomware attacks, and ransomware groups have responded by mounting fewer attacks with higher ransomware demands, Coveware has reported, finding that the average ransomware payment in the fourth quarter of last year climbed by 130 percent to reach $322,168. Likewise, Coveware found a 63 percent jump in the median ransom payment, up to $117,116.

“Average and median ransom payments increased dramatically during Q4, but we believe this change was driven by a subtle tactical shift by ransomware-as-a-service (RaaS) operations that reflected the increasing costs and risks previously described,” Coveware analysts said. “The tactical shift involves a deliberate attempt to extort companies that are large enough to pay a ‘big game’ ransom amount but small enough to keep attack operating costs and resulting media and law enforcement attention low.”

https://threatpost.com/lockbit-blackcat-swissport-ransomware-activity/178261/

2021 Was The Most Prolific Year On Record For Data Breaches

Spirion released a guide which provides a detailed look at sensitive data breaches in 2021 derived from analysis conducted against the Identity Theft Resource Center (ITRC) database of publicly reported data breaches in the United States.

The guide is based on the analysis of more than 1,500 data incidents that occurred in the United States during 2021 that specifically involved sensitive data, including personally identifiable information (PII). The report identifies the top sensitive data breaches by the number of individuals impacted, number of records compromised, threat actor, exposure vector, and types of sensitive data exposed by industry sector.

2021 was the most prolific year on record for data breaches, surpassing 2017’s all-time high. Last year a total of 1,862 data compromises were reported by US organisations—a 68 percent increase over 2020. ITRC data revealed that 83% of the year’s incidents exposed 889 million sensitive data records that impacted more than 150 million individuals.

https://www.helpnetsecurity.com/2022/02/09/2021-sensitive-data-breaches/

$1.3 Billion Lost to Romance Scams in the Past Five Years

Romance scams are reaching record-highs, regulators warn.

Netflix's new documentary, The Tinder Swindler, is a wild ride.

The show examines how an alleged fraudster impacted the lives of multiple women, matching with them on Tinder and treating them to expensive dates to gain their trust -- and eventually asking for huge sums of money.

While you may watch the show and wonder how someone -- no matter their gender -- could allow themselves to be swindled out of their savings, romance scams are common, breaking hearts and wiping bank balances around the world every day. 

We've moved on from the days of "lonely hearts" columns to dating apps, and they're popular channels to conduct fraud.

Fake profiles, stolen photos and videos, and sob stories from fraudsters (their car has broken down, they can't afford to meet a match, or, in The Tinder Swindler's case, their "enemies" are after them) are all weapons designed to secure interest and sympathy.

https://www.zdnet.com/article/1-3-billion-lost-to-romance-scams-in-the-past-five-years-ftc/

Cyber Security Compliance Still Not A Priority For Many

IBM survey suggests that cyber security still isn't a priority for many companies

The most consistent data point in the IBM i Marketplace Survey Results over recent years has been the ever-present cyber security threat. This year is no exception. The study shows that 62% of organisations consider cyber security a number one concern as they plan their IT infrastructure. 22% cite regulations and compliance in their top five. While companies that prioritise security seem to be implementing multiple solutions, it’s still alarming that nearly half of them do not plan to implement them.

The complexity of cyber security often leaves industry leaders confused and overwhelmed, unable to produce the sound, proactive stance that is so essential.

Cyber security standards can be confusing, but they are necessary. Tighter security can be encouraged with an understanding of cyber security guidelines

For many organisations, cyber security standards are just too complex to wrap their hands around, but that doesn’t mean it’s not necessary. Understanding how cyber security guidelines affect companies’ legal standing can help encourage tighter security.

https://www.itsecurityguru.org/2022/02/07/cybersecurity-compliance-still-not-a-priority-for-many/

The World is Falling Victim to the Growing Trickbot Attacks in 2022

The malware goons are back again. The cybercrime operators behind the notorious TrickBot malware have once again upped the ante by fine-tuning its techniques by adding multiple layers of defence to slip past antimalware products.

TrickBot, which started out as a banking trojan, has evolved into a multi-purpose crimeware-as-a-service (CaaS) that’s employed by a variety of actors to deliver additional payloads such as ransomware. Over 100 variations of TrickBot have been identified to date, one of which is a “Trickboot” module that can modify the UEFI firmware of a compromised device. In the fall of 2020, Microsoft along with a handful of U.S. government agencies and private security companies teamed up to tackle the TrickBot botnet, taking down much of its infrastructure across the world in a bid to stymie its operations. But TrickBot has proven to be impervious to takedown attempts, what with the operators quickly adjusting their techniques to propagate multi-stage malware through phishing and malspam attacks, not to mention expanding their distribution channels by partnering with other affiliates like Shathak (aka TA551) to increase scale and drive profits.

Russian-based criminals behind the notorious malware known as Trickbot appear to be working overtime to upgrade the threat’s capabilities. Researchers announced last week the discovery of new malware components that enable monitoring and intelligence gathering on victims. The research findings include the detection of a VNC module that uses a custom communications protocol to obfuscate any data being transmitted between the command-and-control (C2) servers and the victims, making the attacks harder to find. The module is in active development and is being updated by criminals at a rapid pace.

https://www.analyticsinsight.net/the-world-is-falling-victim-to-the-growing-trickbot-attacks-in-2022/

“We Absolutely Do Not Care About You”: Sugar Ransomware Targets Individuals

Ransomware tends to target organisations. Corporations not only house a trove of valuable data they can’t function without, but they are also expected to cough up a considerable amount of ransom money in exchange for their encrypted files. And while corporations struggle to keep up with attacks, ransomware groups have left the average consumer relatively untouched—until now.

Sugar ransomware, a new strain recently discovered by the Walmart Security Team, is a ransomware-as-a-service (RaaS) that targets single computers and (likely) small businesses, too. Sugar, also known to many as Encoded01, has been in operation since November 2021.

https://blog.malwarebytes.com/ransomware/2022/02/we-absolutely-do-not-care-about-you-sugar-ransomware-targets-individuals/

Threats

Ransomware

• NCSC Joins US and Australian Partners to Reveal Latest Ransomware Trends - NCSC.GOV.UK

• Russian Ransomware Attacks Increased During 2021, Joint Review Finds | Cybercrime | The Guardian

• You've Still Not Patched It? Hackers Are Using These Old Software Flaws To Deliver Ransomware | ZDNet

• FBI: Watch Out For LockBit 2.0 Ransomware, Here's How To Reduce The Risk To Your Network | ZDNet

• Law Enforcement Action Push Ransomware Gangs To Surgical Attacks (bleepingcomputer.com)

• Europe's Biggest Car Dealer Hit With Ransomware Attack | ZDNet

• Swissport Ransomware Incident Delayed Flights - Infosecurity Magazine

• How a Texas Hack Changed the Ransomware Business Forever - The Record by Recorded Future

• Puma Hit By Data Breach After Kronos Ransomware Attack (bleepingcomputer.com)

• Vodafone Portugal Hit By A Massive Cyber Attack - Security Affairs

• Fortune 500 Service Provider Says Ransomware Attack Led To Leak Of More Than 500k SSNs | ZDNet

Phishing

• Hackers Using Fake Job Offers in Latest Catfishing Scheme - ClearanceJobs

• Threat Actors Revive 20-Year-Old Tactic in Microsoft 365 Phishing Attacks (darkreading.com)

• ICO Hit by 2650% Rise in Email Attacks - Infosecurity Magazine

Other Social Engineering

• Roaming Mantis SMSishing Campaign Now Targets Europe - Security Affairs

• FBI: SIM Swapping Attacks Have Surged Five-Fold - Infosecurity Magazine

Malware

• Qbot Needs Only 30 Minutes To Steal Your Credentials, Emails (bleepingcomputer.com)

• Linux Malware Attacks Are On The Rise, And Businesses Aren't Ready For It | ZDNet

• This Password-Stealing Malware Posed As A Windows 11 Download | ZDNet

• Several Malware Families Using Pay-Per-Install Service to Expand Their Targets (thehackernews.com)

• Qbot, Lokibot Malware Switch Back To Windows Regsvr32 Delivery (bleepingcomputer.com)

• Data Highlights Growing Threat From Intelligent Bots Operated at Scale by Cybercriminals | SecurityWeek.Com

Mobile

• Medusa Malware Joins Flubot's Android Distribution Network | Threatpost

• Critical Android 12 Bug Fixed In February Security Patches • The Register

Data Breaches/Leaks

• Croatian Phone Carrier Data Breach Impacts 200,000 Clients (bleepingcomputer.com)

Organised Crime & Criminal Actors

• Russian Government Continues Crackdown On Cyber Criminals - CyberScoop

Cryptocurrency/Cryptomining/Cryptojacking

• More Than $400 Million Drained From Hacked Blockchain Bridges In Little More Than A Week • Graham Cluley

• Wife of Couple Accused of $4.5 billion Bitcoin Swindle Gave Cyber Security Advice (theblockcrypto.com)

Insider Risk and Insider Threats

• Chinese Telecom Hytera Charged For Allegedly Recruiting Motorola Employees To Steal Trade Secrets | ZDNet

Fraud, Scams & Financial Crime

• Midlifers Bled Dry By Scam That Takes Two Months To Spot (telegraph.co.uk)

Supply Chain

• The Most Common Cyber Gaps Threatening Supply Chain Security - Help Net Security

DoS/DDoS

• DDoS Attacks Hit All-time High - Infosecurity Magazine

Nation State Actors

• Russian APT Steps Up Malicious Cyber Activity in Ukraine (darkreading.com)

• Iran Malware in HPE Server Stuns Cyber Security Experts - Bloomberg

• Iranian Hackers Using New Marlin Backdoor in 'Out to Sea' Espionage Campaign (thehackernews.com)

Cloud

• Organisations And The Cloud: How They Use It And How They Secure It - Help Net Security

Privacy

• Meta Threatens to Shut Down Facebook and Instagram in Europe | The Independent

• Facebook Exposes 'God Mode' Token Miscreants Could Use • The Register

Spyware, Espionage & Cyber Warfare

• MoleRats APT Flaunts New Trojan in Latest Cyber Espionage Campaign | Threatpost

Vulnerabilities

• Microsoft, Oracle, Apache and Apple vulnerabilities added to CISA catalog | ZDNet

• CISA Says 'HiveNightmare' Windows Vulnerability Exploited in Attacks | SecurityWeek.Com

• Microsoft Fixes Defender Flaw Letting Hackers Bypass Antivirus Scans (bleepingcomputer.com)

• Microsoft and Other Major Software Firms Release February 2022 Patch Updates (thehackernews.com)

• Apple Patches New Zero-Day Exploited To Hack iPhones, iPads, Macs (bleepingcomputer.com)

• CISA Urges Orgs To Patch Actively Exploited Windows SeriousSAM Bug (bleepingcomputer.com)

• CISA Warns Admins To Patch Maximum Severity SAP Vulnerability (bleepingcomputer.com)

• Adobe Patches 13 Vulnerabilities in Illustrator | SecurityWeek.Com

• PHP Everywhere RCE Flaws Threaten Thousands of WordPress Sites (bleepingcomputer.com)

Sector Specific

Financial Services Sector

• Ransomware Groups and APT Actors Laser-Focused On Financial Services - Help Net Security

Defence

• Defence Contractors Need to Check Their Six (darkreading.com)

Health/Medical/Pharma Sector

• FritzFrog P2P Botnet Attacking Healthcare, Education and Government Sectors (thehackernews.com)

Retail/eCommerce

• Wave of MageCart Attacks Target Hundreds Of Outdated Magento Sites (bleepingcomputer.com)

• Threat Actors Compromised +500 Magento-Based E-Stores With E-Skimmers - Security Affairs

Transport and Aviation

• Swissport Ransomware Incident Delayed Flights - Infosecurity Magazine

Education and Academia

• FritzFrog P2P Botnet Attacking Healthcare, Education and Government Sectors (thehackernews.com)

Other News

• A "light" February 2022 Patch Tuesday That Should Not Be Ignored - Help Net Security

• Organisations Still Struggling To Use APIs Effectively - Help Net Security

• Threat Hunting: Your Best Defence Against Unknown Threats - MSSP Alert

• UK Foreign and Commonwealth Office Suffered Serious Cyber Attack Earlier This Year | Reuters

• European Police Flag 500+ Pieces of “Terrorist” Content - Infosecurity Magazine

• A Quarter of New Online Accounts Are Fake – Report - Infosecurity Magazine

• Microsoft To Make Enabling 'Untrusted' Office Macros Tougher In The Name Of Security | ZDNet

• Cyber Terrorism Is a Growing Threat & Governments Must Take Action (darkreading.com)

• Hackers Have Begun Adapting To Wider Use Of Multi-Factor Authentication | TechRepublic

• The Race To Save The Internet From Quantum Hackers (nature.com)

• Disaster Recovery Is Critical For Business Continuity - Help Net Security

• CISOs Are Burned Out And Falling Behind | CSO Online

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Cyber Change Outpaces Boardroom Engagement

We all know the story of the past two years. Mass digital investments in SaaS collaboration suites, cloud infrastructure and other tools helped to keep organisations operational when they needed it most. The money continues to flow today, as those same companies realize they must keep on pumping funds into digital to stay competitive amidst rising customer expectations. Gartner predicted public cloud spending growth would hit 23% year-on-year in 2021 and increase 20% this year to top $397bn.

From a cyber security perspective, these business decisions are loaded with risk if protections are not built into projects from the start. A recent global poll revealed that of 90% of business and IT decision makers are concerned about the impact of ransomware. It also found generally poor levels of cyber-awareness among board members. Less than half (46%) of respondents claimed concepts like “cyber risk” and “cyber risk management” were known extensively in their organisation.

The truth is that many board leaders do understand the need for greater investment in security as a strategic growth driver. But they find it hard to keep pace with a threat landscape that moves at the speed of light. Vulnerabilities used to go months or years before they were exploited, for example, but today threat actors are working on exploits for bugs like Log4Shell within hours of their discovery. That makes the fast-changing risk landscape difficult to grasp for even tech-savvy C-suite leaders. As a result, cyber risk continues to be managed reactively, which puts the organisation perpetually on the back foot.

https://www.trendmicro.com/en_us/research/22/b/why-cyber-change-outpaces-boardroom-engagement.html

NCSC Alerts UK Orgs to Brace for Destructive Russian Cyber Attacks

The UK’s National Cyber Security Centre (NCSC) is urging organisations to bolster security and prepare for a potential wave of destructive cyber attacks after recent breaches of Ukrainian entities.

The NCSC openly warns that Russian state-sponsored threat actors will likely conduct the attacks and reminds of the damage done in previous destructive cyber attacks, like NotPetya in 2017 and the GRU campaign against Georgia in 2019.

These warnings come after Ukrainian government agencies and corporate entities suffered cyber attacks where websites were defaced, and data-wiping malware was deployed to destroy data and make Windows devices inoperable.

The cause for the resurgence of attacks is the tensions between Russia and Ukraine, and attempts to negotiate a way out of the Ukraine crisis have failed so far.

Ukraine and Russia have engaged in cyber warfare for many years, but recent Russian military mobilization was accompanied by new waves of attacks, with European countries and the USA expected to be targeted next.

https://www.bleepingcomputer.com/news/security/ncsc-alerts-uk-orgs-to-brace-for-destructive-russian-cyberattacks/

Over Half of Ransomware Attacks are Targeting Financial Services, Utilities and Retail

Three sectors have been the most common target for ransomware attacks, but researchers warn "no business or industry is safe".

Over half of ransomware attacks are targeting one of three industries; banking, utilities and retail, according to analysis by cyber security researchers – but they've also warned that all industries are at risk from attacks.

The data has been gathered by Trellix – formerly McAfee Enterprise and FireEye – from detected attacks between July and September 2021, a period when some of the most high-profile ransomware attacks of the past year happened.

According to detections by Trellix, banking and finance was the most common target for ransomware during the reporting period, accounting for 22% of detected attacks. That's followed by 20% of attacks targeting the utilities sector and 16% of attacks targeting retailers. Attacks against the three sectors in combination accounted for 58% of all of those detected.

https://www.zdnet.com/article/ransomware-over-half-of-attacks-are-targeting-these-three-industries/

Third of Employees Admit to Exfiltrating Data When Leaving Their Job

Nearly one-third (29%) of employees admitted taking data with them when they leave their job, according to new research from Tessian.

The findings follow the ‘great resignation’ of 2021, when workers quit their jobs in huge waves following the COVID-19 pandemic. Unsurprisingly, close to three-quarters (71%) of IT leaders believe this trend has increased security risks in their organisations.

In addition, nearly half (45%) of IT leaders said they had seen incidents of data exfiltration increase in the past year due to staff taking data with them when they left.

The survey of 2000 UK workers also looked at employees' motives for taking such information. The most common reason was that the data would help them in their new job (58%). This was followed by the belief that the information belonged to them because they worked on the document (53%) and to share it with their new employer (44%).

The employees most likely to take data with them when leaving their job worked in marketing (63%), HR (37%) and IT (37%).

https://www.infosecurity-magazine.com/news/third-employees-exfiltrating-data/

Massive Social Engineering Waves Have Impacted Banks in Several Countries

A massive social engineering campaign has been delivered in the last two years in several countries, including Portugal, Spain, Brazil, Mexico, Chile, the UK, and France. According to Segurança Informática publication, the malicious waves have impacted banking organisations with the goal of stealing the users’ secrets, accessing the home banking portals, and also controlling all the operations on the fly via Command and Control (C2) servers geolocated in Brazil.

In short, criminal groups are targeting victims’ from different countries to collect their home banking secrets and payment cards. The campaigns are carried out by using social engineering schemas, namely smishing, and spear-phishing through fake emails.

Criminals obtain lists of valid and tested phone numbers and emails from other malicious groups, and the process is performed on underground forums, Telegram channels or Discord chats.

The spear-phishing campaigns try to lure victims with fake emails that impersonate the banking institutions. The emails are extremely similar to the originals, exception their content, mainly related to debts or lack of payments.

https://securityaffairs.co/wordpress/127516/cyber-crime/massive-social-engineering-banks.html

Ransomware is Terrifying – But Never Underestimate the Damage an Employee with Unmonitored Access Can Do

Is the biggest threat to your data a mysterious ransomware merchant or an advanced persistent threat cartel?

Or is it a security system that will show you that data has been exfiltrated from your organisation – but only after the fact, leaving open the possibility that your valuable IP could have already been shared with unauthorized parties?

It was the latter scenario that allegedly resulted in 12,000 internal documents being lifted from Pfizer’s systems by a soon-to-depart employee last year. Those documents reportedly included details of COVID-19 vaccine research and a new melanoma drug.

The incident shows how today’s cloud infrastructure can exacerbate security gaps and why simply detecting a potential data leak isn’t enough. Companies need to have deep insight into what their employees are doing, as well as technology that can actively enforce policy and prevent unencrypted data from ever leaving the enterprise.

https://www.theregister.com/2022/02/03/ransomware_terrifying/

People Working in IT Related Roles Equally Susceptible to Phishing Attempts as the General Population

Phishing emails that mimic HR announcements or ask for assistance with invoicing get the most clicks from recipients, according to a study from F-Secure.

The study, which included 82,402 participants, tested how employees from four different organisations responded to emails that simulated one of four commonly used phishing tactics.

22% of recipients that received an email simulating a human resources announcement about vacation time clicked, making emails that mimic those sent by HR the most frequent source of clicks in the study.

An email asking the recipient to help with an invoice (referred to as CEO Fraud in the report) was the second most frequently engaged with email type, receiving clicks from 16% of recipients.

https://www.helpnetsecurity.com/2022/02/03/phishing-emails-clicks/

FBI Says More Cyber Attacks Come from China than Everywhere Else Combined

US Federal Bureau of Investigation director Christopher Wray has named China as the source of more cyber-attacks on the USA than all other nations combined.

In a Monday speech titled Countering Threats Posed by the Chinese Government Inside the US, Wray said the FBI is probing over 2,000 investigations of incidents assessed as attempts by China's government "to steal our information and technology."

"The Chinese government steals staggering volumes of information and causes deep, job-destroying damage across a wide range of industries – so much so that, as you heard, we're constantly opening new cases to counter their intelligence operations, about every 12 hours or so."

Wray rated China's online offensive as "bigger than those of every other major nation combined," adding it has "a lot of funding and sophisticated tools, and often joining forces with cyber criminals – in effect, cyber mercenaries."

https://www.theregister.com/2022/02/03/fbi_china_threat_to_usa/

Managing Detections is Not the Same as Stopping Breaches

Enterprises interested in managed detection and response (MDR) services to monitor endpoints and workloads should make sure the providers have rock-solid expertise in detecting and responding to threats.

The fundamental challenge in cyber security is that adversaries move quickly. We know from observation that attackers go from initial intrusion to lateral movement in a matter of a couple hours or less.

If security teams are going to successfully stop a breach, they need to operate within the same timeframe, containing and remediating threats within minutes, 24 hours a day, 7 days a week. Such constant vigilance can be challenging for in-house staff. This is why many organisations engage a provider of managed detection and response (MDR) security services, which monitors endpoints, workloads, and other systems to detect and monitor threats.

Unfortunately, even most managed services have several fundamental flaws that prevent them from executing on the core mission of stopping breaches.

https://www.darkreading.com/crowdstrike/managing-detections-is-not-the-same-as-stopping-breaches

From War to Web Security, Protect Your Attack Surface from the Weakest Link

With the rapid proliferation of data, increasing number of domains and subdomains as well as rise in third-party providers, the number of entry points through which attackers can infiltrate a company’s web environment is endless. Attacks are increasingly causing consequences felt beyond the perimeter of an organisation, as demonstrated earlier this year with the Colonial Pipeline breach, which caused fuel prices along the US East Coast to soar, and the attack on software provider Kaseya that forced hundreds of grocery stores in the Nordics to shut down business for days.

Security breaches often happen through an avenue that no one saw coming — a server no one knew existed, an old landing page, weak passwords or an application that was missing a patch. It’s perhaps never been clearer than today that a company is only as strong as the weakest link in its growing attack surface.

https://thenewstack.io/from-war-to-web-security-protect-your-attack-surface-from-the-weakest-link/

Number of Data Compromises Reaching All-Time High

According to an Identity Theft Resource Center (ITRC) report, the overall number of data compromises (1,862) is up more than 68 percent compared to 2020.

The new record number of data compromises is 23 percent over the previous all-time high (1,506) set in 2017. The number of data events that involved sensitive information (Ex: Social Security numbers) increased slightly compared to 2020 (83 percent vs. 80 percent). However, it remained well below the previous high of 95 percent set in 2017.

The number of victims continues to decrease (down five (5) percent in 2021 compared to the previous year) as identity criminals focus more on specific data types rather than mass data acquisition. However, the number of consumers whose data was compromised multiple times per year remains alarmingly high.

https://www.helpnetsecurity.com/2022/01/31/data-compromises-up/

Threats

Ransomware

• Inside Trickbot, Russia’s Notorious Ransomware Gang | WIRED

• Aggressive BlackCat Ransomware on the Rise (darkreading.com)

• A Look At The New Sugar Ransomware Demanding Low Ransoms (bleepingcomputer.com)

• BlackCat Ransomware - What You Need To Know | The State of Security (tripwire.com)

• KP Snacks Giant Hit By Conti Ransomware, Deliveries Disrupted (bleepingcomputer.com)

• Hacker Group 'Moses Staff' Using New StrifeWater RAT in Ransomware Attacks (thehackernews.com)

• Financially Motivated Hackers Use Leaked Conti Ransomware Techniques in Attacks | SecurityWeek.Com

• FBI Shares Lockbit Ransomware Technical Details, Defense Tips (bleepingcomputer.com)

• BlackCat (ALPHV) Ransomware Linked To BlackMatter, DarkSide Gangs (bleepingcomputer.com)

• Over 500,000 People Impacted By A Ransomware Attack That Hit Morley - Security Affairs

• Scottish Agency Still Recovering from 2020 Ransomware Attack - Infosecurity Magazine

• Conti Ransomware Encrypted 80% of Ireland's HSE IT Systems (bleepingcomputer.com)

• Ransomware Wants You to Like and Subscribe, Or Else (vice.com)

• Ransomware Means Your Database IS The Front Line. How Are You Defending It? • The Register

Phishing

• Low-Detection Phishing Kits Increasingly Bypass MFA | Threatpost

• MFA Adoption Pushes Phishing Actors To Reverse-Proxy Solutions (bleepingcomputer.com)

• Intuit Warns Of Phishing Emails Threatening To Delete Accounts (bleepingcomputer.com)

• Strong Authentication Protects Against Phishing. So Why Aren't More People Using It? | ZDNet

• Microsoft Blocked Billions Of Brute-Force And Phishing Attacks Last Year (bleepingcomputer.com)

Other Social Engineering

• FBI Warning: Scammers Are Posting Fake Job Ads On Networking Sites To Steal Your Money And Identity | ZDNet

Malware

• Malicious CSV Text Files Used To Install BazarBackdoor Malware (bleepingcomputer.com)

• New Malware Used by SolarWinds Attackers Went Undetected for Years (thehackernews.com)

• Microsoft: This Mac Malware Is Getting Smarter And More Dangerous | ZDNet

Data Breaches/Leaks

• The 3 Most Common Causes of Data Breaches in 2021 (darkreading.com)

• British Council Exposed More Than 100,000 Files With Student Records (bleepingcomputer.com)

Insider Risk and Insider Threats

• How Costly Is An Insider Threat? - Help Net Security

Fraud, Scams & Financial Crime

• Americans Lost $770 Million From Social Media Fraud In 2021, FTC Reports - Security Affairs

Supply Chain

• Supply Chain Security Is Not a Problem…It’s a Predicament | Threatpost

DoS/DDoS

• Reasons Why Every Business is a Target of DDoS Attacks (thehackernews.com)

CNI, OT, ICS, IIoT and SCADA

• Ransomware Often Hits Industrial Systems, With Significant Impact: Survey | SecurityWeek.Com

Nation State Actors

• Russian 'Gamaredon' Hackers Use 8 New Malware Payloads In Attacks (bleepingcomputer.com)

• State Hackers' New Malware Helped Them Stay Undetected For 250 Days (bleepingcomputer.com)

• Charming Kitten Sharpens Its Claws with PowerShell Backdoor | Threatpost

• FBI's Warning About Iranian Firm Highlights Common Cyber Attack Tactics | CSO Online

• Iranian APT Group Uses Previously Undocumented Trojan For Destructive Access To Organisations | CSO Online

Cloud

• If My Organisation Is Mostly in the Cloud, Do I Need a Firewall? (darkreading.com)

Passwords & Credential Stuffing

• The Account Takeover Cat-and-Mouse Game | Threatpost

• Reducing The Blast Radius Of Credential Theft - Help Net Security

Spyware, Espionage & Cyber Warfare

• Ukraine Continues to Face Cyber Espionage Attacks from Russian Hackers (thehackernews.com)

• Gamaredon (Primitive Bear) Russian APT Group Actively Targeting Ukraine (paloaltonetworks.com)

• Hackers Exploited 0-Day Vulnerability in Zimbra Email Platform to Spy on Users (thehackernews.com)

• Cyber Spies Linked To Memento Ransomware Use New PowerShell Malware (bleepingcomputer.com)

• NSO Group's Pegasus Spyware and Phantom Encryption Cracker Trigger Fresh Concerns - MSSP Alert

Vulnerabilities

• Apple, SonicWall, Internet Explorer Vulnerabilities Added To CISA List | ZDNet

• Samba 'Fruit' Bug Allows RCE, Full Root User Access | Threatpost

• Tens of Thousands of Websites Vulnerable to RCE Flaw in WordPress Plug-in (darkreading.com)

• Cisco Fixes Critical Bugs In SMB Routers, Exploits Available (bleepingcomputer.com)

• UEFI Firmware Vulnerabilities Affect At Least 25 Computer Vendors (bleepingcomputer.com)

• Google Patches 27 Vulnerabilities With Release of Chrome 98 | SecurityWeek.Com

• Intel Patched 226 Vulnerabilities in 2021 | SecurityWeek.Com

• Public Exploit Released for Windows 10 Bug | Threatpost

• 600K WordPress Sites Impacted By Critical Plugin RCE Vulnerability (bleepingcomputer.com)

• Critical Log4j Vulnerabilities Are the Ultimate Gift for Cyber Criminals (darkreading.com)

• ESET Antivirus Bug Let Attackers Gain Windows SYSTEM Privileges (bleepingcomputer.com)

Sector Specific

Financial Services Sector

• Bank Executives Mostly Concerned About Cyber Crime - Help Net Security

Retail

• Why Buy Now, Pay Later Is The Next Big Fraud Risk For Retailers | CSO Online

Transport and Aviation

• Ransomware Spree Hitting European Oil, Transport Companies - CyberScoop
  

Reports Published in the Last Week

• Identity Theft Resource Center’s 2021 Annual Data Breach Report Sets New Record for Number of Compromises - ITRC (idtheftcenter.org)

Other News

• Hackers Went Wild in 2021 — Every Company Should Do These 5 Things in 2022 (darkreading.com)

• Rush To Remote Work Left Sysadmins Struggling To Keep Businesses Safe - Help Net Security

• Telco Fined €9 Million For Hiding Cyber Attack Impact From Customers (bleepingcomputer.com)

• Are There Holes In Your Cyber Security Map? | VentureBeat

• 90% of Security Leaders Warn of Skills Shortage - Infosecurity Magazine (infosecurity-magazine.com)

• The Real-World Impact of the Global Cyber Security Workforce Gap on Cyber Defenders (darkreading.com)

• Hundreds Of Thousands Of Routers Exposed To Eternal Silence Campaign Via UPnP - Security Affairs

• Social Security Numbers Most Targeted Sensitive Data - Infosecurity Magazine

• NIST's New Cyber-Resiliency Guidance: 3 Steps For Getting Started | CSO Online

• Organisations Neglecting Microsoft 365 Cyber Security Features - Help Net Security

• Microsoft Says MFA Adoption Remains Low, Only 22% Among Enterprise Customers - The Record by Recorded Future

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

UK Warned To Bolster Defences Against Cyber Attacks As Russia Threatens Ukraine - BBC News

UK organisations are being urged to bolster their defences amid fears cyber attacks linked to the conflict in Ukraine could move beyond its borders.

The National Cyber Security Centre (NCSC) has issued new guidance, saying it is vital companies stay ahead of a potential threat.

The centre said it was unaware of any specific threats to UK organisations.

It follows a series of cyber attacks in Ukraine which are suspected to have involved Russia, which Moscow denies.

In December 2015, engineers in Ukrainian power stations saw cursors on their computer screens moving by themselves. They had been hacked. Hundreds of thousands of people lost power for hours.

It was the first time a power station had been taken offline, a sign that cyber intrusions were moving beyond stealing information into disrupting the infrastructure on which everyday life depends. Russia was blamed.

"It was a complex operation," says John Hultquist, an expert on Russian cyber operations at the US security firm Mandiant. "They even disrupted the telephone lines so that the engineers couldn't make calls."

Ukraine has been on the front line of a cyber conflict for years. But if Russia does invade the country soon, tanks and troops will still be at the forefront.

https://www.bbc.co.uk/news/uk-60158874

Cyber Attacks And Ransomware Hit A New Record In 2021, Says Report

Ransomware attacks have doubled for the past two years, says a new report—but a lot of people aren’t bothering to change their passwords.

Hackers made up for some lost time last year.

After seeing the number of data breaches decline in 2020, the Identity Theft Resource Center’s 16th Annual Data Breach Report says the number of security compromises was up more than 68% in 2021. That tops the all-time high by a shocking 23%.

All told, there were 1,862 breaches last year, says the ITRC, 356 more than in 2017, the previous busiest year on record.

“Many of the cyber attacks committed were highly sophisticated and complex, requiring aggressive defences to prevent them,” Eva Velasquez, ITRC president and CEO, said in a statement. “If those defences failed, too often we saw an inadequate level of transparency for consumers to protect themselves from identity fraud.”

https://www.fastcompany.com/90715622/cyberattacks-ransomware-data-breach-new-record-2021

Ransomware Families Becoming More Sophisticated With Newer Attack Methods

Ivanti, Cyber Security Works and Cyware announced a report which identified 32 new ransomware families in 2021, bringing the total to 157 and representing a 26% increase over the previous year.

The report also found that these ransomware groups are continuing to target unpatched vulnerabilities and weaponize zero-day vulnerabilities in record time to instigate crippling attacks. At the same time, they are broadening their attack spheres and finding newer ways to compromise organisational networks and fearlessly trigger high-impact assaults.

https://www.helpnetsecurity.com/2022/01/28/new-ransomware-families/

More Than 90% Of Enterprises Surveyed Have Been Hit By Successful Cyber Attacks

Cyber attacks can impact any organisation, big or small. But large enterprises are often more tempting targets due to the vast amount of lucrative data they hold. A new report from cyber security firm Anomali reveals an increase in successful cyber attacks and offers ideas on how organisations can better protect themselves.

Published on Thursday, the "2022 Anomali Cyber security Insights Report" is based on a survey of 800 cyber security decision makers commissioned by Anomali and conducted by Harris between September 9 and October 13 of 2021. The survey elicited responses from professionals in the US, UK, Canada and other countries who work full time in such industries as manufacturing, telecommunications and financial services.

Among the respondents, 87% said that their organisations were victims of successful cyber attacks sometime over the past three years. In this case, a successful attack is one that caused damage, disruption or a data breach. Since the pandemic started almost two years ago, 83% of those polled have experienced an increase in attempted cyber attacks, while 87% have been hit with a rise in phishing emails, many of them exploiting coronavirus-related themes.

https://www.techrepublic.com/article/more-than-90-of-enterprises-surveyed-have-been-hit-by-successful-cyberattacks/

Ransomware Gangs Increase Efforts To Enlist Insiders For Attacks

A recent survey of 100 large (over 5,000 employees) North American IT firms shows that ransomware actors are making greater effort to recruit insiders in targeted firms to aid in attacks.

The survey was conducted by Hitachi ID, which performed a similar study in November 2021. Compared to the previous survey, there has been a 17% rise in the number of employees offered money to aid in ransomware attacks against their employer.

Most specifically, 65% of the survey respondents say that they or their employees were approached between December 7, 2021, and January 4, 2022, to help hackers establish initial access.

https://www.bleepingcomputer.com/news/security/ransomware-gangs-increase-efforts-to-enlist-insiders-for-attacks/

Shipment-Delivery Scams Become the Favoured Way to Spread Malware

Attackers increasingly are spoofing the courier DHL and using socially engineered messages related to packages to trick users into downloading Trickbot and other malicious payloads.

Threat actors are increasingly using scams that spoof package couriers like DHL or the U.S. Postal Service in authentic-looking phishing emails that attempt to dupe victims into downloading credential-stealing or other malicious payloads, researchers have found.

Researchers from Avanan, a Check Point company, and Cofense have discovered recent phishing campaigns that include malicious links or attachments aimed at infecting devices with Trickbot and other dangerous malware, they reported separately on Thursday.

The campaigns separately relied on trust in widely used methods for shipping and employees’ comfort with receiving emailed documents related to shipments to try to elicit further action to compromise corporate systems, researchers said.

https://threatpost.com/shipment-delivery-scams-a-fav-way-to-spread-malware/178050/

Most Ransomware Infections Are Self-Installed

New research from managed detection and response (MDR) provider Expel found that most ransomware attacks in 2021 were self-installed.

The finding was included in the company’s inaugural annual report on cyber security trends and predictions, Great eXpeltations, published on Thursday.

Researchers found eight out of ten ransomware infections occurred after victims unwittingly opened a zipped file containing malicious code. Abuse of third-party access accounted for 3% of all ransomware incidents, and 4% were caused by exploiting a software vulnerability on the perimeter.

The report was based on the analysis of data aggregated from Expel’s security operations center (SOC) concerning incidents spanning January 1 2021 to December 31 2021.

Other key findings were that 50% of incidents were BEC (business email compromise) attempts, with SaaS apps a top target.

https://www.infosecurity-magazine.com/news/most-ransomware-infections-self/

Staff Negligence Is Now A Major Reason For Insider Security Incidents

Insider threats cost organisations approximately $15.4 million every year, with negligence a common reason for security incidents, new research suggests.

Enterprise players today are facing cyber security challenges from every angle. Weak endpoint security, unsecured cloud systems, vulnerabilities -- whether unpatched or zero-days -- the introduction of unregulated internet of things (IoT) devices to corporate networks and remote work systems can all become conduits for a cyber attack to take place.

When it comes to the human element of security, a lack of training or cyber security awareness, mistakes, or deliberate, malicious actions also needs to be acknowledged in managing threat detection and response.

https://www.zdnet.com/article/employee-contractor-negligence-is-now-a-major-reason-for-insider-security-incidents/

22 Cyber Security Myths Organisations Need To Stop Believing In 2022

Security teams trying to defend their organisations need to adapt quickly to new challenges. Yesterday’s buzzwords and best practices have become today’s myths.

The past few years have seen a dramatic shift in how organisations protect themselves against attackers. The hybrid working model, fast-paced digitalization, and increased number of ransomware incidents have changed the security landscape, making CISOs' jobs more complex than ever.

This convoluted environment requires a new mindset to defend, and things that might have held true in the past might no longer be useful. Can digital certificates' expiration dates still be managed in a spreadsheet? Is encryption 'magic dust'? And are humans actually the weakest link?

Security experts weigh in the 22 cyber security myths that we finally need to retire in 2022.

https://www.csoonline.com/article/3648048/22-cybersecurity-myths-organisations-need-to-stop-believing-in-2022.html

Android Malware Can Factory-Reset Phones After Draining Bank Accounts

A banking-fraud trojan that has been targeting Android users for three years has been updated to create even more grief. Besides draining bank accounts, the trojan can now activate a kill switch that performs a factory reset and wipes infected devices clean.

Brata was first documented in a post from security firm Kaspersky, which reported that the Android malware had been circulating since at least January 2019. The malware spread primarily through Google Play but also through third-party marketplaces, push notifications on compromised websites, sponsored links on Google, and messages delivered by WhatsApp or SMS. At the time, Brata targeted people with accounts from Brazil-based banks.

https://arstechnica.com/information-technology/2022/01/android-malware-can-factory-reset-phones-after-draining-bank-accounts/

GDPR Fines Surged Sevenfold to $1.25 Billion in 2021: Study

Fines issued for GDPR non-compliance increased sevenfold from 2020 to 2021, analysis shows

In its latest annual GDPR summary, international law firm DLA Piper focuses attention in two areas: fines imposed and the evolving effect of the Schrems II ruling of 2020. Fines are increasing and Schrems II issues are becoming more complex.

Fines issued for GDPR non-compliance increased significantly (sevenfold) in 2021, from €158.5 million (approximately $180 million) in 2020 to just under €1.1 billion (approximately $1.25 billion) in 2021. The largest fines came from Luxembourg against Amazon (€746 million / $846 million), and Ireland against WhatsApp (€225 million / $255 million). Both are currently being appealed.

The WhatsApp fine is interesting. The original fine proposed by the Irish Data Protection Commission (DPC) was for €30 million to €50 million. However, other European regulators objected, and the European Data Processing Board (EDPB) adjudicated – instructing Ireland to increase the fine by 350%.

https://www.securityweek.com/gdpr-fines-surged-sevenfold-125-billion-2021-study

Cyber Security In 2022 – A Fresh Look At Some Very Alarming Stats

Last year Forbes wrote a couple of articles  that highlighted some of the more significant cyber statistics associated with our expanding digital ecosystem.  In retrospect, 2021 was a very trying year for cyber security in so many areas. There were high profile breaches such as Solar Winds, Colonial Pipeline and dozens of others that had major economic and security related impact.  Ransomware came on with a vengeance targeting many small and medium businesses.  

Perhaps most worrisome was how critical infrastructure and supply chains security weaknesses were targeted and exploited by adversaries at higher rates than in the past.  Since it is only January, we are just starting to learn of some of the statistics that certainly will trend in 2022.  By reviewing the topics below, we can learn what we need to fortify and bolster in terms of cyber security throughout the coming year.

https://www.forbes.com/sites/chuckbrooks/2022/01/21/cybersecurity-in-2022--a-fresh-look-at-some-very-alarming-stats/

Buy now, pay later fraud, romance and cryptocurrency schemes top the list of threats this year

Experian released its annual forecast, which reveals five fraud threats for the new year. With consumers continuing to take a digital-first approach to everything from shopping, dating and investing, fraudsters are finding new and innovative ways to commit fraud.

The main areas they are predicting seeing rises in fraud are:

-Buy now, pay never

-Cryptocurrency scams

-Doubling ransomware attacks

-More increases in romance fraud

-Digital elder abuse will rise

https://www.helpnetsecurity.com/2022/01/26/fraud-threats-this-year/

Threats

Ransomware

• Ransomware: More Families, More Vulnerabilities, More Weaponry Dominate 2021 - MSSP Alert

• Linux Version Of LockBit Ransomware Targets VMware ESXi Servers (bleepingcomputer.com)

• BlackCat Ransomware Targeting US, European Retail, Construction And Transportation Orgs | ZDNet

• Conti Ransomware Hits Apple, Tesla Supplier - The Record by Recorded Future

Phishing

• There's Been A Big Rise In Phishing Attacks Using Microsoft Excel XLL Add-Ins | ZDNet

• Microsoft warns of multi-stage phishing campaign leveraging Azure AD (bleepingcomputer.com)

• Evolved phishing: Device Registration Trick Adds To Phishers’ Toolbox For Victims Without MFA - Microsoft Security Blog

Other Social Engineering

• Coronavirus SMS Scam Offers Home PCR Testing Devices – Don’t Fall For It! – Naked Security (sophos.com)

Malware

• Trickbot Injections Get Harder to Detect & Analyze (darkreading.com)

• Log4j: Mirai Botnet Found Targeting ZyXEL Networking Devices | ZDNet

• Hackers Infect macOS with New DazzleSpy Backdoor in Watering-Hole Attacks (thehackernews.com)

• TrickBot Malware Using New Techniques to Evade Web Injection Attacks (thehackernews.com)

Mobile

• 105 Million Android Users Targeted By Subscription Fraud Campaign (bleepingcomputer.com)

• 2FA App With 10,000 Google Play Downloads Loaded Well-Known Banking Trojan | Ars Technica

• New FluBot And TeaBot Campaigns Target Android Devices Worldwide (bleepingcomputer.com)

• Latest Version Of Android RAT BRATA Wipes Devices After Stealing Data - Security Affairs

• Is Google Tracking Your Location Even When You Think You’ve Turned It Off? US States Sue Over “Deception” • Graham Cluley

IoT

• As IoT Attacks Increase, Experts Fear More Serious Threats (darkreading.com)

• Mirai Splinter Botnets Dominate IoT Attack Scene | ZDNet

• Millions of Routers, IoT Devices at Risk as Malware Source Code Surfaces on GitHub (darkreading.com)

• 19-Year-Old Describes How He Remotely Hacked 25+ Teslas (businessinsider.com)

Data Breaches/Leaks

• 'We're Losing Control Of Our Data' As Breaches Reach An All-Time High | ZDNet

• Personal Identifying Information For 1.5 Billion Users Was Stolen In 2021, But From Where? - TechRepublic

Organised Crime & Criminal Actors

• Russia Makes More Arrests, But Cyber Crime-Harbouring Reputation Hard To Shake (scmagazine.com)

Cryptocurrency/Cryptomining/Cryptojacking

• People Are Still Getting Pwned a Week After a Crypto Hack Was ‘Contained’ (vice.com)

Supply Chain

• Aqua Security Reports Large Increase in Supply Chain Attacks (infoq.com)

DoS/DDoS

• Microsoft Mitigates Largest DDoS Attack 'Ever Reported In History' (bleepingcomputer.com)

• Nobel Foundation Site Hit By DDoS Attack On Award Day (bleepingcomputer.com)

CNI, OT, ICS, IIoT and SCADA

• Over 20,000 Data Center Management Systems Exposed To Hackers (bleepingcomputer.com)

• Energy Sector Still Needs to Shut the Barn Door (darkreading.com)

Nation State Actors

• North Korean Hackers Using Windows Update Service to Infect PCs with Malware (thehackernews.com)

• Russian APT29 Hackers' Stealthy Malware Undetected For Years (bleepingcomputer.com)

• North Korean Hackers Return with Stealthier Variant of KONNI RAT Malware (thehackernews.com)

• German Intel Warns Of APT27 Targeting Commercial Organisations - Security Affairs

• Threat Actors Use Microsoft OneDrive for Command-and-Control in Attack Campaign (darkreading.com)

• APTs Quiet Ahead Of Beijing Games, But Financially Motivated Hackers Are Still Lurking, Research Says - CyberScoop

Cloud

• Top 5 Cloud Security Data Breaches in Recent Years (makeuseof.com)

• Molerats Group Uses Public Cloud Services As Attack Infrastructure - Security Affairs

Privacy

• UK’s Privacy Tsar Mounts Fierce Defence of End-to-End Encryption - Infosecurity Magazine

Passwords & Credential Stuffing

• 65% Of Organisations Continue To Rely On Shared Logins - Help Net Security

• Strong Security Starts With The Strengthening Of The Weakest Link: Passwords - Help Net Security

• Has That Password Been Compromised? - IT Security Guru

Spyware, Espionage & Cyber Warfare

• DazzleSpy: Pro-Democracy Org Hijacked To Become macOS Spyware Distributor | ZDNet

Vulnerabilities

• Ubiquitous Linux Bug: ‘An Attacker’s Dream Come True’ | Threatpost

• Outlook Security Feature Bypass Allowed Sending Malicious Links | SecurityWeek.Com

• Attackers Now Actively Targeting Critical SonicWall RCE Bug (bleepingcomputer.com)

• Patching the CentOS 8 Encryption Bug is Urgent – What Are Your Plans? (thehackernews.com)

• Apple Fixes New Zero-Day Exploited To Hack macOS, iOS Devices (bleepingcomputer.com)

• F5 Fixes 25 Flaws In BIG-IP, BIG-IQ, and NGINX Products - Security Affairs

Sector Specific

Health/Medical/Pharma Sector

• Healthcare Industry Most Common Victim Of Third-Party Breaches Last Year - Help Net Security

Education and Academia

• Education Sector Hounded By Cyber Attacks In 2021 | CSO Online

• Reports Published in the Last Week

• Identity Theft Resource Center’s 2021 Annual Data Breach Report Sets New Record for Number of Compromises - ITRC (idtheftcenter.org)

• Experian plc - Experian’s Annual Future of Fraud Forecast Predicts Five Key Threats for Businesses and Consumers in 2022

• Aqua Security Reports Large Increase in Supply Chain Attacks (infoq.com)

Other News

• Cyber Security: 11 Steps To Take As Threat Levels Increase | ZDNet

• Right of Boom: Can Your MSP Really Survive A Cyber Attack? - MSSP Alert

• Are You Prepared to Defend Against a USB Attack? (darkreading.com)

• Prioritizing And Remediating Vulnerabilities In The Wake Of Log4J and Microsoft's Patch Tuesday Blunder | CSO Online

• VW Fired Senior Employee After They Raised Cyber Security Concerns | Financial Times

• Microsoft Outlook RCE Zero-Day Exploits Now Selling For $400,000 (bleepingcomputer.com)

• Hackers Are Taking Over CEO Accounts With Rogue OAuth Apps (bleepingcomputer.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Over the past few weeks, the global media has been alerting us all to the prospect of aggressive action by Russia in Ukraine. The US has warned of imminent acts of provocation to create a pretext to invade Ukraine, and today the UK has started to withdraw embassy staff.

Conflict is no longer restricted to the physical world. We might think we are a safe distance away from the front line, but modern warfare does not care about international borders.

The last time Russia took aggressive action against Ukraine, companies across the world found themselves victim of an attack that got out of control. Russia was named by several intelligence agencies as having injected the NotPetya encrypting malware through a Ukrainian tax preparation software in 2017 to target Ukrainian assets. The situation eventually spiralled to infect thousands of businesses across the world, causing serious damage.

The situation could be more serious this time. The risk of damage to companies in the Channel Islands and UK from a Russian cyber attack increases further when sides are taken, with the US, UK and other allied nations likely to take up at least some degree of involvement. The British Government for example, plans to invest £5 billion in retaliatory cyber attacks, creating their very own “Cyber Force” to target hostile states.

We need to learn from this, and we advise you to ensure you have appropriate controls in place to help protect yourself and if necessary to be able to recover if you are affected by an attack. These controls must be across people, operations and technology; it is impossible for technology alone to give the necessary protection.

Contact us for help to understand your risks and your security gaps.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Cyber Risks Top Worldwide Business Concerns In 2022

Cyber perils are the biggest concern for companies globally in 2022, according to the Allianz Risk Barometer. The threat of ransomware attacks, data breaches or major IT outages worries companies even more than business and supply chain disruption, natural disasters or the COVID-19 pandemic, all of which have heavily affected firms in the past year.

Cyber incidents tops the Allianz Risk Barometer for only the second time in the survey’s history (44% of responses), Business interruption drops to a close second (42%) and Natural catastrophes ranks third (25%), up from sixth in 2021. Climate change climbs to its highest-ever ranking of sixth (17%, up from ninth), while Pandemic outbreak drops to fourth (22%).

The annual survey incorporates the views of 2,650 experts in 89 countries and territories, including CEOs, risk managers, brokers and insurance experts. View the full global and country risk rankings.

https://www.helpnetsecurity.com/2022/01/20/cyber-concern-2022/

Bosses Think That Security Is Taken Care Of: CISOs Aren't So Sure

The World Economic Forum warns about a significant gap in understanding between C-suites and information security staff - but it's possible to close the gap.

Organisations could find themselves at risk from cyberattacks because of a significant gap between the views of their own security experts and the boardroom.

The World Economic Forum's new report, The Global Cyber Security Outlook 2022, warns there are big discrepancies between bosses and information security personnel when it comes to the state of cyber resilience within organisations.

According to the paper, 92% of business executives surveyed agree that cyber resilience is integrated into enterprise risk management strategies – or in other words, protecting the organisation against falling victim to a cyberattack, or mitigating the incident so it doesn't result in significant disruption.

However, only 55% of security-focused executives believe that cyber resilience is integrated into risk management strategies – indicating a significant divide in attitudes to cyber security.

This gap can leave organisations vulnerable to cyberattacks, because boardrooms believe enough has been done in order to mitigate threats, while in reality there could be unconsidered vulnerabilities or extra measures put in place.

https://www.zdnet.com/article/managers-think-their-systems-are-unbreakable-cybersecurity-teams-arent-so-sure/

Fraud Is On the Rise, and It's Going to Get Worse

The acceleration of the digital transformation resulted in a surge of online transactions, greater adoption of digital payments, and increased fraud.

As more daily activities — work, education, shopping, and entertainment — shift online, fraud is also on the rise. A trio of recent reports paint a bleak picture, highlighting concerns that companies are experiencing increasing losses from fraud and that the situation will get worse over the coming year.

In KPMG's survey of senior risk executives, 67% say their companies have experienced external fraud in the past 12 months, and 38% expect the risk of fraud committed by external perpetrators to somewhat increase in the next year. External fraud, which includes credit card fraud and identity theft, is specifically referring to incidents perpetuated by individuals outside the company. For most of these respondents, there was a financial impact: Forty-two percent say their organisations experienced 0.5% to 1% of loss as a result of fraud and cybercrime.

https://www.darkreading.com/edge-articles/fraud-is-on-the-rise-and-its-going-to-get-worse

Two-Fifths of Ransomware Victims Still Paying Up

Two-fifths (39%) of ransomware victims paid their extorters over the past three years, with the majority of these spending at least $100,000, according to new Anomali research.

The security vendor hired The Harris Poll to complete its Cyber Resiliency Survey – interviewing 800 security decision-makers in the US, Canada, the UK, Australia, Singapore, Hong Kong, India, New Zealand, the UAE, Mexico and Brazil.

Some 87% said their organisation had been the victim of a successful attack resulting in damage, disruption, or a breach since 2019. However, 83% said they’d experienced more attacks since the start of the pandemic.

Over half (52%) were ransomware victims, with 39% paying up. Of these, 58% gave their attackers between $100,000 and $1m, while 7% handed over more than $1m.

https://www.infosecurity-magazine.com/news/two-fifths-ransomware-victims/

Less Than a Fifth of Cyber Leaders Feel Confident Their Organisation is Cyber-Resilient

Less than one-fifth (17%) of cyber leaders feel confident that their organisations are cyber-resilient, according to the World Economic Forum (WEF)’s inaugural Global Cyber Security Outlook 2022 report.

The study, written in collaboration with Accenture, revealed there is a wide perception gap between business executives and security leaders on the issue of cyber security. For example, 92% of businesses believe cyber-resilience is integrated into their enterprise risk-management strategies, compared to just 55% of cyber leaders.

This difference in attitude appears to be having worrying consequences. The WEF said that many security leaders feel that they are not consulted in security decisions, and only 68% believe cyber-resilience forms a major part of their organisation’s overall corporate risk management.

In addition, over half (59%) of all cyber leaders admitted they would find it challenging to respond to a cyber security incident due to a shortage of skills within their team.

Supply chain security was another major concern among cyber leaders, with almost nine in 10 (88%) viewing SMEs as a key threat to supply chains.

Interestingly, 59% of cyber leaders said cyber-resilience and cyber security are synonymous, with the differences not well understood.

https://www.infosecurity-magazine.com/news/cyber-leaders-organisation/

Endpoint Malware And Ransomware Detections Hit All-Time High

Endpoint malware and ransomware detections surpassed the total volume seen in 2020 by the end of Q3 2021, according to researchers at the WatchGuard Threat Lab. In its latest report, WatchGuard also highlights that a significant percentage of malware continues to arrive over encrypted connections.

While zero-day malware increased by just 3% to 67.2% in Q3 2021, the percentage of malware that arrived via Transport Layer Security (TLS) jumped from 31.6% to 47%. Data shows that many organisations are not decrypting these connections and therefore have poor visibility into the amount of malware hitting their networks.

https://www.helpnetsecurity.com/2022/01/20/endpoint-malware-ransomware-detections-q3-2021/

End Users Remain Organisations' Biggest Security Risk

With the rapid adoption of hybrid working environments and increased attacks, IT and security professionals worry that future data breaches will most likely be the result of end users who are negligent of or break security policy, according to a recent Dark Reading survey. The percentage of respondents in Dark Reading's 2021 Strategic Security Survey who perceive users breaking policy as the biggest risk fell slightly, however, from 51% in 2020 to 48% in 2021. Other potential issues involving end users showed improvements as well, with social engineering falling in concern from 20% to 15% and remote work worries halving from 26% to 13%.

While this trend is positive, it's unclear where the increased confidence comes from, since more people now report ineffective end-user security awareness training (11%, to 2020's 7%).

Respondents shared their heightened concern about well-funded attacks. In 2021, 25% predicted an attack targeted at their organisations (a rise from 2020, when 20% said the same), and fear of a nation-state-sponsored action rose to 16% from 9% the year before. Yet only 16% reported sophisticated, automated malware as a top concern, a 10% drop from 2020, and fear of a gap between security and IT advances only merited 9%. A tiny 3% worried that their security tools wouldn't work well together, dropping from the previous year's 10%.

https://www.darkreading.com/edge-threat-monitor/despite-rise-of-third-party-concerns-end-users-still-the-biggest-security-risk

Supply Chain Disruptions Rose In 2021

56% of businesses experienced more supply chain disruptions in 2021 than 2020, a Hubs report reveals.

Last year was marked by a number of challenges, including computer chip shortages, port congestion, the ongoing impacts of COVID-19, logistics impediments, and energy crises, though with every hurdle faced, solutions are being sought. It is increasingly clear that while certain risks are hard to anticipate and difficult to plan for, it is possible to mitigate the effects of supply chain disruptions by establishing a robust and agile supply chain.

Over 98% of global companies are now planning to boost the resilience of their manufacturing supply chains, however, 37% have yet to implement any measures. As businesses develop long term strategies, over 57% of companies say diversification of their supply chains is the most effective way of building resilience. This report explores last year’s most disruptive events, how disruptions have changed over time, industry trends and strategies for strengthening manufacturing supply chains.

https://www.helpnetsecurity.com/2022/01/19/supply-chain-disruptions-2021/

Red Cross Begs Attackers Not to Leak Stolen Data for 515K People

A cyber attack forced the Red Cross to shut down IT systems running the Restoring Family Links system, which reunites families fractured by war, disaster or migration. UPDATE: The ICRC says it’s open to confidentially communicating with the attacker.

The Red Cross is imploring threat actors to show mercy by abstaining from leaking data belonging to 515,000+ “highly vulnerable” people. The data was stolen from a program used to reunite family members split apart by war, disaster or migration.

“While we don’t know who is responsible for this attack, or why they carried it out, we do have this appeal to make to them,” Robert Mardini, the director general of the International Committee for the Red Cross (ICRC), said in a release on Wednesday. “Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.”

https://threatpost.com/red-cross-begs-attackers-not-to-leak-515k-peoples-stolen-data/177799/

DHL Dethrones Microsoft As Most Imitated Brand In Phishing Attacks

DHL was the most imitated brand in phishing campaigns throughout Q4 2021, pushing Microsoft to second place, and Google to fourth.

This isn't surprising considering that the final quarter of every year includes the Black Friday, Cyber Monday, and Christmas shopping season, so phishing lures based on package deliveries naturally increase.

DHL is an international package delivery and express mail service, delivering over 1.6 billion parcels per year.

As such, phishing campaigns impersonating the brand have good chances of reaching people who are waiting for a DHL package to arrive during the holiday season.

The specific lures range from a package that is stuck at customs and requires action for clearance to supposed tracking numbers that hide inside document attachments or embedded links.

https://www.bleepingcomputer.com/news/security/dhl-dethrones-microsoft-as-most-imitated-brand-in-phishing-attacks/

Threats

Ransomware

• New White Rabbit Ransomware Linked To FIN8 Hacking Group (bleepingcomputer.com)

• Conti Ransomware Gang Started Leaking Files Stolen From Bank Indonesia - Security Affairs

• This New Ransomware Comes With A Small But Dangerous Payload | ZDNet

• FBI Warning: This New Ransomware Makes Demands Of Up To $500,000 | ZDNet

• Experts Warn Of Attacks Using A New Linux Variant Of SFile Ransomware - Security Affairs

• SEC Filing Reveals Fortune 500 Firm Targeted in Ransomware Attack | Threatpost

• FBI Warns Organisations of Diavol Ransomware Attacks | SecurityWeek.Com

• Marketing Giant RRD Confirms Data Theft In Conti Ransomware Attack (bleepingcomputer.com)

• After Ransomware Arrests, Some Dark Web Criminals Are Getting Worried | ZDNet

BEC – Business Email Compromise

• Nigerian Authorities Arrest 11 Members of Prolific BEC Fraud Group | SecurityWeek.Com

Phishing

• Phishing Impersonates Shipping Giant Maersk To Push STRRAT Malware (bleepingcomputer.com)

• #COVID19 Phishing Emails Surge 500% on Omicron Concerns - Infosecurity Magazine

• Financially Motivated Earth Lusca Threat Actors Targets Orgs Worldwide - Security Affairs

Malware

• Microsoft Details Recent Damaging Malware Attacks on Ukrainian Organisations (darkreading.com)

• Custom-Written Malware Discovered Across Windows, MacOS, And Linux Systems | TechSpot

• Backdoor RAT for Windows, macOS, and Linux went undetected until now | Ars Technica

• Ukraine: Wiper Malware Masquerading As Ransomware Hits Government Organisations - Help Net Security

• Russian Hackers Heavily Using Malicious Traffic Direction System to Distribute Malware (thehackernews.com)

• Linux Malware Is On The Rise. Here Are Three Top Threats Right Now | ZDNet

• Malware That Can Survive OS Reinstalls Strikes Again, Likely for Cyber Espionage | PCMag

• New MoonBounce UEFI Malware Used By Apt41 In Targeted Attacks (bleepingcomputer.com)

Data Breaches/Leaks

• Exposed Records Exceeded 40 Billion In 2021 - Help Net Security

• European Regulators Hand Out €1.1bn in GDPR Fines - Infosecurity Magazine

Organised Crime & Criminal Actors

• Financially Motivated Earth Lusca Threat Actors Targets Orgs Worldwide - Security Affairs

• A Hacker Is Negotiating With Victims on the Blockchain After $1.4M Heist (vice.com)

• FBI & European Police Take Down Computer Servers Used In Major Cyberattacks Worldwide - CNNPolitics

• Europol Shuts Down VPNLab, Cyber Criminals' Favourite VPN Service (thehackernews.com)

Cryptocurrency/Cryptomining/Cryptojacking

• 2FA Bypassed in $34.6M Crypto.com Heist | Threatpost

• Cyber Criminals Actively Target VMware vSphere with Cryptominers | Threatpost

• New BHUNT Password Stealer Malware Targeting Cryptocurrency Wallets (thehackernews.com)

• Cheap Malware Is Behind A Rise In Attacks On Cryptocurrency Wallets | ZDNet

Insider Risk and Insider Threats

• Research: Why Employees Violate Cyber Security Policies (hbr.org)

• What CISOs Can Learn About Insider Threats From Iran's Human Espionage Tactics | CSO Online

Fraud, Scams & Financial Crime

• How Buy Now, Pay Later Is Being Targeted By Fraudsters - Help Net Security

• Romance Scammer Who Targeted 670 Women Gets 28 Months In Jail – Naked Security (sophos.com)

Insurance

• Merck Awarded $1.4B Insurance Payout over NotPetya Attack | Threatpost

CNI, OT, ICS, IIoT and SCADA

• UK Mulls Making MSPs Subject To Mandatory Security Standards • The Register

• ‘Anomalous’ Spyware Stealing Credentials In Industrial Firms (bleepingcomputer.com)

• European Union Simulated A Cyber Attack On A Fictitious Finnish Power Company - Security Affairs

Nation State Actors

• Ukraine: Recent Cyber Attacks Part of Wider Plot to Sabotage Critical Infrastructure (thehackernews.com)

• Ukraine Cyber Attack Timeline: Microsoft, CISA, White House and Kyiv Statements - MSSP Alert

• Chinese Hackers Spotted Using New UEFI Firmware Implant in Targeted Attacks (thehackernews.com)

• Security Scanners Across Europe Tied To China Govt, Military | AP News

Cloud

• Attackers Use Public Cloud Providers To Spread RATs | CSO Online

Privacy

• UK.Gov's No Place To Hide campaign flops on launch • The Register

Passwords & Credential Stuffing

• Your Keyboard Walking Password Isn’t Complex Or Secure – Review Geek

• Box Flaw Allowed To Bypass MFA And Takeover Accounts - Security Affairs

Spyware, Espionage & Cyber Warfare

• Malware That Can Survive OS Reinstalls Strikes Again, Likely for Cyber Espionage | PCMag

Vulnerabilities

• CISA Adds 13 Exploited Vulnerabilities To List, 9 with Feb. 1 Remediation Date | ZDNet

• Microsoft RDP Vulnerability Makes It A Breeze For Attackers To Become Men-In-The-Middle - TechRepublic

• High-Severity Vulnerabilities Patched in McAfee Enterprise Product | SecurityWeek.Com

• Cisco Releases Patch for Critical Bug Affecting Unified CCMP and Unified CCDM (thehackernews.com)

• A bug in McAfee Agent allows to run code with SYSTEM privileges - Security Affairs

• Zoho Fixes A Critical Vulnerability (CVE-2021-44757) in Desktop Central - Security Affairs

• Ubuntu Patch For Heap Buffer Overflow Vulnerability • The Register

• Google Details Two Zero-Day Bugs Reported in Zoom Clients and MMR Servers (thehackernews.com)

• Hackers Attempt to Exploit New SolarWinds Serv-U Bug in Log4Shell Attacks (thehackernews.com)

• F5 Patches Two Dozen Vulnerabilities in BIG-IP | SecurityWeek.Com

• McAfee Bug Can Be Exploited to Gain Windows SYSTEM Privileges | Threatpost

• Oracle Critical Patch Update for January 2022 will fix 483 new flaws - Security Affairs

• 20K WordPress Sites Exposed by Insecure Plugin REST-API | Threatpost

• Nasty Linux Kernel Bug Found And Fixed | ZDNet

• Cisco Issues Patch for Critical RCE Vulnerability in RCM for StarOS Software (thehackernews.com)

• Critical Bugs in Control Web Panel Expose Linux Servers to RCE Attacks (thehackernews.com)

• Critical SAP Vulnerability Allows Supply Chain Attacks | SecurityWeek.Com

• Zoho Plugs Another Critical Security Hole In Desktop Central (bleepingcomputer.com)

• Safari Exploit Can Leak Browser Histories And Google Account Info | Engadget

Sector Specific

Financial Services Sector

• Singapore Pushed To Introduce Security Measures Amidst Online Banking Scams | ZDNet

Health/Medical/Pharma Sector

• More Than Half Of Medical Devices Found To Have Critical Vulnerabilities | ZDNet

• Additional Healthcare Firms Disclose Impact From Netgain Ransomware Attack | SecurityWeek.Com

Retail

• PCI SSC Updates Card Security Standards To Secure The Card Production Process - Help Net Security

Education and Academia

• Kids Won’t Stop Launching DDoS Attacks Against Their Schools | TechRadar

Other News

• Biggest MSP Takeaways From The Apache Log4j Vulnerability - MSSP Alert

• The Emotional Stages Of A Data Breach: How To Deal With Panic, Anger, And Guilt | CSO Online

• The Log4j Vulnerability Puts Pressure on the Security World | Threatpost

• Hackers Planted Secret Backdoor in Dozens of WordPress Plugins and Themes (thehackernews.com)

• BadUSB explained: How rogue USBs threaten your organisation | CSO Online

• Millions of UK Wi-Fi Routers Vulnerable To Security Threats - IT Security Guru

• NATO, Ukraine Sign Deal to 'Deepen' Cyber Cooperation | SecurityWeek.Com

• UK Umbrella Company Parasol Group Confirms Cyber Attack • The Register

• MPs Criticise Cyber Agency For Not Aiding China Rights Group After It Was Hacked | China | The Guardian

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Businesses Suffered 50% More Cyber Attack Attempts per Week in 2021

Cyberattack attempts reached an all-time high in the fourth quarter of 2021, jumping to 925 a week per organisation, partly due to attempts stemming from the Log4j vulnerability, according to new data.

Check Point Research on Monday reported that it found 50% more attack attempts per week on corporate networks globally in calendar year 2021 compared with 2020.

The researchers define a cyberattack attempt as a single isolated cyber occurrence that could be at any point in the attack chain — scanning/exploiting vulnerabilities, sending phishing emails, malicious website access, malicious file downloads (from Web/email), second-stage downloads, and command-and-control communications.

https://www.darkreading.com/attacks-breaches/corporate-networks-saw-50-more-attacks-per-week-in-2021-

Cyber Attacks Against MSPs Jump 67%

Cyber attacks spiked by 50 percent in 2021 as compared to 2020, aided by millions of attacks in December by hackers attempting to exploit the Log4J vulnerability, according to a Check Point Software Technologies research report.

In terming 2021 a “record breaking year,” the security provider pointed to a worldwide peak of 925 cyber attacks per organisation weekly and an October 2021 measure that showed a 40 percent increase in cyberattacks, with one out of every 61 entities hit by ransomware each week. The number of cyberattacks on managed service providers (MSPs) and internet service providers (ISPs) rose by nearly 70 percent year over year.

https://www.msspalert.com/cybersecurity-news/cyberattacks-vs-msps-skyrocket/

SMEs Still An Easy Target For Cyber Criminals

Cyber crime continues to be a major concern, with 51% of SMEs experiencing a cyber security breach, a Markel Direct survey reveals.

In this survey that polled 1000 respondents, Markel Direct explored the issue of cybercrime and its impact on the self-employed and SMEs. The survey found the most common cybersecurity attacks were malware/virus related (24%) followed by a data breach (16%) and phishing attack (15%), with 68% reporting the cost of their breach was up to £5,000.

This comes after the latest Quarterly Fraud and Cyber Crime Report revealed that Britons lost over £1 billion in the first six months of 2021, due to the considerable increase in fraudulent activity.

https://www.helpnetsecurity.com/2022/01/12/smes-cybersecurity-breach/

World Economic Forum: Cyber Security Failures an Increasing Global Threat

Cybersecurity was once again identified as a major short and medium-term threat to the world in this year’s World Economic Forum’s (WEF’s) The Global Risk Report. The analysis was based on insights from nearly 1000 global experts and leaders who responded to the WEF’s Global Risks Perception Survey (GRPS).

Perhaps unsurprisingly, environmental issues like climate action failure and extreme weather ranked highest on the risks facing the world over the short (0-2 years), medium (2-5 years) and long-term (5-10 years). In addition, a number of challenges exacerbated by the pandemic, such as livelihood crises, infectious diseases and mental health deterioration, also scored highly. Overall, this added up to a pessimistic assessment, with 84.2% of respondents stating they were either “worried” or “concerned” about the global outlook.

Digital challenges, such as “cyber security failures,” were also viewed as a significant and growing problem to the world. Nearly one in five (19.5%) respondents believe cybersecurity failures will be a critical threat to the world in just the next 0-2 years, and 14.6% said it would be in 2-5 years

https://www.infosecurity-magazine.com/news/world-economic-forum-cybersecurity/

Microsoft Faces Wormable, Critical RCE Bug & 6 Zero-Days

Microsoft started 2022 with a large January Patch Tuesday update covering nine critical CVEs, including a self-propagator with a 9.8 CVSS score.

Microsoft has addressed a total of 97 security vulnerabilities in its January 2022 Patch Tuesday update – nine of them rated critical – including six that are listed as publicly known zero-days.

The fixes cover a swath of the computing giant’s portfolio, including: Microsoft Windows and Windows Components, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP).

https://threatpost.com/microsoft-wormable-critical-rce-bug-zero-day/177564/

Russia Arrests REvil Ransomware Gang Responsible for High-Profile Cyber Attacks

In an unprecedented move, Russia's Federal Security Service (FSB), the country's principal security agency, on Friday disclosed that it arrested several members belonging to the notorious REvil ransomware gang and neutralized its operations.

The surprise takedown, which it said was carried out at the request of the US authorities, saw the law enforcement agency conduct raids at 25 addresses in the cities of Moscow, St. Petersburg, Moscow, Leningrad and Lipetsk regions that belonged to 14 suspected members of the organised cyber crime syndicate.

"In order to implement the criminal plan, these persons developed malicious software, organised the theft of funds from the bank accounts of foreign citizens and their cashing, including through the purchase of expensive goods on the Internet," the FSB said in a statement.

In addition, the FSB seized over 426 million rubles, including in cryptocurrency, $600,000, €500,000, as well as computer equipment, crypto wallets used to commit crimes, and 20 luxury cars that were purchased with money obtained by illicit means.

https://thehackernews.com/2022/01/russia-arrests-revil-ransomware-gang.html

North Korea Hackers Stole $400m Of Cryptocurrency In 2021, Report Says

North Korean hackers stole almost $400m (£291m) worth of digital assets in at least seven attacks on cryptocurrency platforms last year, a report claims.

Blockchain analysis company Chainalysis said it was one of most successful years on record for cyber-criminals in the closed east Asian state.

The attacks mainly targeted investment firms and centralised exchanges.

North Korea has routinely denied being involved in hack attacks attributed to them.

"From 2020 to 2021, the number of North Korean-linked hacks jumped from four to seven, and the value extracted from these hacks grew by 40%," Chainalysis said in a report.

https://www.bbc.co.uk/news/business-59990477

No Lights, No Heat, No Money - That's Life In Ukraine During Cyber Warfare

Hackers who defaced and interrupted access to numerous Ukrainian government websites on Friday could be setting the stage for more serious cyberattacks that would disrupt the lives of ordinary Ukrainians, experts said.

"As tensions grow, we can expect more aggressive cyber activity in Ukraine and potentially elsewhere," said John Hultquist, an intelligence analyst at US cyber security company Mandiant, possibly including "destructive attacks that target critical infrastructure."

"Organisations need to begin preparing," Hultquist added.

Intrusions by hackers on hospitals, power utility companies, and the financial system were until recently rare. But organised cyber criminals, many of them living in Russia, have gone after institutions aggressively in the past two years with ransomware, freezing data and computerized equipment needed to care for hospital patients.

In some cases, those extortion attacks have led to patient deaths, according to litigation, media reports and medical professionals.

https://www.reuters.com/world/europe/no-lights-no-heat-no-money-thats-life-ukraine-during-cyber-warfare-2022-01-14/

Ukrainian Police Arrest Five Members Of Ransomware Affiliate

Ukrainian police announced the arrest of five members of a ransomware affiliate on Thursday, noting that the group was behind attacks on more than 50 companies across Europe and the US.

In a statement, both the Ukrainian Security Service and Ukrainian Cyber Police said the group made at least $1 million through their attacks on the companies.

US and UK law enforcement officials worked with Ukrainian officials on the operation.

Officials said the leader of the group was a 36-year-old who worked with his wife and three other people out of Kyiv. The five are facing a variety of charges in Ukraine related to money laundering, hacking, and selling malware.

One of the people charged is wanted by law enforcement agencies in UK after "using a virus to obtain bank card details of the customers of British banks," according to the police statement.

The bank card details were used to buy things online that were then resold.

https://www.zdnet.com/article/ukrainian-police-arrest-members-of-ransomware-affiliate/

Fingers Point To Lazarus, Cobalt, Fin7 As Key Hacking Groups Attacking Finance Industry

The Lazarus, Cobalt, and FIN7 hacking groups have been labeled as the most prevalent threat actors striking financial organisations today.

According to "Follow the Money," a new report (.PDF) published on the financial sector by Outpost24's Blueliv on Thursday, members of these groups are the major culprits of theft and fraud in the industry today.

The financial sector has always been, and possibly always will be, a key target for cybercriminal groups. Organisations in this area are often custodians of sensitive personally identifiable information (PII) belonging to customers and clients, financial accounts, and cash.

They also often underpin the economy: if a payment processor or bank's systems go down due to malware, this can cause irreparable harm not only to the victim company in question, but this can also have severe financial and operational consequences for customers.

https://www.zdnet.com/article/fingers-point-to-lazarus-cobalt-fin7-as-key-hacking-groups-focused-on-finance-industry/

Ransomware, Supply Chain, And Deepfakes: The Top Threats The Finance Industry Needs To Prepare For

The finance industry is constantly targeted by numerous threat actors, and they are always innovating and trying new techniques (such as deepfakes) to outsmart security teams and breach an organisation’s network.

In addition to that, there is currently a huge demand for data and new tools on the dark web. In fact, users are selling access to point-of-sale (PoS) terminals and login details to the websites of financial services organisations all the time.

How can financial organisations protect themselves from existing threats and combat new ones at the same time?

https://www.helpnetsecurity.com/2022/01/12/finance-industry-threats/

Threats

Ransomware

• Night Sky Ransomware Is Attacking Corporate Networks For 800k Ransom - The Cybersecurity Times

• One Of The REvil Members Arrested Was Behind Colonial Pipeline Attack - Security Affairs

• Ransomware Is Being Rewritten In Go For Joint Attacks On Windows, Linux Users | IT PRO

• Inside a Ransomware Hit at Nordic Choice Hotels - WSJ

• Watch Out, That Microsoft Edge Update Is Actually Ransomware | TechRadar

• Qlocker Ransomware Returns To Target QNAP NAS Devices Worldwide (bleepingcomputer.com)

• Trends That Shaped Ransomware – And Why It’s Not Slowing Down - CyberScoop

Phishing

• Check Your SPF Records: Wide IP Ranges Undo Email Security And Make For Tasty Phishes | ZDNet

• Phishers Are Targeting Office 365 Users By Exploiting Adobe Cloud - Help Net Security

• Hackers Exploiting Microsoft Exchange Server Vulnerabilities in Enterprise Phishing Campaigns - MSSP Alert

• Real Big Phish: Mobile Phishing & Managing User Fallibility | Threatpost

Malware

• Microsoft Defender Weakness Lets Hackers Bypass Malware Detection (bleepingcomputer.com)

• New RedLine Malware Version Spread As Fake Omicron Stat Counter (bleepingcomputer.com)

• ‘Fully Undetected’ SysJoker Backdoor Malware Targets Windows, Linux & macOS | Threatpost

• FluBot Malware Continues To Evolve. What's New In Ver 5.0 And Beyond? Security Affairs

• Oops: Cyberspies Infect Themselves With Their Own Malware (bleepingcomputer.com)

Mobile

• Android Users Can Now Disable 2G to Block Stingray Attacks (bleepingcomputer.com)

• EFF Praises Android’s New 2G Kill Switch, Wants Apple To Follow Suit | Ars Technica

• How To Protect Yourself Against Sim-Swapping Scams With Mobile Phone Fraud On The Rise (inews.co.uk)

IoT

• How a Hacker Controlled Dozens of Teslas Using a Flaw in Third-Party App (vice.com)

• Better Smart Home Security In 5 Easy Steps - CNET

Organised Crime & Criminal Actors

• Cyber Attacks On Corporations Hit Record Breaking Highs - IT Security Guru

Cryptocurrency/Cryptomining/Cryptojacking

• Abcbot Botnet Is Linked To Xanthe Cryptojacking Group | ZDNet

• North Korean Hackers Impersonate Major Crypto Investment Firm to Scam Startups (vice.com)

Insider Risk and Insider Threats

• Insider Threat Does Not Have To Be Malicious, So How Do You Protect Your Organisation? - Help Net Security

• Data Security In The Age Of Insider Threats: A Primer - Help Net Security

• Former DHS Official Charged With Stealing Govt Employees' PII (bleepingcomputer.com)

• Forensics Expert Kept Murder Snaps on PC - Infosecurity Magazine

Fraud, Scams & Financial Crime

• £92m Lost To Romance Scammers In 2021 - IT Security Guru

• ‘It Felt Like Losing A Husband’: The Fraudsters Breaking Hearts – And Emptying Bank Accounts | Relationships | The Guardian

DoS/DDoS

• Extortion DDoS Attacks Grow Stronger And More Common (Bleepingcomputer.Com)

• DDoS Attacks That Come Combined With Extortion Demands Are On The Rise | ZDNet

CNI, OT, ICS, IIoT and SCADA

• Manufacturers Are Starting To Realize The Importance Of OT Security - Help Net Security

• FBI, NSA and CISA Warns of Russian Hackers Targeting Critical Infrastructure (thehackernews.com)

• Critical Infrastructure Falls Short on Ransomware Readiness, Mitigation, Recovery - MSSP Alert

Nation State Actors

• Ukraine Hacks Add to Worries of Cyber Conflict With Russia | SecurityWeek.Com

• Destructive Malware Targeting Ukrainian Organisations - Microsoft Security Blog

• US Olympic Athletes Urged to Leave Phones Behind (gizmodo.com)

• Suspected Chinese Hackers Use Log4j Flaw To Deploy Night Sky Ransomware, Microsoft Warns - CyberScoop

• Russian Submarines Threatening Undersea Cables, UK Defence Chief Warns - Security Affairs

• Iranian Hackers Exploit Log4j Vulnerability to Deploy PowerShell Backdoor (thehackernews.com)

• US Cyber Command Links 'MuddyWater' Hacking Group to Iranian Intelligence (thehackernews.com)

Cloud

• The Rising Threat Of Cyber Criminals Targeting Cloud Infrastructure In 2022 - Help Net Security

• 5 Top Hybrid Cloud Security Challenges | CSO Online

Passwords & Credential Stuffing

• 4 Ways Cyber Criminals Hide Credential Stuffing Attacks | CSO Online

Parental Controls and Child Safety

• UK Hacker Jailed for Spying on Children and Downloading Indecent Images (thehackernews.com)

Vulnerabilities

• CISA Adds 15 Exploited Vulnerabilities From Google, IBM, Microsoft, Oracle And More To Catalog | ZDNet

• Threat Actors Can Bypass Malware Detection Due To Microsoft Defender Weakness - Security Affairs

• noPac Exploit: Microsoft AD Flaw May Lead to Total Domain Compromise | CrowdStrike

• Adobe Fixes 4 Critical Reader Bugs That Were Demonstrated At Tianfu Cup - Security Affairs

• WordPress 5.8.3 Security Update Fixes SQL Injection, XSS Flaws (bleepingcomputer.com)

• WordPress Bugs Exploded in 2021, Most Exploitable | Threatpost

• Sonicwall SMA 100 VPN Box Security Hole Exploit Info Shared • The Register

• Cisco Patches Critical Vulnerability in Contact Center Products | SecurityWeek.Com

• Millions of Routers Exposed to RCE by USB Kernel Bug | Threatpost

• MacOS Bug Could Let Creeps Snoop On You | Threatpost

• Mozilla Patches High-Risk Firefox, Thunderbird Security Flaws | SecurityWeek.Com

Sector Specific

Financial Services Sector

• When It Comes To Banking Security, There's No Silver Bullet - Help Net Security

SMBs – Small and Medium Businesses

• Over Half of SMEs Have Experienced a Cyber Security Breach - Infosecurity Magazine

Reports Published in the Last Week

• Finance Whitepaper. Digital risk management for FSIs. (blueliv.com)

Other News

• Hackers Penetrate 93% of Local Company Networks, Cyber Simulation Finds - MSSP Alert

• URL Parsing: A Ticking Time Bomb Of Security Exploits - TechRepublic

• Europol Told to Delete Vast Trove of Personal Information - Infosecurity Magazine

• The Race Towards Renewable Energy Is Creating New Cyber Security Risks | ZDNet

• What Is Clipboard Hijacking? How to Avoid Becoming a Victim (makeuseof.com)

• White House Reminds Tech Giants Open Source Is A National Security Issue (bleepingcomputer.com)

• Want To Improve Corporate Security? Prioritize Personal Security | ZDNet

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Microsoft Sees Rampant Log4j Exploit Attempts, Testing

Microsoft says it’s only going to get worse: It’s seen state-sponsored and cyber-criminal attackers probing systems for the Log4Shell flaw through the end of December.

No surprise here: The holidays bought no Log4Shell relief.

Threat actors vigorously launched exploit attempts and testing during the last weeks of December, Microsoft said on Monday, in the latest update to its landing page and guidance around the flaws in Apache’s Log4j logging library.

“We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,” according to Microsoft.

https://threatpost.com/microsoft-rampant-log4j-exploits-testing/177358/

Warning: Log4j Still Lurks Where Dependency Analysis Can’t Find It

The best programming practice to include a third-party library in source code is to use the import command. It is the easiest way to do it, and it is also the way that most dependency analysis programs work to determine if a vulnerable library is in play. But any time code is included without calling it as an external package, traditional dependency analysis might not be enough to find it — including when Java coders use a common trick to resolve conflicting dependencies during the design process.

A new study by jFrog found that 400 packages on repository Maven Central used Log4j code without calling it as an external package. Around a third of that came from fat jars — jar files that include all external dependencies to make a more efficient product. The remainder came from directly inserting Log4j code into the source code, including shading, a work-around used when two or more dependencies call different versions of the same library in a way that might conflict.

While 400 may not seem like a lot for Maven Central, where Google found 17,000 packages implementing the vulnerable Log4j library, some of the 400 packages unearthed by JFrog are widely used.

https://www.scmagazine.com/analysis/devops/warning-log4j-still-lurks-where-dependency-analysis-cant-find-it

Hackers Sending Malware-Filled USB Sticks to Companies Disguised as Presents

The "malicious USB stick" trick is old but apparently it's still wildly popular with the crooks.

Word to the wise: If a stranger ever offers you a random USB stick as a gift, best not to take it.

On Thursday, the FBI warned that a hacker group has been using the US mail to send malware-laden USB drives to companies in the defence, transportation and insurance industries. The criminals’ hope is that employees will be gullible enough to stick them into their computers, thus creating the opportunity for ransomware attacks or the deployment of other malicious software, The Record reports.

The hacker group behind this bad behaviour—a group called FIN7—has gone to great lengths to make their parcels appear innocuous. In some cases, packages were dressed up as if they were sent by the US Department of Health and Human Services, with notes explaining that the drives contained important information about COVID-19 guidelines. In other cases, they were delivered as if they had been sent via Amazon, along with a “decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB,” according to the FBI warning.

https://gizmodo.com/hackers-have-been-sending-malware-filled-usb-sticks-to-1848323578

Patch Systems Vulnerable To Critical Log4j Flaws, UK And US Officials Warn

One of the highest-severity vulnerabilities in years, Log4Shell remains under attack.

Criminals are actively exploiting the high-severity Log4Shell vulnerability on servers running VMware Horizon in an attempt to install malware that allows them to gain full control of affected systems, the UK’s publicly funded healthcare system is warning.

CVE-2021-44228 is one of the most severe vulnerabilities to come to light in the past few years. It resides in Log4J, a system-logging code library used in thousands if not millions of third-party applications and websites. That means there is a huge base of vulnerable systems. Additionally, the vulnerability is extremely easy to exploit and allows attackers to install Web shells, which provide a command window for executing highly privileged commands on hacked servers.

The remote-code execution flaw in Log4J came to light in December after exploit code was released before a patch was available. Malicious hackers quickly began actively exploiting CVE-2021-44228 to compromise sensitive systems.

https://arstechnica.com/information-technology/2022/01/patch-systems-vulnerable-to-critical-log4j-flaws-uk-and-us-officials-warn/

‘Elephant Beetle’ Lurks For Months In Networks

The group blends into an environment before loading up trivial, thickly stacked, fraudulent financial transactions too tiny to be noticed but adding up to millions of dollars.

Researchers have identified a threat group that’s been quietly siphoning off millions of dollars from financial- and commerce-sector companies, spending months patiently studying their targets’ financial systems and slipping in fraudulent transactions amongst regular activity.

The Sygnia Incident Response team has been tracking the group, which it named Elephant Beetle, aka TG2003, for two years.

In a Wednesday report, the researchers called Elephant Beetle’s attack relentless, as the group has hidden “in plain sight” without the need to develop exploits.

https://threatpost.com/elephant-beetle-months-networks-financial/177393/

Sonicwall: Y2k22 Bug Hits Email Security, Firewall Products

SonicWall has confirmed today that some of its Email Security and firewall products have been hit by the Y2K22 bug, causing message log updates and junk box failures starting with January 1st, 2022.

The company says that email users and administrators will no longer be able to access the junk box or un-junk newly received emails on affected systems.

They will also no longer be able to trace incoming/outgoing emails using the message logs because they're no longer updated.

On January 2nd, SonicWall deployed updates to North American and European instances of Hosted Email Security, the company's cloud email security service.

It also released fixes for its on-premises Email Security Appliance (ES 10.0.15) and customers using firewalls with the Anti-Spam Junk Store functionality toggled on (Junk Store 7.6.9).

https://www.bleepingcomputer.com/news/security/sonicwall-y2k22-bug-hits-email-security-firewall-products/

Hackers Use Video Player To Steal Credit Cards From Over 100 Sites

Hackers used a cloud video hosting service to perform a supply chain attack on over one hundred real estate sites that injected malicious scripts to steal information inputted in website forms.

These scripts are known as skimmers or formjackers and are commonly injected into hacked websites to steal sensitive information entered into forms. Skimmers are commonly used on checkout pages for online stores to steal payment information.

In a new supply chain attack discovered by Palo Alto Networks Unit42, threat actors abused a cloud video hosting feature to inject skimmer code into a video player. When a website embeds that player, it embeds the malicious script, causing the site to become infected.

https://www.bleepingcomputer.com/news/security/hackers-use-video-player-to-steal-credit-cards-from-over-100-sites/

Cyber World Is Starting 2022 In Crisis Mode With The Log4j Bug

The cyber security world is starting off 2022 in crisis mode.

The newest culprit is the log4j software bug, which cyber security and Infrastructure Security Agency (CISA) Director Jen Easterly called “the most serious vulnerability I have seen in my decades-long career.” It forced many cyber security pros to work through the holidays to protect computer systems at Big Tech firms, large and small companies and government agencies.

But crises like log4j have become the norm rather than the exception during the past few years.

Last year kicked off with the SolarWinds hack — a Russian government operation that compromised reams of sensitive information from U.S. government agencies and corporations.

Digital threats of all sorts are growing far faster than the capability to defend against them. If past is prologue, 2022 is likely to be a year of big hacks, big threats and plenty more crises.

“We’re always in crisis is the long and short of it,” Jake Williams, a former National Security Agency (NSA) cyber operator and founder of the firm Rendition Infosec, told me. “Anyone looking for calm rather than the storm in cyber is in the wrong field.”

https://www.washingtonpost.com/politics/2022/01/03/cyber-world-is-starting-2022-crisis-mode-with-log4j-bug/

Everything You Need To Know About Ransomware Attacks and Gangs In 2022

Ransomware is a lucrative business for criminals. It is paying off, and it is working.

According to a recent Trend Micro report, a staggering 84% of US organisations experienced either a phishing or ransomware attack in the last year. The average ransomware payment was over $500,000.

Bad actors want to keep cashing in. So they’re going as far as creating ransomware kits as a service (Ransomware as a Service) to be sold on the dark web and even setting up fake companies to recruit potential employees.

Many ransomware gangs function like real companies — with marketing teams, websites, software development, user documentation, support forums and media relations.

If the “companies” run by ransomware gangs can operate with minimal expenses and mind-blowing revenues, what’s stopping them from growing in number and size?

https://securityintelligence.com/articles/ransomware-attacks-gangs-2022/

Why the Log4j Vulnerability Makes Endpoint Visibility and Zero Trust Security More Important Than Ever

The Apache Log4j vulnerability is one of the most serious vulnerabilities in recent years—putting millions of devices at risk.

IT organisations worldwide are still reeling from the discovery of a major security vulnerability in Apache Log4j, an open-source logging utility embedded in countless internal and commercial applications.

By submitting a carefully constructed variable string to log4j, attackers can take control of any application that includes log4j. Suddenly, cyber criminals around the world have a blueprint for launching attacks on everything from retail store kiosks to mission-critical applications in hospitals.

If security teams overlook even one instance of log4j in their software, they give attackers an opportunity to issue system commands at will. Attackers can use those commands to install ransomware, exfiltrate data, shut down operations — the list goes on.

How should enterprises respond to this pervasive threat?

https://www.cio.com/article/302868/why-the-log4j-vulnerability-makes-endpoint-visibility-and-zero-trust-security-more-important-than-ever.html

Threats

Ransomware

• Night Sky Is The Latest Ransomware Targeting Corporate Networks (bleepingcomputer.com)

• Counties In New Mexico, Arkansas Begin 2022 With Ransomware Attacks | ZDNet

• Ransomware Attack Affects The Websites Of 5,000 Schools - CNNPolitics

Phishing

• Google Docs Comments Weaponized in New Phishing Campaign (darkreading.com)

• US Arrests Suspect Who Stole Unpublished Books In Phishing Attacks (bleepingcomputer.com)

Malware

• FluBot Malware Now Targets Europe Posing As Flash Player App (bleepingcomputer.com)

• New Mac Malware Samples Underscore Growing Threat (darkreading.com)

• Purple Fox Rootkit Now Bundled With Telegram Installer | Malwarebytes Labs

• ‘Malsmoke’ Exploits Microsoft’s E-Signature Verification | Threatpost

Mobile

• Apple iPhone Malware Tactic Causes Fake Shutdowns to Enable Spying | Threatpost

IoT

• IoT's Importance is Growing Rapidly, But Its Security Is Still Weak | SecurityWeek.Com

Data Breaches/Leaks

• List Of Data Breaches And Cyber Attacks In December 2021 | 219M records (itgovernance.co.uk)

• Have I Been Pwned Warns Of DatPiff Data Breach Impacting Millions (bleepingcomputer.com)

• Morgan Stanley To Pay $60 Million To Resolve Data Security Lawsuit (Yahoo.Com)

Cryptocurrency/Cryptomining/Cryptojacking

• Report: $2.2 Billion In Cryptocurrency Stolen From DeFi Platforms In 2021 | ZDNet

• UK Police Seize £322m of Cryptocurrency in Past Five Years - Infosecurity Magazine

Fraud, Scams & Financial Crime

• Broker-Dealers Impersonators Stole $50 Million Using Spoofed Sites (bleepingcomputer.com)

• 'Sextortion' Leads To Financial Losses And Psychological Trauma. Here's What To Look Out For On Dating Apps (theconversation.com)

DoS/DDoS

• CDN Cache Poisoning Allows DoS Attacks Against Cloud Apps (darkreading.com)

OT, ICS, IIoT and SCADA

• Why The UK’s Energy Sector Is Fragile And Ripe To Cyber Attacks - Help Net Security

Nation State Actors

• Should Businesses Be Concerned About APT-Style Attacks? - Help Net Security

• MI6 Chief Thanks China For ‘Free Publicity’ After James Bond Spoof | China | The Guardian

• Log4j Vulnerabilities: New Patches And Nation-State Exploitation. (thecyberwire.com)

• North Korea-Linked Konni APT Targets Russian Diplomatic Bodies - Security Affairs

Privacy

• Swiss Army Bans All Chat Apps But Locally-Developed Threema (bleepingcomputer.com)

• France Fines Google, Facebook €210 Million Over Privacy Violating Tracking Cookies (thehackernews.com)

Passwords & Credential Stuffing

• 1.1M Compromised Accounts Found at 17 Major Companies | Threatpost

Spyware and Espionage

• US Counterintelligence Shares Tips To Block Spyware Attacks (bleepingcomputer.com)

Vulnerabilities

• Google Chrome Update Includes 37 Security Fixes | ZDNet

• Emergency Windows Server Update Fixes Remote Desktop Issues (bleepingcomputer.com)

• Microsoft Rolled Out Emergency Fix For Y2k22 Bug In Exchange Servers - Security Affairs

• VMware Fixed CVE-2021-22045 Heap-Overflow In Workstation, Fusion and ESXi - Security Affairs

• Latest WordPress Security Release Fixes XSS, SQL Injection Bugs | The Daily Swig (portswigger.net)

• Internet Bug Bounty: High Severity Vulnerability In Apache HTTP Server Could Lead To RCE | The Daily Swig (portswigger.net)

• QNAP: Get NAS Devices Off the Internet Now | Threatpost

• New Ubuntu Linux Kernel Security Updates Fix 9 Vulnerabilities, Patch Now - 9to5Linux

• JFrog Researchers Find JNDI Vulnerability In H2 Database Consoles Similar To Log4Shell | ZDNet

• Unpatched HomeKit Vulnerability Exposes iPhones, iPads to DoS Attacks | SecurityWeek.Com

Sector Specific

Defence

• FBI: Hackers Use BadUSB To Target Defence Firms With Ransomware (bleepingcomputer.com)

Health/Medical/Pharma Sector

• Are Medical Devices at Risk of Ransomware Attacks? (thehackernews.com)

Estate Agents

• Hackers Target Real Estate Websites with Skimmer in Latest Supply Chain Attack (thehackernews.com)

Other News

Log4j Flaw Attack Levels Remain High, Microsoft Warns | ZDNet

Cyber Attack Against UK Ministry of Defence Training Academy Revealed | ZDNet

API Security: Understanding The Next Top Attack Vector - Help Net Security

E-Waste Is a Cybersecurity Problem, Too - IEEE Spectrum

The Log4j Debacle Showed Again That Public Disclosure Of 0-Days Only Helps Attackers - Help Net Security

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

The Log4j Flaw Will Take Years to be Fully Addressed

More than 80% of Java packages affected by the vulnerability in the Apache Log4j library cannot be updated directly, and will require coordination between different project teams to address the flaw.

Shortly after the first vulnerability in the Apache Log4j library (CVE-2021-44228) was disclosed, Google's Open Source Insights Team surveyed all the Java packages in the Maven Central Repository "to determine the scope of the issue in the open source ecosystem of JVM based languages, and to track the ongoing efforts to mitigate the affected packages," say team members James Wetter and Nicky Ringland. The team estimates it could take years before the vulnerability is fully addressed within the Java ecosystem.

A significant part of the problem has to do with indirect dependencies. Direct dependencies, or the cases where package explicitly pulls log4j into the code, are relatively straightforward to fix, as the developer or project owner just has to update log4j to the latest version.

https://www.darkreading.com/tech-trends/the-log4j-flaw-will-take-years-to-be-fully-addressed

Copycat And Fad Hackers Will Be The Bane Of Supply Chain Security In 2022

Replicable attacks and a low barrier to entry will ensure the rate of supply chain attacks increases next year, cyber security researchers have warned.

The supply chain is a consistent attack vector for threat actors today. By compromising a centralized service, platform, or software, attackers can then either conduct widespread infiltration of the customers and clients of the original -- singular -- victim or may choose to cherry-pick from the most valuable potential targets.

This can save cyber criminals time and money, as one successful attack can open the door to potentially thousands of victims at once.

A ransomware attack levied against Kaseya in 2021 highlighted the disruption a supply chain-based attack can cause. Ransomware was deployed by exploiting a vulnerability in Kaseya's VSA software, leading to the compromise of multiple managed service providers (MSP) in Kaseya's customer base.

https://www.zdnet.com/article/copycat-and-fad-hackers-will-be-the-bane-of-supply-chain-security-in-2022/

This Nightmare Incident Shows Why You Really Shouldn't Store Passwords In Your Browser

An infostealer is scooping up passwords stored in browsers, experts warn

An unnamed company was recently breached after an employee stored their corporate account password in their web browser, a new report suggests.

According to research from security company AhnLab, the employee was working from home on a device shared with other household members, which was already infected with Redline Stealer, an infostealing malware.

Although the computer was equipped with antivirus software, the malware was able to evade detection, before stealing the passwords stored in the victim's browser.

https://www.techradar.com/news/this-simple-malware-shows-why-you-really-shouldnt-store-passwords-in-your-browser

Kaspersky Research: 47% of Incident Response Requests Linked to Ransomware

This year — 2021 — marked a “new era of ransomware,” said Vladimir Kuskov, head of threat exploration at Russian cyber security company Kaspersky. This is reflected in security incident requests handled by Kaspersky’s Global Emergency Response Team (GERT) between January and November 2021.

Kaspersky reported 46.7 percent of the security incidents that GERT handled in the first 11 months of 2021 were related to ransomware. Comparatively, Kaspersky attributed ransomware to 37.9 percent of security incidents that GERT handled for all of 2020 and 34 percent for 2019.

In addition, the government and industrial sectors have been the most common targets for ransomware attacks in 2021 to date, Kaspersky indicated. These industries accounted for nearly 50 percent of ransomware-related incident response requests that GERT has handled.

https://www.msspalert.com/cybersecurity-research/kaspersky-research-47-of-incident-response-requests-linked-to-ransomware/

Global Cyber Attacks from Nation-State Actors Posing Greater Threats

Casey Ellis, CTO at Bugcrowd, outlines how international relations have deteriorated into a new sort of Cold War, with espionage playing out in the cyber-domain.

The macro-trend I’m most alarmed by today is the fact that attackers don’t seem to care about getting caught anymore. We have seen an increase in temerity of attacks by nation-states, such as the Russian attack on SolarWinds, and seen their attack tactics shift from targeted, stealthy operations into opportunistic hacks for potential future uses, such as the attacks attributed to Hafnium.

Such a brazen approach hasn’t been a common tactic of nation-states in the past, but now seems to be the status quo. In part, this trend may also be due to a destabilization of the international relations climate stemming from COVID-19, as well as work-from-home forcing core business services out onto the internet to facilitate employee access.

Broadly speaking, we should see China as a rising cyber security threat on the international stage. That has been the case for some time in terms of their economic, defense and military posture, but 2021 has quite clearly demonstrated that the relationship has deteriorated into a sort of Cold War, with espionage playing out in the cyber-domain.

https://threatpost.com/global-cyberattacks-nation-state-threats/177253/

Y2k22 Bug Is Causing Microsoft Exchange Server To Fail Worldwide: FIP-FS Scan Engine Failed To Load

Company admins are having their New Year’s celebrations interrupted by reports that their Exchange Servers are failing with the error “FIP-FS Scan Engine failed to load – Can’t Convert “2201010001” to long (2022/01/01 00:00 UTC)“.

The issue appears to be due to Microsoft using the first two numbers of the update version to denote the year of the update, which caused the “long” version of the date to overflow.

At present, it seems the main workaround is to disable the anti-malware scanner on the Exchange Server by using Set-MalwareFilteringServer -BypassFiltering $True -identity <server name> and restarting the Microsoft Exchange Transport service.

It appears Microsoft has not acknowledged the issue yet, but if you are affected some peer support is available at Reddit here.

Update: Microsoft has now acknowledged the issue and is working on a fix

https://mspoweruser.com/y2k22-bug-is-causing-microsoft-exchange-server-to-fail-worldwide/

External Attackers Can Penetrate Most Local Company Networks

In 93% of cases, external attackers can breach the organisation’s network perimeter and gain access to local network resources, and it takes an average of two days to penetrate the company’s internal network. In 100% of companies analysed, an insider can gain full control over the infrastructure.

These are the results of a new research report by Positive Technologies, analyzing results of the company’s penetration testing projects carried out in the second half of 2020 and first half of 2021.

The study was conducted among financial organizations (29%), fuel and energy organizations (18%), government (16%), industrial (16%), IT companies (13%), and other sectors.

During the assessment of protection against external attacks, Positive Technologies experts managed to breach the network perimeter in 93% of cases. According to the company’s researchers, this figure has remained high for many years, confirming that criminals are able to breach almost any corporate infrastructure.

https://www.helpnetsecurity.com/2021/12/28/external-attackers-local-company-networks/

The Have I Been Pwned Service Now Includes 441K Accounts Stolen By RedLine Malware

The Have I Been Pwned data breach notification service now allows victims of the RedLine malware to check if their credentials have been stolen. The service now includes credentials for 441K accounts stolen by the popular info-stealer.

The RedLine malware allows operators to steal several information, including credentials, credit card data, cookies, autocomplete information stored in browsers, cryptocurrency wallets, credentials stored in VPN clients and FTP clients. The malicious code can also act as a first-stage malware.

Stolen data are stored in an archive (logs) before being uploaded to a server under the control of the attackers.

A few days ago the data breach hunter Bob Diachenko discovered an unsecured server exposing over 6 million RedLine logs containing data harvested between August and September 2021. The server is still accessible, but the researchers pointed out that threat actors abandoned it because the the number of logs is not increasing.

https://securityaffairs.co/wordpress/126186/malware/redline-malware-hibp.html

Threats

Ransomware

• Organisations Targeted With Babuk-Based Rook Ransomware | SecurityWeek.Com

• QNAP NAS Devices Hit With Surge Of Ransomware Attacks | TechRadar

• Shutterfly Hit By A Conti Ransomware Attack - Security Affairs

• Cyber Attack On One Of Norway’s Largest Media Companies Shuts Down Presses - The Record by Recorded Future

Malware

• Threat Actor Uses HP iLO Rootkit To Wipe Servers - The Record by Recorded Future

• New Malware Uses SSD Over-Provisioning to Bypass Security Measures | Tom's Hardware

• Threat Actors Are Abusing MSBuild To Implant Cobalt Strike Beacons - Security Affairs

Data Breaches/Leaks

• LastPass Says No Passwords Were Compromised Following Breach Scare - The Verge

• T-Mobile Welcomed Christmas With Its Second Data Breach In Less Than Six Months - Phonearena

Organised Crime & Criminal Actors

• In the Fight Against Cyber Crime, Takedowns Are Only Temporary (darkreading.com)

Cryptocurrency/Cryptomining/Cryptojacking

• Cryptomining Attack Exploits Docker API Misconfiguration Since 2019 | Threatpost

Insider Risk and Insider Threats

• When Employees Leave, Is Your Data Walking Out The Door? - Help Net Security

Scams, Fraud & Financial Crime

• Fraud Detection And Prevention Market To Hit $100 Billion By 2027 - Help Net Security

Nation State Actors

• China-linked BlackTech APT Uses New Flagpro Malware In Recent Attacks - Security Affairs

• APT ‘Aquatic Panda’ Targets Universities with Log4Shell Exploit Tools | Threatpost

Passwords

• RedLine Malware Shows Why Passwords Shouldn't Be Saved In Browsers (bleepingcomputer.com)

Vulnerabilities

• Experts Monitor Ongoing Attacks Using Exploits For Log4j Library Flaws - Security Affairs

• Netgear Leaves Vulnerabilities Unpatched In Nighthawk Router (bleepingcomputer.com)

Other News

• What the Rise in Cyber-Recon Means for Your Security Strategy | Threatpost

• Most Companies Struggling To Achieve Observability Despite Investing In Tools - Help Net Security

• LastPass Confirms Credential Stuffing Attack Against Some Of Its Users - The Record by Recorded Future

• A New Year Will Bring New Targets: What to Look for in 2022 | SecurityWeek.Com

• University Loses 77TB Of Research Data Due To Backup Error (bleepingcomputer.com)

• Don’t Expect A Slowdown After Record-Setting Year For Cyber Security As Several Drivers Remain For Big 2022 – Crunchbase News

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Cyber Criminals Shifting Focus: IT Sector Most Targeted In 2021

Darktrace reported that the IT and communications sector was globally the most targeted industry by cybercriminals in 2021.

Darktrace’s data is developed by ‘early indicator analysis’ that looks at the breadcrumbs of potential cyber-attacks at several stages before they are attributed to any particular actor and before they escalate into a full-blown crisis. Findings show that its artificial intelligence autonomously interrupted an average of 150,000 threats per week against the sector in 2021.

The IT and communications sector includes telecommunications providers, software developers, and managed security service providers, amongst others. There was also a growing trend of hackers targeting backup servers in an attempt to deliberately disable or corrupt backup files by deleting a single index file that would render all backups inaccessible. Attackers could then launch ransomware attacks against the clients of the backup vendor, preventing recovery and forcing payment.

In 2020, the most attacked industry was the financial and insurance sector, showing that cyber-criminals have shifted their focus over the last 12 months.

Over the last 12 months, it is clear that attackers are relentlessly trying to access the networks of trusted suppliers in the IT and communications sector. Quite simply, it is a better return on investment than, for example, going after one company in the financial services sector. SolarWinds and Kaseya are just two well-known and recent examples of this. Sadly, there is likely to be more in the near term.

The findings of this research mark one year since the compromise of US software company SolarWinds rattled the security industry. This landmark supply-chain attack made thousands of organisations vulnerable to infiltration by inserting malicious code into the Orion system. Over the last 12 months, there has been a continued spate of attacks against the IT and communications sector, including the high-profile attacks on Kaseya and Gitlab.

https://www.helpnetsecurity.com/2021/12/22/cybercriminals-it-sector/

New Ransomware Variants Flourish Amid Law Enforcement Actions

Ransomware groups continue to evolve their tactics and techniques to deploy file-encrypting malware on compromised systems, notwithstanding law enforcement's disruptive actions against the cyber crime gangs to prevent them from victimizing additional companies.

"Be it due to law enforcement, infighting amongst groups or people abandoning variants altogether, the RaaS [ransomware-as-a-service] groups dominating the ecosystem at this point in time are completely different than just a few months ago," Intel 471 researchers said in a report published this month. "Yet, even with the shift in the variants, ransomware incidents as a whole are still on the rise."

Sweeping law enforcement operations undertaken by government agencies in recent months have brought about rapid shifts in the RaaS landscape and turned the tables on ransomware syndicates like Avaddon, BlackMatter, Cl0p, DarkSide, Egregor, and REvil, forcing the actors to slow down or shut down their businesses altogether.

https://thehackernews.com/2021/12/new-ransomware-variants-flourish-amid.html

93% of Tested Networks Vulnerable to Breach, Pen Testers Find

Data from dozens of penetration tests and security assessments suggest nearly every organisation can be infiltrated by cyber attackers.

The vast majority of businesses can be compromised within a month by a motivated attacker using common techniques, such as compromising credential, exploiting known vulnerabilities in software and Web applications, or taking advantage of configuration flaws, according to an analysis of security assessments by Positive Technologies.

In 93% of cases, an external attacker could breach a target company's network and gain access to local devices and systems, the company's security service professionals found. In 71% of cases, the attacker could affect the businesses in a way deemed "unacceptable." For example, every bank tested by the security firm could be attacked in a way that disrupted business processes and reduced the quality of their service.

https://www.darkreading.com/attacks-breaches/93-of-tested-networks-vulnerable-to-breach-pentesters-find

Dridex Malware Trolls Employees With Fake Job Termination Emails

A new Dridex malware phishing campaign is using fake employee termination emails as a lure to open a malicious Excel document, which then trolls the victim with a season's greeting message.

Dridex is a banking malware spread through malicious emails that was initially developed to steal online banking credentials. Over time, the developers evolved the malware to use different modules that provide additional malicious behaviour, such as installing other malware payloads, providing remote access to threat actors, or spreading to other devices on the network.

This malware was created by a hacking group known as Evil Corp, which is behind various ransomware operations, such as BitPaymer, DoppelPaymer, WastedLocker variants, and Grief. Due to this, Dridex infections are known to lead to ransomware attacks on compromised networks.

https://www.bleepingcomputer.com/news/security/dridex-malware-trolls-employees-with-fake-job-termination-emails/

More Than 35,000 Java Packages Impacted By Log4j Flaw, Google Warns

The Google Open Source Team scanned the Maven Central Java package repository and found that 35,863 packages (8% of the total) were using versions of the Apache Log4j library vulnerable to Log4Shell exploit and to the CVE-2021-45046 RCE.

“More than 35,000 Java packages, amounting to over 8% of the Maven Central repository (the most significant Java package repository), have been impacted by the recently disclosed log4j vulnerabilities (1, 2), with widespread fallout across the software industry.” reads the report published by Google. “As far as ecosystem impact goes, 8% is enormous.”

The Google experts used the Open Source Insights, a project used to determine open source dependencies, to assess all versions of all artifacts in the Maven Central Repository.

The experts pointed out that the direct dependencies account for around 7,000 of the affected packages. Most of the affected artifacts are related to indirect dependencies.

Since the vulnerability was disclosed, 13% of all vulnerable packages have been fixed (4,620).

https://securityaffairs.co/wordpress/125845/security/log4j-java-packages-flaws.html

Log4j Flaw: Attackers Are 'Actively Scanning Networks' Warns New Guidance, Joint Advisory from Cyber Agencies in US, Australia, Canada, New Zealand and the United Kingdom

A new informational Log4J advisory has been issued by cybersecurity leaders from the US, Australia, Canada, New Zealand and the United Kingdom. The guide includes technical details, mitigations and resources to address known vulnerabilities in the Apache Log4j software library.

The project is a joint effort by the US' Cybersecurity and Infrastructure Security Agency (CISA), FBI and NSA, as well as the Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Computer Emergency Response Team New Zealand (CERT NZ), New Zealand National Cyber Secure Centre (NZ NCSC), and the United Kingdom's National Cyber Security Centre (NCSC-UK).

The organisations said they issued the advisory in response to "active, worldwide exploitation by numerous threat actors, including malicious cyber threat actors." Numerous groups from North Korea, Iran, Turkey and China have been seen exploiting the vulnerability alongside a slate of ransomware groups and cybercriminal organisations.

https://www.zdnet.com/article/cisa-cybersecurity-centers-from-australia-nz-uk-and-canada-release-log4j-advisory/

Conti Ransomware Gang Has Full Log4Shell Attack Chain

The Conti gang was the first professional-grade, sophisticated ransomware group to weaponise Log4j2, now with a full attack chain.

The Conti ransomware gang, which last week became the first professional crimeware outfit to adopt and weaponize the Log4Shell vulnerability, has now built up a holistic attack chain.

The sophisticated Russia-based Conti group – which Palo Alto Networks has called “one of the most ruthless” of dozens of ransomware groups currently known to be active – was in the right place at the right time with the right tools when Log4Shell hit the scene 10 days ago, security firm Advanced Intelligence (AdvIntel) said in a report shared with Threatpost on Thursday.

As of Monday the attack chain has taken the following form, AdvIntel’s Yelisey Boguslavskiy told Threatpost: Emotet -> Cobalt Strike -> Human Exploitation -> (no ADMIN$ share) -> Kerberoast -> vCenter ESXi with log4shell scan for vCenter.

https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/

Second Ransomware Family Exploiting Log4j Spotted In US, Europe

This was quickly followed by a second ransomware group when researchers found a second family of ransomware has been growing in usage for attack attempts that exploit the critical vulnerability in Apache Log4j, including in the US and Europe.

A number of researchers, including at cybersecurity giant Sophos, have now said they’ve observed the attempted deployment of a ransomware family known as TellYouThePass. Researchers have described TellYouThePass as an older and largely inactive ransomware family — which has been revived following the discovery of the vulnerability in the widely used Log4j logging software.

https://venturebeat.com/2021/12/21/second-ransomware-family-exploiting-log4j-spotted-in-u-s-europe/

Threat actors steal $80 million per month with fake giveaways, surveys

Scammers are estimated to have made $80 million per month by impersonating popular brands asking people to participate in fake surveys or giveaways.

Researchers warn of this new trend in global fraud schemes involving targeted links to make investigation and take-down increasingly challenging.

According to current estimates, these massive campaigns resulted in an estimated $80,000,000 per month, stolen from 10 million people in 91 countries.

The scam themes are the typical and "trustworthy" fake surveys and giveaways from popular brands with the holiday season making targets more susceptible to fraudulent gift offerings.

According to a report by Group-IB, there are currently 60 known scam networks that use targeted links in their campaigns, impersonating 121 brands in false giveaways.

Each network uses an average of 70 different Internet domain names as part of their campaigns, but some find great success with fewer domains, which indicates that quality beats quantity when it comes to scams.

https://www.bleepingcomputer.com/news/security/threat-actors-steal-80-million-per-month-with-fake-giveaways-surveys/

Microsoft Teams might have a few serious security issues

Security researchers have discovered four separate vulnerabilities in Microsoft Teams that could be exploited by an attacker to spoof link previews, leak IP addresses and even access the software giant's internal services.

These discoveries were made by researchers at Positive Security who “stumbled upon” them while looking for a way to bypass the Same-Origin Policy (SOP) in Teams and Electron according to a new blog post. For those unfamiliar, SOP is a security mechanism found in browsers that helps stop websites from attacking one another.

During their investigation into the matter, the researchers found that they could bypass the SOP in Teams by abusing the link preview feature in Microsoft's video conferencing software by allowing the client to generate a link preview for the target page and then using either summary text or optical character recognition (OCR) on the preview image to extract information.

https://www.techradar.com/news/microsoft-teams-might-have-a-few-serious-security-issues

The Future of Work Has Changed, and Your Security Mindset Needs to Follow

VPNs have become a vulnerability that puts organisations at risk of cyber attacks.

When businesses first sent employees to work from home in March 2020 — thinking it'd only be for two weeks — they turned to quick fixes that would enable remote work for large numbers of people as quickly as possible. While these solutions solved the short-term challenge of allowing distributed workforces to connect to a company's network from anywhere, they're now becoming a security vulnerability that is putting organisations at risk of growing cyberattacks.

Now that almost two years have passed and work has fundamentally shifted, with fully or hybrid remote environments here to stay, business and security leaders need solutions that better fit their unique and increasingly complex needs. In fact, a new survey from Menlo Security has found that 75% of organisations are re-evaluating their security strategies for remote employees, exemplifying that accommodating remote work is a top priority for the majority of business leaders.

To successfully manage the risks that distributed workforces entail, leaders must shift their mindset away from the hub-and-spoke approach of providing connectivity to the entire network, instead segmenting access by each individual private application, wherever it is deployed, as threats of cyberattacks loom across all industries. As organisations grapple with the added security challenges that remote and hybrid work environments bring, adopting a zero-trust approach will be critical for end-to-end network and endpoint protection.

https://www.darkreading.com/attacks-breaches/the-future-of-work-has-changed-and-your-security-mindset-needs-to-follow

Threats

Ransomware

• Ransomware Threat Just as Urgent as Terrorism, Say Two-Thirds of IT Pros - Infosecurity Magazine

• PYSA Emerges as Top Ransomware Actor in November | Threatpost

• AvosLocker Ransomware Reboots In Safe Mode To Bypass Security Tools (bleepingcomputer.com)

• Rook Ransomware Is Yet Another Spawn Of The Leaked Babuk Code (bleepingcomputer.com)

• PYSA Ransomware Behind Most Double Extortion Attacks In November (bleepingcomputer.com)

• This Ransomware Strain Just Started Targeting Lots More Businesses | ZDNet

Phishing

• How Likely Are Employees To Fall Prey To A Phishing Attack? - Help Net Security

• Dridex Omicron Phishing Taunts With Funeral Helpline Number (bleepingcomputer.com)

• New Phishing Campaign Claims $80m Per Month - IT Security Guru

Malware

• Log4j Vulnerability Now Used To Install Dridex Banking Malware (bleepingcomputer.com)

• New BLISTER Malware Using Code Signing Certificates to Evade Detection (thehackernews.com)

IoT

• Honeypot Experiment Reveals What Hackers Want From IoT Devices (bleepingcomputer.com)

Cryptocurrency/Cryptomining/Cryptojacking

• Example Of How Attackers Are Trying To Push Crypto Miners Via Log4Shell - SANS Internet Storm Center

Insider Risk and Insider Threats

• Cyber Crime Cops Arrest NHS Workers - Infosecurity Magazine

Scams, Fraud & Financial Crime

• Robocalls More Than Doubled in 2021, Cost Victims $30B | Threatpost

Insurance

• Cyber Insurance Trends: Insurers And Insurees Must Adapt Equally To Growing Threats - Help Net Security

Dark Web

• 2easy Now A Significant Dark Web Marketplace For Stolen Data (bleepingcomputer.com)

OT, ICS, IIoT and SCADA

• Lights Out: Cyber Attacks Shut Down Building Automation Systems (darkreading.com)

• Walk-Through Metal Detectors Can Be Hacked, New Research Finds (gizmodo.com)

Nation State Actors

• FBI: State Hackers Exploiting New Zoho Zero-Day Since October (bleepingcomputer.com)

Passwords

• UK National Crime Agency Finds 225 Million Previously Unexposed Passwords • The Register

Parental Controls and Child Safety

• Fisher Price Chatter Bluetooth Telephone Has Serious Privacy Issues - Security Affairs

Vulnerabilities

• Microsoft Teams Bug Allowing Phishing Unpatched Since March (bleepingcomputer.com)

• FBI: Another Zoho ManageEngine Zero-Day Under Active Attack | Threatpost

• Active Directory Bugs Could Let hackers Take Over Windows Domain Controllers (thehackernews.com)

• New Exploit Lets Malware Attackers Bypass Patch for Critical Microsoft MSHTML Flaw (thehackernews.com)

• All in One SEO Plugin Bug Threatens 3M Websites with Takeovers | Threatpost

• Researchers Disclose Unpatched Vulnerabilities in Microsoft Teams Software (thehackernews.com)

• Crooks Bypass A Microsoft Office Patch For CVE-2021-40444 To Spread Formbook Malware - Security Affairs

• Microsoft Admits To Azure App Service Source Code Leak Bug • The Register

• Expert Details macOS Bug That Could Let Malware Bypass Gatekeeper Security (thehackernews.com)

• New Dell BIOS Updates Cause Laptops And Desktops Not To Boot (bleepingcomputer.com)

• Western Digital Warns Customers To Update Their My Cloud Devices (Bleepingcomputer.Com)

• New Mobile Network Vulnerabilities Affect All Cellular Generations Since 2G (thehackernews.com)

Sector Specific

Health/Medical/Pharma Sector

• Escalation in Healthcare Data Breaches - Infosecurity Magazine

Retail

• The Retail Sector Needs To Know When And Not If It Will Be Hacked - Help Net Security

Transport and Aviation

• Tropic Trooper Cyber Espionage Hackers Targeting Transportation Sector (thehackernews.com)

Other News

• How Confident Can Organisations Be In Their Managed Services Security? - Help Net Security

• Experts Discover Backdoor Deployed on the US Federal Agency's Network (thehackernews.com)

• Half-Billion Compromised Credentials Lurking on Open Cloud Server | Threatpost

• New Log4J Flaw Caps Year of Relentless Cyber Security Crises - WSJ

• Log4Shell Is A Dumpster Fire That Should Have Been Avoided - Help Net Security

• The Log4j Flaw Is The Latest Reminder That Quick Security Fixes Are Easier Said Than Done - CyberScoop

• 7 of the Most Impactful Cyber Security Incidents of 2021 (darkreading.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Employees Think They’re Safe From Cyber Threats On Company Devices

A research launched by Menlo Security reveals increased cyber security risks posed to employees and organisations during the 2021 holiday shopping season.

The research – which surveyed 2,000 employed people in the United States and the United Kingdom – found that while employees are concerned about threats and are taking some measures to mitigate them, they often have false confidence in their security posture.

There are now more threats to corporate devices and networks than ever as hybrid work models blur the boundaries between work and home. More than half of respondents (56% US; 53% UK) reported performing non-work-related tasks – such as online shopping – on company devices.

Furthermore, the survey found that 65% of people in the US (63% UK) are doing more online holiday shopping in 2021 compared to previous years, and nearly half of respondents (48% US; 45% UK), reported shopping for gifts this holiday season on a work-issued device such as a laptop or mobile phone.

Workers are also noticing a rise in cyber threats this holiday season, with 58% of respondents in the US (48% UK) observing an increase in scams and fraudulent messages, exemplifying that threats are rampant worldwide. This is worrying many people, as the vast majority of respondents (80% US & UK) report being somewhat to very concerned about their personal data being stolen while online shopping.

However, despite workers’ recognition and concern of cyber threats, 60% of people (65% UK) still believe they’re secure from cyberthreats if they’re using a company device.

https://www.helpnetsecurity.com/2021/12/14/employees-cybersecurity-risks/

Internet Is Scrambling To Fix Log4shell, The Worst Hack In History

Massive data breaches have become so common that we’ve gotten numb to reports detailing another hack or 0-day exploit. That doesn’t reduce the risk of such events happening, as the cat-and-mouse game between security experts and hackers continues. As some vulnerabilities get fixed, others pop up requiring attention from product and service providers. The newest one has a name that will not mean anything to most people. They call the hack Log4Shell in security briefings, which doesn’t sound very scary. But the new 0-day attack is so significant that some people see it as the worst internet hack in history.

Malicious individuals are already exploiting the Log4Shell attack, which allows them to get into computer systems and servers without a password. Security experts have seen Log4Shell in action in Minecraft, the popular game that Microsoft owns. A few lines of text passed around in a chat might be enough to penetrate the defences of a target computer. The same ease of access would allow hackers to go after any computer out there using the Log4J open-sourced java-based logging utility.

https://bgr.com/tech/internet-is-scrambling-to-fix-log4shell-the-worst-hack-in-history/

Apache Log4j Flaw: A Fukushima Moment for the Cyber Security Industry

Organisations around the world will be dealing with the long-tail consequences of this vulnerability, known as Log4Shell, for years to come.

The discovery of a critical flaw in the Apache Log4j software is nothing short of a Fukushima moment for the cybersecurity industry.

Ten years ago, an earthquake and subsequent tidal wave triggered the meltdown of the Fukushima nuclear power plant that continues to plague the region today. Similarly, the early exploitation of Log4j, during which attackers will go after the low-hanging fruit exposed by the vulnerability, will evolve over time to take the form of more complex attacks on more sensitive systems that have less exposure to the internet. And, just as Fukushima brought to light significant issues with longstanding processes in place at the plant, so too does the Log4j vulnerability, known as Log4Shell, highlight two crucial practices of concern:

·       How organisations capture and protect their massive troves of log data; and

·       The use of open-source code libraries as the building blocks for major enterprise applications.

The paradox of Log4j: the more you log, the worse it gets

We’re discovering new apps every minute which use Log4j in one way or another. It affects not only the code you build, but also the third-party systems you have in place. Everything from the new printer you’ve bought for the office to the ticketing system you’ve just deployed is potentially affected by this flaw. Some affected systems may be on premises, others may be hosted in the cloud but no matter where they are, the flaw is likely to have an impact.

https://www.theregister.com/2021/12/17/vmware_criticial_uem_flaw/

60% of UK Workers Have Been Victim of a Cyber-Attack, Yet Awareness Remains Low

There is a “dangerous” lack of awareness among UK workers towards cybersecurity, leaving businesses at risk of attacks, according to a new study by Armis. This is despite 60% of workers admitting they have fallen victim to a cyber-attack.

The nationwide survey of 2000 UK employees found that only around a quarter (27%) are aware of the associated cyber risks, while one in 10 (11%) don’t worry about them at all.

Even more worryingly, just one in five people said they paid for online security, putting businesses at high risk of attacks amid the shift to remote working during COVID-19.

The most prevalent types of attacks experienced by workers or their organisations were phishing (27%), data breaches (23%) and malware (20%).

The study also revealed growing concerns about the scale of the cyber-threats facing the UK. A large-scale cyber-attack was ranked as the fourth biggest future concern (21%) among the respondents, equal to the UK going to war. Two-fifths (40%) said they would like to see a minister for cyber security installed to ensure the issue is focused on more at a government level.

Russian-backed cyber-criminals were considered the biggest threat to the UK’s cybersecurity (20%) by the respondents, followed by financially motivated cyber-criminals (17%) and Chinese-backed cyber-criminals (16%).

https://www.infosecurity-magazine.com/news/uk-workers-victim-cyber-attack/

Ransomware in 2022: We're All Screwed

Ransomware is now a primary threat for businesses, and with the past year or so considered the "golden era" for operators, cybersecurity experts believe this criminal enterprise will reach new heights in the future.

Kronos. Colonial Pipeline. JBS. Kaseya. These are only a handful of 2021's high-profile victims of threat groups including DarkSide, REvil, and BlackMatter.

According to Kela's analysis of dark web forum activity, the "perfect" prospective ransomware victim in the US will have a minimum annual revenue of $100 million and preferred access purchases include domain admin rights, as well as entry into Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services.

Over the past few years, we've seen ransomware operators evolve from disorganised splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains.

Ransomware infection is no longer an end goal of a cyberattack. Instead, malware families in this arena -- including WannaCry, NotPetya, Ryuk, Cerber, and Cryptolocker -- can be one component of attacks designed to elicit a blackmail payment from a victim organisation.

https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/

Attacks on UK Firms Increase Five-Fold During Pandemic

Attacks on UK firms surged five-fold during the pandemic and now cost way more than the global average, according to Accenture.

The global consultancy polled 500 UK executives to compile its State of Cybersecurity Resilience 2021 study.

It found that large organisations experienced 885 attempted cyber-attacks in 2020 – up from 156 the previous year and more than triple the global average of 270.

They’re also more expensive than elsewhere. Accenture calculated that incidents and breaches cost over £1.3m a year – £350,000 more than the global average.

Over 80% of respondents said the cost of staying ahead of cyber-criminals is unsustainable, a fifth more than the previous year, and a quarter said they’ve been forced to increase cybersecurity budgets by 10% or more.

Worryingly, supply chain attacks accounted for 64% of breaches in the UK last year, up by a quarter (26%) from the previous year.

https://www.infosecurity-magazine.com/news/attacks-on-uk-firms-increase/

The Log4J Software Flaw Is ‘Christmas Come Early’ for Cyber Criminals

Researchers have just identified a security flaw in a software program called Log4J, widely used by a host of private, commercial and government entities to record details ranging from usernames and passwords to credit card transactions. Since the glitch was found last weekend, the cybersecurity community has been scrambling to protect applications, services, infrastructure and even Internet of Things devices from criminals—who are already taking advantage of the vulnerability.

“For cybercriminals this is Christmas come early, because the sky’s the limit,” says Theresa Payton, a former White House chief information officer and the CEO of Fortalice Solutions, a cybersecurity consulting company. “They’re really only limited by their imagination, their technical know-how and their own ability to exploit this flaw.” Payton spoke with Scientific American about what Log4J does, how criminals can use its newly discovered weakness, and what it will take to repair the problem.

https://www.scientificamerican.com/article/the-log4j-software-flaw-is-christmas-come-early-for-cybercriminals/

Why Cloud Storage Isn't Immune to Ransomware

Ransomware is the flavour of the month for cybercriminals. The FBI reports that ransomware attacks rose 20% and losses almost tripled in 2020. And our increased use of the cloud may have played a part in that spike. A survey of CISOs conducted by IDC earlier this year found that 98% of their companies suffered at least one cloud data breach in the previous 18 months as opposed to 79% last year, and numbers got worse the more exposure they had to the cloud.

Organisations now use hundreds of cloud-based apps, which adds thousands of new identities logging in to their systems. This opens almost unlimited possibilities for hackers. Even if cloud vendors have their own identity and access management controls, vulnerabilities will emerge. In fact, recent research into cloud security found that over 70% of organisations had machines open to the public that were linked to identities whose permissions were vulnerable, under the right conditions, to being exploited to launch ransomware attacks.

A number of reasons could explain why security falls through the cracks of many cloud systems, and leaves them more vulnerable to ransomware attacks.

https://www.darkreading.com/attacks-breaches/why-cloud-storage-isn-t-immune-to-ransomware

400 Banks’ Customers Targeted with Anubis Trojan

Customers of Chase, Wells Fargo, Bank of America and Capital One, along with nearly 400 other financial institutions, are being targeted by a malicious app disguised to look like the official account management platform for French telecom company Orange S.A.

Researchers say this is just the beginning.

Once downloaded, the malware – a variant of banking trojan Anubis – steals the user’s personal data to rip them off, researchers at Lookout warned in a new report. And it’s not just customers of big banks at risk, the researchers added: Virtual payment platforms and crypto wallets are also being targeted.

“As a banking trojan malware, Anubis’ goal is to collect significant data about the victim from their mobile device for financial gain,” the Lookout report said. “This is done by intercepting SMSs, keylogging, file exfiltration, screen monitoring, GPS data collection and abuse of the device’s accessibility services.”

https://threatpost.com/400-banks-targeted-anubis-trojan/177038/

Sites Hacked With Credit Card Stealers Undetected For Months

Threat actors are gearing up for the holidays with credit card skimming attacks remaining undetected for months as payment information is stolen from customers.

Magecart skimming is an attack that involves the injection of malicious JavaScript code on a target website, which runs when the visitor is at the checkout page.

The code can steal payment details such as credit card number, holder name, addresses, and CVV, and send them to the actor.

Threat actors may then use this information for purchasing goods online or sold to other actors on underground forums and dark web marketplaces known as "carding" sites.

https://www.bleepingcomputer.com/news/security/sites-hacked-with-credit-card-stealers-undetected-for-months/

Threats

Ransomware

• Why Ransomware Attacks Happen Out Of Hours Or During The Holidays • The Register

• Conti Ransomware Gang Exploits Log4Shell Bug In Its Operations - Security Affairs

• Hackers Exploit Log4j Vulnerability to Infect Computers with Khonsari Ransomware (thehackernews.com)

• HR Management Firm Kronos Needs Weeks to Recover From Ransomware Attack | SecurityWeek.Com

• Ransomware Affiliate Arrested In Romania - The Record By Recorded Future

• Police Arrests Ransomware Affiliate Behind High-Profile Attacks (Bleepingcomputer.Com)

• All Change at the Top as New Ransomware Groups Emerge - Infosecurity Magazine

• Hive Ransomware Enters Big League With Hundreds Breached In Four Months (Bleepingcomputer.Com)

• Ransomware Suspect Arrested Over Attacks On 'High-Profile' Organisations | Zdnet

• The FBI Believes The HelloKitty Ransomware Gang Operates Out Of Ukraine - The Record By Recorded Future

BEC – Business Email Compromise

• Logistics Giant Warns of BEC Emails Following Ransomware Attack (bleepingcomputer.com)

Phishing

• How A Phishing Campaign Is Able To Exploit Microsoft Outlook - Techrepublic

• Phishing Campaign Uses PowerPoint Macros To Drop Agent Tesla (Bleepingcomputer.Com)

• New Microsoft Exchange Credential Stealing Malware Could Be Worse Than Phishing - TechRepublic

Other Social Engineering

• How to Guard Against Smishing Attacks on Your Phone | WIRED

Malware

• Hackers Start Pushing Malware In Worldwide Log4shell Attacks (Bleepingcomputer.Com)

• Hackers’ Log4Shell Malware Attacks Shuts Down Thousands of Government Websites | Tech Times

• Log4Shell Is Spawning Even Nastier Mutations | Threatpost

• Hackers Using Malicious IIS Server Module to Steal Microsoft Exchange Credentials (thehackernews.com)

• A Practical and Detailed Look at Cobalt Strike Threat Actors - MSSP Alert

• New Fileless Malware Uses Windows Registry as Storage to Evade Detection (thehackernews.com)

• ‘DarkWatchman’ RAT Shows Evolution in Fileless Malware | Threatpost

• New PseudoManuscrypt Malware Infected Over 35,000 Computers in 2021 (thehackernews.com)

Mobile

• China: Man Lifts Sleeping Ex's Eyelids, Unlocks Phone, Steals $24k (insider.com)

• Malicious Joker App Scores Half-Million Downloads on Google Play | Threatpost

• Apple Patches 42 Security Flaws in Latest iOS Refresh | SecurityWeek.Com

• How to Figure Out If Your Phone Has Malware | PCMag

• How to Guard Against Smishing Attacks on Your Phone | WIRED

IoT

• Modern Cars: A Growing Bundle Of Security Vulnerabilities - Help Net Security

• Are Your Home Security Cameras Vulnerable To Hacking? - cnet

Data Breaches/Leaks

• Personal Details Of 80,000 South Australian Public Servants Stolen In Cyber-Attack | South Australia | The Guardian

• Oregon Medical Group Notifies 750,000 Patients Of Data Breach | Zdnet

Organised Crime & Criminal Actors

• Karakurt: A New Emerging Data Theft and Cyber Extortion Hacking Group (thehackernews.com)

Cryptocurrency/Cryptomining/Cryptojacking

• Log4j Attackers Switch To Injecting Monero Miners Via RMI (bleepingcomputer.com)

• Hackers Are Using the Blockchain to Make Bulletproof Botnets (gizmodo.com)

• Botnet Steals Half A Million Dollars In Cryptocurrency From Victims - Techrepublic

• Hackers Steal $140 Million From Users of Crypto Gaming Company (vice.com)

Insider Risk and Insider Threats

Fraud & Financial Crime

• “Sadistic” Online Extortionist Jailed for 32 Years - Infosecurity Magazine

• Experts: Public Should Freeze Credit Post-Breach - Infosecurity Magazine

Nation State Actors

• Wary Of Chinese Tech Prowess, British MI6 Says China Bigger Threat To UK Than Russia, Iran & Global Terrorism (eurasiantimes.com)

• China, Iran Among Those Exploiting Apache Cyber Vulnerability, Researchers Say (Yahoo.Com)

• Documents Link Huawei To Uyghur Surveillance Projects, Report Claims | Huawei | The Guardian

• Huawei Documents Show Chinese Tech Giant’s Involvement In Surveillance Programs - The Washington Post

• Russian Cyberspy Groups Start Exploiting Log4Shell Vulnerability | SecurityWeek.Com

Cloud

• Convergence Ahoy: Get Ready for Cloud-Based Ransomware | Threatpost

Privacy

• Adtech Vendors Still Tracking EU Users Who Deny Consent Via IAB’s TCF, Study Suggests | TechCrunch

Spyware and Espionage

• iPhone Hack: NSO Malware Builds A Computer Inside Your Phone To Steal Data | New Scientist

• Meta Acts Against 7 Entities Found Spying on 50,000 Users (darkreading.com)

• A New Spyware-For-Hire, Predator, Caught Hacking Phones Of Politicians And Journalists | Techcrunch

Vulnerabilities

• 4 Ways To Properly Mitigate The Log4j Vulnerabilities (And 4 To Skip) | CSO Online

• Hackers Begin Exploiting Second Log4j Vulnerability as a Third Flaw Emerges (thehackernews.com)

• New Local Attack Vector Expands the Attack Surface of Log4j Vulnerability (thehackernews.com)

• Patching Isn't Enough For December's Patch Tuesday | Computerworld

• Windows 10 Patch Tuesday (Kb5008212) Is Out — Here's What's New And What's Broken - Neowin

• Microsoft Issues Windows Update to Patch 0-Day Used to Spread Emotet Malware (thehackernews.com)

• Adobe Addresses Over 60 Vulnerabilities In Multiple Products - Security Affairs

• Hackers Launch More Than 1.2m Attacks Through Log4J Flaw | Financial Times (ft.com)

• Google Pushes Emergency Chrome Update To Fix Zero-Day Used In Attacks (Bleepingcomputer.Com)

• Over Log4j? VMware Has Another Critical Flaw For You To Fix - The Register

• CISA Urges VMware Admins To Patch Critical Flaw In Workspace ONE UEM (bleepingcomputer.com)

Sector Specific

SMBs – Small and Medium Businesses

What the Log4Shell Bug Means for SMBs: Experts Weigh In | Threatpost

Security Priorities Are Geared Toward Ongoing Remote And Hybrid Work - Help Net Security

Transport and Aviation

Nation State Threat Group Targets Airline with Aclip Backdoor (securityintelligence.com)

Other News

• Why Tech Companies Must Come Clean About The Latest Cyber Security Crisis | Fortune

• “Worst-Case Scenario” Exploit Travels the Globe - Infosecurity Magazine

• Log4j Hack Raises Serious Questions About Open-Source Software | Financial Times

• Why Log4j Mitigation Is Fraught With Challenges (darkreading.com)

• Security Flaws Found In A Popular Guest Wi-Fi System Used In Hundreds Of Hotels | TechCrunch

• Experts: Log4j Bug Could Be Exploited for “Years” - Infosecurity Magazine

• 2022: Supply-Chain Chronic Pain & SaaS Security Meltdowns | Threatpost

• Researchers Uncover New Coexistence Attacks On Wi-Fi and Bluetooth Chips (thehackernews.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Beware Of Ransomware Attacks Between Christmas And New Year’s!

Darktrace reported that its security researchers discovered a 30% increase in the average number of attempted ransomware attacks globally over the holiday season in every consecutive year from 2018 to 2020 compared to the monthly average.

The researchers also observed a 70% average increase in attempted ransomware attacks in November and December compared to January and February. Following a record number of ransomware attacks this year, the company expects the spike to be higher over the 2021 holiday period.

https://www.helpnetsecurity.com/2021/12/09/ransomware-attacks-holiday/

Why Holidays Put Your Company at Risk of Cyber Attack (And How to Take Precautions)

It is a time when many are thinking of their families and loved ones, time off work, and gift-giving – the holidays. However, while many have their minds outside the realm of work during the holiday season, often, this is when attackers plan their most sinister attacks.

So how can you take precautions to protect your organisation during these times?

Attackers today do not have a soft spot for businesses and give companies a break at any time of the year, especially not during holidays. On the contrary, any time of the year where companies may be less prepared to fend off a cyberattack is an opportunity for successful compromise. As a result, the holidays put your company at a higher risk of cyberattack.

https://thehackernews.com/2021/12/why-holidays-put-your-company-at-risk.html

Security Experts Sound Alarm on Zero-Day in Widely Used Log4j Tool

Security experts are sounding the equivalent of a five-alarm fire on a critical new zero-day vulnerability in Log4j, a logging framework that is ubiquitously present in Java software.

The flaw (CVE-2021-44228) could allow remote attackers to run arbitrary code on any application that uses Log4j and is already being actively exploited. Some vendors have observed mass scanning activity — presumably by threat actors — for vulnerable applications, and there are some reports of exploit activity against organisations. Attacks against the flaw take little skill to execute and are being fueled by proof-of-concept code in the wild.

https://www.darkreading.com/vulnerabilities-threats/security-experts-sound-alarm-on-zero-day-in-widely-used-log4j-tool

SolarWinds Attackers Spotted Using New Tactics, Malware

One year after the disruptive supply-chain attacks, researchers have observed two new clusters of activity from the Russia-based actors that signal a significant threat may be brewing.

One year after the notorious and far-reaching SolarWinds supply-chain attacks, its orchestrators are on the offensive again. Researchers said they’ve seen the threat group – which Microsoft refers to as “Nobelium” and which is linked to Russia’s spy agency – compromising global business and government targets with novel tactics and custom malware, stealing data and moving laterally across networks.

https://threatpost.com/solarwinds-attackers-new-tactics-malware/176818/

Cyber Crime Supply Chain: Fuelling The Rise In Ransomware

Trend Micro released a research detailing the murky cybercrime supply chain behind much of the recent surge in ransomware attacks. Demand has increased so much over the past two years that many cybercriminal markets now have their own “Access-as-a-Service” sections.

https://www.helpnetsecurity.com/2021/12/06/cybercrime-supply-chain/

Weak Passwords Caused 30% Of Security Breaches

A recent survey assessed the risk factors associated with password management and how to safeguard them from attacks or breaches. The results revealed that 30% of respondents reported password leaks and security breaches as a result of poor password practices. Respondees admitted to making poor password choices, such as sharing them with colleagues, family members or friends; writing them on sticky notes, papers, planners; re-using passwords across multiple sites and only changing them when prompted.

Consequently, researchers revealed some of the best password practices to create unhackable passwords. These practices include using secure VPNs, two-factor authentication, using a password management software and creating unique passwords that aren’t easily deduced .

https://www.itsecurityguru.org/2021/12/10/weak-passwords-caused-30-of-security-breaches/

Work-from-Anywhere Requires "Work-from-Anywhere Security"

Securing today's expanding networks often includes adding additional technologies to an already overburdened security environment. With organisations already struggling to manage an average of 45 security tools, with each incident requiring coordination across 19 different devices, adding new technologies to the mix may be the straw that breaks the camel's back.

The most recent example of the rapid expansion of the network's attack surface has been remote work. The COVID-19 pandemic accelerated the need for a work-from-anywhere (WFA) strategy. And now, as workers begin to return to the office, a hybrid approach to work has become the new status quo. According to Accenture, 83% of workers prefer a hybrid work model that allows them to work remotely between 25% and 75% of the time. And businesses are listening. 63% of high-revenue growth companies have already enabled productivity anywhere workforce models.

One of the biggest security challenges of a hybrid workforce is that employees need to move seamlessly between the corporate office, their home network, and other remote locations. Applications, whether deployed in the data centre, SaaS, or cloud, not only need to be available from anywhere, but user experience—and security—needs to be consistent from any location as well.

https://www.securityweek.com/work-anywhere-requires-work-anywhere-security

Just 3% of UK Firms Escaped a Supply Chain Breach in 2021

Some 97% of UK organisations suffered a supply chain breach over the past year, up from 82% in 2020 and the second highest figure globally, according to BlueVoyant.

The security firm polled 1200 C-level executives with responsibility for managing risk in supply chains, across the UK, US, Singapore, Canada, Germany and the Netherlands.

UK firms also experienced a higher-than-average percentage of breaches: 59% suffered between two and five supply chain incidents compared to an overall average of 49%. The average number of breaches in the country grew from 2.64 in 2020 to 3.57 in 2021.

Perhaps unsurprisingly given these figures, only a quarter (27%) of UK respondents said they consider third-party cyber risk a key priority versus a 42% global average.

https://www.infosecurity-magazine.com/news/just-3-uk-firms-escaped-supply/

Critical Flaw In ManageEngine Desktop Central MSP Tool Exploited In The Wild

News of this latest zero-day vulnerability comes after hackers exploited at least two other flaws in ManageEngine products this year. Attacks against MSPs and their tools have seen a rise over the past several years due to hackers realizing that compromising such organisations can provide an easy way into the networks of thousands of businesses that rely on them to manage their IT assets.

News of this latest zero-day vulnerability comes after hackers exploited at least two other flaws in ManageEngine products this year. Attacks against MSPs and their tools have seen a rise over the past several years due to hackers realizing that compromising such organisations can provide an easy way into the networks of thousands of businesses that rely on them to manage their IT assets.

https://www.csoonline.com/article/3643928/critical-flaw-in-manageengine-desktop-central-msp-tool-exploited-in-the-wild.html

New Financial Services Industry Report Reveals Major Gaps in Storage and Backup Security

Continuity™, the first dedicated storage and backup security provider, this week announced findings from its Security Intelligence Report: Analysis of Storage and Backup Security in the Financial Services & Banking Sector. This extensive study – the first of its kind – explores the security posture of storage and backup environments in the global financial services industry.

The survey of 200 financial services firms and banks from 45 countries revealed that most of these organisations have not yet reached a satisfactory level of storage and backup maturity. Notably, more than half (52%) of the respondents were not strongly confident about their storage and backup security, and a quarter (25%) noted they were significantly concerned (low or no confidence).

https://www.darkreading.com/attacks-breaches/new-financial-services-industry-report-reveals-major-gaps-in-storage-and-backup-security

UK’s Poor Cyber Risk Planning Could “Wreak Havoc”

The UK’s long-term risk planning is under-powered and could expose the nation if it is struck by a serious cyber-threat, a new House of Lords (HoL) report has found.

The study, Preparing for Extreme Risks: Building a Resilient Society, was produced by the upper chamber’s Select Committee on Risk Assessment and Risk Planning after interviews with 85 expert witnesses.

It claimed that the government spends too much of its time reacting to crises and emergencies, neglecting the kind of long-term planning which would have prepared the country better for the COVID-19 pandemic.

“The UK’s unpreparedness to manage the outbreak of the COVID-19 virus was and is clear. More broadly, our inquiry has analyzed the UK’s risk assessment process and found that our current system is deficient at assessing and addressing future threats and hazards,” it argued.

“However, pandemics are only one of a number of extreme risks facing the UK. Severe space weather events could render smart technologies on which much of society relies inoperable for weeks or longer; this would include GPS, the internet, communications systems and power supplies. A cyber or physical attack on our critical national infrastructure could wreak havoc.”

https://www.infosecurity-magazine.com/news/uks-poor-cyber-risk-planning-could/

Threats

Ransomware

• Ransomware Attacks Soar, Hackers Set To Become More Aggressive | Reuters

• Emotet’s Behaviour & Spread Are Omens of Ransomware Attacks | Threatpost

• Ireland Conti Ransomware Attack Vector Was Spam Email • The Register

• Crackdown On Crypto Firms Needed To ‘Wreck’ Ransomware, Says Ex-GCHQ Boss (telegraph.co.uk)

• Companies Linked to Russian Ransomware Hide in Plain Sight - The New York Times (nytimes.com)

• New 'Karakurt' Cyber Crime Gang Focuses On Data Theft And Extortion - Security Affairs

• More Than 300 Spar Shops In North Of England Hit By Cyber Attack | Hacking | The Guardian

• New Cerber Ransomware Targets Confluence And GitLab Servers (Bleepingcomputer.Com)

• Ransomware Attack Locks Hotel Guests Out Of Rooms - IT Security Guru

• BlackCat: A New Rust-based Ransomware Malware Spotted in the Wild (thehackernews.com)

• ALPHV BlackCat - This Year's Most Sophisticated Ransomware (Bleepingcomputer.Com)

Phishing

• Microsoft, Google OAuth Flaws Can Be Abused In Phishing Attacks (Bleepingcomputer.Com)

• Researchers Explore Microsoft Outlook Phishing Techniques (darkreading.com)

• Convincing Microsoft Phishing Uses Fake Office 365 Spam Alerts (Bleepingcomputer.Com)

• Study: Most Phishing Pages Are Abandoned Or Disappear In A Matter Of Days - Techrepublic

• Phishing Attacks Use QR Codes To Steal Banking Credentials (Bleepingcomputer.Com)

Malware

• Emotet Is Back and More Dangerous Than Before (darkreading.com)

• 140,000 Reasons Why Emotet is Piggybacking on TrickBot in its Return from the Dead (thehackernews.com)

• Malicious Notepad++ Installers Push StrongPity Malware (bleepingcomputer.com)

Mobile

• Dangerous Android Scam Drains Your Bank Account With One Phone Call (Bgr.Com)

IOT

• IoT Under Attack: Security Is Still Not Good Enough On These Edge Devices | ZDNet

• Three-Quarters of Firms Admit to Sub-Optimal IoT Security - Infosecurity Magazine

Data Breaches/Leaks

• 2021 Will Be A Record-Breaking Year For Data Breaches, What About 2022? - Help Net Security

• Volvo Says Data Got Stolen In Cyber Attack (jalopnik.com)

Organised Crime & Criminal Actors

• Microsoft Seizes 42 Malicious Web Domains Used By Chinese Hackers (thehackernews.com)

• Google Disrupts Massive Glupteba Botnet, Sues Russian Operators (Bleepingcomputer.Com)

• Cyber Criminals Are Using Fake Advertising To Distribute Malware | Techspot

Cryptocurrency/Cryptojacking

• Hackers Are Minting Their Own Crypto To Use In Elaborate Phishing Scams | Techradar

• Tor2Mine Cryptominer Is Warning Sign Of Network Exploitation • The Register

• QNAP Warns Users Of Bitcoin Miner Targeting Their NAS Devices (Bleepingcomputer.com)

Insider Risk and Insider Threats

• Burned Out Workers Are Less Likely To Follow Security Guidelines - Help Net Security

Fraud & Financial Crime

• Romance Fraudster Targeted 670 Women Online - Infosecurity Magazine

• Passport Forgeries At All Time High - IT Security Guru

Dark Web

• The Dark Web Has Its Own People's Court (darkreading.com)

OT, ICS, IIoT and SCADA

• NIST Cyber-Resiliency Framework Extended to Include Critical Infrastructure Controls (darkreading.com)

Nation State Actors

• UK Spy Chief Raises Fears Over China’s Digital Renminbi | Financial Times (FT.com)

• Collect Today, Decrypt Tomorrow: How Russia And China Are Preparing For Quantum Computing | CSO Online

• Russia Blocks Tor Privacy Service in Latest Censorship Move (thehackernews.com)

Cloud

• Top 10 Azure Cloud Configuration Mistakes (trendmicro.com)

Vulnerabilities

• Your Microsoft Network Is Only As Secure As Your Oldest Server | CSO Online

• With 18,378 Vulnerabilities Reported In 2021, NIST Records Fifth Straight Year Of Record Numbers | ZDNet

• Lack of Patching Leaves 300,000 Routers at Risk for Attack (darkreading.com)

• Vulnerability In Windows 10 URI Handler Leads To Remote Code Execution | Malwarebytes Labs

• Cisco Hit With Software And Physical Issues | Network World

• Dark Mirai Botnet Targeting RCE On Popular TP-Link Router (Bleepingcomputer.Com)

• Sprawling Active Attack Aims to Take Over 1.6M WordPress Sites | Threatpost

Sector Specific

Financial Services Sector

• US Bank Regulator Urges Vigilance As Ransomware Attacks On The Rise | Reuters

• Israel Leads 10-Country Simulation Of Major Cyber Attack On World Markets | The Times Of Israel

Health/Medical/Pharma Sector

• Ireland Conti Ransomware Attack Vector Was Spam Email • The Register

Retail

• Fueled by Pandemic Realities, Grinchbots Aggressively Surge in Activity | Threatpost

• Hackers Infect Random WordPress Plugins To Steal Credit Cards (Bleepingcomputer.Com)

Transport and Aviation

• German Logistics Giant Hellmann Reports Cyberattack | ZDNet

Other News

• Google, Microsoft: Internet Whac-a-Mole vs. Cyber Criminals - MSSP Alert

• From DDoS To Bots And Everything In Between: Preparing For The New And Improved Attacker Toolbox - Help Net Security

• Are You Guilty of These 8 Network-Security Bad Practices? | Threatpost

• 1.6 Million WordPress Sites Under Cyber Attack From Over 16,000 IP Addresses (thehackernews.com)

• Next-Gen Maldocs & How to Solve the Human Vulnerability | Threatpost

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Double Extortion Ransomware Victims Soar 935%

Researchers have recorded a 935% year-on-year increase in double extortion attacks, with data from over 2300 companies posted onto ransomware extortion sites.

Group-IB’s Hi-Tech Crime Trends 2021/2022 report covers the period from the second half of 2020 to the first half of 2021.

During that time, an “unholy alliance” of initial access brokers and ransomware-as-a-service (RaaS) affiliate programs has led to a surge in breaches, it claimed.

In total, the number of breach victims on ransomware data leak sites surged from 229 in the previous reporting period to 2371, Group-IB noted. During the same period, the number of leak sites more than doubled to 28, and the number of RaaS affiliates increased 19%, with 21 new groups discovered.

Group-IB warned that, even if victim organisations pay the ransom, their data often end up on these sites.

https://www.infosecurity-magazine.com/news/double-extortion-ransomware-soar/

MI6 Boss: Digital Attack Surface Growing "Exponentially"

Head of the Secret Intelligence Service (SIS), Richard Moore, explained in a rare speech this week that, unlike the character Q from the James Bond films, even MI6 cannot source all of its tech capabilities in-house.

New partners and tech capabilities will help address MI6’s four key priorities: Russia, China, Iran and global terrorism. It’s a challenge made more acute as technology rapidly advances, he said.

“The ‘digital attack surface’ that criminals, terrorists and hostile states threats seek to exploit against us is growing exponentially. We may experience more technological progress in the next ten years than in the last century, with a disruptive impact equal to the industrial revolution,” Moore argued.

https://www.infosecurity-magazine.com/news/mi6-digital-attack-surface-growing/

How Phishing Kits Are Enabling A New Legion Of Pro Phishers

Some cybercriminals are motivated by political ideals, others by malice or mischief, but most are only interested in cold, hard cash. To ensure their criminal endeavours are profitable, they need to balance the potential payday against the time, resources and risk required.

It’s no wonder then that so many use phishing as their default attack method. Malicious emails can be used to reach many targets with relative ease, and criminals can purchase ready-made phishing kits that bundle together everything they need for a lucrative campaign.

https://www.helpnetsecurity.com/2021/12/02/phishing-kits-pro/

Crooks Are Selling Access To Hacked Networks. Ransomware Gangs Are Their Biggest Customers

Dark web forum posts offering compromised VPN, RDP credentials and other ways into networks have tripled in the last year.

There's been a surge in cyber criminals selling access to compromised corporate networks as hackers look to cash in on the demand for vulnerable networks from gangs looking to initiate ransomware attacks.

Researchers at cybersecurity company Group-IB analysed activity on underground forums and said there's been a sharp increase in the number of offers to sell access to compromised corporate networks, with the number of posts offering access tripling between 2020 and 2021

https://www.zdnet.com/article/theres-been-a-big-jump-in-crooks-selling-access-to-hacked-networks-ransomware-gangs-are-their-best-customers/

Omicron Phishing Scam Already Spotted in UK

The global pandemic has provided cover for all sorts of phishing scams over the past couple of years, and the rise in alarm over the spread of the latest COVID-19 variant, Omicron, is no exception.

As public health professionals across the globe grapple with what they fear could be an even more dangerous COVID-19 variant than Delta, threat actors have grabbed the opportunity to turn uncertainty into cash.

UK consumer watchdog “Which?” has raised the alarm that a new phishing scam, doctored up to look like official communications from the National Health Service (NHS), is targeting people with fraud offers for free PCR tests for the COVID-19 Omicron variant

https://threatpost.com/omicron-phishing-scam-uk/176771/

Phishing Remains the Most Common Cause of Data Breaches, Survey Says

Phishing, malware, and denial-of-service attacks remained the most common causes for data breaches in 2021. Data from Dark Reading’s latest Strategic Security Survey shows that more companies experienced a data breach over the past year due to phishing than any other cause. The percentage of organisations reporting a phishing-related breach is slightly higher in the 2021 survey (53%) than in the 2020 survey (51%). The survey found that malware was the second biggest cause of data breaches over the past year, as 41% of the respondents said they experienced a data breach where malware was the primary vector.

https://www.darkreading.com/edge-threat-monitor/phishing-remains-the-most-common-cause-of-data-breaches-survey-says

Ransomware Victims Increase Security Budgets Due To Surge In Attacks

As the end of 2021 approaches, there’s no doubt ransomware became a top cybersecurity concern across multiple industries.  Successful ransomware attacks like the Colonial Pipeline, which took down critical US infrastructure, and Kaseya, which hit over 1,500 companies in a single attack, became a popular topic in the news.

Research conducted by Cymulate, however, shows that despite the increase in the number of attacks this past year, overall victims suffered limited damage in both severity and duration. Potential victims have improved their level of preparedness, with 70% reporting an increase of awareness at the boardroom and business management level. The majority (55%) undertook proactive measures to prevent ransomware attacks before they could cause any significant damage, and many of those respondents (38%) prevented attacks even before they could cause any serious downtime. Only 14% of respondents that experienced an attack were down for a week or more.

https://venturebeat.com/2021/12/03/report-ransomware-victims-increase-security-budgets-due-to-surge-in-attacks/

Control Failures Are Behind A Growing Number Of Cyber Security Incidents

Data from a survey of 1,200 enterprise security leaders reveals that an increase in tools and manual reporting combined with control failures are contributing to the success of threats such as ransomware, which costs organisations an average of $1.85 million in recovery, according to Panaseer.

Currently, only 36% of security leaders feel very confident in their ability to prove controls were working as intended. This is despite 99% of respondents believing it’s valuable to know that all controls are fully deployed and operating within policy, and cybersecurity control failures are currently being listed as the top emerging risk in the latest Gartner Emerging Risks Monitor Report. Attacks only succeed when they hit systems that haven’t been patched or don’t have security controls monitoring them.

https://www.helpnetsecurity.com/2021/12/01/control-failures-cybersecurity/

MI6 Spy Chief Says China, Russia, Iran Top UK Threat List

China, Russia and Iran pose three of the biggest threats to the U.K. in a fast-changing, unstable world, the head of Britain’s foreign intelligence agency said Tuesday.

MI6 chief Richard Moore said the three countries and international terrorism make up the “big four” security issues confronting Britain’s spies.

In his first public speech since becoming head of the Secret Intelligence Service, also known as MI6, in October 2020, Moore said China is the intelligence agency’s “single greatest priority” as the country’s leadership increasingly backs “bold and decisive action” to further its interests.

Calling China “an authoritarian state with different values than ours,” he said Beijing conducts “large-scale espionage operations” against the U.K. and its allies, tries to ”distort public discourse and political decision-making” and exports technology that enables a “web of authoritarian control” around the world.

Moore said the U.K. also continues “to face an acute threat from Russia.” He said Moscow has sponsored killing attempts, such as the poisoning of former spy Sergei Skripal in England in 2018, mounts cyber attacks and attempts to interfere in other countries’ democratic processes.

https://www.securityweek.com/mi6-spy-chief-says-china-russia-iran-top-uk-threat-list

Threats

Ransomware

• Microsoft Exchange Servers Hacked To Deploy BlackByte Ransomware (Bleepingcomputer.Com)

• Ransomware Group Rebrands Multiple Times to Evade Detection - Infosecurity Magazine (infosecurity-magazine.com)

• New Ransomware Variant Could Become Next Big Threat (darkreading.com)

• FBI Says The Cuba Ransomware Gang Made $43.9 Million From Ransom Payments - The Record By Recorded Future

• Yanluowang Ransomware Tied to Thieflock Threat Actor | Threatpost

• Yanluowang Ransomware Operation Matures With Experienced Affiliates (Bleepingcomputer.Com)

• Ransomware Attack On Planned Parenthood Exposes 400,000 Patients' Personal Data - CNN

• Ransomware vs. Cities: A Cyber War (darkreading.com)

Phishing

• APT Groups Adopt New Phishing Method. Will Cybercriminals Follow? (darkreading.com)

• Hackers Increasingly Using RTF Template Injection Technique in Phishing Attacks (thehackernews.com)

• Phishing Kits' Favourite Brand? Amazon - Help Net Security

Malware

• Emotet Now Spreads Via Fake Adobe Windows App Installer Packages (Bleepingcomputer.Com)

• New Malvertising Campaigns Spreading Backdoors, Malicious Chrome Extensions (thehackernews.com)

• Password-Stealing And Keylogging Malware Is Being Spread Through Fake Downloads | ZDNet

• Malware Variants In 2021: Harder To Detect And Respond To - Help Net Security

Mobile

• More Than 300,000 Play Store Users Infected With Android Banking Trojans - The Record By Recorded Future

• Surge Of Info-Stealing Android Malware FluBot Detected Again • The Register

• Fake Support Agents Call Victims To Install Android Banking Malware (Bleepingcomputer.Com)

• Multi-Platform Spyware Tracks Users Across Windows And Android | Techradar

• BEWARE: More Google Play Store Apps are Found to Have Trojan Malware, Per a Kaspersky Malware Analyst | Tech Times

IOT

• HP Patches Wormable Bug Impacting More Than 150 Multi-Functional Printers - The Record By Recorded Future

• IOT Devices Must “Protect Consumers From Cyber Harm”, Says UK Government – Naked Security (Sophos.Com)

Vulnerabilities

• Pretty Much All Wi-Fi Routers Are Vulnerable To Attack, Study Finds | Techradar

• Warning: Yet Another Zoho ManageEngine Product Found Under Active Attacks (thehackernews.com)

• New Ubuntu Linux Kernel Security Patches Address 6 Vulnerabilities, Update Now - 9to5Linux

• Netgear Router Vulnerabilities Affecting SME Products Fixed • The Register

Data Breaches/Leaks

• UK Government Fined £500,000 For New Year Honours Data Breach - BBC News

• Panasonic Discloses Four-Months-Long Data Breach - The Record By Recorded Future

• Misconfigured Database Leaks Data On 300k E-Commerce Buyers - Infosecurity Magazine (Infosecurity-Magazine.Com)

Organised Crime & Criminal Actors

• Russian Bulletproof Hosting Kingpin Gets Five Years - Infosecurity Magazine (infosecurity-magazine.com)

• Europol Arrested 1800 Money Mules As Part Of Anti-Money-Laundering Operation - Security Affairs

Cryptocurrency/Cryptojacking

• Iranians Charged for Cryptojacking After U.S. Firm Gets $760,000 Cloud Bill | SecurityWeek.Com

• Threat Actors Stole $120 M In Crypto From BadgerDAO DeFi Platform - Security Affairs

• Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify (trendmicro.com)

• How Do Criminals Exploit Cryptocurrencies? | Financial Times (ft.com)

Insider Threats

• Man Charged With Ubiquiti Data Breach And Extortion Was Employee Assigned To Investigate Hack (Bitdefender.Com)

Fraud & Financial Crime

• How Criminals Are Using Synthetic Identities for Fraud (darkreading.com)

Insurance

• Lloyd’s Carves Out Cyber-Insurance Exclusions for State-Sponsored Attacks | Threatpost

• Cyber War Victims Might Not Get Payouts – Insurer • The Register

OT, ICS, IIoT and SCADA

• USB Devices the Common Denominator in All Attacks on Air-Gapped Systems (darkreading.com)

Nation State Actors

• MI6 Spy Chief Says China, Russia, Iran Top UK Threat List | SecurityWeek.Com

• Lloyd’s Carves Out Cyber-Insurance Exclusions for State-Sponsored Attacks | Threatpost

• Jumping The Air Gap: 15 Years Of Nation‑State Effort | WeLiveSecurity

• Israel and Iran Broaden Cyberwar to Attack Civilian Targets - The New York Times (nytimes.com)

• APT groups from China, Russia, and India adopt novel attack technique - The Record by Recorded Future

• North Korea-Linked Zinc APT Posed As Samsung Recruiters To Target Security Firms - Security Affairs

Cloud

• These Researchers Wanted To Test Cloud Security. They Were Shocked By What They Found | ZDNet

Parental Controls

• Smartwatches For Children Are A Privacy And Security Nightmare (Bleepingcomputer.Com)

Sector Specific

Retail

• Holiday Season Fraud Fear Higher this Year - Infosecurity Magazine (infosecurity-magazine.com)

• The Cyber Threats Facing Retailers This Holiday Shopping Season (darkreading.com)

Other News

• Hackers Are Guessing Your Credit Card Details - And There's Nothing You Can Do About It | Techradar

• UK Adults ‘Not Concerned’ Over Online Security, Poll Suggests | The Independent

• Nine WiFi Routers Used By Millions Were Vulnerable To 226 Flaws (Bleepingcomputer.Com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

70% Of IT Pros Say Security Hygiene Has Got Harder Over Past Two Years

A new report from Enterprise Strategy Group (ESG) and JupiterOne warns of inadequate security hygiene and posture management practices at many organizations. The research found that 86% of organizations believe they follow best practices for security hygiene and posture management. However, 70% of organizations said they use more than ten security tools to manage security hygiene and posture management, which raises concerns about data management and operations overhead.

In addition, 73% of security professionals admitted that they still depend on spreadsheets to manage security hygiene and posture at their organizations. As a result, 70% of respondents said that security hygiene and posture management had become more difficult over the past two years as their attack surfaces have grown.

https://venturebeat.com/2021/11/19/report-70-of-it-pros-say-security-hygiene-has-gotten-harder-over-past-two-years/

As Digital Shopping Surges, Researchers Predict 8 Million Daily Attacks

Arkose Labs released new data on the latest fraud trends, revealing increased threats during the holidays, rising bot attacks, and a resurgence in attacks on travel companies. As shoppers fill their online carts, account takeover (ATO) attacks and gift-card fraud remain persistent.

The report shares the top six fraud-fighting trends from the previous 3 months and provides data highlighting that no digital business is immune from attack. Financial industries saw 32 percent more attacks than in the first half of 2021.

Retail and travel attacks increased 63 percent in Q3, and gaming saw a spate of fake new accounts being set up for fraudulent purposes. Media and streaming businesses saw 60 percent of malicious activity targeting logins, and 20 percent of these attacks originating from human fraud farms.

Technology platforms see 91 percent of all attacks powered by bots. Overall, attacks are increasing in every industry, and they are growing more sophisticated.

https://www.helpnetsecurity.com/2021/11/22/threats-during-holidays/

More Ransomware Attacks Up to September Than Whole of 2020

Most UK business leaders expect cyber-threats to surge next year, with ransomware, business email compromise (BEC), cloud and supply chain attacks all predicted to increase, according to PwC.

The findings come from the consulting giant’s 2022 Global Digital Trust Insights Survey and were distilled from interviews with 257 business and technology executives in the UK.

Although most (63%) respondents said they expect security budgets to increase next year, even more (66%) predicted cyber-threats would rise. Ransomware (61%), BEC (61%), malware via software updates (63%), and cloud compromise (64%) were among the most notable.

Bobbie Ramsden-Knowles, crisis and resilience partner at PwC UK, claimed the firm’s threat intelligence team has tracked more ransomware incidents globally up to September this year than for the whole of 2020.

https://www.infosecurity-magazine.com/news/more-ransomware-attacks-september/

Ransomware Warning: Hackers See Holidays And Weekends As A Great Time To Attack

Just because you're taking a break, that doesn't mean hackers will be too.

Ahead of the holidays cyber agencies have released a warning to stay vigilant on holidays and weekends, because hackers don't plan on taking a holiday break.

Warnings remind organisations that ransomware attackers often choose to launch attacks on holidays and weekends, specifically when businesses are likely to be closed.

Recent history tells us that this could be a time when these persistent cyber actors halfway across the world are looking for ways—big and small—to disrupt the critical networks and systems belonging to organizations, businesses, and critical infrastructure.

Some of the worst ransomware attacks happened on holidays and weekends.

https://www.zdnet.com/article/security-warning-ransomware-attackers-are-working-on-the-holidays-even-if-you-arent/

Suspect Arrested In 'Ransom Your Employer' Criminal Scheme

A Nigerian man has been arrested in connection to a scheme attempting to lure insiders to deploy ransomware on employer systems.

On November 22, security expert Brian Krebs reported that the man, Oluwaseun Medayedupin, was arrested by Nigerian authorities on Friday.

The suspect is allegedly linked to a 'ransom your employer' scheme investigated by Abnormal Security in August.

Customers of the cybersecurity firm were sent emails with the subject "Partnership affiliate offer," requesting that the recipient considered becoming an accomplice in a cyberattack.

The emails offered a 40% cut of an anticipated $2.5 million ransomware payment in Bitcoin (BTC), made after the recipients installed the DemonWare ransomware on their employer's systems.

https://www.zdnet.com/article/suspect-arrested-in-ransom-your-employer-criminal-scheme/

The Newer Cyber Crime Triad: Trickbot-Emotet-Conti

Advanced Intelligence researchers argue that the restarting of the Emotet botnet was driven by Conti ransomware gang.

Early this year, law enforcement and judicial authorities worldwide conducted a joint operation, named Operation Ladybird, which disrupted the EMOTET botnet. At the time the investigators have taken control of its infrastructure in an international coordinated action.

This operation was the result of a joint effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust.

The law enforcement agency was able to take over at least 700 servers used as part of the Emotet botnet’s infrastructure. The FBI collected millions of email addresses used by Emotet operators in their malware campaigns as part of the cleanup operation.

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542. The infamous banking trojan was also used to deliver other malicious code, such as Trickbot and QBot trojans, or ransomware such as Conti, ProLock, Ryuk, and Egregor.

https://securityaffairs.co/wordpress/124807/cyber-crime/trickbot-emotet-conti-triad.html

Threat Actors Find And Compromise Exposed Services In 24 Hours

Researchers set up 320 honeypots to see how quickly threat actors would target exposed cloud services and report that 80% of them were compromised in under 24 hours.

Malicious actors are constantly scanning the Internet for exposed services that could be exploited to access internal networks or perform other malicious activity.

To track what software and services are targeted by threat actors, researchers create publicly accessible honeypots. Honeypots are servers configured to appear as if they are running various software as lures to monitor threat actors' tactics.

https://www.bleepingcomputer.com/news/security/threat-actors-find-and-compromise-exposed-services-in-24-hours/

Does Your Company Employ A CISO? Many Are Operating Without Security Leadership

45% of companies do not employ a Chief Information Security Officer (CISO), a Navisite research found. Of this group, 58% think their company should hire a CISO.

Only 40% of respondents stated their cybersecurity strategy was developed by a CISO or member of the security team, with 60% relying on other parts of their organization, including IT, executive leadership and compliance.

130 security, IT and compliance professionals were polled in the US to determine their perceptions on the state of cybersecurity leadership and readiness within their organizations. More than 80% of respondents described their job title as either executive leadership or management, with more than 60% of respondents coming from mid-sized organizations between 100-5,000 employees.

Why you should employ a CISO?

·       21% of respondents admit their company does not have a dedicated person or staff whose sole responsibility is security/cybersecurity.

·       75% of respondents said their company experienced an increase in overall cybersecurity threat volume in the last year.

·       80% of respondents felt their company exhibited strong cybersecurity leadership during the COVID-19 pandemic.

·       70% of respondents expressed confidence in the effectiveness of their cybersecurity program—but that confidence dropped to 58% for companies without a CISO.

·       47% of survey takers believe their company spends too little on cybersecurity.

https://www.helpnetsecurity.com/2021/11/23/employ-ciso/

New Malware Is Capable Of Evading Almost All Antivirus Products

There’s a new JavaScript downloader on the prowl that not only distributes eight different Remote Access Trojans (RATs), keyloggers and information stealers, but is also able to bypass detection by a majority of security tools, experts have warned.

Cyber security researchers at HP Wolf Security named the malware RATDispenser, noting that while JavaScript downloaders typically have a lower detection rate than other downloaders, this particular malware is more dangerous since it employs several techniques to evade detection.

“It’s particularly concerning to see RATDispenser only being detected by about 11% of antivirus systems, resulting in this stealthy malware successfully deploying on victims’ endpoints in most cases,” noted Patrick Schlapfer, Malware Analyst at HP.

https://www.techradar.com/news/new-malware-is-capable-of-evading-almost-all-antivirus-products

Interpol Arrests Over 1,000 Suspects Linked To Cyber Crime

Interpol has coordinated the arrest of 1,003 individuals linked to various cyber-crimes such as romance scams, investment frauds, online money laundering, and illegal online gambling.

This crackdown results from a four-month action codenamed ‘Operation HAEICHI-II,’ which took place in twenty countries between June and September 2021.

These were Angola, Brunei, Cambodia, Colombia, China, India, Indonesia, Ireland, Japan, Korea (Rep. of), Laos, Malaysia, Maldives, Philippines, Romania, Singapore, Slovenia, Spain, Thailand, and Vietnam.

On the financial aspect of the operation, the authorities have also intercepted nearly $27,000,000 and froze 2,350 banking accounts linked to various online crimes.

As the Interpol announcement details, at least ten new criminal modus operandi were identified in HAEICHI-II, indicative of the evolving nature of cyber-crime.

https://www.bleepingcomputer.com/news/legal/interpol-arrests-over-1-000-suspects-linked-to-cyber-crime/

Researchers Warn Of Severe Risks From ‘Printjack’ Printer Attacks

A team of Italian researchers has compiled a set of three attacks called 'Printjack,' warning users of the significant consequences of over-trusting their printer.

The attacks include recruiting the printers in DDoS swarms, imposing a paper DoS state, and performing privacy breaches.

As the researchers point out, modern printers are still vulnerable to elementary flaws and lag behind other IoT and electronic devices that are starting to conform with cybersecurity and data privacy requirements.

By evaluating the attack potential and the risk levels, the researchers found non-compliance with GDPR requirements and the ISO/IEC 27005:2018 (framework for managing cyber-risks).

This lack of in-built security is particularly problematic when considering how omnipresent printers are, being deployed in critical environments, companies, and organizations of all sizes.

https://www.bleepingcomputer.com/news/security/researchers-warn-of-severe-risks-from-printjack-printer-attacks/

Threats

Ransomware

• New Memento Ransomware Uses Password-Protected WinRAR Archives To Block Access To The Files - Security Affairs

• Defense Contractors Are Highly Susceptible To Ransomware Attacks - Help Net Security

• Holidays Don't Mean Much To Ransomware Attackers - Help Net Security

BEC – Business Email Compromise

• Two Nigerians Sentenced to Prison in US for Role in BEC Scams | SecurityWeek.Com

Phishing

• TrickBot Phishing Checks Screen Resolution To Evade Researchers (Bleepingcomputer.Com)

Malware

• Crooks Compromise Microsoft Exchange Servers To Hijack Internal Email Chains - Security Affairs

• Hackers Using Microsoft MSHTML Flaw to Spy on Targeted PCs with Malware (thehackernews.com)

• Malicious Python Packages Employ Advanced Detection Evasion Techniques - Help Net Security

• Stealthy New JavaScript Malware Infects Windows PCs with RATs (bleepingcomputer.com)

• New Golang-based Linux Malware Targeting eCommerce Websites (thehackernews.com)

Mobile

• Spyware Alert! 23 Apps Found Spying On Android Users Via Mobile Camera | techgig

• MediaTek Chip Flaw Could Have Let Attackers Spy on Android Phones (darkreading.com)

• Over 9 Million Android Phones Running Malware Apps from Huawei's AppGallery (thehackernews.com)

IOT

• Hikvision Security Cameras Potentially Exposed to Remote Code Execution (sans.edu)

• Some Tesla Owners Unable To Unlock Cars Due To Server Errors (Bleepingcomputer.Com)

Vulnerabilities

• All Versions of Windows Are Vulnerable to a New Zero-Day Exploit (pcmag.com)

• Attackers Hijack Email Using Proxy Logon/Proxyshell Flaws | Threatpost

• Cisco Flaw Affects Firewalls - Infosecurity Magazine

• Expert Discloses Details Of Flaws In Oracle VirtualBox - Security Affairs

• VMware Warns of Newly Discovered Vulnerabilities in vSphere Web Client (thehackernews.com)

Data Breaches/Leaks

• GoDaddy Hack Exposes Accounts Of 1.2 Million Customers (Bitdefender.Com)

Organised Crime & Criminal Actors

• Hackers Accused Of Stealing $100m Live Openly In Russia | World | The Times

Cryptocurrency/Cryptojacking

• Teen Accused of Stealing Bitcoin Worth $36.5M - Infosecurity Magazine (infosecurity-magazine.com)

Fraud & Financial Crime

• Fraud Fighters Aren't Prepared For The Multi-Billion Dollar Threat Of Global Insurance Fraud - Help Net Security

Insurance

• Work From Home, Digital Shift During Covid Drives Cyber Insurance Prices (bloombergquint.com)

Nation State Actors

• NCSC Warns Industry, Academia Of Foreign Threats To Their Intellectual Property | CSO Online

• North Korean Hackers Found Behind a Range of Credential Theft Campaigns (thehackernews.com)

• US Bans Chinese Firms For Feeding Tech To The Military • The Register

Cloud

• Observing Attacks Against Hundreds of Exposed Services in Public Clouds (paloaltonetworks.com)

Passwords

• Attackers Don't Bother Brute-Forcing Long Passwords, Microsoft Engineer Says - The Record By Recorded Future

• Less than Half of Consumers Change Password Post-Breach - Infosecurity Magazine

Parental Controls

• Products Used By Children Are Not Nearly As Privacy-Protecting As They Should Be - Help Net Security

Sector Specific

Financial Services Sector

• Credentials Exposed For Majority Of US Financial Firm Employees | Sc Media (Scmagazine.Com)

• US Government Securities Watchdog Spoofed By Investment Scammers – Don’t Fall For It! – Naked Security (sophos.com)

SMBs – Small and Medium Businesses

• UK Govt Warns Thousands Of SMBs Their Online Stores Were Hacked (Bleepingcomputer.Com)

Defence

• Defence Contractors Are Highly Susceptible To Ransomware Attacks - Help Net Security

Health/Medical/Pharma Sector

• Devious ‘Tardigrade’ Malware Hits Biomanufacturing Facilities | WIRED

• Preventing a Cyber Pandemic in Healthcare | SecurityWeek.Com

• Healthcare Organisations At Risk: The Attack Surface Is Expanding - Help Net Security

• ENISA - The Need For Incident Response Capabilities In The Health Sector - Security Affairs

• Philips Working on Patches for Vulnerabilities Found in Medical Products | SecurityWeek.Com

Transport and Aviation

• Hackers Hit Iran's Mahan Airline, Claim Confidential Data Theft (Bleepingcomputer.Com)

Maritime

• Marine Services Provider Swire Pacific Offshore Hit By Ransomware (Bleepingcomputer.Com)

Reports Published in the Last Week

• The Evolving Threat of Ransomware | The State of Security (tripwire.com)

Other News

• As Digital Shopping Surges, Researchers Predict 8 Million Daily Attacks - Help Net Security

• Rising Cyber Crime Demands Laws And Users Keep Up | The Seattle Times

• IKEA Email Systems Hit By Ongoing Cyber Attack (Bleepingcomputer.Com)

• UK and German Police Take Down 21 Jihadist Websites - Infosecurity Magazine

 As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Insurers Run From Ransomware Cover As Losses Mount

Insurers have halved the amount of cyber cover they provide to customers after the pandemic and home-working drove a surge in ransomware attacks that left them smarting from hefty payouts.

Faced with increased demand, major European and US insurers and syndicates operating in the Lloyd's of London market have been able to charge higher premium rates to cover ransoms, the repair of hacked networks, business interruption losses and even PR fees to mend reputational damage.

But the increase in ransomware attacks and the growing sophistication of attackers have made insurers wary. Insurers say some attackers may even check whether potential victims have policies that would make them more likely to pay out.

"Insurers are changing their appetites, limits, coverage and pricing," Caspar Stops, head of cyber at insurance firm Optio, said. "Limits have halved – where people were offering 10 million pounds ($13.50 million), nearly everyone has reduced to five."

Lloyd's of London, which has around a fifth of the global cyber market, has discouraged its 100-odd syndicate members from taking on cyber business next year, industry sources say on condition of anonymity. Lloyd's declined to comment.

https://www.reuters.com/markets/europe/insurers-run-ransomware-cover-losses-mount-2021-11-19/

The Ransomware Threat Is Getting Worse. But Businesses Still Aren't Taking It Seriously

Ransomware is the most significant cybersecurity threat facing the country today, but many businesses still aren't taking the threat as seriously as they should be, the National Cyber Security Centre (NCSC) has warned.

In its newly published annual review, the NCSC – the cybersecurity arm of intelligence agency GCHQ – details the incidents and threats the UK has faced during the past 12 months, including cyberattacks against the health service and vaccine developers during the coronavirus pandemic, state-sponsored cyber-espionage campaigns, phishing scams and more.

But, because of the likely impact a successful attack could have on essential services or critical national infrastructure, it's ransomware that is viewed as the most dangerous cyber threat – and one that more leadership teams need to think about.

https://www.zdnet.com/article/the-ransomware-threat-is-getting-worse-but-businesses-still-arent-taking-it-seriously/

Ransomware Is Now A Giant Black Hole That Is Sucking In All Other Forms Of Cyber Crime

File-encrypting malware is where the money is -- and that's changing the whole online crime ecosystem.

Ransomware is so lucrative for the gangs involved that other parts of the cybercrime ecosystem are being repurposed into a system for delivering potential victims.

"The gravitational force of ransomware's black hole is pulling in other cyberthreats to form one massive, interconnected ransomware delivery system -- with significant implications for IT security," said security company Sophos in a report.

Ransomware is considered by many experts to be most pressing security risk facing businesses -- and its extremely lucrative for the gangs involved, with ransom payouts increasing significantly.

https://www.zdnet.com/article/ransomware-is-now-a-giant-black-hole-that-is-sucking-in-all-other-forms-of-cybercrime/

52% Of SMBs Have Experienced A Cyber Attack In The Last Year

The consequences of a breach have never been more severe, with global cybercrime collectively totalling $16.4 billion each day, a Devolutions survey reveals.

A recent study by IBM revealed that organizations with fewer than 500 employees had an average data breach cost of $2.98 million per incident in 2021. As has been reported, approximately 60% of SMBs go out of business within six months of getting hacked.

Smaller companies are not exempt from cyberattacks; in fact, it’s quite the opposite. Yet many of the tools and resources that larger companies have at their disposal to protect them from cyber attacks are not befitting for smaller companies. There is a gap in the market.

https://www.helpnetsecurity.com/2021/11/19/smbs-cyberattack/

Ransomware Phishing Emails Sneak Through SEGs

Secure email gateway (SEG) protections aren’t necessarily enough to stop phishing emails from delivering ransomware to employees, especially if the cybercrooks are using legitimate cloud services to host malicious pages.

Researchers are raising the alarm over a phishing email kicking off a Halloween-themed MICROP ransomware offensive, which they observed making its way to a target’s inbox despite its being secured by an SEG.

https://threatpost.com/ransomware-phishing-emails-segs/176470/

Reality Check: Your Security Hygiene Is Worse Than You Think It Is

Sevco Security published a report which explores the gap between perceptions and realities of security hygiene and asset management. Leveraging findings from ESG’s “Security Hygiene and Posture Management Survey,” Sevco’s report addresses five unfounded perceptions that many security teams assume to be true and the realities that unveil alarming security risks.

The report reveals that the perception of good security hygiene often leads to gaps in asset inventory that leave organizations open to security incidents. One such gap is the assumption that organizations have an accurate understanding of asset inventory. The reality is that on average, organizations discover 20-30% previously unknown devices once various inventory sources have been analysed and reconciled.

https://www.helpnetsecurity.com/2021/11/18/perception-good-security-hygiene/

The Covid-19 Crisis Has Fueled The Increase Of Cyber Crime In All Its Forms

The accelerated digitalization related to the COVID-19 pandemic has significantly influenced the development of a number of cyber threats, according to the new edition of Europol’s Internet Organised Crime Threat Assessment.

Criminals have been quick to abuse the current circumstances to increase profits, spreading their tentacles to various areas and exposing vulnerabilities, connected to systems, hospitals or individuals.

While ransomware groups have taken advantage of widespread teleworking, scammers have abused COVID-19 fears and the fruitless search for cures online to defraud victims or gain access to their bank accounts. The increase of online shopping in general has attracted more fraudsters. With children spending a lot more time online, especially during lockdowns, grooming and dissemination of self-produced explicit material have increased significantly.

https://www.helpnetsecurity.com/2021/11/18/covid-19-cybercrime/

Ransomware Attacks Are Getting More Complex And Even Harder To Prevent

Ransomware attackers are probing known common vulnerabilities and exposures (CVEs) for weaknesses and quickly capitalizing on them, launching attacks faster than vendor teams can patch them. Unfortunately, ransomware attackers are also making attacks more complex, costly, and challenging to identify and stop, acting on potential targets’ weaknesses faster than enterprises can react.

Two recent research studies — Ivanti’s latest ransomware report, conducted with Cyber Security Works and Cyware, and a second study by Forrester Consulting on behalf of Cyware — show there’s a widening gap between how quickly enterprises can identify a ransomware threat versus the quickness of a cyberattack. Both studies provide a stark assessment of how far behind enterprises are on identifying and stopping ransomware attacks.

https://venturebeat.com/2021/11/13/ransomware-attacks-are-getting-more-complex-and-even-harder-to-prevent/

Most Ransomware Attacks Rely On Exploiting Older, Unpatched Vulnerabilities

Ransomware attackers exploited a dozen new vulnerabilities in campaigns in Q3 2021, bringing the total number of vulnerabilities associated with ransomware to 278, claims a new report.

Compiled by cybersecurity vendor Ivanti, the report reveals that ransomware groups are continuing to grow in sophistication, boldness, and volume, with numbers up across the board since Q2 2021.

It tracked a 4.5% increase in CVEs associated with ransomware in Q3 2021, along with a similar increase in actively exploited and trending vulnerabilities, along with a 3.4% increase in ransomware families, as compared to Q2 2021.

https://www.techradar.com/news/most-ransomware-attacks-rely-on-exploiting-older-unpatched-vulnerabilities

Out-Of-Hours Ransomware Attacks Have A Greater Impact On Revenue

Ransomware attacks at weekends and holidays are throwing victims into disarray, according to a study released by security company Cybereason.

The report, “Organizations at Risk: Ransomware Attackers Don’t Take Holidays,” surveyed security professionals whose organizations suffered a ransomware attack during a holiday or weekend in the last 12 months. It found 86% of them reported missing holiday or weekend activities with friends and family when responding to these attacks.

Of those surveyed, 60% take longer to assess the scope of an attack that happened over the weekend or on a holiday. Half said out-of-hours attacks led to a slower response overall.

One problem was assembling the right team, with just over a third reporting difficulties in getting the necessary people together. When those people do clock in unexpectedly, they might not be fully fit for duty. In fact, 70% were intoxicated when called in to address the attack, the report added.

https://www.itpro.co.uk/security/ransomware/361591/out-of-hours-ransomware-attacks-have-a-greater-impact-on-revenue

Threats

Ransomware

• UK Fighting Hacking Epidemic As Russian Ransomware Attacks Increase | Cybercrime | The Guardian

• Ransomware Gangs Are Now Rich Enough To Buy Zero-Day Flaws, Say Researchers | ZDNet

• Russian Ransomware Gangs Start Collaborating With Chinese Hackers (Bleepingcomputer.Com)

• Exchange Exploit Leads to Domain Wide Ransomware (thedfirreport.com)

• Threat Actors Offer Millions For Zero-Days, Developers Talk Of Exploit-As-A-Service (Bleepingcomputer.Com)

• New Memento Ransomware Switches To Winrar After Failing At Encryption (Bleepingcomputer.Com)

• ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyber Attacks - Truesec

• Fake Ransomware Warnings Hit Wordpress Sites: How To Stay Safe - Malwarebytes Labs

• MosesStaff Locks Up Targets, with No Ransom Demand, No Decryption | Threatpost

BEC - Business Email Compromise

• Microsoft Exchange Server Flaws Now Exploited for BEC Attacks (darkreading.com)

Phishing

• Here Are The New Emotet Spam Campaigns Hitting Mailboxes Worldwide (Bleepingcomputer.Com)

Malware

• Emotet Malware Is Back And Rebuilding Its Botnet Via TrickBot (Bleepingcomputer.Com)

• New Mac Malware Raises More Questions About Apple's Security Patching - Malwarebytes Labs

Mobile

• New Banking Trojan SharkBot Makes Waves Across Europe, US | ZDNet

• Android Malware BrazKing Returns As A Stealthier Banking Trojan (Bleepingcomputer.Com)

• Android Malware That Spies On Your Phone Identified With 23 Apps. (livemint.com)

Vulnerabilities

• Intel Vulnerabilities: Bios Bugs Put Cars, Laptops, Devices at Risk to Hackers - MSSP Alert

• Microsoft Informs Users of High-Severity Vulnerability in Azure AD | SecurityWeek.Com

• New Secret-Spilling Hole In Intel CPUs Sends Company Patching (Again) | Ars Technica

• Netgear Fixes Code Execution Flaw In Many SOHO Devices - Security Affairs

• Six Million Sky Routers Exposed To Takeover Attacks For 17 Months (Bleepingcomputer.Com)

• WordPress Template Plugin Vulnerability Hits +1 Million Sites (searchenginejournal.com)

• 10,000+ Websites And Apps Are Vulnerable To Magecart - Help Net Security

• Linux Has A Serious Security Problem That Once Again Enables DNS Cache Poisoning | Ars Technica

• Vulnerabilities In NPM Allowed Threat Actors To Publish New Version Of Any Package | The Daily Swig (portswigger.net)

• Eighteen High Severity Vulnerabilities Remediated In AMD's Radeon Graphics Driver Packages | TechSpot

Data Breaches/Leaks

• Robinhood Says Hackers Also Got Thousands Of Phone Numbers - The Verge

Organised Crime & Criminal Actors

• Russian Cyber Crime Forums Throw Doors Open to Chinese-Speakers - Infosecurity Magazine

• A Canadian Teen Was Arrested in a $36.5M SIM-Swap Heist | WIRED

Cryptocurrency/Cryptojacking

• Cyber Criminals Increasingly Employ Crypto-Mixers to Launder Stolen Profits (darkreading.com)

• Chinese Communist Party Official Expelled For Mining Crypto • The Register

Supply Chain

• New Type of Supply Chain Attack Could Put Popular Admin Tools at Risk (intezer.com)

• Hackers Are Threatening The Global Supply Chain | OilPrice.com

DoS/DDoS

• Cloudflare Fends Off A Multi-Vector DDoS Attack - NotebookCheck.net

Nation State Actors

• Cyber War’s Global Players—It’s Not Always Russia Or China | CSO Online

• FBI Warns Of APT Group Exploiting FatPipe VPN Zero-Day Since May (Bleepingcomputer.com)

• Iranian Targeting Of IT Sector On The Rise - Microsoft Security Blog

• Iranians Charged in Cyber Attacks Against US 2020 Election | Threatpost

• Microsoft Warns about 6 Iranian Hacking Groups Turning to Ransomware (thehackernews.com)

Cloud

• Cyber Criminals Target Alibaba Cloud for Cryptomining, Malware | Threatpost

• Cloud Compliance: Falling Out Of It Could Spell Doom - Help Net Security

Financial Services Sector

• US Regulators Order Banks To Report Cyberattacks Within 36 Hours (Bleepingcomputer.Com)

Health Sector

• Healthcare Organisations At Risk: The Attack Surface Is Expanding - Help Net Security

Reports Published in the Last Week

• NCSC Annual Review 2021 - NCSC.GOV.UK

Other News

• Why Are You Still Using QWERTY? 2021's Most Common Passwords Revealed | ZDNet

• Shrinking Cyber Budgets Are Leaving Businesses At Risk - Help Net Security

• Trend Micro: 90% of IT Decision Makers Believe Organisations Compromise on Cyber Security in Favour of Other Goals (darkreading.com)

• FBI Probes Cyber-Attack Emails Sent From Internal Server - BBC News

• Corporate Espionage Specialists RedCurl Return With Improved Tools - Cyberscoop

• 76% Of Gamers Were Financially Affected By A Cyber Attack, Losing $700+ On Average - Help Net Security

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Covid Impact Heightens Risk Of Cyber Security Breaches

CYBER SECURITY breaches are the biggest staff-related risk as Covid-19 and recruitment difficulties continue to impact workplaces, according to a survey of Channel Island employers.

Seven out of ten senior HR professionals and business leaders saw a cyber security breach as the greatest staff-related risk for a regulated financial services business – way ahead of employees leaving (16%) and employees working from home (10%). Some 57% of employers said Covid-19 had changed their policies, procedures and systems ‘moderately’, with 29.5% reporting ‘significant’ changes, according to the research undertaken at a virtual employment conference organised by Walkers last month.

https://guernseypress.com/news/2021/11/12/covid-impact-heightens-risk-of-cyber-security-breaches/

81% of Organisations Experienced Increased Cyber Threats During COVID-19

More than four in five (81%) organisations experienced increased cyber-threats during the COVD-19 pandemic, according to a new study by McAfee and FireEye.

The global survey of 1451 IT and line of business decision-makers found that close to half (43%) have suffered from downtime due to a cyber concern. This resulted in costs of $100,000 for some organisations.

Despite the increased threat landscape and the fact that over half (57%) of organisations saw a rise in online/web activity, 24% of respondents revealed they have had their technology and security budgets reduced over this period.

https://www.infosecurity-magazine.com/news/81-orgs-cyber-threats-covid19/

Phishing Attacks Grow 31.5% Over 2020, Social Media Attacks Continue To Climb

Phishing remains the dominant attack vector for bad actors, growing 31.5 percent over 2020, according to a PhishLabs report. Notably, attacks in September 2021 were more than twice as high as the previous year.

https://www.helpnetsecurity.com/2021/11/11/phishing-attacks-grow-2020/

Threat from Organised Cyber Crime Syndicates Is Rising

Europol reports that criminal groups are undermining the EU’s economy and its society, offering everything from murder-for-hire to kidnapping, torture and mutilation.

From encrypting communications to fencing ill-gotten gains on underground sites, organised crime is cashing in on the digital revolution.

The latest organised crime threat assessment from Europol issues a dire warning about the corrosive effect the rising influence of criminal syndicates is having on both the economy and society of the European Union. And it’s all happening online.

https://threatpost.com/organised-cybercrime-syndicates-europol/176326/

Ransomware Gangs Are Using These 'Ruthless' Tactics As They Aim For Bigger Payouts

More sophisticated ransomware attacks are on the way as cyber criminals tailor campaigns to raise the chances of a ransom payment.

Ransomware attacks are becoming more sophisticated as cyber criminals continue to develop new techniques to make campaigns more effective and increase their chances of successfully demanding a ransom payment.

According to the European law enforcement agency Europol there was a 300% increase in the number of ransom payments between 2019 and 2020 alone – and that doesn't account for 2021 being another bumper year for cyber criminals launching ransomware attacks, as they've taken advantage of security vulnerabilities presented by the rise in remote working. 

Europol's Internet Organised Crime Threat Assessment (IOCT) shows that while cybercrime, including malware and DDoS attacks, continues to evolve, it's ransomware attacks that have been a significant amount of disruption over the course of the past year.

https://www.ZDNet.com/article/ransomware-gangs-are-now-using-ruthless-tactics-as-they-aim-for-bigger-payouts/

Firms Will Struggle to Secure Extended Attack Surface in 2022

Companies are relying more heavily on third parties, remote employees, and partners, expanding their attack surface area beyond traditional boundaries.

In 2022, much of cybersecurity will boil down to managing the security of relationships, as companies adapt to the post-pandemic remote workforce and the increased use of third-party providers, a panel of analysts stated at the Forrester Research Security & Risk 2021 Conference.

Among five predictions for the coming year, the analysts argued that companies' attempts to manage remote employees would stray into intrusive territory, causing workers to push back and hampering security-focused monitoring, such as that for insider threats. Other predictions maintain that 60% of security incidents in the next year will come from issues with third parties, while the cybersecurity workforce will suffer from burnout and join what's been called the "Great Resignation," the recent trend of workers leaving the workforce.

https://www.darkreading.com/risk/firms-will-struggle-to-secure-extended-attack-surface-in-2022

Millions Of Home Wi-Fi Routers Threatened By Malware — What To Do

Netgear, Linksys, D-Link routers among those targeted

There's a nasty new piece of malware out there targeting Wi-Fi routers, and you'll want to make sure yours is fully updated so it doesn't get infected.

The AT&T researchers who discovered the malware are calling it BotenaGo, and it's apparently different from the Mirai botnet malware that's been attacking routers since 2016. BotenaGo packs in exploits for 33 different known vulnerabilities in 12 different router brands, including D-Link, Linksys, Netgear, Tenda, Totolink, Zyxel and ZTE. A full list is on the AT&T Cybersecurity blog post.

To avoid infection, ensure you update your router with the latest firmware.

https://www.tomsguide.com/uk/news/botenago-router-malware

Vulnerabilities Associated With Ransomware Increased 4.5% In Q3 2021

Ransomware groups are continuing to grow in sophistication, boldness, and volume, with numbers up across the board since Q2 2021, a report by Ivanti, Cyber Security Works and Cyware reveals.

This last quarter saw a 4.5% increase in CVEs associated with ransomware, a 4.5% increase in actively exploited and trending vulnerabilities, a 3.4% increase in ransomware families, and a 1.2% increase in older vulnerabilities tied to ransomware compared to Q2 2021.

https://www.helpnetsecurity.com/2021/11/10/vulnerabilities-associated-with-ransomware/

80% Of Organisations Experienced Employees Misusing And Abusing Access To Business Apps

Organisations continue to operate with limited visibility into user activity and sessions associated with web applications, despite the ever-present risk of insider threats and credential theft, a CyberArk research reveals.

While the adoption of web applications has brought flexibility and increased productivity, organisations often lag in implementing the security controls necessary to mitigate risk of human error or malicious intent.

https://www.helpnetsecurity.com/2021/11/08/user-activity-visibility/

Gen Z Is Behaving Recklessly Online - And Will Live To Regret It

Handing out personal information could be a slippery slope

Members of Generation Z, the cohort of people born in the first decade of the 21st century, care about digital privacy, but their desire for online fame and popularity is greater, a new study from ExpressVPN suggests.

The VPN provider surveyed 1,500 young adults from the US to evaluate their online habits and attitudes towards social media, and identified a troubling pattern that could have dire consequences.

The survey found that Generation Z isn’t trusting of the social media platforms they frequent, expressing concern that platforms may be using their images for facial recognition (67%) and wariness about oversharing personal information (66%).

https://www.techradar.com/news/gen-z-is-behaving-recklessly-online-and-will-live-to-regret-it

Threats

Ransomware

• 12 New Flaws Used in Ransomware Attacks in Q3 | Threatpost

• Average Ransomware Payment For US Victims More Than $6 Million, Survey Says | ZDNet

• Ransomware Disrupted Store Operations In The Netherlands And Germany - Security Affairs

• Toronto’s Transit Agency Cyber Attack Exposes 25,000 Employees’ Data | Techcrunch

• Comic Book Distributor Struggling With Shipments After Ransomware Attack | ZDNet

• Ransomware Attack Hits UK Fertility Clinic - Infosecurity Magazine (infosecurity-magazine.com)

• Spanish Brewery “Paralyzed” by Cyber-Attack - Infosecurity Magazine (infosecurity-magazine.com)

• TrickBot Teams Up With Shatak Phishers For Conti Ransomware Attacks (Bleepingcomputer.Com)

• REvil Ransomware: US seizes $6 Million In Ransom Payments And Expected To Charge Ukrainian Over Major Cyber Attack - CNNPolitics

BEC

• Interpol Closes in on Global BEC Gang - Infosecurity Magazine (infosecurity-magazine.com)

• Tiny Font Size Fools Email Filters in BEC Phishing | Threatpost

Phishing

• How Cyber Criminals Use Bait Attacks To Gather Info About Their Intended Victims - TechRepublic

• Microsoft Warns Of Surge In HTML Smuggling Phishing Attacks (Bleepingcomputer.Com)

• Shadow IT Makes People More Vulnerable to Phishing (sans.edu)

• Gmail Accounts Are Used In 91% Of All Baiting Email Attacks (Bleepingcomputer.Com)

Other Social Engineering

• SMS About Bank Fraud as a Pretext for Voice Phishing – Krebs on Security

Malware

• QAKBOT Loader Returns With New Techniques and Tools (trendmicro.com)

• Abcbot — A New Evolving Wormable Botnet Malware Targeting Linux (thehackernews.com)

• GravityRAT Returns Disguised As An End-To-End Encrypted Chat App - Security Affairs

• Report: 57% Of All Ecommerce Cyber Attacks Are Bot-Driven | Venturebeat

• New BazarBackdoor Attack Discovered - Infosecurity Magazine (infosecurity-magazine.com)

Mobile

• More Than 1,000 Android Phones Found Infected By Creepy New Spyware | Ars Technica

IOT

• BotenaGo Botnet Targets Millions Of IoT Devices With 33 Exploits (Bleepingcomputer.Com)

• Why the NSA Wants To Protect You From Your Toothbrush (msnbc.com)

Vulnerabilities

• Intel And AMD Address High Severity Vulnerabilities In Products And Drivers - Security Affairs

• Samba Update Patches Plaintext Passwork Plundering Problem – Naked Security (Sophos.Com)

• Microsoft Fixes Exchange Server Zero-Day (DarkReading.com)

• Palo Alto Networks Patches Zero-Day Affecting Firewalls Using GlobalProtect Portal VPN | ZDNet

• Researchers Wait 12 Months To Report Vulnerability With 9.8 Out Of 10 Severity Rating | Ars Technica

• Google Warns Hackers Used MacOS Zero-Day Flaw, Could Capture Keystrokes, Screengrabs | ZDNet

Data Breaches/Leaks

• Robinhood Discloses Data Breach Impacting 7 Million Customers (Bleepingcomputer.Com)

• This Top VPN Provider May Have Leaked Millions Of User Details | Techradar

Organised Crime & Criminal Actors

• UK Recorded 1.8m Computer Misuse Crimes During 2019 • The Register

• These Are The Top-Level Domains Threat Actors Like The Most (Bleepingcomputer.Com)

• Aleksandr Zhukov, Self-Described 'King Of Fraud,' Is Sentenced To 10 Years - Cyberscoop

• Cyber-Mercenary Group Void Balaur Attacks High-Profile Targets for Cash | Threatpost

• Humanizing Hackers: Entering The Minds Of Those Behind The Attacks - Help Net Security

Cryptocurrency/Cryptojacking

• How To Spot And Block Cryptominers On Your Network | CSO Online

Insider Threats

• Insider IP Theft Is Surging — and Most Can't Stop It (darkreading.com)

DoS/DDoS

• DDoS Attacks Shatter Records in Q3, Report Finds   | Threatpost

OT, ICS, IIoT and SCADA

• 83% of Critical Infrastructure Organisations Suffered Breaches, 2021 Cyber Security Research Reveals (darkreading.com)

Nation State Actors

• State Hackers Breach Defence, Energy, Healthcare Orgs Worldwide (Bleepingcomputer.Com)

• China’s next generation of hackers won’t be criminals. That’s a problem. | TechCrunch

• Suspected Chinese Hackers Hit Critical Infrastructure, Government Agencies In Espionage Operation - MSSP Alert

• Russian Cyber Crime Group Exploits SolarWinds Serv-U Vulnerability | SecurityWeek.Com

• Microsoft: Patch Zoho Bug Now to Stop Chinese Hackers - Infosecurity Magazine (infosecurity-magazine.com)

• North Korean Hackers Target The South's Think Tanks Through Blog Posts | ZDNet

• Iranian Threat Actors Attempt To Buy Stolen Data Of US Orgs, FBI Warns - Security Affairs

• 'Lyceum' Threat Group Broadens Focus to ISPs (darkreading.com)

Cloud

• Cloud Attack Analysis Unearths Lessons for Security Pros (darkreading.com)

Privacy

• There’s Been A Big Rise In Monitoring Workers At Home. We Should All Be Worried | ZDNet

• Spyware Providers Are Flocking To International Arms Fairs To Sell To NATO Foes - Cyberscoop

• CEO of Blacklisted Spyware Firm Quits - Infosecurity Magazine (infosecurity-magazine.com)

• The Metaverse Is the Ultimate Surveillance Tool (vice.com)

Reports Published in the Last Week

• Internet Organised Crime Threat Assessment (IOCTA) 2021 | Europol (europa.eu)

• Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more! – Naked Security

• Kaspersky Q3 2021 DDoS Attack Report | Securelist

• Report: 74% Of IT Security Pros Want Better Penetration Testing | Venturebeat

Other News

• Booking.com Was Reportedly Hacked By A Us Intel Agency But Never Told Customers | Ars Technica

• Younger Generations Care Little About Cybersecurity - Help Net Security

• Hundreds Of Thousands Of Fake Warnings Of Cyber Attacks Sent From A Hacked FBI Email Server - Security Affairs

• The Rising Threat Stemming From Identity Sprawl | SecurityWeek.Com

• Playstation 5 Hacked—Twice! - Malwarebytes Labs | Malwarebytes Labs

• Hong Kong Cyber Attack Reveals That Apple Favours Latest OS Versions For Security Updates | Techspot

• Unique Challenges to Cyber-Security in Healthcare and How to Address Them (thehackernews.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

500 Million Attempted Ransomware Attacks (So Far) in 2021, With No Sign Of Slowing

So far, 2021 is stacking up to be the most costly and dangerous year on record for the volume of ransomware attacks, SonicWall said in a new report.

The security provider has logged nearly 500 million attempted ransomware attacks through September, 2021, with 1,748 attempts per customer in that nine-month period. The overall total of 495 million to date amounts to a 148 percent surge as compared to the same period last year. SonicWall expects to record 714 million attempted ransomware attacks by the close of 2021, a 134 percent skyrocket over last year’s totals. https://www.msspalert.com/cybersecurity-research/500-million-attempted-ransomware-attacks-so-far-in-2021/

Top 10 Ways Attackers Are Increasing Pressure On Their Ransomware Victims To Pay

Sophos researchers have detailed how ransomware attackers are implementing a wide range of ruthless pressure tactics to persuade victims to pay the ransom.

Their research is based on evidence and insight from a team of 24/7 incident responders who help organisations under active cyberattack. It highlights the shift in ransomware pressure techniques from solely encrypting data to including other pain points, such as harassing employees.

Since organisations have become better at backing up their data and restoring encrypted files from backups, attackers are supplementing their ransom demands with additional extortion measures that increase the pressure to pay.

For example, the Sophos Rapid Response team has seen cases where attackers email or phone a victim’s employees, calling them by their name and sharing personal details they’ve stolen – such as any disciplinary actions or passport information – with the aim of scaring them into demanding their employer pays the ransom. This kind of behavior shows how ransomware has shifted from a purely technical attack targeting systems and data into one that also targets people. https://www.helpnetsecurity.com/2021/11/04/attackers-pressure-ransomware-victims/

40% Of Organisations Suffered A Cloud-Based Data Breach In The Past 12 Months

Despite increasing cyber attacks targeting data in the cloud, 83% of businesses are still failing to encrypt half of the sensitive data they store in the cloud, raising even greater concerns as to the impact cyber criminals can have. 40% of organisations have experienced a cloud-based data breach in the past 12 months, according to a study conducted by 451 Research.

Cloud adoption is on the rise and businesses are continuing to diversify the way they use cloud solutions. Globally, 57% of respondents reported they make use of two or more cloud infrastructure providers, whilst 24% of organisations flagged that the majority of their workloads and data now reside in the cloud. https://www.helpnetsecurity.com/2021/11/02/experienced-cloud-based-data-breach/

Midsize Business Cyber Attacks: A Security Reality Check

Ransomware bombshells hit large enterprises. Carpet-bomb cyberattacks target MSP software supply chains and their small business customers. But what’s the state of cybersecurity among midsize businesses?

Actually, that landscape also faces its share of digital bombshells. Indeed, nearly two in three midsize organisations have suffered a ransomware attack in the past 18 months and 20 percent of them spent at least $250,000 to recover from it, according to research by UncommonX, an MSSP that leans heavily on its own SaaS-based solutions..

The Chicago-based MSSP’s newly released State of Cybersecurity for Midsize Organisations found that smaller companies are often not properly prepared to fend off a cyber attack nor do they engage in adequate network monitoring. In short, cybersecurity is often not enough of a priority within midsize companies. https://www.msspalert.com/cybersecurity-news/midsize-business-cyberattacks-a-security-reality-check/

70% Of Dev Teams Admit To Skipping Security Steps

According to a new study by Invicti Security, 70% of development teams always or frequently skip security steps due to time pressures when completing projects. This explains why, in the average organisation, 33% of security issues in remediation at any given time come from production code.

Security and development teams spend every day inside a catch-22: relentless demand for continued digital innovation amid increasing security threats to a sprawling attack surface. While there are some bright spots emerging on the road to secure innovation, these professionals are stressed — and too often make bad choices. https://venturebeat.com/2021/10/27/report-70-of-dev-teams-admit-to-skipping-security-steps/

79% Of IT Teams Have Seen Increase In Endpoint Security Breaches

According to a new report by HP Wolf Security, 79% of IT teams have seen an increase in rebuild rates, indicating that hackers are becoming more successful at breaching the endpoint and compromising organisations’ devices and data.

This sudden increase in rebuild rates is particularly affecting enterprises with 1,000 employees or more — organisations of this kind have the highest average number of rebuilds per month at 67.3. The study also highlights that employees are clicking on more malicious emails. Whether this is because people are less vigilant working from home or because they find it harder to determine what is safe to open, the rising number of rebuilds suggests that hackers have become more successful at breaching the endpoint through malicious links. https://venturebeat.com/2021/10/28/report-79-of-it-teams-have-seen-increase-in-endpoint-security-breaches/

Enterprises With Subsidiaries More Prone To Cyber Attacks, Study Says

Global enterprises with multiple subsidiaries are more exposed to cybersecurity threats and have more difficulty managing risk than companies with no, or fewer, subsidiaries, according to an Osterman Research report commissioned by CyCognito.

The study surveyed 201 organisations with at least 10 subsidiaries and at least 3,000 employees or $1 billion in annual revenue.

Despite being extremely confident about running effective subsidiary risk management, about 67% of respondents said their organisations had either experienced a cyberattack where the attack chain included a subsidiary, or that they lacked the ability or information to rule out the possibility.

About half of the respondents acknowledged that they wouldn't be surprised if a cyberbreach were to occur "tomorrow." https://www.csoonline.com/article/3639014/enterprises-with-subsidiaries-more-prone-to-cyberattacks-study-says.html

Cisco Talos Reports New Variant Of Babuk Ransomware Targeting Exchange Servers

Cisco Talos has a warning out for companies about a new variant of the Babuk ransomware. The security researchers discovered the campaign in mid-October and think that the variant has been active since July 2021. The new element in this attack is an unusual infection chain technique.

The researchers think that the initial infection vector is an exploitation of ProxyShell vulnerabilities in Microsoft Exchange Server through the deployment of China Chopper web shell.

Babuk can affect several hardware and software platforms but this version is targeting Windows. The ransomware encrypts the target's machine, interrupts the system backup process and deletes the volume shadow copies. https://www.techrepublic.com/article/cisco-talos-reports-new-variant-of-babuk-ransomware-targeting-exchange-servers/

Ransomware Gangs Target Corporate Financial Activities

The FBI is warning about a fresh extortion tactic: threatening to tank share prices for publicly held companies.

Ransomware gangs are zeroing in on publicly held companies with the threat of financial exposure in an effort to encourage ransom payments, the FBI is warning.

In an alert issued this week the Bureau said that activity over the course of the past year shows a trend toward targeting companies when they’re coming up to “significant, time-sensitive financial events,” such as quarterly earnings reports and mandated SEC filings, initial public offerings, M&A activity, and so on. The idea is to ratchet up the extortion thumb-screws by threatening to leak stolen information relevant to these events if the target doesn’t pay up.

Impending events that could affect a victim’s stock value, such as announcements [or] mergers and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion. https://threatpost.com/ransomware-corporate-financial/175940/

Web Of Deceit: The Rising Threat Of Ransomware

With payouts of almost £260m last year alone, it has become the biggest – and easiest – money-earner available to hackers.

Heists at famous jewellers usually involve masked men, guns, shouting and terrified staff and customers. That was indeed the scene in August 2009 at the London branch of Graff, the famous diamond merchants, when a gang stole around £40million worth of jewels. They were caught not long after.

But the latest heist on Graff, revealed recently, was quieter. No guns, no masks, no shouting. Instead the company – which supplies a dizzying parade of top-name stars such as the Beckhams, Tom Hanks and Tamara Ecclestone – faced a demand, displayed on a computer screen, for millions of pounds, payable to a group of Russian hackers.

Graff, like hundreds of companies around the world, had been hit by “ransomware”: an attachment to an email delivered a malicious program which let in hackers, who scrambled all the files on its computer systems using an uncrackable computer code, for which they had the digital “key”.

They’d hand it over in exchange for a payment worth millions of pounds in untraceable cryptocurrency such as bitcoin, where transactions are made between digital “wallets” that do not pass through any bank and are not tied to any identity.

Without the key, the systems are useless. The option is to restore the system from backups – but frequently the hackers will have targeted those too. https://www.telegraph.co.uk/news/2021/11/06/web-deceit-rising-threat-ransomware/

While Businesses Are Ramping Up Their Risk Mitigation Efforts, They Could Be Doing More

Zurich North America and Advisen have released a survey of corporate risk managers and insurance buyers revealing current views about information security and cyber risk management.

The survey results indicate that risk professionals are increasingly aware of their intensifying cyber risks and the need to manage them using risk mitigation and risk transfer. However, a deeper dive into the numbers found that there is much room for improvement in building cyber resilience.

Sixty-five percent of respondents have invested in cyber security solutions to mitigate risk, which means that 35 percent of respondents still have not. https://www.helpnetsecurity.com/2021/11/03/gaps-risk-mitigation-efforts/

Threats

Ransomware

• Ransomware Attacks Increased 148% In Q3 2021, Showing No Sign Of Slowing - Help Net Security

• Conti Group Leak Celebs’ Data After Ransom Attack on Jeweller - Infosecurity Magazine (infosecurity-magazine.com)

• Babuk Ransomware Seen Exploiting ProxyShell Vulnerabilities | SecurityWeek.Com

• Toronto Subways Hit By Ransomware As US Lawmakers Slam 'Burdensome' Cyber Security rules | ZDNet

• FBI Says Ransomware Gangs Are Using Future Merger And Acquisition Info To Pressure Victims - The Record By Recorded Future

• BlackMatter Ransomware Moves Victims To LockBit After Shutdown (Bleepingcomputer.Com)

Phishing

• Phishing Attack Blends Spoofed Amazon Order and Fraudulent Customer Service Agents (darkreading.com)

Other Social Engineering

• Consumers Warned About Rise in Call Center Threats - Infosecurity Magazine (infosecurity-magazine.com)

• “Customer Complaint” Email Scam Preys On Your Fear Of Getting Into Trouble At Work – Naked Security (Sophos.Com)

• Voice Phishing Attack Spoofs Amazon To Steal Credit Card Information - Techrepublic

Malware

• Stealthier Version Of Mekotio Banking Trojan Spotted In The Wild (Bleepingcomputer.Com)

• 77% Of Rootkits Are Used For Espionage Purposes - Help Net Security

Mobile

• Why You Should Delete Google Chrome On Your Phone (forbes.com)

• Phishing Attacks Are Harder To Spot On Your Smartphone. That's Why Hackers Are Using Them More | ZDNet

• Android Patches Actively Exploited Zero-Day Kernel Bug | Threatpost

• Stealthy Trojan That Roots Android Devices Makes Its Way On App Stores | CSO Online

• Android Hit By AbstractEmu Malware • The Register

Vulnerabilities

• Apple macOS Flaw Allows Kernel-Level Compromise | Threatpost

• BrakTooth Bluetooth Bugs Bite: Exploit Code, PoC Released | Threatpost

• Get Patching: Cisco Warns Of These Critical Product Vulnerabilities | ZDNet

• 50% Of Internet-Facing Gitlab Installations Are Still Affected By A RCE Flaw - Security Affairs

• Critical RCE Vulnerability Reported in Linux Kernel's TIPC Module (thehackernews.com)

Data Breaches/Leaks

• UK Labour Party Blames Breach Of Members’ Data On Third-Party Cyber Attack | Techcrunch

• Medical School Exposes Personal Data Of Thousands Of Students | ZDNet

Cryptocurrency/Cryptojacking

• Squid Game Crypto Scammers Rip Off Investors for Millions | Threatpost

• Threat Actors Stole $55m Worth Of Cryptocurrency From bZx DeFi Platform - Security Affairs

OT, ICS, IIoT and SCADA

• Keeping An Eye On Critical Infrastructure And Industrial Sys • The Register

Privacy

• Facebook Kills Its Facial Recognition System, Citing 'Societal Concerns,' Uncertain Rules From Regulators - CyberScoop

Parental Controls

• 44% of Parents Struggle to Follow Tech Rules They Set for Their Kids (darkreading.com)

• Annual Cost of Child Identity Fraud Almost $1Bn - Infosecurity Magazine (infosecurity-magazine.com)

Reports Published in the Last Week

• Report: More Than Half Of Organisations Do Not Effectively Defend Against Cyberattacks - TechRepublic

• Cyber Security Threat Landscape Growing In Sophistication, Complexity And Impact - Help Net Security

Other News

• Hackers Are Stealing Data Today So Quantum Computers Can Crack It In A Decade | MIT Technology Review

• Another Cyber Security Awareness Month Has Passed and Little Has Changed | SecurityWeek.Com

• Magecart Credit Card Skimmer Avoids VMs to Fly Under the Radar | Threatpost

• Organisations Seldom Prioritize Cyber Security Over Business Outcomes - Help Net Security

• Are Your Passwords On The Dark Web? How To Check What Leaked After A Data Breach - CNET

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Protect Your Passwords, Warns Spy Chief, As Ransomware Cyber Attacks Double

Ransomware cyber attacks doubled in the past year, the chief of GCHQ has revealed - as he warned Britain must “pay attention” to attacks from China.

Sir Jeremy Fleming, director of the cyber spy agency, called for more action to "sort out" ransomware attacks across the UK, adding it was not "rocket science".

He said such attacks have doubled in the last year, with hackers using software to lock files on computers and stop victims from accessing their own data.

This essentially holds them hostage until the hackers receive payment and then give a decryption key to the victim, so they can regain access.

‘Criminals are making very good money from it’

Sir Jeremy said ransomware "just pays" and added that "criminals are making very good money from it and are often feeling that that's largely uncontested".

While cautious of “keeping up” with security challenges alongside European partners, he said the immediate priority was tackling “links between criminal and state actors” to defeat ransomware, which he said “is no mean feat in itself”. https://www.telegraph.co.uk/news/2021/10/25/ransomware-cyber-attacks-double-year-reveals-spy-chief/

Graff Multinational Jeweller Hit by Conti Gang. Data of its Rich Clients Are At Risk, Including Trump and Beckham, as the Gang Threaten to Release Private Details of World Leaders, Actors and Tycoons

The latest attack of the Conti ransomware gang makes the headlines, the threat actors hit high society jeweller Graff and asked the payment of a multi-million ransom to avoid leaking details of world leaders, actors and tycoons.

The customers of the company are the richest people on the globe, including Donald Trump, David Beckham, Tom Hanks, Samuel L Jackson, Alec Baldwin, and Sir Philip Green.

As proof of the hack, the group already published on its leak site files related to purchases made by David Beckham, Oprah, and Donald Trump.

The Conti gang has already leaked 69,000 confidential documents, leaked files include customer lists, invoices, receipts, and credit notes. https://securityaffairs.co/wordpress/123980/cyber-crime/conti-ransomware-graff-jeweller.html

Business Email Compromise (BEC) Costs UK Firms £140M Over Past Year

Reported business email compromise (BEC) incidents have hit 4600 cases over the past 12 months, costing individuals and businesses £138m in losses, according to new figures from the UK’s National Economic Crime Centre (NECC).

The government body is working with the National Crime Agency (NCA), City of London Police, banking group UK Finance and fraud prevention non-profit Cifas on a new campaign to raise awareness of the crime, also dubbed “mandate fraud” or “payment diversion fraud.”

It claimed that the average amount lost over those 4600 cases was £30,000, with criminals typically impersonating others and creating or amending invoices to trick victims into diverting money to accounts under their control. https://www.infosecurity-magazine.com/news/bec-costs-uk-firms-140m-past-year/

Ransomware: It's A 'Golden Era' For Cyber Criminals - And It Could Get Worse Before It Gets Better

Ransomware is the most significant cybersecurity threat facing organisations today as increasingly professional and sophisticated cyber criminals follow the money in order to maximise the profit from illicit campaigns.

ENISNA, the European Union Agency for Cybersecurity, has released the latest edition of the ENISA Threat Landscape (ETL) report, which analyses cyber-criminal activity between April 2020 and July 2021. It warns of a surge in cyber criminality, much of it driven by the monetisation of ransomware attacks.

Although the paper warns that many different cybersecurity threats are on the rise, ransomware represents the 'prime threat' faced by organisations today, with a 150% rise in ransomware attacks during the reporting period. And there are fears that despite the problem of ransomware attracting the attention of world leaders, the problem will get worse before it gets better. https://www.zdnet.com/article/ransomware-its-a-golden-era-for-cyber-criminals-and-it-could-get-worse-before-it-gets-better/

Despite Increased Cyber Threats, Many Organisations Have No Defence Plans In Place

98% of US executives report that their organisations experienced at least one cyber event in the past year, compared to a slightly lower rate of 84% in non-US executives, according to a Deloitte survey.

Further, COVID-19 pandemic disruption led to increased cyber threats to US executives’ organisations (86%) at a considerably higher rate than non-US executives experienced (63%). Yet, 14% of US executives say their organisations have no cyber threat defence plans, a rate more than double that of non-US executives (6%).

The biggest fallout US execs report from cyber incidents or breaches at their organisations during the past year include operational disruption (28%), share price drop (24%), leadership change (23%), intellectual property theft (22%) and loss of customer trust (22%).

Increases in data management, perimeter and complexities (38%), inability to match rapid technology changes (35%) and a need for better prioritization of cyber risk across the enterprise (31%) all pose obstacles to US executives’ organisation-wide cybersecurity management programs.

“No CISO or CSO ever wants to tell organisational stakeholders that efforts to manage cyber risk aren’t keeping-up with the speed of digital transformations made, or bad actors’ improving tactics”. https://www.helpnetsecurity.com/2021/10/28/threat-defence-plans/

Serious Warning Issued For Millions Of Apple iPhone Users

While iPhone 13 sales continue to soar, iPhones owners have faced growing security threats, multiple App Store scams, potential privacy violations and zero day hacks. Now a shocking account of extreme iPhone hacking has been revealed.

In a remarkable report, New York Times senior reporter Ben Hubbard has revealed how his iPhone was hacked multiple times over a period of several years, and without any human interaction or knowledge the attacks were taking place. And the experience results in a stark warning: “the spyware used against me makes us all vulnerable”.

“It’s like being robbed by a ghost,” explains Hubbard, recounting the experience. “I didn’t even have to click on a link for my phone to be infected.” https://www.forbes.com/sites/gordonkelly/2021/10/27/apple-iphone-warning-pegasus-hack-upgrade-ios-15-security/

Ransomware Attacks Are Evolving. Your Security Strategy Should, Too

Ransomware is an intensifying problem for all organisations, and it’s only going to get worse. What started as a floppy disk-based attack with a $189 ransom demands has grown from a minor inconvenience for organisations into a multi-billion dollar cyber crime industry.

The organisational threat of these types of attacks goes well beyond encryption of sensitive or mission-critical data – for many companies, the thought of a breach and data becoming publicly available on the internet makes a high ransom seem worth it. No wonder ransomware is on the rise: Organisations pay an average of $220,298 and suffer 23 days of downtime following an attack. https://threatpost.com/ransomware-attacks-evolving-security-strategy/175835/

Solarwinds Hackers Are Targeting The Global IT Supply Chain, Microsoft Says

The Russian-linked hacking group that’s been blamed for an attack on the US government and a significant number of private US companies last year is targeting key players in the global technology supply chain, according to cybersecurity experts at Microsoft.

Nobelium, as the hacking group is known, is infamous for the SolarWinds hack.

On Monday, Tom Burt, Microsoft corporate vice president of customer security and trust, said Nobelium has “been attempting to replicate the approach it has used in past attacks by targeting organisations integral to the global IT supply chain.”

“This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers” https://www.cnbc.com/2021/10/25/solarwinds-hackers-targeting-global-it-supply-chain-microsoft-says.html

Defenders Worry Orgs Are More Vulnerable Than Last Year

Enterprise security defenders find themselves in a rough spot: The number of threats against their organisations is growing and that they're vulnerable to attacks. Data from Dark Reading's 2021 Strategic Security Survey suggest that even though most IT and security leaders are confident about the security defences they have implemented, they also believe their organisations are more vulnerable to attacks compared with a year ago.

The reasons for this pessimism vary. For 67% of respondents, the biggest concern lies in the fact that there are more attacks this year than there were last year. However, 56% say the increased sophistication of the threats they are facing is why their organisations are more vulnerable to compromise. Other reasons include the surge in ransomware attacks and shortage of skilled security professionals to detect and respond to threats. https://www.darkreading.com/edge-threat-monitor/defenders-worry-orgs-are-more-vulnerable-than-last-year

Threats

Ransomware

• These Companies Are Most at Risk for Ransomware Attacks | PCMag

• Ransomware: How Bad Is It Going To Get? - Help Net Security

• As Fewer Victims Pay Ransoms, Conti Gang Looks To Sell Victim Data | Sc Media (Scmagazine.Com)

• Europol Announces “Targeting” Of 12 Suspects In Ransomware Attacks – Naked Security (Sophos.Com)

• Police Arrest Suspected Ransomware Hackers Behind 1,800 Attacks Worldwide (thehackernews.com)

• SEO Poisoning Used to Distribute Ransomware (darkreading.com)

• FBI Warns Of Ranzy Locker Ransomware Threat, As Over 30 Companies Hit (Tripwire.Com)

• Ransomware Has Disrupted Almost 1,000 Schools in the US This Year (vice.com)

• Chaos Ransomware Targets Gamers Via Fake Minecraft Alt Lists (Bleepingcomputer.Com)

Phishing

• These Phishing Emails Use QR Codes To Bypass Defences And Steal Microsoft 365 Usernames And Passwords | ZDNet

• Phishing as a Ransomware Precursor - MSP Insights - MSSP Alert

• Teen Rakes in $2.74M Worth of Bitcoin in Phishing Scam | Threatpost

Other Social Engineering

• How Deepfakes Enhance Social Engineering And Authentication Threats, And What To Do About It | CSO Online

Malware

• Squid Game Malware Might Be The Scariest Thing You See This Halloween | Techradar

• TA575 Criminal Group Using 'Squid Game' Lures For Dridex Malware | ZDNet

• Snake Malware Biting Hard On 50 Apps For Only $25 (Bleepingcomputer.Com)

• New WSlink Malware Loader Runs as a Server and Executes Modules in Memory (thehackernews.com)

Mobile

• 6 Ways Your Cell Phone Can Be Hacked—Are You Safe? (makeuseof.com)

• Millions Of Android Users Targeted In Subscription Fraud Campaign (Bleepingcomputer.Com)

• New AbstractEmu Malware Roots Android Devices, Evades Detection (Bleepingcomputer.Com)

IOT

• Cyber Criminals Take Aim at Connected Car Infrastructure (darkreading.com)

Vulnerabilities

• All Windows Versions Impacted By New LPE Zero-Day Vulnerability (Bleepingcomputer.Com)

• Google Releases Urgent Chrome Update to Patch 2 Actively Exploited 0-Day Bugs (thehackernews.com)

• Adobe's Surprise Security Bulletin Dominated by Critical Patches | Threatpost

• WordPress Plugin Bug Lets Subscribers Wipe Sites | Threatpost

• Over 1 Million WordPress Sites Affected by OptinMonster Plugin Flaws - Security Affairs

• Cisco SD-WAN Flaw Could Lead To Arbitrary Code Execution, Patch It Now! Security Affairs

Data Breaches/Leaks

• Millions Of Healthcare Records Reportedly Exposed In Mega Data Breach | Techradar

• Location Data Collection Firm Admits Privacy Breach - BBC News

• HIV Scotland Reveals Patient-Advocates' Names In Email Fail • The Register

Organised Crime & Criminal Actors

• Suspected Trickbot Malware Developer Faces 60 Years in Jail - Infosecurity Magazine (infosecurity-magazine.com)

• Reading INTERPOL the African Cyberthreat Assessment Report 2021 - Security Affairs

Dark Web

• Police Arrest 150 Dark Web Vendors Of Illegal Drugs And Guns (Bleepingcomputer.Com)

Supply Chain

• The SolarWinds Hackers Are Looking for Their Next Big Score | WIRED

• North Korean Lazarus Attackers Turn to the IT Supply Chain | Threatpost

• 6 Eye-Opening Statistics About Software Supply Chain Security (darkreading.com)

Nation State Actors

• North Korea-linked Lazarus APT targets the IT supply chainSecurity Affairs

• Microsoft Says Russia Hacked At Least 14 IT Service Providers This Year - The Record By Recorded Future

Other News

• All Sectors Are Now Prey as Cyber Threats Expand Targeting | Threatpost

• Attack The Block – How A Security Researcher Cracked 70% Of Urban WiFi Networks In One Hit | The Daily Swig (Portswigger.Net)

• Microsoft Warns Over Uptick In Password Spraying Attacks | ZDNet

• Increased Risk Tolerances Are Making Digital Transformation Programs Vulnerable - Help Net Security

• MITRE and CISA Publish The 2021 List of Most Common Hardware Weaknesses - Security Affairs

• Enterprises Allocating More IT Dollars on Cybersecurity (darkreading.com)

• Cyber-Attack Hits UK Internet Phone Providers - BBC News

• Despite Spending Millions On Bot Mitigation, 64% Of Organisations Lost Revenue Due To Bot Attacks - Help Net Security

• Threat Actor Leaks Mercedes-Benz Platform’s Source Code | CyberNews

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Many Organisations Lack Basic Cyber Hygiene Despite High Confidence In Their Cyber Defences

A new report released this week analysed IT security leaders’ perceived threat of ransomware attacks and the maturity of their cyber security defences. The report found that while 81% of those surveyed consider their security to be above average or exceptional, many lack basic cyber hygiene – 41% lack a password complexity requirement, one of the cheapest, easiest forms of protection, and only 55.6% have implemented multi-factor authentication (MFA). https://www.helpnetsecurity.com/2021/10/21/organizations-cyber-hygiene/

83% Of Ransomware Victims Paid Ransom

A new survey of 300 US-based IT decision-makers found that 64% have been victims of a ransomware attack in the last 12 months, and 83% of those attack victims paid the ransom demand.

Cybersecurity company ThycoticCentrify released its "2021 State of Ransomware Survey & Report" on Tuesday, featuring the insights of IT leaders who have dealt with ransomware attacks over the last year. https://www.zdnet.com/article/83-of-ransomware-victims-paid-ransom-survey/

Ransomware Affected 72% Of Organisations In Past Year

72% of organisations were affected by ransomware at least once within the past twelve months, with 18% impacted more than six times in the past year. Organizations of all sizes were affected nearly to the same extent, with the exception of those with more than 25,000 employees. https://venturebeat.com/2021/10/20/report-ransomware-affected-72-of-organizations-in-past-year/

Ransomware: Looking For Weaknesses In Your Own Network Is Key To Stopping Attacks

Ransomware is a major cybersecurity threat to organisations around the world, but it's possible to reduce the impact of an attack if you have a thorough understanding of your own network and the correct protections are in place.

While the best form of defence is to stop ransomware infiltrating the network in the first place, thinking about how the network is put together can help slow down or stop the spread of an attack, even if the intruders have successfully breached the perimeter. https://www.zdnet.com/article/ransomware-looking-for-weaknesses-in-your-own-network-is-key-to-stopping-attacks/

A Hacker Warns: Give Up Trying To Keep Me Out — And Focus On Your Data

There is a misconceived notion that the security arena is a battlefield. It is not. It is a chess board and requires foresight and calculated pawn placement to protect the king — your data. If your main focus lies on keeping hackers out of your environment, then it’s already check mate. Your mission should be to buy time, slow hackers down and ultimately contain an attack.

Businesses must therefore make it as hard as possible for adversaries to exploit the relationships that allow them to move laterally through the corporate network. They can do this by distrusting anyone within their data’s environment and repeatedly corroborating that all users are who they say they are, and that they act like it too. That last part is crucial, because while identities are easy to compromise and imitate, behaviours are not. https://www.ft.com/content/93cec8b6-3fe9-4e9e-800a-62e13a0e2eac

Cyber Risk Trends Driving The Surge In Ransomware Incidents

During the COVID-19 crisis, another outbreak took place in the cyber space: a digital pandemic driven by ransomware. In a recent report, Allianz Global Corporate & Specialty (AGCS) analyzes the latest risk developments around ransomware and outlines how companies can strengthen their defenses with good cyber hygiene and IT security practices

The increasing frequency and severity of ransomware incidents is driven by several factors:

·         Growing number of different attack patterns such as double and triple extortion campaigns

·         Criminal business model around ‘ransomware as a service’ and cryptocurrencies

·         Recent skyrocketing of ransom demands

·         Rise of supply chain attacks.

Not all attacks are targeted. Criminals also adopt a scattergun approach to exploit those businesses that aren’t addressing or understanding the vulnerabilities they may have. Businesses must understand the need to strengthen their controls.

Cyber intrusion activity globally jumped 125% in the first half of 2021 compared to the previous year, according to Accenture, with ransomware and extortion operations one of the major contributors behind this increase. According to the FBI, there was a 62% increase in ransomware incidents in the US in the same period that followed an increase of 20% for the full year 2020. https://www.helpnetsecurity.com/2021/10/18/five-ransomware-trends/

US Ransomware Victims Paid $600 Million to Hackers in 1H of 2021

US Ransomware victims coughed up nearly $600 million to cyber hijackers in the first six months of 2021, further stamping cyber extortionists as an “increasing threat” to the U.S. financial, business and public sectors, a recent report released by the Treasury Department said.

Data gathered by the Financial Crimes Enforcement Network (FinCEN) derived from financial institutions’ Suspicious Activity Reports (SARs) revealed that the 635 reports filed for the first six months of this year is already 30 percent greater than the 487 filed for all of last year. Some 458 financial transitions have been reported as of June 30, 2021 with the total value of suspicious activity reported in ransomware-related SARs during the first six months of 2021 amounting to $590 million, or 42 percent more than the $416 million filed for all of 2020. https://www.msspalert.com/cybersecurity-research/victims-paid-600-millon-1h-2021/

Hacking Group Created Fake Cyber Security Companies To Hire Experts And Involve Them In Ransomware Attacks Tricking Them Of Conducting A Pentest

The FIN7 hacking group is attempting to enter in the ransomware business and is doing it with an interesting technique. The gang is creating fake cyber security companies that hire experts requesting them to carry out pen testing attacks under the guise of pentesting activities.

FIN7 is a Russian criminal group that has been active since mid-2015, it focuses on restaurants, gambling, and hospitality industries in the US to harvest financial information that was used in attacks or sold in cybercrime marketplaces.

One of the companies created by the cyber criminal organizations with this purpose is Combi Security, but researchers from Gemini Advisory discovered other similar organizations by analyzing the site of another fake cybersecurity company named Bastion Security. https://securityaffairs.co/wordpress/123673/cyber-crime/fin7-fake-cybersecurity-firm.html

Nearly Three-Quarters of Organisations Victimized by DNS Attacks in Past 12 Months

Domain name system (DNS) attacks are impacting organizations at worrisome rates. According to a new survey from the Neustar International Security Council (NISC) conducted in September 2021, 72% of study participants reported experiencing a DNS attack within the last 12 months. Among those targeted, 61% have seen multiple attacks and 11% said they have been victimized regularly. While one-third of respondents recovered within minutes, 58% saw their businesses disrupted for more than an hour, and 14% took several hours to recover. https://www.darkreading.com/attacks-breaches/nearly-three-quarters-of-organizations-victimized-by-dns-attacks-in-past-12-months

Cyber Crime Matures As Hackers Are Forced To Work Smarter

An analysis of 500 hacking incidents across a wide range of industries has revealed trends that characterize a maturity in the way hacking groups operate today.

Researchers at Kaspersky have focused on the Russian cybercrime underground, which is currently one of the most prolific ecosystems, but many elements in their findings are common denominators for all hackers groups worldwide.

One key finding of the study is that the level of security on office software, web services, email platforms, etc., is getting better, browser vulnerabilities have reduced in numbers, and websites are not as easy to compromise and use as infection vectors today.

This has resulted in making web infections too difficult to pursue for non-sophisticated threat groups.

The case is similar with vulnerabilities, which are fewer and more expensive to discover.

Instead, hacking groups are waiting for a PoC or patch to be released, and then use that information to create their own exploits. https://www.bleepingcomputer.com/news/security/cybercrime-matures-as-hackers-are-forced-to-work-smarter/

Hackers Stealing Browser Cookies to Hijack High-Profile YouTube Accounts

Since at least late 2019, a network of hackers-for-hire have been hijacking the channels of YouTube creators, luring them with bogus collaboration opportunities to broadcast cryptocurrency scams or sell the accounts to the highest bidder.

That's according to a new report published by Google's Threat Analysis Group (TAG), which said it disrupted financially motivated phishing campaigns targeting the video platform with cookie theft malware. The actors behind the infiltration have been attributed to a group of hackers recruited in a Russian-speaking forum. https://thehackernews.com/2021/10/hackers-stealing-browser-cookies-to.html

Threats

Ransomware

• 2021 Ransomware Transactions Already Exceed 2020 Numbers, Treasury Department Says - CyberScoop

• Ransomware: US Financial Institutions Report Major Increase In Payments To Cybercriminals - CNNpolitics

• DarkSide Ransomware Rushes To Cash Out $7 Million In Bitcoin (Bleepingcomputer.Com)

• Gigabyte Allegedly Hit by AvosLocker Ransomware | Threatpost

• Evil Corp Demands $40 Million In New Macaw Ransomware Attacks (Bleepingcomputer.com)

• Olympus US Hack Tied To Sanctioned Russian Ransomware Group | Techcrunch

• 81% of UK Healthcare Organizations Hit by Ransomware in Last Year - Infosecurity Magazine

BEC

• BEC Attacks: Scammers' Latest Tricks - Help Net Security

• Palo Alto Warns of BEC-As-A-Service | ZDNet

Phishing

• This Monster Of A Phishing Campaign Is After Your Passwords | ZDNet

Malware

• Cyber Criminals Have Found A Way To Get Their Malware Certified By Microsoft | Techradar

• Watch Out: ‘Squid Game’ Malware Hits Google Play As Hundreds Of Unofficial Apps Flood Store (forbes.com)

• Minecraft Declared The Most Malware-Infected Game (Hackread.Com)

Mobile

• Experts Hacked A Fully Patched iOS 15 Running On iPhone 13 At Tianfu Cup - Security Affairs

Vulnerabilities

• Update Now! Chrome Fixes More Security Issues - Malwarebytes Labs

• Patch PowerShell Now, Microsoft Tells Admins | TechRadar

• A Flaw In WinRAR Could Lead To Remote Code Execution - Security Affairs

• Injection Vulnerabilities In Popular WordPress Plugin Could Expose Credentials, Allow Admin Access | The Daily Swig (Portswigger.Net)

• SQL Is The Top Critical Risk In The Web Application Layer In Q3, 2021 - IT Security Guru

Data Breaches/Leaks

• Data Scrapers Expose 2.6 Million Instagram and TikTok Users - Infosecurity Magazine

Organised Crime & Criminal Actors

• Criminals Use Fake AI Voice To Swindle UAE Bank Out Of $35m • The Register

Insider Threats

• Most Employees Believe Backing Up Company Data Is Not Their Problem - Help Net Security

Dark Web

• The Dark Web Has Become Darker And Busier, Cyber Crime Services Cost Less Than $500 | Techspot

• Increased Activity Surrounding Stolen Data On The Dark Web - Help Net Security

• The Truth About The Dark Web's Secret Red Rooms (grunge.com)

Supply Chain

• Supply Chain Cybersecurity Breaches Have Hit Alarming Percentage Of Firms: Survey | Fox Business

OT, ICS, IIoT and SCADA

• Shared Responsibility Key to Protecting Critical Infrastructure - Infosecurity Magazine

Nation State Actors

• State-Backed Hackers Breach Telcos With Custom Malware (Bleepingcomputer.Com)

• Suspected Chinese Hackers Behind Attacks On Ten Israeli Hospitals (Bleepingcomputer.Com)

Cloud

• Russian Cyber-Criminals Switch to Cloud - Infosecurity Magazine

Privacy

• Over 80% of Brits Deluged with Scam Calls and Texts - Infosecurity Magazine

• How mobile devices can be tracked via Bluetooth analysis • The Register

• Brave Ditches Google For Its Own Privacy-Centric Search Engine (Bleepingcomputer.Com)

• A Massive ‘Stalkerware’ Leak Puts The Phone Data Of Thousands At Risk | Techcrunch

Reports Published in the Last Week

• Ransomware Report: State of Ransomware Survey & Report (thycotic.com)

Other News

• The Simmering Cybersecurity Risk of Employee Burnout (darkreading.com)

• Acer Hacked Twice In A Week By The Same Threat Actor (Bleepingcomputer.Com)

• Threat Actors Abusing Discord to Spread Malware - Infosecurity Magazine

• Mysterious Hacking Group Is Quietly Breaking Into Global Telecommunications Networks, Research Finds | Sky News

• Hacker Steals Government Id Database For Argentina's Entire Population - The Record By Recorded Future

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

The Human Element Is the Weakest Link

Within the last week, Facebook has become the subject of a whistleblowing campaign featuring thousands of documents alleging malpractice. Despite their size and expected security controls, these documents have been exfiltrated without detection, lending credence to the idea of the insider threat. https://www.darkreading.com/risk/the-human-element-is-the-weakest-link

Ransomware is the Biggest Cyber Threat to Business But Most Firms Still Aren't Ready for It

Ransomware is still the most significant cyber security threat facing organisations – ranging from critical national infrastructure providers and large enterprises to schools and local businesses – but it's a threat that can be countered. https://www.zdnet.com/article/ransomware-is-now-the-most-urgent-cyber-threat-to-business-but-most-firms-arent-ready-for-it/

Most Known Ransomware Targets Windows Devices

Recently conducted research shows that 95% of identified ransomware is targeting Windows machines. Furthermore, the stats show that Israel are submitting by far the most ransomware samples, followed by South Korea, Vietnam, and China, with the UK in 10th place. https://www.theregister.com/2021/10/14/googles_virustotal_malware/

67% of Organisations Have Been Hit by Ransomware at Least Once

A recent report found that two-thirds of surveyed organizations have suffered a ransomware attack, with about half having been hit multiple times, and 16% having been hit three or more times. https://threatpost.com/podcast-67-percent-orgs-ransomware/175339/

Russian Cyber Crime Gang Targets Finance Firms With Stealthy Macros

A new phishing campaign dubbed MirrorBlast is deploying weaponized Excel documents that are extremely difficult to detect to compromise financial service organizations. The most notable feature of MirrorBlast is the low detection rates of the campaign's malicious Excel documents by security software, putting firms that rely solely upon detection tools at high risk. https://www.bleepingcomputer.com/news/security/russian-cybercrime-gang-targets-finance-firms-with-stealthy-macros/  

70% of Businesses Can’t Ensure the Same Level of Protection for Every Endpoint

Recent research found that 86% of UK respondents believe it is not possible to fully prevent ransomware and malware attacks from compromising their organisations. It also found that the rise in the number of endpoints that businesses need to protect continues to be a key source of risk exposure. https://www.helpnetsecurity.com/2021/10/15/endpoint-protection-level/

Over 90% of Firms Suffered Supply Chain Breaches Last Year

A recent survey polled 1200 IT and procurement leaders responsible for supply chain and cyber risk management. Those polled came from global companies with 1,000+ employees and were used to compile its report: Managing Cyber Risk Across the Extended Vendor Ecosystem. The report revealed the average number of breaches experienced in the past 12 months grew from 2.7 in 2020 to 3.7 in 2021 – a 37% year-on-year increase. https://www.infosecurity-magazine.com/news/90-firms-supply-chain-breaches/

Cyber Security Shortcomings Exposed By The Pandemic

According to a survey by SecureAge, 48% of businesses have experienced a cyber breach during the COVID-19 pandemic and another 8% ‘were not sure’. In addition, 16% of employees said they personally had to deal with a cyber security incident during the same period. https://www.helpnetsecurity.com/2021/10/13/cybersecurity-shortcomings/

6 Things to Know About 'Killware,' Cyber Security's Next Big Threat

Threat actors are adopting a “killware” cyber model, which launches attacks on critical infrastructure with the intent to cause harm. Alejandro Mayorkas, secretary for Homeland Security, told USA Today he is worried about killware because it has the potential to kill. Hackers breached a water system in February this year, which was considered an unsuccessful attempt to distribute contaminated water to residents of Florida. "[The] attack was not for financial gain but rather purely to do harm,” he said. https://www.beckershospitalreview.com/cybersecurity/6-things-to-know-about-killware-cybersecurity-s-next-big-threat.html

2021 Nastiest Malware: Here to Stay and Ever Evolving

This year was yet another year with COVID-19 and malware running rampant in the headlines. Be it in person or online, the world is still struggling in the fight against viruses. This year took another turn for the worse when attacks on critical infrastructure and supply chains became a hot trend. https://www.helpnetsecurity.com/2021/10/12/nastiest-malware-2021/

Threats

Ransomware

• Since 2020, At Least 130 Different Ransomware Families Have Been Active

• AWS Ransomware Attacks: Not A Question Of If, But When

• This New Ransomware Encrypts Your Data And Makes Some Nasty Threats, Too

• UK Cyber Head Says Russia Responsible For 'Devastating' Ransomware Attacks

• What Makes AWS Buckets Vulnerable To Ransomware

• The Netherlands Declares War On Ransomware Operations

• Weir Group Suffers 'Sophisticated' Ransomware Attack

• US Ransomware Law Would Require Victims To Disclose Ransom Payments Within 48 Hours

• Ransomware: Cyber Criminals Are Still Exploiting These Old Vulnerabilities, So Patch Now

BEC

• Analyzing Email Services Abused For Business Email Compromise

Phishing

• Human Hacking Increased As Apps And Browsers Moved Completely To The Cloud

• DocuSign Phishing Campaign Targets Low-Ranking Employees

• Phishing Campaign Uses Math Symbols To Evade Detection

Malware

• FreakOut Botnet Now Attacks Vulnerable Video DVR Devices

• FontOnLake Malware Strikes Linux Systems In Targeted Attacks

• Hackers Use Stealthy ShellClient Malware On Aerospace, Telco Firms

Vulnerabilities

• NSA Warns Of Alpaca TLS Attack, Use Of Wildcard TLS Certificates[RP1] 

• October Patch Tuesday: 3 Critical Bulletins Among 71

• Update Your Windows PCs Immediately To Patch New 0-Day Under Active Attack

• Microsoft Fixes Zero-Day Flaw In WIN32 Driver

• Windows Zero-Day Actively Exploited In Widespread Espionage Campaign

• Chinese Hackers Use Windows Zero-Day To Attack Defense, IT Firms

• Apple Releases Urgent iPhone And iPad Updates To Patch New Zero-Day Vulnerability

• Sky.Com Servers Exposed Via Misconfiguration

• Apache Patch Proves Patchy – Now You Need To Patch The Patch

Data Breaches/Leaks

• Data Breach Sees Millions Of Acer Customers' Data Being Sold By Hackers

Organised Crime & Criminal Actors

• Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds

Cryptocurrency/Cryptojacking

• CryptoRom Scam Rakes In $1.4m By Exploiting Apple Enterprise Features

• Hackers Are Hijacking Copy And Paste To Steal Millions Of Dollars In Crypto Currency

Dark Web

• Dark Web: Many Cyber Crime Services Sell For Less Than $500

• What It Costs To Hire A Hacker On The Dark Web

• Warning: 24M Webcam Video Records Up For Grabs On The Dark Web

Supply Chain

• Worldwide Supply Chains Vulnerable As Businesses Lack Visibility Into Suppliers

DoS/DDoS

• Microsoft Says Azure Fended Off What Might Just Be The World's Biggest-Ever DDoS Attack

• Ukrainian Police Arrest DDoS Operator Controlling 100,000 Bots

OT, ICS, IIoT and SCADA

• Critical Infrastructure Security Dubbed 'Abysmal' By Researchers

Nation State Actors

• Google: We're Tracking 270 State-Sponsored Hacker Groups From Over 50 Countries

• Google Sent 50,000 Warnings Of State-Sponsored Attacks In 2021

• How Shape-Shifting Threat Actors Complicate Attack Attribution

• Google Warns Some Users That Fancybear’s Been Prowling Around

• Microsoft: Iran-Linked Hackers Breached Office 365 Customer Accounts

• We’re Not In Competition With China; We’re At War, Argues A Provocative New Book

Privacy

• Amazon's Ring Doorbell Can Violate Your Neighbour’s Privacy, A UK Judge Rules

• Amnesty International Links Cyber Security Firm To Spyware Operation

• Study Reveals Android Phones Constantly Snoop On Their Users

• How Apple Can Read Your Encrypted Messages

Other News

• This Is How Formula 1 Teams Fight Off Cyber Attacks

• Cyber Attack Shuts Down Ecuador's Largest Bank, Banco Pichincha[RP2] 

• 30 Mins Or Less: Rapid Attacks Extort Orgs Without Ransomware

• University Of Sunderland Is Latest To Be Hit By Cyber Attack

• Russia Excluded From 30-Country Meeting To Fight Ransomware And Cyber Crime

• Inside Apple: How MacOS Attacks Are Evolving

• Zero-Day Hunters Seek Laws To Prevent Vendors Suing Them For Helping Out And Doing Their Jobs

• Google To Give Security Keys To ‘High Risk’ Users Targeted By Government Hackers

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.