Threat Intelligence Blog

Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.

Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Advisory 17 July 2023 – Cisco SD-WAN vManage Vulnerable to Remote Unauthenticated Access

Black Arrow Cyber Advisory 17 July 2023 – Cisco SD-WAN vManage Vulnerable to Remote Unauthenticated Access

Executive Summary

A critical vulnerability has been identified and addressed in Cisco's network management software, SD-WAN vManage. The vulnerability allows a remote unauthenticated attacker to gain read or limited write permissions to the configuration of an affected Cisco SD-WAN vManage instance. This vulnerability only affects the REST API and does not affect the web-based management interface or the command line interface.

What’s the risk to me or my business?

A successful exploitation of the critical vulnerability allows a remote unauthenticated threat actor to read sensitive information from the compromised system, modify certain configurations, disrupt network operations. This will compromise the confidentiality, integrity, and availability of data in your organisation.

The following Cisco SD-WAN vManage versions are affected by the vulnerability:

  • v20.6.3.3 – fixed in v20.6.3.4

  • v20.6.4 – fixed in v20.6.4.2

  • v20.6.5 – fixed in v20.6.5.5

  • v20.7 – Migrate to fixed version v20.8 – Migrate to fixed version

  • v20.9 – fixed in v20.9.3.2

  • v20.10 – fixed in v20.10.1.2

  • v20.11 – fixed in v20.11.1.2

What can I do?

There are no workarounds for the critical vulnerability. As such, it is advised that patches are applied immediately. For versions v20.7 and v20.8, Cisco advises customers to migrate to a fixed release. Cisco has given advice on how to reduce the attack surface for this attack, this includes actions such as monitoring logs for the REST API and limiting instances to specified instances. If you are unsure check with your MSP or network team to ensure these are in place.

More information on the Cisco SD-WAN vManage vulnerability can be found here:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-unauthapi-sphCLYPA

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 14 July 2023

Black Arrow Cyber Threat Briefing 14 July 2023:

-Cyber Attacks Are a War We'll Never Win, but We Can Defend Ourselves

-Helping Boards Understand Cyber Risks

-Enterprise Risk Management Should Inform Cyber Risk Strategies

-Law Firms at High Risk of Attack as Ransomware Groups Begin to Focus Attention

-20% of Malware Attacks Bypass Antivirus Protection

-Ransomware Payments and Extortion Spiked Compared to 2022

-AI, Trust, and Data Security are Key Issues for Finance Firms and Their Customers

-Caution: Microsoft Warns of Office Zero-Day Attacks with No Patch Available

-Scam Page Volumes Surge 304% Annually

-Financial Industry Faces Soaring Ransomware Threat

-The Need for Risk-Based Vulnerability Management to Combat Threats

-Government Agencies Breached in Microsoft 365 Email Attacks

-Concerns Raised as Report Questions UK’s “Completely Inadequate” Defence to Threats from China

-Hackers Backed by North Korea have Stolen Billions of Dollars Over the Last Five Years

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Cyber Attacks Are a War We'll Never Win, But We Can Defend Ourselves

The cyber threat landscape is constantly evolving, with hackers becoming more creative in their exploitation of businesses and personal data. As the frequency and sophistication of cyber attacks increase, it's clear that the cyber security war is an endless series of battles that demand constant innovation and vigilance. Recognising the necessity of having built-in security, organisations should integrate security measures into their systems and foster a culture of security awareness.

Acknowledging that breaches are an inevitable risk, an orchestrated team response, well-practiced recovery plan, and effective communication strategy are key to managing crises. Organisations must also invest in proactive security measures, including emerging technologies to spot intrusions early. Ultimately, cyber security isn't just a technical concern, it's a cultural and organisational imperative, requiring the incorporation of security measures into every aspect of an organisation's operations and philosophy.

https://www.darkreading.com/attacks-breaches/cyberattacks-are-a-war-we-ll-never-win-but-we-can-defend-ourselves

  • Helping Boards Understand Cyber Risks

A difference in perspective is a fundamental reason board members and the cyber security team are not always aligned. Board members typically have a much broader view of the organisation’s goals, strategies, and overall risk landscape, where CISOs are responsible for assessing and mitigating cyber security risk.

It’s often a result of the board lacking cyber security expertise among its members, the complexity with understanding the topic and CISOs who focus too heavily on technical language during their discussions with the board which can cause a differing perspective. For organisations to be most effective in their approach to cyber security, they should hire CISOs or vCISOs who wear more than one hat and are able to understand cyber in context to the business. In addition, having cyber expertise on the board will pay dividends; this can be achieved by direct hiring or upskilling of board members.

Black Arrow supports clients as their vCISO or Non-Executive Director (NED) with specialist experience in cyber security risk management in a business context.

https://www.helpnetsecurity.com/2023/07/11/david-christensen-plansource-board-ciso-communication/

  • Enterprise Risk Management Should Inform Cyber Risk Strategies

While executives and boards once viewed cyber security as a primarily technical concern, many now recognise it as a major business issue. A single serious data breach could result in debilitating operational disruptions, financial losses, reputational damage, and regulatory penalties.

Cyber security focuses on protecting digital assets from threats, while enterprise risk management adopts a wider approach, mitigating diverse risks across several domains beyond the digital sphere. Rather than existing in siloes, enterprise risk management and cyber risk management strategies should complement and inform each other. By integrating cyber security into their risk management frameworks, organisations can more efficiently and effectively protect their most valuable digital assets.

https://www.techtarget.com/searchsecurity/tip/Enterprise-risk-management-should-inform-cyber-risk-strategies

  • Law Firms at High Risk of Attack as Ransomware Groups Begin to Focus Attention

Three of the largest US law firms have been newly hit by the Cl0p cyber syndicate as part of dozens of ransomware attacks across industries that so far have affected more than 16 million people. All three law firms feature on Cl0p’s leak site, which lists organisations who Cl0p have breached.

This comes as the UK National Cyber Security (NCSC) noted in a report the threat to the legal sector. Law firms are a particularly attractive target for the depth of sensitive personal information they hold from individuals and companies, plus the dual threat of publishing it publicly should a ransom demand go unmet. In Australia, law firm HWL Ebsworth confirmed several documents relating to its work with several Victorian Government departments and agencies had been released by cyber criminals to the dark web following a data breach announced in April 2023.

The extortion of law firms allows extra opportunities for an attacker, including exploiting opportunities for insider trading, gaining the upper hand in negotiations and litigation, or subverting the course of justice. Based on the above, it is no wonder the Solicitors Regulation Authority (SRA) in the UK found that 75% of the law firms they visited has been a victim of a cyber attack.

https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/cl0p-hackers-hit-three-of-the-biggest-u-s-law-firms-in-large-ransomware-attack/

https://www.helpnetsecurity.com/2023/07/10/law-firm-cyberattack/

  • 20% of Malware Attacks Bypass Antivirus Protection

In the first half of 2023, researchers found that 20% of all recaptured malware logs had an antivirus program installed at the time of successful malware execution. Not only did these solutions not prevent the attack, they also lack the automated ability to protect against any stolen data that can be used in the aftermath.

The researchers found that the common entry points for malware are permitting employees to sync browser data between personal and professional devices (57%), struggling with shadow IT due to employees' unauthorised use of applications and systems (54%), and allowing unmanaged personal or shared devices to access business applications (36%).

Such practices expose organisations to subsequent attacks, like ransomware, resulting from stolen access credentials. Malware detection and quick action on exposures are critical; however, many organisations struggle with response and recovery with many firms failing to have robust incident response plans.

https://www.helpnetsecurity.com/2023/07/13/malware-infections-responses/

  • Ransomware Payments and Extortion Spiked Compared to 2022

A recent report from Chainalysis found that ransomware activity is on track to break previous records, having extorted at least $449.1 million through June. For all of 2022, that number didn’t even reach $500 million. Similarly, a separate report using research statistics from Action Fraud UK, the UK’s national reporting centre for fraud, found cyber extortion cases surged 39% annually.

It’s no wonder both are on the rise, as the commonly used method of encrypting data behind a ransom is being combined with threatening to leak data; this gives bad actors two opportunities to gain payment. With this, the worry about the availability of your data now extends to the confidentiality and integrity of it.

https://www.infosecurity-magazine.com/news/cyber-extortion-cases-surge-39/

https://www.bleepingcomputer.com/news/security/ransomware-payments-on-record-breaking-trajectory-for-2023/

  • AI, Trust, and Data Security are Key Issues for Finance Firms and Their Customers

Business leaders have been warned to expect more instability and uncertainly following on from the unpredictable nature of events during the past few years, from COVID-19 to business restructurings, the Russian invasion of Ukraine and the rise of generative artificial intelligence (AI). A recent report found that customers feel they lack appropriate guidance from their financial providers during times of economic uncertainty; the lack of satisfactory experience and a desire for a better digital experience is causing 25% of customers to switch banks.

The report also found that 23% of customers do not trust AI and 56% are neutral. This deficit in trust can swing in either direction based on how Financial Services Institutions (FSIs) use and deliver AI-powered services. While the benefits of AI are unclear, an increased awareness of personal data security has made trust between providers and customers more crucial than ever. In fact, 78% of customers say they would switch financial service providers if they felt their data was mishandled.

https://www.zdnet.com/article/ai-trust-and-data-security-are-key-issues-for-finance-firms-and-their-customers/

  • Caution: Microsoft Warns of Office Zero-Day Attacks with No Patch Available

Russian spies and cyber criminals are actively exploiting still-unpatched security flaws in Microsoft Windows and Office products, according to an urgent warning from Microsoft. While Microsoft recently released patches for 130 vulnerabilities, including 9 criticals, 6 which are actively being exploited (see our advisory here), a series of remote code execution vulnerabilities were not addressed, and attackers have been actively exploiting them because the patches are not yet available.

An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. All an attacker would have to do is to convince the victim to open the malicious file. Microsoft have stated that a security update may be released out of cycle to address these flaws.

https://www.securityweek.com/microsoft-warns-of-office-zero-day-attacks-no-patch-available/

  • Scam Page Volumes Surge 304% Annually

Security researchers have recorded a 62% year-on-year increase in phishing websites and a 304% surge in scam pages in 2022. The Digital Risk Trends 2023 report classifies phishing as a threat resulting in the theft of personal information and a scam as any attempt to trick a victim into voluntarily handing over money or sensitive information.

It found that the average number of instances in which a brand’s image and logo was appropriated for use in scam campaigns increased 162% YoY, rising to 211% in APAC. Scams are also becoming more automated, as the ever-increasing number of new tools available to would-be cyber criminals has lowered the barrier of entry. We expect to see AI also play a greater role in scams in the future.

https://www.infosecurity-magazine.com/news/scam-page-volumes-surge-304/

  • Financial Industry Faces Soaring Ransomware Threat

The financial industry has been facing a surge in ransomware attacks over the past few years, said cyber security provider SOCRadar in a threat analysis post. This trend started in the first half of 2021, when Trend Micro saw a staggering 1,318% increase in ransomware attacks targeting banks and financial institutions compared to the same period in 2020. Sophos also found that over half (55%) of financial service firms fell victim to at least one ransomware attack in 2021, a 62% increase from 2020.

https://www.infosecurity-magazine.com/news/financial-industry-faces-soaring/

  • The Need for Risk-Based Vulnerability Management to Combat Threats

Cyber attacks are increasing as the number of vulnerabilities found in software has increased by over 50% in the last 5 years. This is a result of unpatched and poorly configured systems as 75% of organisations believe they are vulnerable to a cyber attack due to unpatched software. As vulnerabilities continue to rise and security evolves, it is becoming increasingly apparent that conventional vulnerability management programs are inadequate for managing the expanding attack surface. In comparison, a risk-based strategy enables organisations to assess the level of risk posed by vulnerabilities. This approach allows teams to prioritise vulnerabilities based on their assessed risk levels and remediate those with higher risks, minimising potential attacks in a way that is continuous, and automated.

By enhancing your vulnerability risk management process, you will be able to proactively address potential issues before they escalate and maintain a proactive stance in managing vulnerabilities and cloud security. Through the incorporation of automated threat intelligence risk monitoring, you will be able to identify significant risks before they become exploitable.

https://www.bleepingcomputer.com/news/security/the-need-for-risk-based-vulnerability-management-to-combat-threats/

  • Government Agencies Breached in Microsoft 365 Email Attacks

Microsoft disclosed an attack against customer email accounts that affected US government agencies and led to stolen data. While questions remain about the attacks, Microsoft provided some details in two blog posts on Tuesday, including attribution to a China-based threat actor it tracks as Storm-0558. The month long intrusion began on 15 May and was first reported to Microsoft by a federal civilian executive branch (FCEB) agency in June.

Microsoft said attackers gained access to approximately 25 organisations, including government agencies. While Microsoft has mitigated the attack vector, the US Government Cybersecurity and Infrastructure Security Agency (CISA) was first to initially detect the suspicious activity. The government agency published an advisory that included an attack timeline, technical details and mitigation recommendations. CISA said an FCEB agency discovered suspicious activity in its Microsoft 365 (M365) environment sometime last month.

https://www.techtarget.com/searchsecurity/news/366544735/Microsoft-Government-agencies-breached-in-email-attacks

  • Concerns Raised as Report Questions UK’s “Completely Inadequate” Defence to Threats from China

Britain’s spy watchdog has slammed the UK Government for a “completely inadequate” response to Chinese espionage and interference which risked an “existential threat to liberal democratic systems”. In a bombshell 207 page report, Parliament’s Intelligence and Security Committee issued a series of alarming warnings about how British universities, the nuclear sector, Government and organisations alike were being targeted by China.

https://www.standard.co.uk/news/politics/britain-risk-china-intelligence-security-committee-report-government-b1094118.html

  • Hackers Backed by North Korea have Stolen Billions of Dollars Over the Last Five Years

Hackers have developed a list of sophisticated tricks that allow them to weasel their way into the networks of possible targets, including organisations. Sometimes a North Korean hacker would pose as a recruitment officer to get an employee’s attention. The cyber criminal would then share an infected file with the unsuspecting company employee. This was the case of the famous 2021’s Axie Infinity hack that allowed the North Koreans to steal more than $600 million after one of the game developers was offered a fake job by the hackers.

https://www.pandasecurity.com/en/mediacenter/security/north-korea-stolen-crypto/

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Other Social Engineering; Smishing, Vishing, etc

Artificial Intelligence

2FA/MFA

Malware

Mobile

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Insurance

Dark Web

Supply Chain and Third Parties

Cloud/SaaS

Hybrid/Remote Working

Attack Surface Management

Identity and Access Management

Encryption

API

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Travel

Regulations, Fines and Legislation

Models, Frameworks and Standards

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Misinformation, Disinformation and Propaganda

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare and Cyber Espionage

Russia

China

Iran

North Korea

Vulnerability Management

Vulnerabilities

OT/ICS Vulnerabilities

Tools and Controls

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Advisory 12 July 2023 – Microsoft Patch Tuesday, including 6 actively exploited vulnerabilities, and Adobe Updates

Black Arrow Cyber Advisory 12 July 2023 – Microsoft Patch Tuesday, including 6 actively exploited vulnerabilities, and Adobe Updates

Executive summary

Microsoft’s July 2023 Patch Tuesday provides updates to address 138 security issues across its product range, including six actively exploited zero-day vulnerability. The exploited zero-day vulnerabilities use a range of Microsoft Windows products to bypass security features, elevate privileges and perform remote code execution. Among the updates provided by Microsoft 9 addressed critical vulnerabilities.

What’s the risk to me or my business?

The actively exploited vulnerabilities could allow an attacker with standard user access, to gain elevated privileges, or install kernel drivers, depending on the exploit used. Other risks such as bypassing security features of Microsoft Outlook and performing remote code execution can occur. This could allow an attacker to further compromise the confidentiality, integrity and availability of the organisation’s information assets.

What can I do?

Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the actively exploited vulnerability and all other vulnerabilities.  Other mitigations have been provided by Microsoft and can be found below in the further detail’s section.

Technical Summary

CVE-2023-32046 – The actively exploited vulnerability targets MSHTML Platform which could allow an attacker to elevate their privileges to the rights the user that is running the affected application is.

CVE-2023-32049 – This actively exploited vulnerability targets Windows SmartScreen allowing an attacker to bypass security features including the security warning prompt.

CVE-2023-36874 – This actively exploited vulnerability targets the Windows Error Reporting Service allowing an attacker to elevate privileges allowing them to gain administrator privileges.

CVE-2023-36884 – This actively exploited vulnerability targets the Office and Windows HTML allowing an attacker to perform remote code execution.

CVE-2023-35311 – This actively exploited vulnerability targets Microsoft Outlook and bypasses a security feature however to exploit this an attacker would have to have a user click in a specially crafted link through phishing or social engineering.

ADV230001 – This is a Microsoft signed driver that has been maliciously used in post-exploitation activity which abused a Windows policy loophole to install malicious kernel-mode drivers.

Adobe

This month, Adobe released fixes for 4 vulnerabilities, of which 3 were rated critical across Adobe InDesign and Adobe ColdFusion. At current, Adobe are not aware of any active exploitation of the listed vulnerabilities, however the advice is to update the affected products using their priority rating which can be found in the details below. The vulnerabilities include remote code execution, memory leak and security bypass.

Further details on other specific updates within this patch Tuesday can be found here:

https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2023-patch-tuesday-warns-of-6-zero-days-132-flaws/  

Further details about CVE-2023-32046 can be found here:                     

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32046

Further details about CVE-2023-32049 can be found here: 

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32049

Further details about CVE-2023-36874 can be found here: 

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36874

Further details about CVE-2023-36884 can be found here:                   

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884

Further details about CVE-2023-35311 can be found here:                   

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35311

Further details about ADV230001 can be found here:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV230001

Further details of the vulnerabilities addressed in Adobe InDesign can be found here:

https://helpx.adobe.com/security/products/indesign/apsb23-38.html

Further details of the vulnerabilities addressed in Adobe ColdFusion can be found here:

https://helpx.adobe.com/security/products/coldfusion/apsb23-40.html

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 07 July 2023

Black Arrow Cyber Threat Briefing 07 July 2023:

-Cyber Attacks Against Mobile Devices Growing Fast

-One Third of Security Breaches Go Unnoticed by Security Professionals

-Cyber Security Experts Have Become Targets for Board Seats

-Phishing Attack Prevention as Email Attacks Surge Over 450%

-Outsmarting Business Email Compromise Scammers

-Small Organisations Face Security Threats on a Limited Budget

-Cloud Security: Sometimes the Risks May Outweigh the Rewards

-Cl0p's MOVEit Campaign Represents a New Era in Cyber Attacks

-75% of Consumers Prepared to Ditch Brands Hit by Ransomware

-Scammers Using AI Voice Technology to Commit Crimes

-What are the Causes of Data Loss and What it the Impact on Your Organisation?

-Ransomware Affiliates, Triple Extortion, and the Dark Web Ecosystem

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Cyber Attacks Against Mobile Devices Growing Fast

A rise in mobile-powered businesses is creating vulnerability gaps that are being exploited by cyber criminals and nation-states, according to a new report. 43% of all compromised devices were fully exploited, not just jailbroken or rooted, which is an increase of 187% year-over-year.  The report found that the average user is 6 to 10 times more likely to fall for an SMS phishing attack than an email based attack.

It was also found that there was a 138% increase in critical Android vulnerabilities discovered in 2022, while Apple iOS accounted for 80% of the zero-day vulnerabilities actively being exploited in the wild. With malware increasingly spreading through legitimate channels, such as official marketplaces and ads in popular apps. This is true for both scam apps and dangerous mobile banking malware. For organisations, no matter if they are corporate-owned or part of a BYOD strategy, the need to implement appropriate security controls, and educate end-users about potential threats, is critical.

https://www.msspalert.com/cybersecurity-services-and-products/mobile/cyber-attacks-against-mobile-devices-growing-fast/

https://www.darkreading.com/endpoint/mobile-cyberattacks-soar-andoird-users

  • One Third of Security Breaches Go Unnoticed by Security Professionals

While surface-level confidence around hybrid cloud security is high, with 94% of global respondents stating their security tools and processes provide them with complete visibility and insights into their IT infrastructure, the reality is nearly one third of security breaches are not spotted by IT and security professionals, according to a recent report.

The report highlighted that 50% of IT and security leaders lack confidence when it comes to knowing where their most sensitive data is stored and how it is secured. The issue is that 31% of breaches are being identified later down the line, rather than pre-emptively using security and observability tools either by data appearing on the dark web, files becoming inaccessible, or users experiencing slow application performance (likely due to DoS or inflight exfiltration). This number rises to 48% in the US, and 52% in Australia.

https://www.helpnetsecurity.com/2023/07/03/hybrid-cloud-security-breaches/

  • Cyber Security Experts Have Become Targets for Board Seats

The need for strong cyber security programs is a vital part of doing business today, and a good reflection of that is adding security executives to Boards. The trend is for chief information security officers (CISOs) to be elevated to the board of directors, as risk and regulatory compliance become more visible in an organisation, many of the initiatives and controls will be security related, addressing those controls usually falls to the CISO.

The research also showed that 90% of public companies lack even one qualified cyber expert, showing a significant cyber board supply-demand gap. With only 15% of CISOs have broader traits required for board level positions, such as a holistic understanding of the business, a global perspective and ability to navigate a range of stakeholders, with another 33% having a subset of those necessary traits.

CISOs are hard to come by and few have the requisite Board level experience. To fill this gap Black Arrow provide a virtual CISO (vCISO) where you get a whole team of highly skilled and experienced professionals for less than you would pay for one permanent resource, and firms can also take advantage of Black Arrow’s Cyber NED, incorporating Board, Governance, Finance, HR and Risk experience with specialist cyber expertise and experience.

https://www.cnbc.com/2023/07/03/cybersecurity-experts-have-become-targets-for-board-seats.html

  • Phishing Attack Prevention as Email Attacks Surge Over 450%

A Recent report found that email attacks had surged 464% this year compared to the previous year as phishing attacks remain amongst the most used tactics by attackers due to their high success rate and the ease in which they can be conducted. For preventing such attacks, the following principles will help mitigate: not clicking on unknown links, not trusting unknown sites, enabling multi-factor authentication, hardly disclosing personal information and having increased phishing awareness.

In an organisation, such awareness and principles can be highlighted and continually reinforced through having an effective awareness training programme. This in turn, will help to create a cyber aware culture and reduce the risk of someone in the organisation falling victim to phishing.

https://cybersecuritynews.com/phishing-attack-prevention-checklist/

https://www.msspalert.com/cybersecurity-research/email-cyberattacks-spiked-nearly-500-in-first-half-of-2023-acronis-reports/

  • Outsmarting Business Email Compromise (BEC) Scammers

Last year the FBI registered over 21,000 complaints about business email fraud, with adjusted losses of over $2.7 billion. Today this line of attack shows no sign of slowing down. Business email compromise (BEC) techniques are increasingly sophisticated and cyber crime-as-a-service (CaaS) along with AI have lowered the barrier to entry for threat actors.

There are six key elements which can help to mitigate the impact of BEC, these are; inbox protection, strong authentication, secure emails, zero-trust control, secure payment processes and education. Putting the brakes on this con game takes the entire organisation, from the C-suite and IT, compliance, and risk management teams to every business unit. Awareness, backed by policy and technology, is the crucial factor in a consistently strong defence.

https://www.darkreading.com/microsoft/6-steps-to-outsmarting-business-email-compromise-scammers

  • Small Organisations Face Security Threats on a Limited Budget

Small organisations face the same security threats as larger organisations overall but have less resources to address them. The most common security incidents faced are phishing, ransomware, and user account compromise also known as business email compromise (BEC). However, smaller organisations usually have fewer resources and experience with which to address security threats. Indeed, lack of budget is their top security challenge, reported by one in two small companies.

The lack of budget won’t stop a threat actor from attacking however, and so small organisations need to be able to effectively identify, prioritise and mitigate against security incidents. This may require small organisations outsourcing some of their cyber strategy, to allow them access to expertise.

https://www.helpnetsecurity.com/2023/07/05/small-organizations-security-threats/

  • Cloud Security: Sometimes the Risks May Outweigh the Rewards

Threat actors are well-aware of the vulnerabilities in the cloud infrastructure. IT teams and decision-leadersmakers must have a clear understanding of the types of cloud services and the associated risk of cyber attacks associated. Around two in five (39%) businesses experienced a data breach in their cloud environment in 2022, a rise of 4% compared with 2021, a new report has found. The leading cause of cloud data breaches was human error, at 55%, according to the report. This was significantly above the next highest factor identified by respondents (21%), which was exploitation of vulnerabilities.

Other issues can arise from the cloud as it gives organisations the opportunity to create large amounts of infrastructure quickly and easily, which leaves it exposed to the possibility of substandard security configurations being applied to it. Due to the ease of use of cloud services, companies might become negligent in terms of their security.

https://cyber-reports.com/2023/07/03/cloud-security-sometimes-the-risks-may-outweigh-the-rewards/

https://www.infosecurity-magazine.com/news/human-error-cloud-data-breaches/

  • Cl0p's MOVEit Campaign Represents a New Era in Cyber Attacks

A number of organisations impacted by the mass hacks exploiting a security flaw in the MOVEit file transfer tool, including energy giant Shell and US-based First Merchants Bank, have confirmed that hackers accessed sensitive data. The ransomware group shows an evolution of its tactics with the MOVEit zero-day, potentially ushering in a new normal when it comes to extortion supply chain cyber attacks, experts say.

From what the industry has seen in recent Cl0p breaches, GoAnywhere, MFT and MOVEit, they have not executed ransomware to encrypt data within the target environments. The operations have strictly been exfiltrating data and using that stolen information for later blackmail and extortion. The MOVEit vulnerability isn't an easy or straightforward one, it required extensive research into the MOVEit platform to discover, understand, and exploit this vulnerability. The skill set required to uncover and exploit this vulnerability isn't easily learned and is hard to come by in the industry. This operation isn't something Cl0p ransomware group usually does, which is another clue leading to suspect Cl0p acquired the MOVEit zero-day vulnerability rather than developing it from scratch. Something future groups may decide to adopt.

https://www.darkreading.com/attacks-breaches/c10p-moveit-campaign-new-era-cyberattacks

https://techcrunch.com/2023/07/06/more-organizations-confirm-moveit-related-breaches-as-hackers-claim-to-publish-stolen-data

  • 75% of Consumers Prepared to Ditch Brands Hit by Ransomware

As 40% of consumers harbour scepticism regarding organisations’ data protection capabilities, 75% would shift to alternate companies following a ransomware attack a recent report found. Furthermore, consumers request increased data protection from vendors, with 55% favouring companies with comprehensive data protection measures such as reliable backup and recovery, password protection, and identity and access management strategies.

While 37% of Gen Z prefers an apology from companies experiencing a ransomware attack, ranking 12% higher than monetary compensation, Baby Boomers are less forgiving. 74% of them agree their trust in the vendor is irreparably damaged after suffering more than one ransomware attack, compared to only 34% of Gen Z.

https://www.helpnetsecurity.com/2023/07/05/consumers-data-protection-request/

  • Scammers Using AI Voice Technology to Commit Crimes

The usage of platforms like Cash App, Zelle, and Venmo for peer-to-peer payments has experienced a significant surge, with scams increasing by over 58%. Additionally, there has been a corresponding rise of 44% in scams stemming from the theft of personal documents according to a recent report.

The report also highlights the rise of AI voice scams as a significant trend in 2023. AI voice technology enables scammers to create remarkably realistic voices and convincingly imitate family members, friends and other trusted individuals. With just a short voice clip usually taken from social media, a scammer can clone a loved one’s voice and call a victim pretending to be that person. The scammer deceives the victim into thinking their loved one is in distress to get them to send money, provide personal information or perform other actions. AI voice technology has gotten to the point where a mother can’t tell the difference between her child’s voice and a machine, and scammers have pounced on this to commit crimes.

https://www.helpnetsecurity.com/2023/07/07/ai-voice-cloning-scams/

  • What are the Causes of Data Loss and What it the Impact on Your Organisation?

In today’s digital age, data has become the lifeblood of organisations, driving critical decision-making, improving operational efficiency, and allowing for smoother innovation. Simply put, businesses heavily rely on data. In an era where data has become the cornerstone of business operations, the loss of vital information can result in severe setbacks and irreparable damage. Whether it’s due to accidental deletion, hardware failure, cyber-attacks, or natural disasters, the loss of valuable data can have devastating impacts on an organisation.

It's imperative that businesses understand different types of data (structured, unstructured, semi-structured, metadata) and deploy tailored protection strategies. A significant 26% of companies suffered data loss in 2022, underlining the need for robust data security measures like regular backups, cyber security protocols, employee training, and data encryption. Effective data loss prevention can shield organisations from severe impacts like intellectual property theft, operation disruption, and legal repercussions.

https://securityaffairs.com/148086/security/impacts-of-data-loss.html

  • Ransomware Affiliates, Triple Extortion, and the Dark Web Ecosystem

Many people associate the dark web with drugs, crime, and leaked credentials, but in recent years the dark web has emerged as a complex and interdependent cyber crime ecosystem, exemplified by the increasingly complex methods used to extort companies.

One of the more recent trends we see is that groups are now setting up infrastructure, in some cases outsourcing actual infection (and in some cases negotiation) to “affiliates” who effectively act as contractors to the Ransomware as a Service (RaaS) group and split the profits at the end of a successful attacks. The world of cyber crime is ever-evolving and it is no easy task to stay on top of the changing landscape.

https://www.bleepingcomputer.com/news/security/ransomware-affiliates-triple-extortion-and-the-dark-web-ecosystem/

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

BEC – Business Email Compromise

Other Social Engineering; Smishing, Vishing, etc

Artificial Intelligence

Malware

Mobile

Botnets

Denial of Service/DoS/DDOS

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Deepfakes

AML/CFT/Sanctions

Insurance

Dark Web

Supply Chain and Third Parties

Software Supply Chain

Cloud/SaaS

Attack Surface Management

Encryption

API

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Malvertising

Training, Education and Awareness

Regulations, Fines and Legislation

Models, Frameworks and Standards

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Advisory – 06 July 2023 – Microsoft Teams Vulnerability Allows Malware Delivery from External Accounts

Black Arrow Cyber Advisory – 06 July 2023 – Microsoft Teams Vulnerability Allows Malware Delivery from External Accounts

Executive Summary

A vulnerability has been discovered in Microsoft Teams, which allows malicious actors to circumvent the application's built-in restrictions for files originating from external sources. The ‘TeamsPhisher’ application which has been developed by the US Navy’s Red Team which is freely available, takes advantage of this technique to easily allow an attacker to send a malicious attachment to a targeted set of Teams users. Exploiting this vulnerability enables attackers to distribute malware to users using accounts that are external to a targets Microsoft Tennant, posing significant risks to individuals and businesses.

What’s the risk to me or my business?

Exploiting this vulnerability enables malicious actors to engage in social engineering and phishing attacks by leveraging Microsoft Teams as a communication platform. Furthermore, it bypasses all built-in security restrictions, allowing the delivery of malicious payloads directly to users' inboxes. Clicking or launching these payloads can grant attackers further access to your systems, compromising the confidentiality, integrity, and availability of your organization's data.

What can I do?

At this time Microsoft has not yet issued a fix to this problem but has provided the following statement to ‘Bleeping Computer’: “We’re aware of this report and have determined that it relies on social engineering to be successful.

We encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.”

To mitigate the risk, it is advised that you turn off communication with external tenants. However if this is not possible due to needing to regularly communicate with clients it is advised to change the security settings to only whitelist certain required domains. Both actions can be done in Microsoft Teams Admin Center > External Access. It is important to emphasise within your organisation that phishing attacks can happen in various forms, other than emails. Therefore, it is essential to maintain constant vigilance in all aspects of online communication. 

 More information on the Microsoft Teams Phishing can be found here:

https://labs.jumpsec.com/advisory-idor-in-microsoft-teams-allows-for-external-tenants-to-introduce-malware/

https://github.com/Octoberfest7/TeamsPhisher

https://www.bleepingcomputer.com/news/security/new-tool-exploits-microsoft-teams-bug-to-send-malware-to-users/

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Insight 06 July 2023 – NHS Trust Breached, Personal Information Leaked

Black Arrow Cyber Insight 06 July 2023 – NHS Trust Breached, Personal Information Leaked

Executive Summary

Last weekend, Barts Health NHS trust was breached in a cyber attack, with Russian-linked cyber crime gang ALPHV, also known as BlackCat. The attackers claimed to have acquired seven terabytes of internal documents from the trusts’ systems.  A selection of files including copies of driving licenses, passports and correspondence have already been leaked. It is believed that more is to come. This comes after other recent cyber attacks, such as the MOVEit hack, which has impacted over 130 organisations and 15 million individuals.

What’s the risk to me or my business?

The availability of such detailed personal information poses an increased risk of threat actors exploiting it for phishing purposes, and also increases the likelihood that the information could be used for identity fraud. With access data such as previous email chains with an individual, phishing attacks can appear more authentic as responses to legitimate requests, making them more likely to succeed.

What can I do?

To help mitigate the risk, Black Arrow strongly recommend maintaining a high level of vigilance and awareness. It is crucial to understand that the presence of personal or confidential information alone does not guarantee authenticity. Take the time to double-check any suspicious communication or requests before sharing sensitive information. By remaining cautious and verifying the legitimacy of any unexpected or unusual messages, you can reduce the likelihood of falling victim to phishing attacks. It is also recommended that individuals monitor their own personal accounts for suspicious activity including the information stored with credit unions such as Equifax and Transunion to identify potential cases of identity theft.

More information on the NHS Breach can be found here: https://www.telegraph.co.uk/news/2023/06/30/russia-may-have-hacked-nhs-trust-with-two-million-patients/

More information on the MOVEit attack can be found here: https://www.securityweek.com/over-130-organizations-millions-of-individuals-believed-to-be-impacted-by-moveit-hack/

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 30 June 2023

Black Arrow Cyber Threat Briefing 30 June 2023:

-Zurich Insurance Group Secures Data Leak After Leaving Sensitive Data Publicly Accessible

-Employees Worry Less About Cyber Security Best Practices in the Summer

-Businesses are Ignoring Third-Party Security Risks

-Fear Trumps Anger When It Comes to Data Breaches – Angry Customers Vent, But Fearful Customers Don’t Come Back

-Over 130 Organisations and Millions of Individuals Believed to Be Impacted by MOVEit Hack, it Keeps Growing

-Widespread BEC Attacks Threaten European Organisations

-Lloyd’s Syndicates Sued Over Cyber Insurance

-95% Fear Inadequate Cloud Security Detection and Response

-The Growing Use of Generative AI and the Security Risks They Pose

-The CISO’s Toolkit Must Include Political Capital Within The C-Suite

-Microsoft Warns of Widescale Credential Stealing Attacks by Russian Hackers as War Ministers Reliant on Cyber Crime

-SMBs Plagued by Exploits, Trojans and Backdoors

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Zurich Insurance Group Secures Data Leak After Leaving Sensitive Data Publicly Accessible

Zurich Insurance Group is a major player in the insurance game, with over 55 million clients. They have recently just fixed a sensitive file that they had left publicly accessible. The file in question contained a range of credentials including database credentials, admin credentials, credentials for the actively exploited MOVEit software, credentials for their HR system and more. All of which could be utilised by threat actors to inflict serious damage. This was not the only vulnerability stemming from the insurance group; researchers found that Zurich were also running an outdated website, which contained a large number of vulnerabilities.

The case is alarming as Zurich Insurance Group provides cyber insurance and the instance above reinforces the need for organisations to be proactive in identifying cyber risks in their environment; it is simply not enough to rely on having insurance or meeting insurance requirements.

https://cybernews.com/zurich-insurance-data-leak/

  • Employees Worry Less About Cyber Security Best Practices in the Summer

IT teams are struggling to monitor and enforce BYOD (Bring Your Own Device) policies during summer months according to a new report. The report found that 55% of employees admitted to relying solely on their mobile devices while working remotely in the summer. 25% of all respondents claim that they aren’t concerned about ensuring network connections are secure when accessing their company’s data.

In the same report, 45% of employees in the US and UK said no specific measures to educate and remind employees on security best practices are taken during the summer, with only 24% of UK respondents receiving access to online cyber security training and guides and even less (17%) in the US. This comes as a separate report found that the number of phishing sites targeting mobile devices increased from 75% to 80% year-on-year in 2022, and this is likely to continue rising. Worryingly, it was also found that the average user is between six and ten times more likely to fall for an SMS phishing attack than email.

https://www.helpnetsecurity.com/2023/06/30/summer-byod-policies/

https://www.infosecurity-magazine.com/news/mobile-malware-and-phishing-surge/

  • Businesses are Ignoring Third-Party Security Risks

With 58% of companies managing over 100 vendors, 8% of which manage over 1,000, the need for a robust Third-Party Security Risk Management process becomes abundantly clear. Despite this, only 13% of organisations continuously monitor the security risks of their third parties. This is worrying, when considering the knock-on effects of third party breaches from the likes of Capita, SolarWinds and 3CX, and the recent MOVEit attack, impacting organisations whose only relationship with MOVEit was that their supplier used it.

https://www.helpnetsecurity.com/2023/06/30/third-party-relationships-risks/

  • Fear Trumps Anger When It Comes to Data Breaches – Angry Customers Vent, But Fearful Customers Don’t Come Back

When a person is notified of a data breach involving their personal information, if they react with a feeling of fear, as opposed to anger, they’re more likely to stop using the site. A report found that positive attitudes toward the website before the breach did not meaningfully affect whether consumers reengaged with the website after the breach, as some prior research has indicated. Instead, the emotional response of fear weighed heavily on customers and outweighed any earlier positive sentiment towards the organisation.

When a company has been breached in the past they have dealt with angry customers and negative press. To do so, companies may engage crisis managers to contain the damage, partner with identity protection services, pay fines or settlements, or try to lure back customers with free services. However, the study shows that companies need to address fearful customers differently after a data breach has occurred if they want to avoid customer loss. To do this, companies can work with their IT departments to identify customers who are no longer active after a breach and then reach out to them directly to assuage their fears.

https://theconversation.com/fear-trumps-anger-when-it-comes-to-data-breaches-angry-customers-vent-but-fearful-customers-dont-come-back-203109

  • Over 130 Organisations and Millions of Individuals Believed to be Impacted by MOVEit Hack, it Keeps Growing

The dramatic fallout continues in the mass exploitation of a critical vulnerability in a widely used file-transfer program, with at least three new victims coming to light in the past few days. They include the New York City Department of Education and energy companies Schneider Electric and Siemens Electric. These join others, including PwC, Sony and EY. If the attack has shown us one thing, it’s that any organisation can be a victim.

https://www.securityweek.com/over-130-organizations-millions-of-individuals-believed-to-be-impacted-by-moveit-hack/

https://arstechnica.com/security/2023/06/casualties-keep-growing-in-this-months-mass-exploitation-of-moveit-0-day/

  • Widespread BEC Attacks Threaten European Organisations

Based on an analysis of email attack trends between June 2022 and May 2023, total email attacks in Europe increased by 7 times and the US 5 times. For business email compromise (BEC) specifically, Europe saw an alarming 10 times the amount it had previously and the US saw a 2 times increase.

BEC continues to remain a high priority threat for many organisations and if someone already has a legitimate business email which they have compromised to use for BEC attacks on your organisation, it is very likely that your technical processes will be ineffective, leaving your people and operational processes to stop an attack. Is your organisation cyber aware? Are they undergoing regular awareness training?

This is one of many areas that Black Arrow can help improve your organisation’s security through robust employee cyber security Awareness Behaviour and Culture training.

https://www.helpnetsecurity.com/2023/06/27/bec-attacks-frequency/

  • Lloyd’s Syndicates Sued Over Cyber Insurance

The University of California (UCLA) is suing a number of insurance firms for refusing to pay out on cyber policies nearly 10 years after hackers breached data on millions of patients at its health system. The dispute is over a cyber attack from 2014 through 2015 that exposed personal information of patients at UCLA Health.

UCLA Health allege that the syndicates refused to engage in dispute resolution by asserting that the statue of limitations applying to the claims had expired. The insurers, who could not be named, are said to have refused every claim saying that UCLA Health failed to satisfy cyber security requirements under the contract terms. It’s important for organisations with cyber insurance to understand their insurance in detail and to know where they stand in the event of a cyber incident.

https://www.wsj.com/articles/university-of-california-sues-lloyds-syndicates-over-cyber-insurance-da4675f5

  • 95% Fear Inadequate Cloud Security Detection and Response

A recent report found 95% of respondents expressed concern in their organisation’s ability to detect and respond to a security event in their cloud environment. The same study also found that 50% of total respondents had reported a data breach due to unauthorised access to their cloud environment.

It is often the case that issues in the cloud come from the perception of the responsibility of the cloud environment. Organisations must realise that they share responsibility for securing their cloud environment, including its configuration. The report found that, despite the number of breaches and concerns in their organisation’s ability, more than 80% of respondents still felt their existing tooling and configuration would sufficiently cover their organisation from an attack. Organisations must ask themselves what they are doing to protect their cloud environment.

https://www.helpnetsecurity.com/2023/06/27/cloud-environment-security/

  • The Growing Use of Generative AI and the Security Risks They Pose

A recent survey by Malwarebytes revealed 81% of people are concerned about the security risks posed by ChatGPT and generative AI, and 52% of respondents are calling for a pause on ChatGPT for regulations to catch up, while 7% think it will improve internet security. A key concern about the data produced by generative AI platforms is the risk of "hallucinations" whereby machine learning models produce untruths. This becomes a serious issue for organisations if its content is heavily relied upon to make decisions, particularly those relating to threat detection and response.

Another recent report on the risks brought by Large Language Model AIs showed that the rise in opensource AI adoption is developed insecurely; this results in an increased threat with substantial security risks to organisation.

https://www.csoonline.com/article/643516/survey-reveals-mass-concern-over-generative-ai-security-risks.html

https://www.darkreading.com/operations/malwarebytes-chatgpt-survey-reveals-81-are-concerned-by-generative-ai-security-risks

https://www.darkreading.com/vulnerabilities-threats/generative-ai-projects-cybersecurity-risks-enterprises

  • The CISO’s Toolkit Must Include Political Capital Within The C-Suite

Over the past 18 months, there has been a sea change in the chief information security officer (CISO) role. Fundamentally, the CISO is responsible for the protection of an entity's information. The US Securities and Exchange Commission (SEC) has issued a proposed rule change on cyber security risk management, strategy, governance, and incident response disclosure by public companies that requires publicly traded companies to provide evidence of the board's oversight of cyber security risk. Couple this with the former CISO of Uber being found guilty on charges of "obstruction of the proceedings of the Federal Trade Commission" and it is clear that the hand at the helm must be able to navigate all types of seas in their entity's political milieu. In this regard, the CISO needs to acquire political capital. CISO’s should have the capability to talk in understandable terms and clearly demonstrate value to the other board members.

https://www.csoonline.com/article/643199/the-cisos-toolkit-must-include-political-capital-within-the-c-suite.html

  • Microsoft Warns of Widescale Credential Stealing Attacks by Russian Hackers as War Ministers Reliant on Cyber Crime

Russia's diminishing position on the world stage has limited its physical options on the ground, leaving Putin's regime increasingly reliant on cyber crime to carry out its oppositional activities against Ukraine and Europe. Microsoft has disclosed that it has detected a spike in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard.

This comes as Switzerland's Federal Intelligence Service (FIS) released its 2023 security assessment, predicting that Russia will increasingly launch cyber attacks as part of its war strategy not just in Ukraine, but against NATO member states as well.

https://www.darkreading.com/threat-intelligence/russia-reliant-on-cybercrime-as-international-pariah

https://thehackernews.com/2023/06/microsoft-warns-of-widescale-credential.html

  • SMB’s Plagued as Cyber Attackers Still Rely on Decades Old Security Weaknesses and Tactics

Despite best cyber security efforts, small and mid-sized businesses (SMBs) continue to struggle to thwart attacks and harden defences in response to remote working and other newer challenges.

This future focus can lead to a neglection of older weaknesses. Cyber attackers are typically relying on tried-and-tested tactics and old security weaknesses to target organisations, a recent Barracuda threat spotlight found. Hackers are returning to proven methods to gain remote control of systems, install malware, steal information and disrupt or disable business operations through denial-of-service attacks, Barracuda reports. The report found that between February to April 2023, the top malicious tactics found to be used were vulnerabilities from 2008.

The report highlights the fact that there are no cutoff dates for vulnerabilities and attackers will use whatever is at their disposal to try and infiltrate your organisation. This can be protected by having strong policies and controls in place alongside frequent penetration testing to ensure these vulnerabilities are being patched.

https://www.msspalert.com/cybersecurity-research/cyberattackers-still-rely-on-decades-old-security-weaknesses-tactics-barracuda-reports/

https://www.scmagazine.com/news/malware/smbs-plagued-by-exploits-trojans-and-backdoors

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

BEC – Business Email Compromise

Other Social Engineering; Smishing, Vishing, etc

Artificial Intelligence

2FA/MFA

Malware

Mobile

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Deepfakes

Insurance

Dark Web

Supply Chain and Third Parties

Cloud/SaaS

Identity and Access Management

Encryption

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Travel

Cyber Bullying, Cyber Stalking and Sextortion

Regulations, Fines and Legislation

Models, Frameworks and Standards

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare and Cyber Espionage

Russia

China

Iran

North Korea

Misc/Other/Unknown

Vulnerability Management

Vulnerabilities

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Advisory - 26 June 2023 – Organisations Urged to Address Critical Vulnerability Found in Fortinet’s FortiNAC Products

Black Arrow Cyber Advisory - 26 June 2023 – Organisations Urged to Address Critical Vulnerability Found in Fortinet’s FortiNAC Products

Executive summary

A critical vulnerability has been identified and addressed in Fortinet FortiNAC products. Fortinet’s FortiNAC is a network access control solution and successful exploitation of the critical vulnerability allows a threat actor to remotely execute code without requiring authentication. In addition, another vulnerability which allowed improper local access in FortiNAC has been addressed.

What’s the risk to me or my business?

The vulnerabilities, if exploited, could allow an attacker to remotely execute code as well as copy local files. Both of which compromise the confidentiality, integrity and availability of data in your organisation.

Technical Summary

CVE-2023-33299– This critical vulnerability is an untrusted object deserialization, allowing an unauthenticated user to execute code or commands via specifically crafted requests.

CVE-2023-33300- This vulnerability allows an unauthenticated attacker to copy local files to other local folders of a device, through specially crafted input fields. It requires local access.

What can I do?

There is no mitigation advice for the critical vulnerability (CVE-2023-33299). As such, customers are urged to immediately upgrade their FortiNAC version depending on the affected product in use. There is no upgrade available for any FortiNAC products running version 8.x. The other vulnerability, CVE-2023-33300, requires users on affected versions to upgrade to 9.4.4 or above or 7.2.2 or above.

Affected products for the critical vulnerability and their patches include:

FortiNAC version 9.4.0 through 9.4.2 upgrade to 9.4.3 or above

FortiNAC version 9.2.0 through 9.2.7 upgrade to 9.2.8 or above

FortiNAC version 9.1.0 through 9.1.9 upgrade to 9.1.10 or above

FortiNAC version 7.2.0 through 7.2.1 upgrade to 7.2.2 or above

FortiNAC 8.8 all versions

FortiNAC 8.7 all versions

FortiNAC 8.6 all versions

FortiNAC 8.5 all versions

FortiNAC 8.3 all versions

Affected products for CVE-2023-33300 include:

FortiNAC 9.4.0 through 9.4.3 upgrade to 9.4.4. or above

FortiNAC 7.2.0 through 7.2.1 upgrade to 7.2.2 or above

Further details on Fortinet’s advisories for the critical vulnerability can be found here:

https://www.fortiguard.com/psirt/FG-IR-23-074

Further details on Fortinet’s advisory for CVE-2023-33300 can be found here

https://www.fortiguard.com/psirt/FG-IR-23-096

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 23rd June 2023

Black Arrow Cyber Threat Briefing 23 June 2023:

-How the MOVEit Breach Shows Hackers' Interest in Corporate File Transfer Tools

-Attackers Discovering Exposed Cloud Assets Within Minutes

-Majority of Users Neglect Best Password Practices

-One in Three Workers Susceptible to Phishing

-Ransomware Misconceptions Abound, to the Benefit of Attackers

-Threat Actors Scale and Commoditise Uncommon Tools and Techniques

-Goodbyes are Difficult, IT Offboarding Processes Make Them Harder

-Security Budget Hikes are Missing the Mark, CISOs Say

-Understanding Cyber Resilience: Building a Holistic Approach to Cyber Security

-Emerging Ransomware Group 8Base Releasing Data on SMBs Globally

-Cyber Security Industry Still Fighting to Recruit and Retain Talent

-Financial Firms to Build Resilience in Face of Growing Cyber-Threats

-Fulfilling Expected SEC Requirements for Cyber Security Expertise at Board Level

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Cyber Security Industry Still Fighting to Recruit and Retain Talent

Cyber security teams are struggling to find the right talent, with the right skills, and to retain experienced employees. The situation is only likely to worsen, as inflation and a tight labour market push up wages. Universities produce graduates with a strong focus on technical knowledge, but not always the broader skills they need to operate in a business environment. This includes the lack of communications skills, understanding of how businesses operate and even emotional intelligence. One solution is to outsource to a corporate cyber security provider or outsource to infill shortages whilst trying to recruit permanent staff.

https://www.infosecurity-magazine.com/news/cybersecurity-industry-recruit/

  • How the MOVEit Breach Shows Hackers' Interest in Corporate File Transfer Tools

The world of managed file transfer (MFT) software has become a lucrative target for ransom-seeking hackers, with significant breaches including those of Accellion Inc's File Transfer Appliance in 2021 and Fortra's GoAnywhere MFT earlier this year. These MFT programs, corporate versions of popular file sharing programs like Dropbox or WeTransfer, are highly desirable to hackers for the sensitive data they often transfer between organisations and partners. The recent mass compromise tied to Progress Software Corp's MOVEit transfer product has prompted governments and companies worldwide to scramble in response.

Hackers are shifting their tactics, with an increasing focus on MFT programs which typically face the open internet, making them more vulnerable to breaches. Once inside these file transfer points, hackers have direct access to a wealth of data. In addition, there's a noticeable shift from ransomware groups encrypting a company's network and demanding payment to unscramble it, to a simpler tactic of pure extortion by threatening to leak the data.

https://www.reuters.com/technology/how-moveit-breach-shows-hackers-interest-corporate-file-transfer-tools-2023-06-16/

  • Attackers Discovering Exposed Cloud Assets within Minutes

The shift to cloud services, increased remote work, and reliance on third-parties has led to widespread use of Software-as-a-Service (SaaS) applications. This has also opened avenues for attackers to exploit weak security configurations and identities. Over the past year, attackers have intercepted authorisation tokens, bypassed multifactor authentication, and exploited misconfigured systems, targeting critical applications like GitHub, Microsoft 365, Google Workspace, Slack, and Okta. A study revealed alarmingly fast rates of breach discovery and compromise of exposed cloud assets, with assets being discovered within as little as two minutes for some and others within an hour.

https://www.techtarget.com/searchsecurity/news/366542352/Attackers-discovering-exposed-cloud-assets-within-minutes

https://www.darkreading.com/dr-tech/growing-saas-usage-means-larger-attack-surface

  • Majority of Users Neglect Best Password Practices

The latest Password Management Report by Keeper Security has shed light on the concerning state of password security practices. The survey found that only 25% of respondents used solid and unique passwords. In comparison, 34% admitted to using repeat variations of passwords, and 30% still relied on simple and easily guessable passwords. The survey also found that 44% of individuals who claimed to have well-managed passwords still admitted to using repeated variations, while 20% acknowledged having had at least one password involved in a data breach or available on the dark web. The document also revealed that 35% of respondents feel overwhelmed when it comes to improving their cyber security. Furthermore, 10% admitted to neglecting password management altogether. More generally, Keeper Security said the survey’s findings highlight a significant gap between perception and reality regarding password security.

https://www.infosecurity-magazine.com/news/users-neglect-best-password/

  • One in Three Workers Susceptible to Phishing

More than one in three workers in the UK and Ireland are susceptible to falling for phishing attacks, according to the new 2023 Phishing by Industry Benchmarking Report by KnowBe4. The study found that 35% of users who had received no security training were prone to clicking on suspicious links or engaging in fraudulent actions. Regular training and continual reinforcement can get this figure down but even with training very few organisations ever get click rates down to zero, and you only need one person to click to cause potentially devastating consequences.

Globally, ransomware was responsible for 24% of all data breaches in 2023, with human error accounting for 74% of these incidents. Phishing attacks can often lead to significant reputational damage, financial loss and disruption to business operations.

https://www.infosecurity-magazine.com/news/one-in-three-phishing/

  • Ransomware Misconceptions Abound, to the Benefit of Attackers

There is a common ransomware misperception that there's no capability to fight this all too common hostage taking of business data. This is not true. Proactive organisations are increasingly making more strategic use of threat intelligence to prevent or disrupt attacks.

Ransomware has evolved into a massive, often state-sponsored, industry where operators buy, develop, and resell ransomware code, infiltrate networks, and collect ransoms. The perception that a speedy response is critical to prevent data encryption and loss is outdated; attackers now focus on data exfiltration, using ransomware as a distraction. They often target smaller organisations that are linked to larger ones through supply chains, using them as stepping stones. It is important to use in-depth defence measures, including email security to prevent phishing and efficient detection and response systems to identify and recover from changes.

https://www.darkreading.com/vulnerabilities-threats/ransomware-misconceptions-abound-to-the-benefit-of-attackers

  • Threat Actors Scale and Commoditise Uncommon Tools and Techniques

Proofpoint’s 2023 Human Factor report highlights significant developments in the cyber attack landscape in 2022. Following two years of pandemic-induced disruption, cyber criminals returned to their usual operations, honing their social engineering skills and commoditising once sophisticated attack techniques. There was a noticeable increase in brute-force and targeted attacks on cloud tenants, conversational smishing attacks, and multifactor authentication (MFA) bypasses. Microsoft 365 formed a large part of organisations' attack surfaces and faced broad abuse, from Office macros to OneNote documents.

Despite some advances in security controls, threat actors continue to innovate and scale their bypasses. Techniques like MFA bypass and telephone-oriented attack delivery are now commonplace. Attackers consistently exploit people, who remain the most critical variable in the attack chain.

https://www.proofpoint.com/uk/newsroom/press-releases/proofpoints-2023-human-factor-report-threat-actors-scale-and-commoditise

  • Goodbyes are Difficult, IT Offboarding Processes Make Them Harder

A recent survey found that 68% of organisations recognise the offboarding process as a major cyber security risk, but only 36% have adequate controls in place to secure data access when employees depart. The study revealed that 60% of organisations have discovered former employees still had access to corporate applications after leaving, and 52% have had security incidents linked to former employees. Interestingly, IT professionals are not always alerted when employees leave, leading to access not being revoked and IT assets being mishandled 34% of the time.

https://www.helpnetsecurity.com/2023/06/19/it-offboarding-processes/

  • Security Budget Hikes are Missing the Mark, CISOs Say

Misguided expectations on security spend are causing problems for CISOs despite notable budget increases. A recent report found that while most CISOs are experiencing noteworthy increases in security funding, impractical expectations of budget holders are leading to significant amounts being spent on what’s hitting the headlines instead of strategic, business-centric investment in security defences. This lack of understanding shows that a lot of work needs to be done to ensure that information security receives the attention it deserves, especially in the boardroom.

The report found that just 9% of CISOs said information security is always in the top three priorities on the boardroom’s meeting agenda, and less than a quarter (22%) of CISOs are actively participating in business strategy and decision-making processes. Talking to the board about cyber security in a way that is productive can be a significant challenge for CISOs, and failing to do so effectively can result in confusion, disillusionment, and a lack of cohesion among directors, the security function, and the rest of the organisation.

https://www.csoonline.com/article/3700073/security-budget-hikes-are-missing-the-mark-cisos-say.html

https://www.helpnetsecurity.com/2023/06/22/average-cybersecurity-budget-increase/

  • Understanding Cyber Resilience: Building a Holistic Approach to Cyber Security

In today’s interconnected world, the threat of cyber attacks is a constant concern for organisations of all sizes and across all industries. Cyber resilience entails not only making it difficult for attackers to infiltrate your systems but also ensuring that your organisation can bounce back quickly and continue operations successfully.

Cyber resilience offers a holistic approach to cyber security, emphasising the ability to withstand and recover from cyber attacks. By adopting the right mindset, leveraging advanced technology, addressing cyber hygiene, and measuring key metrics, organisations can enhance their cyber resilience. Additionally, collaboration within industries and proactive board engagement are crucial for effective risk management. As cyber threats continue to evolve, organisations must prioritise cyber resilience as an ongoing journey, continuously adapting and refining their strategies to stay ahead of malicious actors.

https://informationsecuritybuzz.com/understanding-cyber-resilience-building-a-holistic-approach-to-cybersecurity/

  • Emerging Ransomware Group 8Base Releasing Confidential Data from SMBs Globally

A ransomware group that operated under the radar for over a year has come to light in recent weeks, thanks to a series of business data leaks on the Dark Web. Since at least April 2022, 8base has been conducting double-extortion attacks against small and midsized businesses (SMBs). It all came to a head in May, when the group dumped data belonging to 67 organisations on the cyber underground.

Not much is known yet about the group's tactics, techniques, and procedures (TTPs), likely due to the low profile of their victims. The victims span science and technology, manufacturing, retail, construction, healthcare, and more, with victims from as far afield as India, Peru, Madagascar and Brazil, amongst others.

https://www.darkreading.com/vulnerabilities-threats/emerging-ransomware-8base-doxxes-smbs-globally

  • Financial Firms to Build Resilience in Face of Growing Cyber-Threats

Cyber resilience is now a key component of operational resilience for the UK’s financial markets, according to a Bank of England official. Cyber attacks have increased by 38% in 2022, and the range of firms and organisations being impacted seems to grow broader and broader.

Regulators want to see how financial firms will cope with an attack, and its impact on the wider financial services ecosystem. Similar work is being done at an international level by the G7, which has its own cyber expert group. In the UK, the main tools for improving resilience are threat intelligence sharing, better coordination between firms, regulators, the Bank and the Treasury, and penetration testing including CBEST. Financial services firms should have scenario specific playbooks, to set out how to contain intruders and stop them spreading to clients and counterparties. In the past, simulation exercises have been used to model terrorist incidents and pandemics and they are now being used to model cyber attacks.

https://www.infosecurity-magazine.com/news/financial-firms-to-build-resilience/

  • Fulfilling Expected SEC Requirements for Cyber Security Expertise at Board Level

The US Securities and Exchange Commission (SEC) is expected to introduce a rule requiring demonstration of cyber security expertise at the board level for public companies. A recent study found that currently up to 90% of companies in the Russell 3000 lack even a single director with the necessary cyber expertise. The simplest and speediest solution would be to promote the existing CISO, provided they have the appropriate qualities and experience, to the board but that would require transplanting a focused operational executive into a strategic business advisory role. A credible alternative is to bring in a cyber focused Non-Executive Director with the appropriate skills and experience.

https://www.securityweek.com/fulfilling-expected-sec-requirements-for-cybersecurity-expertise-at-board-level/

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Other Social Engineering; Smishing, Vishing, etc

Artificial Intelligence

Malware

Mobile

Botnets

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Impersonation Attacks

AML/CFT/Sanctions

Dark Web

Supply Chain and Third Parties

Software Supply Chain

Cloud/SaaS

Hybrid/Remote Working

Shadow IT

Identity and Access Management

Encryption

API

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Training, Education and Awareness

Digital Transformation

Regulations, Fines and Legislation

Models, Frameworks and Standards

Secure Disposal

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Nation State Actors

Vulnerability Management

Vulnerabilities

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Advisory 22 June 2023 – Rising Threats Facing the Apple Ecosystem, affecting Mac and iOS Devices

Black Arrow Cyber Advisory 22 June 2023 – Rising Threats Facing the Apple Ecosystem, affecting Mac and iOS Devices

Executive Summary

Open Sources Intelligence (OSINT) conducted by Black Arrow Cyber have identified a number of threats against the Apple ecosystem, with some threats reported to have nation state involvement. It is important to highlight that any internet-abled product can be a target for attackers, therefore appropriate protective controls should always be considered for all devices, especially those that are used to directly access sensitive information.

MacOS “Migraine” Vulnerability

Recently, Microsoft revealed a new macOS vulnerability dubbed “Migraine” (CVE-2023-3269) which impacts vulnerable apple devices which run macOS. The vulnerability allows an attacker with root access, which is the highest level of permissions to bypass the built in security protections, gaining remote code execution and the ability to create undeletable malware, tamper with the integrity of systems and expand the attack to the rest of the network. Apple has released a security patch which addresses this vulnerability, further details can be found at the bottom of this post.

iOS “Operation Triangulation”

Reports have identified a new mobile state-sponsored advanced persistent threat group that has been targeting iOS devices as part of an attack campaign labelled “Operation Triangulation”. the campaign is carried out using an invisible iMessage with a malicious attachment, which when executed on a device installs spyware. The deployment of the spyware is completely hidden and requires no action from the user. The spyware then quietly transmits private information to remote servers; this includes microphone recordings, photos from instant messengers, geolocation, and data about a number of other activities of the owner of the infected device. This trojan is targeting middle and upper management staff with the only workaround currently being a complete reset of the device.

Complex toolkit with files allowing backdoor capabilities targeting macOS

Bitdefender researchers have recently discovered a set of malicious files that are part of a sophisticated toolkit targeting Apple macOS systems. This malicious attack allows an attacker to gather system information, run commands, download and execute files on the victim’s machine, and to terminate the exploit script. The malicious files predominantly target macOS Monterey (version 12) and newer.

Growing Malware Threats to macOS

In addition to this, additional growing threats to macOS have been recorded in the wild. This includes:

- Threat actor groups Lazarus and BlueNoroff have been using malware dubbed “RustBucket” in financially motivated attacks to target users and steal victim’s data.  

- Reports identifying ransomware gangs, including the infamous Lockbit, developing encryption that targets macOs, specifically their M1 chips. There is no current working version of this malware.

- A rise in the use of XCSSET malware, which exploits multiple zero-days found in the Apple safari browser to download a developer version of the app on the target’s device giving it access to data from other apps such as Skype, Telegram, notes, and screen recorders.

An increase in the use of malware-as-a-service (MaaS), such as Atomic macOS Stealer which is capable of stealing passwords, credentials, cookies, browser data, auto-fills, and other important information and MacStealer, which extracts information from compromised systems.

- The well known 3CX attack in which the state-sponsored APT’s had altered the MacOS version of the 3CX desktop client to deliver further malware, and exfiltrate it.

Mac Vulnerabilities

Looking at the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalogue, there have been 36 actively recorded exploits relating to devices running macOS devices since 2021.  

What’s the risk to me or my business?

An organisation which excludes the security of any asset, relying on reputation or built-in protections alone, is leaving themselves open to potential compromise of the confidentiality, integrity and availability of the data which is held on the asset and is accessed through the asset, which includes Apple devices. Such assets include devices that are purchased by the organisation to be used as corporate devices and those that are personally owned by employees being used as part of Bring Your Own Device schemes.

What can I do?

Endpoint Protective Technologies and Security Hardening including anti-malware, Firewalls and detective solutions should be considered for all endpoints, including those that run Windows, macOS, Linux, Android and iOS.

Organisation should ensure that their asset registers are up to date and include all assets which hold or access organisational information. The better view an organisations has of its attack surface, the greater their cyber resilience will be. This should be supplemented with an effective threat intelligence programme, allowing organisations to keep up to date with emerging threats.

Further information can be found here:

macOs “Migraine” Vulnerability: https://www.microsoft.com/en-us/security/blog/2023/05/30/new-macos-vulnerability-migraine-could-bypass-system-integrity-protection/

Lockbit Encryptors found targeting macOS: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/

iOS Operation Triangulation: https://usa.kaspersky.com/blog/triangulation-attack-on-ios/28444/

6 Growing Malware Threats to macOS: https://www.darkreading.com/endpoint/top-macos-malware-threats-proliferate

Malicious Files with Backdoor targeting macOS attack: https://www.bitdefender.com/blog/labs/fragments-of-cross-platform-backdoor-hint-at-larger-mac-os-attack/

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Advisory - 22 June 2023 – Apple Releases Patches for Actively Exploited Flaws in iOS, macOS, and Safari

Black Arrow Cyber Advisory - 22 June 2023 – Apple Releases Patches for Actively Exploited Flaws in iOS, macOS, and Safari

Executive summary

Apple has recently released updates for iOS, iPadOS, macOS, watchOS and Safari browser. These updates address a set of flaws that were actively exploited in the wild with the most severe allowing an attacker to perform Arbitrary Code Execution.

What’s the risk to me or my business?

Depending on the privileges associated with the user, if the vulnerability is successfully exploited an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. This can lead to compromise of the confidentiality, integrity, and availability of organisational information in that could be accessed from the affected asset.

Technical Summary

The two vulnerabilities below have been actively exploited in the mobile surveillance campaign called Operation Triangulation.

CVE-2023-32434 – This is an integer overflow vulnerability in the kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges.

CVE-2023-32435 – This is a memory corruption vulnerability in Webkit that could lead to arbitrary code execution when processing specially crafted web content.

The updates are available for the following platforms:

  • iOS 16.5.1 and iPadOS 16.5.1 - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

  • iOS 15.7.7 and iPadOS 15.7.7 - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

  • macOS Ventura 13.4.1, macOS Monterey 12.6.7, and macOS Big Sur 11.7.8

  • watchOS 9.5.2 - Apple Watch Series 4 and later

  • watchOS 8.8.1 - Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7, and SE, and

  • Safari 16.5.1 - Macs running macOS Monterey

What can I do?

It is recommended to apply the update provided by Apple to all vulnerable systems immediately as the flaws have been addressed in this patch.

Further details on the Apple security updates can be found here: https://support.apple.com/en-us/HT201222

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Advisory - 22 June 2023 – Critical RCE flaw in VMware exploited in the wild

Black Arrow Cyber Advisory - 22 June 2023 – Critical RCE flaw in VMware exploited in the wild

An update from an advisory published on the 8th June 2023 by Black Arrow: https://www.blackarrowcyber.com/blog/advisory-08062023-barracuda-cisco-vmware-vulns

Executive summary

VMware has confirmed that exploitation of the critical rated CVE-2023-20887 has occurred in the wild. This vulnerability affects the VMware Aria Operations (formerly known as vRealize Network Insight) and allows a malicious actor with access to the network to perform remote code execution (RCE).

What’s the risk to me or my business?

The vulnerability, if exploited using command injection, could allow the attacker to have unrestricted access with root to compromise the confidentiality, integrity, and availability of data in your organisation.

Impacted versions include: VMware Aria Operations Networks version 6.x.

What can I do?

VMware have recommended applying patches which they have made available for the following versions: 6.2/6.3/6.4/6.5.1/6.6/6.7/6.8/6.9/6.10.

There are no workarounds for this vulnerability.

Further details on the VMware vulnerability can be found here: https://www.vmware.com/security/advisories/VMSA-2023-0012.html

Further details on the VMware patch can be found here: https://kb.vmware.com/s/article/92684

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 16 June 2023

Black Arrow Cyber Threat Briefing 16 June 2023:

-Hacker Gang Clop Deploys Extortion Tactics Against Global Companies

-Social Engineering Drives BEC Losses to $50B Globally

-Creating A Cyber-Conscious Culture—It Must Be Driven from the Top

-Artificial Intelligence is Coming to Windows: Are Your Security Policy Settings Ready?

-Cyber Crooks Targeting Employees, Organisations Fight Back with Training Programs

-Massive Phishing Campaign Uses 6,000 Sites to Impersonate 100 Brands

-A Recent Study Shows Over One in Ten Brits are Willing to Engage in ‘Illegal or Illicit’ Online Behaviour as the Cost of Living Crisis Worsens, Driving Insider Threat Concerns

-Microsoft Office 365 Phishing Reveals Signs of Much Larger BEC Campaign

-Europol Warns of Metaverse and AI Terror Threat

-What is AI, and is it Dangerous?

-Cyber Liability Insurance Vs. Data Breach Insurance: What's the Difference?

-Exploring the Dark Web: Hitmen for Hire and the Realities of Online Activities

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Hacker Gang Clop Deploys Extortion Tactics Against Global Companies

The Russian-speaking gang of hackers that compromised UK groups such as British Airways and the BBC has claimed it has siphoned off sensitive data from more institutions including US-based investment firms, European manufacturers and US universities. Eight other companies this week made it onto Clop’s list on the dark web. That adds to the news last week that UK groups, including Walgreens-owned Boots, informed employees that their data had been compromised. The issue also targeted customers of Zellis, a UK-based payroll provider that about half of the companies on the FTSE 100 use.

The hacking group is pushing for contact with the companies on the list, according to a post on Clop’s dark web site, as the gang demands a ransom that cyber security experts and negotiators said could be as much as several million dollars.

https://www.ft.com/content/c1db9c5c-cdf1-48bc-8e6b-2c2444b66dc9

  • Social Engineering Drives BEC Losses to $50B Globally

Business email compromise (BEC) continues to evolve on the back of sophisticated targeting and social engineering, costing businesses worldwide more than $50 billion in the last 10 years - a figure that reflected a growth in business losses to BEC of 17% year-over-year in 2022, according to the FBI.

Security professionals attribute BEC's continued dominance in the cyber threat landscape to several reasons. A key one is that attackers have become increasingly savvy in how to socially-engineer messages so that they appear authentic to users, which is the key to being successful at this scam. And with the increase in availability of artificial intelligence, the continued success of BEC means these attacks are here to stay. Organisations will be forced to respond with even stronger security measures, security experts say.

https://www.darkreading.com/threat-intelligence/social-engineering-drives-bec-losses-to-50b-globally

  • Creating A Cyber Conscious Culture—It Must Be Driven from the Top

Businesses are facing more frequent and sophisticated cyber threats and they must continuously learn new ways to protect their revenues, reputation and maintain regulatory compliance. With hybrid and remote working blurring traditional security perimeters and expanding the attack surface, the high volumes of sensitive information held by organisations are at increased risk of cyber attacks.

The increase had led to cyber elevating to the board level; after all the board is responsible for cyber security. It doesn’t stop there however, as everyone in an organisation has responsibility for upholding cyber security. The board must aim to create a cyber-conscious culture, where users are aware of their role in cyber security. One important way such a culture can be achieved is through providing regular education and training to all users.

https://www.forbes.com/sites/forbestechcouncil/2023/06/12/creating-a-cyber-conscious-culture-it-must-be-driven-from-the-top/sh=6a0bb36426cc

  • Artificial Intelligence is Coming to Windows: Are Your Security Policy Settings Ready?

What’s in your Windows security policy? Do you review your settings on an annual basis or more often? Do you provide education and training regarding the topics in the policy? Does it get revised when the impact of an incident showcases that an internal policy violation led to the root cause of the issue? And, importantly, do you have a security policy that includes your firm’s overall policies around the increasing race towards artificial intelligence, which is seemingly in nearly every application released these days?

From word processing documents to the upcoming enhancements to Windows 11, which will include AI prompting in the Explorer platform, organisations should review how they want their employees to treat customer data or other confidential information when using AI platforms. Many will want to build limits and guidelines into their security plans that specify what is allowed to be entered into platforms and websites that may store or share the information online. However, confidential information should not be included in any application that doesn’t have clearly defined protections around the handling of such data. The bottom line is that AI is coming to your network and your desktop sooner than you think. Build your policies now and review your processes to determine if you are ready for it today.

https://www.csoonline.com/article/3698517/artificial-intelligence-is-coming-to-windows-are-your-security-policy-settings-ready.html

  • Cyber Crooks Targeting Employees, Organisations Fight Back with Training Programs

Cyber criminals are increasingly targeting an organisation’s employees, figuring to trick an untrained staffer to click on a malicious link that starts a malware attack, Fortinet said in a newly released study of security awareness and training.

More than 80% of organisations faced malware, phishing and password attacks last year, which were mainly targeted at users. This underscores that employees can be an organisation’s weakest point or one of its most powerful defences.

Fortinet’s research revealed that more than 90% of the survey’s respondents believe that increased employee cyber security awareness would help decrease the occurrence of cyber attacks. As organisations face increasing cyber risks, employees serving as an organisation’s first line of defence in protecting their organisation from cyber crime becomes of paramount importance.

https://www.msspalert.com/cybersecurity-research/cyber-crooks-targeting-employees-organizations-fight-back-with-training-programs/

  • Massive Phishing Campaign Uses 6,000 Sites to Impersonate 100 Brands

A widespread brand impersonation campaign targeting over a hundred popular apparel, footwear, and clothing brands has been underway since June 2022, tricking people into entering their account credentials and financial information on fake websites. The brands impersonated by the phony sites include Nike, Puma, Asics, Vans, Adidas, Columbia, Superdry, Converse, Casio, Timberland, Salomon, Crocs, Sketchers, The North Face and others.

A recent report found the campaign relies on at least 3,000 domains and roughly 6,000 sites, including inactive ones. The campaign had a significant activity spike between January and February 2023, adding 300 new fake sites monthly. The domain names follow a pattern of using the brand name together with a city or country, followed by a generic TLD such as ".com." Additionally, any details entered on the checkout pages, most notably the credit card details, may be stored by the website operators and resold to cyber criminals.

https://www.bleepingcomputer.com/news/security/massive-phishing-campaign-uses-6-000-sites-to-impersonate-100-brands/

  • Over One in Ten Brits are Willing to Engage in ‘Illegal or Illicit’ Online Behaviour

A recent study found that 11% of Brits were tempted to engage in ‘illegal or illicit online behaviour’ in order to help manage the fallout from the cost of living crisis. This statistic becomes even more concerning when focused on younger people, with almost a quarter of 25–35 year old respondents (23%) willing to consider illegal or illicit online activity. Of those willing to engage in this kind of behaviour, 56% suggested it was because they are desperate and struggling to get by, and need to find alternative means of supporting their families.

Nearly half (47%) of UK business leaders believe their organisation has been at a greater risk of attack since the start of the cost-of-living crisis. Against this backdrop, many SME business leaders are understandably worried about the impact on employees. Of those who think their organisation is more exposed to attack, 38% believe it’s due to malicious insiders and 35% to overworked and distracted staff making mistakes. Organisations not doing so already, should look to incorporate insider threat into their security plans. Insider threat should focus on areas such as regular education and monitoring and detection.

The report found that 44% of respondents have also noticed an uptick in online scams hitting their inboxes since the cost of living crisis began in late 2021/early 2022. Another worrying finding is that this uptick is proving devastatingly effective for scammers: over one in ten (13%) of UK respondents have already been scammed since the cost of living crisis began. This rises to a quarter (26%) of respondents in the 18-25 age range, reflecting a hyper-online lifestyle and culture that scammers can work to exploit effectively.

https://www.itsecurityguru.org/2023/06/15/it-security-guru-study-shows-over-one-in-ten-brits-are-willing-to-engage-in-illegal-or-illicit-online-behaviour-as-the-cost-of-living-crisis-worsens 

https://www.infosecurity-magazine.com/news/costofliving-crisis-drives-insider/

  • Microsoft Office 365 Phishing Reveals Signs of Much Larger BEC Campaign

Recently, Microsoft discovered multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) attacks against banking and financial services organisations. The attackers are successfully phishing employees’ accounts with fake Office 365 domains. This allows them to bypass authentication, exfiltrate data and send further phishing emails against other employees and several targeted external organisations. In some cases, threat actors have registered their own device to the employee’s account, to evade MFA defences and achieve persistent access.

https://securityaffairs.com/147327/hacking/aitm-bec-attacks.html

https://thehackernews.com/2023/06/adversary-in-middle-attack-campaign.html

https://www.csoonline.com/article/3699122/microsoft-office-365-aitm-phishing-reveals-signs-of-much-larger-bec-campaign.html

  • Europol Warns of Metaverse and AI Terror Threat

New and emerging technologies like conversational AI, deepfakes and the metaverse could be utilised by terrorists and extremists to radicalise and recruit converts to their cause, Europol has warned. The report stated that the online environment lowers the bar for entering the world of terrorism and extremism, broadens the range of people that can become exposed to radicalisation and increases the unpredictability of terrorism and extremism.

Europol also pointed to the potential use of deepfakes, augmented reality and conversational AI to enhance the efficiency of terrorist propaganda. Both these technologies and internet of things (IoT) tools can also be deployed in more practical tasks such as the remote operation of vehicles and weapons used in attacks or setting up virtual training camps. Digital currencies are also playing a role in helping to finance such groups while maintaining the anonymity of those contributing the funding, Europol said.

https://www.infosecurity-magazine.com/news/europol-warns-metaverse-and-ai/

  • What is AI, and is it Dangerous?

Recently, we saw the release of the first piece of EU regulation on AI. This comes after a significant rise in the usage of tools such as ChatGPT. Such tools allow for even those with limited technical ability to perform sophisticated actions. In fact, usage has risen 44% over the last three months alone, according to a report.

Rather worryingly, there is a lack of governance on the usage of AI, and this extends to how AI is used within your own organisation. Whilst the usage can greatly improve actions performed within an organisation, the report found that 6% of employees using AI had pasted sensitive company data into an AI tool. Would your organisation know if this happened, and how damaging could it be to your organisation if this data was to be leaked? Continuous monitoring, risk analysis and real-time governance can help aid an organisation in having an overview of the usage of AI.

https://www.bbc.co.uk/news/technology-65855333

https://thehackernews.com/2023/06/new-research-6-of-employees-paste.html

  • Cyber Liability Insurance Vs. Data Breach Insurance: What's the Difference?

With an ever-increasing number of cyber security threats and attacks, companies are becoming motivated to protect their businesses and customer data both technically and financially. Finding the right insurance has become a key part of the security equation.

Companies looking to protect themselves have most likely heard the terms “cyber liability insurance” and “data breach insurance.” Put simply, cyber liability insurance refers to coverage for third-party claims asserted against a company stemming from a network security event or data breach. Data breach insurance, on the other hand, refers to coverage for first-party losses incurred by the insured organisation that has suffered a loss of data.

https://www.csoonline.com/article/3698297/cyber-liability-insurance-vs-data-breach-insurance-whats-the-difference.html

  • Exploring the Dark Web: Hitmen for Hire and the Realities of Online Activities

The dark web makes up a significant portion of the internet. Access can be gained through special browser, TOR, also known as the onion Router. The service bounces around IP addresses, constantly changing to protect the anonymity of the user.

This dark web contains an array of activities and sites, which include hitmen for hire, drugs for sale, and stolen credit card databases amongst others. Sometimes these aren’t real however, and are actually a trap to steal money from users on the basis that these users are unlikely to report it to law enforcement when the victim was trying to break the law in the first place. What we do know however, is that the dark web contains a plethora of information, and this could include data from your organisation.

https://news.clearancejobs.com/2023/06/07/exploring-the-dark-web-hitman-for-hire-and-the-realities-of-online-activities/

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

BEC – Business Email Compromise

Other Social Engineering; Smishing, Vishing, etc

Artificial Intelligence

2FA/MFA

Malware

Mobile

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Impersonation Attacks

Insurance

Dark Web

Supply Chain and Third Parties

Cloud/SaaS

Encryption

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Training, Education and Awareness

Digital Transformation

Regulations, Fines and Legislation

Models, Frameworks and Standards

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Nation State Actors

Tools and Controls

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Advisory 14 June 2023 – June Microsoft Patch Tuesday Addresses 78 Security Issues, 6 Critical Updates

Black Arrow Cyber Advisory 14 June 2023 – June Microsoft Patch Tuesday Addresses 78 Security Issues, 6 Critical Updates

Executive summary

Microsoft’s June Patch Tuesday provides updates to address 78 security issues across its product range, including 6 critical vulnerabilities. June’s patch Tuesday does not include any zero-day vulnerabilities or actively exploited bugs. The critical vulnerabilities include privilege escalation in Microsoft SharePoint, remote code execution in Microsoft Exchange Server, Windows PGM, .NET, .NET Framework and Visual Studio and finally, a denial of service in Windows Hyper-V.

What’s the risk to me or my business?

The vulnerabilities, if actively exploited allow an attacker to gain system privileges, remotely execute code and cause a denial of service compromising the confidentiality, integrity and availability of data stored by an organisation.

What can I do?

Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible, especially those that have a critical severity rating.

Further details on other specific updates within this patch Tuesday can be found here: https://www.ghacks.net/2023/06/13/the-windows-june-2023-security-patches-are-here-and-address-these-issues/

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity 

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Advisory - 12 June 2023 – Organisations Urged to Address Critical Vulnerabilities Found Fortinet and PaperCut Products

Black Arrow Cyber Advisory - 12 June 2023 – Organisations Urged to Address Critical Vulnerabilities Found Fortinet and Papercut Products

Executive summary

A recent report has highlighted the most notable software vulnerabilities in the first half of 2023, which included 2 critical actively exploited vulnerabilities in PaperCut MF and NG and Fortinet FortiOS products. This comes as Fortinet have recently released a patch for a separate critical vulnerability in FortiOS.  All three vulnerabilities allow an attacker to remotely execute unauthorised code and compromise the confidentiality, integrity and availability of data.

Fortinet

CVE-2023-27997 – This recent critical vulnerability targets an secure socket layer virtual private network  (SSL-VPN) flaw which allows an unauthenticated attacker remote code execution and to interfere with VPN connections even if Mulit-Factor Authentication (MFA) is in place. SSL-VPN is used to allow users to establish a secure, encrypted connection between the public internet and the corporate network.

CVE-2022-41328 – This is a vulnerability in improper limitation of a pathname, allowing an attacker to access restricted files with read and write access. Exploitation allows the attacker to remotely install and execute malware.

What can I do?

Fortinet has released fixes that address the vulnerability CVE-2023-27997. Customers must immediately apply the firmware updates as a matter of urgency. The following versions of FortiOS include patches for the vulnerability: 7.2.5, 7.0.12, 6.4.13, 6.2.15. An advisory has not been publicly announced yet. Results from Shodan indicate around 250,000 publicly discoverable devices are vulnerable.

For CVE-2022-41328, customers are recommended to update the affected products immediately as this is being actively exploited.

Affected products include:

-          FortiOS version 7.2.0 through 7.2.3 (Patched in version 7.2.4 or above)

-          FortiOS version 7.0.0 through 7.0.9 (Patched in version 7.0.10 or above)

-          FortiOS version 6.4.0 through 6.4.11 (Patched in version 6.4.12 or above)

-          FortiOS version 6.2.0 through 6.2.13 (Patched in version 6.2.14 or above)

-          FortiOS 6.0 all versions (No longer supported)

PaperCut

CVE – 2023-27350 – This vulnerability allows an unauthenticated attacker to pull information about a user stored within PaperCut MF or NG. This data includes usernames, full names, email addresses, office/department info and any card numbers associated with the user. The attacker can also retrieve the hashed passwords for internal PaperCut created users only.

The following PaperCut MF and NG versions and components are affected by CVE-2023-27350 on all OS platforms:

-          version 8.0.0 to 19.2.7  

-          version 20.0.0 to 20.1.6

-          version 21.0.0 to 21.2.10

-          version 22.0.0 to 22.0.8

What can I do?

PaperCut has recommended that customers upgrade all application servers and site servers and to patch any of the affected products. This vulnerability has been addressed in Papercut MF and NG versions 20.1.7, 21.2.11, and 22.0.9 and later.

Further details on the Fortinet vulnerability can be found here:

https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaw-in-fortigate-ssl-vpn-devices-patch-now/

Further details on the Fortinet CVE-2022-41328 vulnerability can be found here:

https://www.fortiguard.com/psirt/FG-IR-22-369

Further details on the PaperCut vulnerability can be found here:

https://www.papercut.com/kb/Main/PO-1216-and-PO-1219

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 9th June 2023

Black Arrow Cyber Threat Briefing 09 June 2023:

-74% of Breaches Involve Human Element- Make Employees Your Best Asset

-Cyber Security Agency Urges Vigilance as MOVEit Attack Impacts Major Companies Including British Airways, Boots and the BBC

-CISOs and IT Lack Confidence in Executives’ Cyber Defence Knowledge as the Spotlight Falls on the Boardroom

-Only 1 in 10 CISOs are Board-ready as Nearly Half of Boards Lack Cyber Expertise

-BEC Volumes and Ransomware Costs Double in a Year

-Hackers are Targeting C-Suite Executives Through Their Personal Email

-Proactive Detection is Crucial as Organisations Lack Effective Threat Research

-Number of Vulnerabilities Exploited Rose by 55%

-Ransomware Behind Most Cyber Attacks, with Record-breaking May

-4 Areas of Cyber Risk That Boards Need to Address

-North Korea Makes 50% of Income from Cyber Attacks

-Going Beyond “Next Generation” Network Security

-Worldwide 2022 Email Phishing Statistics and Examples

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • 74% of Breaches Involve Human Element- Make Employees Your Best Asset

Verizon’s recent data breach report analysed 16,312 security incidents and 5,199 breaches. A total of 74% of breaches involved a human element, highlighting the role of employees in achieving good cyber resilience. Organisations looking to improve their resilience should therefore consider how well and how frequently they train their users. In a recent report, Fortinet found that 90% of leaders believed that increasing their employee cyber security awareness would help decrease the occurrence of cyber attacks. Worryingly, despite 85% of leaders having an awareness and training programme in place, 50% believed their employees still lacked cyber security knowledge.

With an effective training programme, organisations can increase their employees’ cyber risk awareness and empower them in defending the organisation, laying the foundation for a strong cyber security culture.

https://www.helpnetsecurity.com/2023/06/06/verizon-data-breach-investigations-report-2023-dbir/

https://www.helpnetsecurity.com/2023/06/09/employees-cybersecurity-knowledge/

  • Cyber Security Agency Urges Vigilance as MOVEit Attack Impacts Major Companies Including British Airways, Boots and the BBC

The recent cyber attacks on file transfer software MOVEit have impacted a number of major companies through their supply chain. The attack, which hit UK-based HR and payroll provider Zellis has had a huge knock-on effect, with major companies such as British Airways, Boots and the BBC suffering as a result of using Zellis in their supply chain. The UK’s National Cyber Security Centre (NCSC) has emphasised the need for organisations to exercise heightened vigilance.

Organisations must be aware of supply chain risks, and how an attack on a supplier or service provider can impact their own organisation. It is important for organisations to manage supply chain security, assess third party risks, communicate with suppliers and keep on top of emerging threats; it’s no simple task.

https://www.securityweek.com/several-major-organizations-confirm-being-impacted-by-moveit-attack/

https://www.ibtimes.co.uk/british-cybersecurity-agency-urges-vigilance-major-companies-fall-victim-software-hack-1716493

  • CISOs and IT Lack Confidence in Executives’ Cyber Defence Knowledge as the Spotlight Falls on the Boardroom

Nearly three-quarters of data breaches include an element of human failure, and senior business leaders were particularly at risk, according to a recent report. Not only do business leaders possess the most sensitive information, but they are often the least protected, with many organisations making security protocol exemptions for them. Such factors have pushed the boardroom into the spotlight more.

In another report, it was found that only 28% of IT professionals were confident in their executives’ ability to recognise a phishing email. The report found that as many as 71% of executives were reusing compromised passwords from personal accounts inside the company. Technology alone won’t solve the problem: user awareness training is required and this includes the boardroom.

https://www.csoonline.com/article/3698708/cisos-it-lack-confidence-in-executives-cyber-defense-knowledge.html

https://www.computerweekly.com/news/366539293/Cyber-spotlight-falls-on-boardroom-privilege-as-incidents-soar

  • Only 1 in 10 CISOs are Board-ready as Nearly Half of Boards Lack Cyber Expertise

A recent study has found that only 1 in 10 chief information security officers (CISOs) have all the key traits thought to be crucial for success on a corporate board, with many lacking governance skills and experience and other attributes needed for board readiness. Worryingly, nearly half of the 1,000 companies in the study lacked at least one director with cyber security expertise. This is concerning as good cyber security starts from the board: the board is responsible for understanding the business risks of a cyber incident and for endorsing whether the cyber controls in place have reduced those risks to a level that the board is happy with. Similarly, the board would not sign off financial risks without ensuring they had someone with financial experience and qualifications present. The Black Arrow vCISO service is ideal for organisations that need expertise in assessing and managing cyber risks, underpinned by governance reporting and metrics presented to enable the board to make educated and informed decisions.

https://www.csoonline.com/article/3698291/only-one-in-10-cisos-today-are-board-ready-study-says

  • BEC Volumes and Ransomware Costs Double in a Year

The number of recorded business email compromise (BEC) attacks doubled over the past year, with the threat comprising nearly 60% of social engineering incidents studied by Verizon for its 2023 Data Breach Investigations Report. The report this year was based on analysis of 16,312 security incidents and 5,199 breaches over the past year.

Pretexting, which is commonly using in BEC attacks, is now more common than phishing in social engineering incidents, although the latter is still more prevalent in breaches, the report noted. The median amount stolen in pretexting attacks now stands at $50,000. The vast majority of attacks (97%) over the past year were motivated by financial gain rather than espionage.

https://www.infosecurity-magazine.com/news/bec-volumes-ransomware-costs/

  • Hackers are Targeting C-Suite Executives Through Their Personal Email

As companies rely on chief financial officers (CFOs) to mitigate risk, cyber attacks and the costs associated with them are a major concern. Now there is also a growing trend of cyber criminals targeting C-suite executives in their personal lives, where it is easier to pull off a breach as there are fewer, if any, protections, instead of targeting them through their business accounts. Once attackers have access, they then try to use this to gain entry to the corporate systems. The report found that 42% of companies have experienced cyber criminal attacks on their senior-level corporate executives, which can compromise sensitive business data. The report found that 58% of respondents stated that cyber threat prevention for executives and their digital assets are not covered in their cyber, IT and physical securities strategies and budgets.

https://fortune.com/2023/06/08/hackers-targeting-c-suite-executives-personal-email-cybersecurity

  • Proactive Detection is Crucial as Organisations Lack Effective Threat Research

In a recent study, it was found that CISOs are spending significantly less time on threat research and awareness, despite 58% having an increase in their budget for cyber security; the same number reported that their team is so busy, they may not detect an attack. In a different report, keeping up with threat intelligence was identified as one of the biggest challenges faced.

https://www.helpnetsecurity.com/2023/06/06/cisos-cybersecurity-spending/

  • Number of Vulnerabilities Exploited Rose by 55%

A recent report from Palo Alto Networks’ Unit 42 found that the number of vulnerabilities that attackers are exploiting has grown by 55% compared to 2021, with most of the increase resulting from supply chain vulnerabilities; along with this was a 25% rise in the number of CVE’s, the term used for identified vulnerabilities. Worryingly ChatGPT scams saw a 910% increase in monthly domain registrations, pointing to an exponential growth in fraudulent activities taking advantage of the widespread usage and popularity of AI-powered chatbots.

Such growth puts further strain on cyber security staff, making it even harder for organisations to keep up. A strong threat management programme is needed, to help organisations prioritise threats and use organisational resources effectively to address said threats.

https://www.infosecurity-magazine.com/news/exploitation-vulnerabilities-grew/

https://www.infosecurity-magazine.com/news/cves-surge-25-2022-another-record/

  • Ransomware Behind Most Cyber Attacks, with Record-breaking May

2022 saw ransomware account for nearly one in four (24%) cyber attacks, with 95% of events resulting in a loss costing upwards of $2.25 million during 2021-2022. Ransomware remains a significant threat as evidenced by a different report, which stated that May 2023 saw a 154% spike in ransomware compared to May 2022. Other key findings include unreported attacks being five times more likely than reported attacks.

https://www.msspalert.com/cybersecurity-research/ransomware-hit-new-attack-highs-in-may-2023-blackfog-report-says/

https://www.scmagazine.com/analysis/ransomware/ransomware-attacks-have-room-to-grow-verizon-data-breach-report-shows

  • 4 Areas of Cyber Risk That Boards Need to Address

As technological innovations such as cloud computing, the Internet of Things, robotic process automation, and predictive analytics are integrated into organisations, it makes them increasingly susceptible to cyber threats. This means that governing and assessing cyber risks becomes a prerequisite for successful business performance. This need for transparency has been recognised by the regulators and facilitated by the new cyber security rules to ensure companies maintain adequate cyber security controls and appropriately disclose cyber-related risks and incidents.

To ensure they fulfil the requirements, organisations should focus on the following areas: position security as a strategic business enabler; continuously monitor the cyber risk capability performance; align cyber risk management with business needs through policies and standards; and proactively anticipate the changing threat landscape by utilising threat intelligence sources for emerging threats.

https://hbr.org/2023/06/4-areas-of-cyber-risk-that-boards-need-to-address

  • North Korea Makes 50% of Income from Cyber Attacks

The North Korean regime makes around half of its income from cyber attacks on cryptocurrency and other targets. A 2019 UN estimate claimed North Korea had amassed as much as $2bn through historic attacks on crypto firms and traditional banks.

North Korean hackers have been blamed for some of the biggest ever heists of cryptocurrency, including the $620m stolen from Sky Mavis’ Ronin Network last year and the $281m taken from KuCoin in 2020 and $35m from Atomic Wallet just this last weekend.

They are using increasingly sophisticated techniques to get what they want. The 3CX supply chain attacks, in which backdoor malware was implanted into a legitimate-looking software update from the eponymous comms provider, is thought to have been a targeted attempt at hitting crypto exchanges.

https://www.infosecurity-magazine.com/news/north-korea-makes-50-income/

  • Going Beyond “Next Generation” Network Security

Over a decade ago, the phrase “next generation” was used in the network security space to describe the introduction of application-layer controls with firewalls. It was a pivotal moment for the space, setting a new standard for how we protected the perimeter. A lot has happened in the last decade though, most notably, the rapid adoption of cloud and multicloud architectures and the loss of the “perimeter.” Today, 82% of IT leaders have adopted hybrid cloud architectures, and 58% of organisations use between two and three public Infrastructure as a Service (IaaS) clouds. On top of that, 95% of web traffic is encrypted which limits visibility. Applications are everywhere, access privileges are unstructured, increasing the attack surface, and businesses expect near-perfect availability and resilience. To make things more complicated, enterprises have tried to solve these challenges with disparate solutions, leading to vendor sprawl among security stacks and operational inefficiency. What was once considered “next-generation” network security no longer cuts it.

https://blogs.cisco.com/security/going-beyond-next-generation-network-security-cisco-platform-approach

  • Worldwide 2022 Email Phishing Statistics and Examples

Remote and hybrid work environments have become the new norm. The fact that email has become increasingly integral to business operations, has led malicious actors to favour email as an attack vector. According to a report by security company Egress, 92% of organisations have fallen victim to phishing attacks in 2022, a 29% increase in phishing incidents from 2021. Phishing attacks aimed at stealing info and data, also known as credential phishing, saw a 4% growth in 2022, with nearly 7 million detections. Rather worryingly, there was a 35% increase in the number of detections that related to business email compromise (BEC); these attacks mostly impersonated executives or high-ranking management personnel. With the increase in AI tools, it is expected that cyber criminals will be better able to create and deploy more sophisticated phishing attacks.

https://www.trendmicro.com/en_us/ciso/23/e/worldwide-email-phishing-stats-examples-2023.html

Governance, Risk and Compliance

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

BEC – Business Email Compromise

Other Social Engineering; Smishing, Vishing, etc

Artificial Intelligence

2FA/MFA

Malware

Mobile

Botnets

Denial of Service/DoS/DDOS

Internet of Things – IoT             

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Impersonation Attacks

Deepfakes

Insurance

Dark Web

Supply Chain and Third Parties

Software Supply Chain

Cloud/SaaS

Hybrid/Remote Working

Shadow IT

Encryption

API

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Training, Education and Awareness

Data Protection

Careers, Working in Cyber and Information Security

Privacy, Surveillance and Mass Monitoring

Vulnerability Management

Vulnerabilities

Tools and Controls

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Advisory 08 June 2023 – Barracuda, Cisco, and VMware Address Critical Security Flaws

Black Arrow Cyber Advisory 08 June 2023 – Barracuda, Cisco, and VMware Address Critical Security Flaws

Executive summary

This week, Barracuda, Cisco, and VMware have all addressed vulnerabilities in their products. The vulnerabilities allow an attacker to elevate privileges to the highest available and remotely execute. Both Cisco and VMware have applied patches, whilst Barracuda have urged users to immediately replace appliances impacted by the vulnerability.

Barracuda

CVE-2023-2868: This is a remote code injection vulnerability which has been exploited for at least seven months, allowing a successful attacker to steal information from Barracuda Email Security Gateway (ESG) devices.

Impacted versions include:

  • ESG devices on version 5.1.3.001 through 9.2.0.006

What can I do?

Barracuda have stated that regardless of the patch version level, customers must immediately replace impacted ESG appliances. If you are unsure, Black Arrow recommend to check with your MSP.

CISCO

CVE-2023-20178: This vulnerability, if exploited, can allow an attacker to execute code with SYSTEM privileges, the highest available.

 Impacted versions include:

  • Cisco AnyConnect Secure Mobility Client Software for Windows (version 4.10 and earlier)

  • Cisco Secure Client Software for Windows (version 5.0). For releases earlier than 5.0, this is known as Cisco AnyConnect Secure Mobility Client for Windows.

CVE-2023-20105: A vulnerability which allows an administrator with read-only access to elevate to have the ability to write to files.

CVE-2023-20192: A vulnerability which allows an authenticated local user to execute commands and modify configuration files. For this to be successful, the vulnerable version must have granted command line interface access (CLI) to a read-only administrator of the system.

Impacted versions include:

Cisco Express Series and Cisco TelePresence VCS version 14.0 and earlier.

What can I do?

Patches are available in AnyConnect Secure Mobility Client for Windows 4.10MR7 and Cisco Secure Client for Windows 5.0MR2 should be applied. No workarounds are available.

For Cisco Express Series and Cisco TelePresence VCS version 14.0 and earlier, the first fixed releases are 14.2.1. for CVE-2023-20105 and 14.3.0 for CVE-2023-20192. As a mitigation for CVE-2023-20192, Cisco have recommended ensure CLI access is disabled for read-only users; this should be disabled by default.

VMware

CVE-2023-20887: A command injection vulnerability, allowing an attacker to execute code remotely.

CVE-2023-20888: An authentication deserialization vulnerability, allowing remote code execution.

CVE-2023-20889: An information disclosure vulnerability, where an attacker with network access can inject commands to force information out.

Impacted versions include:

  • VMware Aria Operations Networks version 6.x.

What can I do?

VMware have recommended applying patches available for versions: 6.2 / 6.3 / 6.4 / 6.5.1 / 6.6 / 6.7 / 6.8 / 6.9 / 6.10.

Further details on the Barracuda ESG vulnerabilities can be found here: https://www.barracuda.com/company/legal/esg-vulnerability

Further details on the Cisco vulnerability can be found here: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-csc-privesc-wx4U4Kw

Further details on the VMware vulnerabilities can be found here: https://www.vmware.com/security/advisories/VMSA-2023-0012.html

Further details of the patches available for VMware can be found here: https://kb.vmware.com/s/article/92684

Need help understanding your gaps, or just want some advice? Get in touch with us

#threatadvisory #threatintelligence #cybersecurity

 

 

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Advisory 06  June 2023 – Zyxel Firewall Vulnerability Under Active Exploitation - Patch Now

Black Arrow Cyber Advisory 06  June 2023 – Zyxel Firewall Vulnerability Under Active Exploitation - Patch Now

Executive Summary

A number of recently disclosed vulnerabilities in Zyxel firewalls are now known to be being actively exploited by malicious actors.

Two of these exploited vulnerabilities are buffer overflows which enable an unauthenticated attacker to cause a denial-of-service (DoS) condition and remote code execution. In addition, a further critical vulnerability has been disclosed which allows an unauthenticated attacker to execute operating system commands to remotely send packets to a device.

These vulnerabilities have been added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog: Known Exploited Vulnerabilities Catalog | CISA

What’s the risk to me or my business?

The vulnerabilities, if exploited, allow an attacker to execute remote code and cause a denial of service. If this occurs it can allow an attacker to disable or modify the firewall rules, allowing further malicious attacks to breach the network – all of which impact the confidentiality, integrity and availability of data of the organisation.

Technical Summary

CVE-2023-3309 – A buffer overflow vulnerability in the notification function in some firewall versions could allow an unauthenticated attacker to cause DoS conditions and even remotely execute code on an affected device.

CVE-2023-33010 – A buffer overflow vulnerability in the ID processing function in some firewall versions could allow an unauthenticated attacker to cause DoS conditions and even motely execute code on an affected device.

CVE-2023-28771 – Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some operating system commands remotely by sending crafted packets to an affected device.

The affected firewall products and versions are patched in version ZLD V5.36 Patch 2:

- ATP – versions: ZLD V4.32 to V5.36 Patch 1

- USG FLEX – versions: ZLD V4.50 to V5.36 Patch 1

- USG FLEX50(W)/USG20(W)-VPN – versions: ZLD V4.25 to V5.36 Patch 1

- VPN – versions: ZLD V4.30 to V5.36 Patch 1

The following affected product and versions are patched in version ZLD V4.73 Patch 2:

-  ZyWALL/USG – versions: ZLD V4.25 to V4.73 Patch 1

What can I do?

It is recommended that patches are applied immediately for the impacted products. Zyxel has also issued guidance to disable HTTP/HTTPS services from the Wide Area Network (WAN) unless absolutely required, and to disable UDP ports 500 and 4500 if not in use. If you are unsure, it is advised to check with your MSP.

Further information can be found here:

https://www.zyxel.com/global/en/support/security-advisories/zyxels-guidance-for-the-recent-attacks-on-the-zywall-devices

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

 

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Advisory - 05 June 2023 – MOVEit Vulnerability Exploited Impacting Millions, with several Major UK Businesses Already Affected, including BA, Boots and the BBC

Black Arrow Cyber Advisory - 05 June 2023 – MOVEit Vulnerablity Exploited Impacting Millions, with several Major UK Businesses Already Affected, including BA, Boots and the BBC

Executive summary

A few days ago, a critical flaw in file transfer software Moveit was exploited, and millions could be impacted. The flaw (CVE-2023-34362) is under active exploitation, with the recent announcement of breaches against UK Payroll provider Zellis, who support services to hundreds of services in the UK. The breach against Zellis has further impacted companies that use Zellis, including the BBC, major UK airline British Airways and major UK retailer, Boots. In addition, the US Government’s Cybersecurity and Infrastructure Agency (CISA)  has ordered agencies to patch the flaw.

What’s the risk to me or my business?

The flaw, which has been linked by Microsoft to Lace Tempest, known for ransomware operations & running the Clop extortion site, is being used to exfiltrate data, impacting the confidentiality, integrity and availability of the data an organisation holds. Exploitation of the flaw allows a successful threat actor to gain unauthenticated, remote access to the MOVEit database, allow them to execute code.

Technical Summary:

CVE-2023-34362 – A SQL injection vulnerability in the MOVEit Transfer web application which if exploited, could allow unauthorised access to MOVEit Transfer’s database.

The table below has been taken from MOVEit’s security bulletin:

 
 

What can I do?

It is important that organisations not only consider themselves and whether they are using MOVEit Transfer software, but also whether any of their suppliers are using it. In both cases, the relevant fixed version should be installed.

The breaches further reinforce the importance of the supply chain and the impact it can have on organisations. It’s not just about your own security, but also any provider who your organisation uses.

Further details the patch can be found here:

https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 02 June 2023

Black Arrow Cyber Threat Briefing 02 June 2023:

-How to Keep Cyber Attacks from Tanking Your Balance Sheet

-Company Size Doesn’t Matter When It Comes to Cyber Attacks

-‘Exceptional’ Cyber Attacks Now Normal, says BT Security Chief

-How State-Sponsored/Advanced Persistent Threat Groups (APTs) Target SMBs

-Phishing Campaigns Thrive as Evasive Tactics Outsmart Conventional Detection

-Don't be Polite When you Get a Text from a Wrong Number

-Capita Cyber Attack: 90 Downstream Organisations Reported Data Breaches

-Travel-Themed Phishing, BEC Campaigns Get Smarter as Summer Season Arrives

-Organisations Spend 100 Hours Battling Post-Delivery Email Threats

-Ransomware Gangs Adopting Business-like Practices to Boost Profits

-The Sobering Truth About Ransomware—For The 80% Who Paid Up

-The Great CISO Resignation: Why Security Leaders are Quitting in Droves

-When is it Time for a Cyber Hygiene Audit?

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • How to Keep Cyber Attacks from Tanking Your Balance Sheet

According to a recent Forrester report, last year saw 1 billion records exposed in the top 35 breaches, $2.6 billion stolen in the top nine cryptocurrency breaches, and $2.7 billion in fines levied to the top 35 violators.

The average cost of a data breach reached $4.35 million in 2022, according to IBM’s Cost of a Data Breach Report for that year, which represents a 2.6% increase over the prior year, and a 12.7% increase from 2020. For ransomware, a report found the average payment in 2021 was approximately $1.85 million, more than double the $760,000 figure from 2020. These are just direct costs; indirect costs are far greater and can include lost business, lost customers, reputational loss and regulatory fines.

When it comes to managing cyber risk, corporate boards should look to understand cyber security as a strategic business enabler, understand the impacts, align risk-management with business needs, ensure the organisation supports cyber security, incorporate cyber security expertise into governance and encourage systemic resilience.

https://hbr.org/2023/06/how-to-keep-cyberattacks-from-tanking-your-balance-sheet

  • Company Size Doesn’t Matter When It Comes to Cyber Attacks

65% of large organisations suffered a cyber attack within the last 12 months, which is similar to the results among companies of all sizes (68%), according to a recent report. The most common security incidents were the same for all companies; these were phishing, ransomware and user account compromise, also known as business email compromise (BEC).

Smaller companies often underestimate their risk, with the reasoning that cyber criminals want the biggest targets as they will likely have more intellectual property, however all businesses have valuable data and are therefore a target. Additionally, smaller organisations can sometimes be seen as a way into larger organisations that use their services.

https://www.helpnetsecurity.com/2023/05/29/larger-organizations-cyberattacks/

  • ‘Exceptional’ Cyber Attacks Now Normal, says BT Security Chief

The threat of cyber attacks is growing at an “unprecedented” pace, according to the chief security officer at multinational teleco BT, Howard Watson, but it is not just large organisations such as BT who will be impacted by this increase.

Watson highlighted that the increase in sophisticated technology poses the biggest threat in the long run: “Technological advancement, as ever, is a double-edged sword in security. Quantum and AI have great potential for benefits in the right hands, or to cause massive damage in the wrong hands. But we know that cyber criminals will utilise these technologies, so we have to be able to respond in kind.”  Adding to this, the chief security officer highlighted that events that were previously considered as ‘exceptional’ need to be assessed and planned for as a probability, rather than a possibility.

https://www.thetimes.co.uk/article/exceptional-cyberattacks-now-normal-says-bt-security-chief-nd2kfp3gc

  • How State-Sponsored/Advanced Persistent Threat Groups (APTs) Target SMBs

Small and medium businesses (SMBs) are not exempt from being targeted by advanced persistent threat (APT) actors, according to Proofpoint researchers who collected data from over 200,000 SMB customers. Proofpoint identified a rise in phishing campaigns originating from such state-sponsored APT groups, who are highly skilled and typically state-sponsored groups with distinct strategic goals. These goals range from espionage and intellectual property theft to destructive attacks, state-sponsored financial theft, and disinformation campaigns.

Unfortunately, SMBs often lack adequate cyber security measures, making them vulnerable to all kinds of cyber threats. APT actors exploit this weakness by targeting SMBs as a stepping stone towards achieving their larger goals.

Alongside phishing campaigns, it was identified that APTs are increasingly targeting regional outsourced IT providers/Managed Service Providers (MSPs) to mount supply chain attacks. By compromising regional MSPs within geographies that align with the strategic collection requirements of APT actors, threat actors can gain access to multiple SMBs to extract sensitive information or execute further attacks.

https://www.helpnetsecurity.com/2023/05/31/apt-targeting-smbs/

  • Phishing Campaigns Thrive as Evasive Tactics Outsmart Conventional Detection

According to research, 2022 saw a 25% increase in the use of phishing kits. These phishing kits are a set of tools that enable cyber criminals to effortlessly create and maintain large scale sophisticated phishing campaigns. It is this sophistication that allows cyber criminals to circumnavigate conventional detections; in fact, the research found a 40% increase in the use of anti-bot technologies designed to prevent automated scanners from identifying content as phishing.

In some cases (11% of observed phishing kits) malicious links would not be detected when tested by anti-phishing controls because those controls do not use the exact device parameters, geolocation and referrer of the intended target victim’s profile; therefore the malicious link is allowed to be delivered to the intended target.

https://www.helpnetsecurity.com/2023/06/01/advanced-detection-evasion-techniques/

  • Don't be Polite When you Get a Text from a Wrong Number

You should immediately be suspicious of any text you get from a number not in your contacts, even if it may be innocent looking. Your first reaction may be to be polite and let them know they have the wrong number, but this person is a stranger. Strangely, despite teaching our children not to talk to strangers, many are comfortable with divulging information to them. Although letting them know they made a mistake seems harmless, responding opens you up to being scammed and you’ve just let them know you’re a real person. Every bit of helpful information you provide has the potential to be leveraged by an attacker.

https://www.kens5.com/article/money/consumer/wrong-number-text-messages/273-c94cd68b-6117-4add-bf16-e010f7e16726

  • Capita Cyber Attack: 90 Downstream Organisations Reported Data Breaches

90 organisations have reported breaches of personal information held by Capita after the outsourcing group had suffered a cyber attack, according to Britain’s data watchdog. The attack on Capita, which occurred in March, is still impacting businesses, with the UK Information Commissioners Office (ICO) making enquiries. Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach.

The impact of the attack, and its knock-on effect, highlights the need for organisations to consider their third party security, no matter the size of the third party they use.

https://www.theguardian.com/business/2023/may/30/capita-cyber-attack-data-breaches-ico

  • Travel-Themed Phishing, BEC Campaigns Get Smarter as Summer Season Arrives

A recent survey from McAfee found that nearly a third (30%) of adults have fallen victim or know someone who has fallen victim to an online scam when bargain hunting for travel deals during the summer season, with a full two-thirds of victims losing up to $1,000.

This has extended to the corporate environment, with threat actors impersonating the HR department and exploiting the trust users place in their employers, a report has found. The attack leverages regular HR procedures associated with holiday requests and taps into the anticipation and excitement surrounding the summer travel season, to capitalise on exploiting the user.

https://www.darkreading.com/endpoint/travel-themed-phishing-bec-campaigns-smarter-summer-season

  • Organisations Spend 100 Hours Battling Post-Delivery Email Threats

Nearly every victim of a spear-phishing attack in the last 12 months saw impacts on their organisation, including malware infections, stolen data, and reputational damage, according to Barracuda Networks. The research shows that cyber criminals continue to barrage organisations with targeted email attacks, and many companies are struggling to keep up.

While spear-phishing attacks are low-volume, they are widespread and highly successful compared to other types of email attacks. On average, organisations take nearly 100 hours to identify, respond to, and remediate a post-deliver email threat: 43 hours to detect the attack and 56 hours to respond and remediate after the attack is detected.

Users at companies with more than a 50% remote workforce report higher levels of suspicious emails: 12 per day on average, compared to 9 per day for those with less than a 50% remote workforce. Companies with more than a 50% remote workforce also reported that it takes longer to both detect and respond to email security incidents: 55 hours to detect and 63 hours to respond and mitigate, compared to an average of 36 hours and 51 hours respectively for organisations with fewer remote workers.

https://www.helpnetsecurity.com/2023/05/30/2023-spear-phishing-trends/

  • Ransomware Gangs Adopting Business-like Practices to Boost Profits

Ransomware gangs are using a variety of business-like practices to boost profits, making it more difficult for defenders to differentiate various groups, a new report by WithSecure has surmised. This move towards mirroring legitimate businesses practices means that tactics, techniques and procedures (TTPs) are blurring.

The underground marketplace now includes entities including ransomware-as-a-service (RaaS) groups, Initial Access Brokers (IAB), crypter-as-a-service (CaaS), cryptojackers, malware-as-a-service (MaaS) groups and nation-state actors. This allows nation-states to use tools available on the underground market to gain access to networks and systems without being detected. Ultimately, this trend towards professionalisation makes the expertise and resources to attack organisations accessible to lesser-skilled or poorly resourced threat actors.

https://www.infosecurity-magazine.com/news/ransomware-gangs-business-practices/

  • The Sobering Truth about Ransomware—for the 80% Who Paid Up

Newly published research of 1,200 organisations impacted by ransomware reveals a sobering truth that awaits many of those who decide to pay the ransom. According to research, 80% of the organisations surveyed decided to pay the demanded ransom in order to both end the ongoing cyber attack and recover otherwise lost data. This is despite 41% of those organisations having a “do not pay” policy in place, which only goes to reinforce the cold hard fact that cyber crime isn’t an easy landscape to navigate. This is something that’s especially true when your business is facing the real-world impact of dealing with a ransomware attack.

Of the 960 organisations that paid a ransom, 201 of them (21%) were still unable to recover their lost data. The same number also reported that ransomware attacks were now excluded from their insurance policies. Of those organisations with cyber insurance cover, 74% reported a rise in premiums. Another report, published by Sophos, revealed that 32% of those surveyed opted to pay the ransom but a shocking 92% failed to recover all their data and 29% were unable to recover more than half of the encrypted data.

Some groups have switched to stealing sensitive customer or corporate data instead, with the ransom demanded in return for them not selling it to the highest bidder or publishing it online. Many groups combine the two for a double extortion ransomware attack.

https://www.forbes.com/sites/daveywinder/2023/05/30/the-sobering-truth-about-ransomware-for-the-80-percent-who-paid-up 

  • The Great CISO Resignation: Why Security Leaders are Quitting in Droves

With the rise in AI tools such as ChatGPT broadening an attacker’s arsenal, this places greater and greater pressure on security leaders who are already dealing with shrinking budgets, skeleton crew staff and a conglomeration of security tools and protocols — so much so that they are increasingly quitting. A recent report found that nearly a third (32%) of CISOs in the US and UK were considering leaving their current organisation and 9 out of 10 reported themselves as “moderately” or “tremendously” stressed.

This so-called Great CISO Resignation is concerning, because what happens when there’s nobody guarding the gate and rallying the troops?

https://www.sdxcentral.com/articles/analysis/the-great-ciso-resignation-why-security-leaders-are-quitting-in-droves/2023/05/

  • When is it Time for a Cyber Hygiene Audit?

Effective cyber hygiene practices limit threats against your systems, devices and users, preventing breaches that could compromise sensitive business information, database information, and personal data. But cyber hygiene isn’t a static or one-off process. It requires routine execution and, occasionally, a full audit. This audit typically covers a range of aspects including encryption, documentation, authentication, patches, security and ongoing cyber hygiene.

Good cyber hygiene is a necessary part of maintaining IT security. Setting up processes and procedures within your organisation’s regular operating procedures is an effective way to maintain cyber hygiene. Although the responsibilities may differ by position, everyone in the organisation plays a role.

An audit provides important information on where and where you need to improve. It also provides a baseline for measuring improvement and effectiveness. The key to success is to integrate hygiene into routine process starting top down from policies into every part of the business and making use of third party experts to help aid in the process.

https://www.trendmicro.com/en_us/devops/23/e/cyber-hygiene-audit-best-practices.html

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Artificial Intelligence

2FA/MFA

Malware

Mobile

Botnets

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

AML/CFT/Sanctions

Insurance

Dark Web

Supply Chain and Third Parties

Software Supply Chain

Cloud/SaaS

Hybrid/Remote Working

Shadow IT

Identity and Access Management

Encryption

API

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Malvertising

Training, Education and Awareness

Travel

Parental Controls and Child Safety

Regulations, Fines and Legislation

Models, Frameworks and Standards

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Misinformation, Disinformation and Propaganda

Vulnerability Management

Vulnerabilities

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More