Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Employees Think They’re Safe From Cyber Threats On Company Devices

A research launched by Menlo Security reveals increased cyber security risks posed to employees and organisations during the 2021 holiday shopping season.

The research – which surveyed 2,000 employed people in the United States and the United Kingdom – found that while employees are concerned about threats and are taking some measures to mitigate them, they often have false confidence in their security posture.

There are now more threats to corporate devices and networks than ever as hybrid work models blur the boundaries between work and home. More than half of respondents (56% US; 53% UK) reported performing non-work-related tasks – such as online shopping – on company devices.

Furthermore, the survey found that 65% of people in the US (63% UK) are doing more online holiday shopping in 2021 compared to previous years, and nearly half of respondents (48% US; 45% UK), reported shopping for gifts this holiday season on a work-issued device such as a laptop or mobile phone.

Workers are also noticing a rise in cyber threats this holiday season, with 58% of respondents in the US (48% UK) observing an increase in scams and fraudulent messages, exemplifying that threats are rampant worldwide. This is worrying many people, as the vast majority of respondents (80% US & UK) report being somewhat to very concerned about their personal data being stolen while online shopping.

However, despite workers’ recognition and concern of cyber threats, 60% of people (65% UK) still believe they’re secure from cyberthreats if they’re using a company device.

https://www.helpnetsecurity.com/2021/12/14/employees-cybersecurity-risks/

Internet Is Scrambling To Fix Log4shell, The Worst Hack In History

Massive data breaches have become so common that we’ve gotten numb to reports detailing another hack or 0-day exploit. That doesn’t reduce the risk of such events happening, as the cat-and-mouse game between security experts and hackers continues. As some vulnerabilities get fixed, others pop up requiring attention from product and service providers. The newest one has a name that will not mean anything to most people. They call the hack Log4Shell in security briefings, which doesn’t sound very scary. But the new 0-day attack is so significant that some people see it as the worst internet hack in history.

Malicious individuals are already exploiting the Log4Shell attack, which allows them to get into computer systems and servers without a password. Security experts have seen Log4Shell in action in Minecraft, the popular game that Microsoft owns. A few lines of text passed around in a chat might be enough to penetrate the defences of a target computer. The same ease of access would allow hackers to go after any computer out there using the Log4J open-sourced java-based logging utility.

https://bgr.com/tech/internet-is-scrambling-to-fix-log4shell-the-worst-hack-in-history/

Apache Log4j Flaw: A Fukushima Moment for the Cyber Security Industry

Organisations around the world will be dealing with the long-tail consequences of this vulnerability, known as Log4Shell, for years to come.

The discovery of a critical flaw in the Apache Log4j software is nothing short of a Fukushima moment for the cybersecurity industry.

Ten years ago, an earthquake and subsequent tidal wave triggered the meltdown of the Fukushima nuclear power plant that continues to plague the region today. Similarly, the early exploitation of Log4j, during which attackers will go after the low-hanging fruit exposed by the vulnerability, will evolve over time to take the form of more complex attacks on more sensitive systems that have less exposure to the internet. And, just as Fukushima brought to light significant issues with longstanding processes in place at the plant, so too does the Log4j vulnerability, known as Log4Shell, highlight two crucial practices of concern:

·       How organisations capture and protect their massive troves of log data; and

·       The use of open-source code libraries as the building blocks for major enterprise applications.

The paradox of Log4j: the more you log, the worse it gets

We’re discovering new apps every minute which use Log4j in one way or another. It affects not only the code you build, but also the third-party systems you have in place. Everything from the new printer you’ve bought for the office to the ticketing system you’ve just deployed is potentially affected by this flaw. Some affected systems may be on premises, others may be hosted in the cloud but no matter where they are, the flaw is likely to have an impact.

https://www.theregister.com/2021/12/17/vmware_criticial_uem_flaw/

60% of UK Workers Have Been Victim of a Cyber-Attack, Yet Awareness Remains Low

There is a “dangerous” lack of awareness among UK workers towards cybersecurity, leaving businesses at risk of attacks, according to a new study by Armis. This is despite 60% of workers admitting they have fallen victim to a cyber-attack.

The nationwide survey of 2000 UK employees found that only around a quarter (27%) are aware of the associated cyber risks, while one in 10 (11%) don’t worry about them at all.

Even more worryingly, just one in five people said they paid for online security, putting businesses at high risk of attacks amid the shift to remote working during COVID-19.

The most prevalent types of attacks experienced by workers or their organisations were phishing (27%), data breaches (23%) and malware (20%).

The study also revealed growing concerns about the scale of the cyber-threats facing the UK. A large-scale cyber-attack was ranked as the fourth biggest future concern (21%) among the respondents, equal to the UK going to war. Two-fifths (40%) said they would like to see a minister for cyber security installed to ensure the issue is focused on more at a government level.

Russian-backed cyber-criminals were considered the biggest threat to the UK’s cybersecurity (20%) by the respondents, followed by financially motivated cyber-criminals (17%) and Chinese-backed cyber-criminals (16%).

https://www.infosecurity-magazine.com/news/uk-workers-victim-cyber-attack/

Ransomware in 2022: We're All Screwed

Ransomware is now a primary threat for businesses, and with the past year or so considered the "golden era" for operators, cybersecurity experts believe this criminal enterprise will reach new heights in the future.

Kronos. Colonial Pipeline. JBS. Kaseya. These are only a handful of 2021's high-profile victims of threat groups including DarkSide, REvil, and BlackMatter.

According to Kela's analysis of dark web forum activity, the "perfect" prospective ransomware victim in the US will have a minimum annual revenue of $100 million and preferred access purchases include domain admin rights, as well as entry into Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services.

Over the past few years, we've seen ransomware operators evolve from disorganised splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains.

Ransomware infection is no longer an end goal of a cyberattack. Instead, malware families in this arena -- including WannaCry, NotPetya, Ryuk, Cerber, and Cryptolocker -- can be one component of attacks designed to elicit a blackmail payment from a victim organisation.

https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/

Attacks on UK Firms Increase Five-Fold During Pandemic

Attacks on UK firms surged five-fold during the pandemic and now cost way more than the global average, according to Accenture.

The global consultancy polled 500 UK executives to compile its State of Cybersecurity Resilience 2021 study.

It found that large organisations experienced 885 attempted cyber-attacks in 2020 – up from 156 the previous year and more than triple the global average of 270.

They’re also more expensive than elsewhere. Accenture calculated that incidents and breaches cost over £1.3m a year – £350,000 more than the global average.

Over 80% of respondents said the cost of staying ahead of cyber-criminals is unsustainable, a fifth more than the previous year, and a quarter said they’ve been forced to increase cybersecurity budgets by 10% or more.

Worryingly, supply chain attacks accounted for 64% of breaches in the UK last year, up by a quarter (26%) from the previous year.

https://www.infosecurity-magazine.com/news/attacks-on-uk-firms-increase/

The Log4J Software Flaw Is ‘Christmas Come Early’ for Cyber Criminals

Researchers have just identified a security flaw in a software program called Log4J, widely used by a host of private, commercial and government entities to record details ranging from usernames and passwords to credit card transactions. Since the glitch was found last weekend, the cybersecurity community has been scrambling to protect applications, services, infrastructure and even Internet of Things devices from criminals—who are already taking advantage of the vulnerability.

“For cybercriminals this is Christmas come early, because the sky’s the limit,” says Theresa Payton, a former White House chief information officer and the CEO of Fortalice Solutions, a cybersecurity consulting company. “They’re really only limited by their imagination, their technical know-how and their own ability to exploit this flaw.” Payton spoke with Scientific American about what Log4J does, how criminals can use its newly discovered weakness, and what it will take to repair the problem.

https://www.scientificamerican.com/article/the-log4j-software-flaw-is-christmas-come-early-for-cybercriminals/

Why Cloud Storage Isn't Immune to Ransomware

Ransomware is the flavour of the month for cybercriminals. The FBI reports that ransomware attacks rose 20% and losses almost tripled in 2020. And our increased use of the cloud may have played a part in that spike. A survey of CISOs conducted by IDC earlier this year found that 98% of their companies suffered at least one cloud data breach in the previous 18 months as opposed to 79% last year, and numbers got worse the more exposure they had to the cloud.

Organisations now use hundreds of cloud-based apps, which adds thousands of new identities logging in to their systems. This opens almost unlimited possibilities for hackers. Even if cloud vendors have their own identity and access management controls, vulnerabilities will emerge. In fact, recent research into cloud security found that over 70% of organisations had machines open to the public that were linked to identities whose permissions were vulnerable, under the right conditions, to being exploited to launch ransomware attacks.

A number of reasons could explain why security falls through the cracks of many cloud systems, and leaves them more vulnerable to ransomware attacks.

https://www.darkreading.com/attacks-breaches/why-cloud-storage-isn-t-immune-to-ransomware

400 Banks’ Customers Targeted with Anubis Trojan

Customers of Chase, Wells Fargo, Bank of America and Capital One, along with nearly 400 other financial institutions, are being targeted by a malicious app disguised to look like the official account management platform for French telecom company Orange S.A.

Researchers say this is just the beginning.

Once downloaded, the malware – a variant of banking trojan Anubis – steals the user’s personal data to rip them off, researchers at Lookout warned in a new report. And it’s not just customers of big banks at risk, the researchers added: Virtual payment platforms and crypto wallets are also being targeted.

“As a banking trojan malware, Anubis’ goal is to collect significant data about the victim from their mobile device for financial gain,” the Lookout report said. “This is done by intercepting SMSs, keylogging, file exfiltration, screen monitoring, GPS data collection and abuse of the device’s accessibility services.”

https://threatpost.com/400-banks-targeted-anubis-trojan/177038/

Sites Hacked With Credit Card Stealers Undetected For Months

Threat actors are gearing up for the holidays with credit card skimming attacks remaining undetected for months as payment information is stolen from customers.

Magecart skimming is an attack that involves the injection of malicious JavaScript code on a target website, which runs when the visitor is at the checkout page.

The code can steal payment details such as credit card number, holder name, addresses, and CVV, and send them to the actor.

Threat actors may then use this information for purchasing goods online or sold to other actors on underground forums and dark web marketplaces known as "carding" sites.

https://www.bleepingcomputer.com/news/security/sites-hacked-with-credit-card-stealers-undetected-for-months/

Threats

Ransomware

• Why Ransomware Attacks Happen Out Of Hours Or During The Holidays • The Register

• Conti Ransomware Gang Exploits Log4Shell Bug In Its Operations - Security Affairs

• Hackers Exploit Log4j Vulnerability to Infect Computers with Khonsari Ransomware (thehackernews.com)

• HR Management Firm Kronos Needs Weeks to Recover From Ransomware Attack | SecurityWeek.Com

• Ransomware Affiliate Arrested In Romania - The Record By Recorded Future

• Police Arrests Ransomware Affiliate Behind High-Profile Attacks (Bleepingcomputer.Com)

• All Change at the Top as New Ransomware Groups Emerge - Infosecurity Magazine

• Hive Ransomware Enters Big League With Hundreds Breached In Four Months (Bleepingcomputer.Com)

• Ransomware Suspect Arrested Over Attacks On 'High-Profile' Organisations | Zdnet

• The FBI Believes The HelloKitty Ransomware Gang Operates Out Of Ukraine - The Record By Recorded Future

BEC – Business Email Compromise

• Logistics Giant Warns of BEC Emails Following Ransomware Attack (bleepingcomputer.com)

Phishing

• How A Phishing Campaign Is Able To Exploit Microsoft Outlook - Techrepublic

• Phishing Campaign Uses PowerPoint Macros To Drop Agent Tesla (Bleepingcomputer.Com)

• New Microsoft Exchange Credential Stealing Malware Could Be Worse Than Phishing - TechRepublic

Other Social Engineering

• How to Guard Against Smishing Attacks on Your Phone | WIRED

Malware

• Hackers Start Pushing Malware In Worldwide Log4shell Attacks (Bleepingcomputer.Com)

• Hackers’ Log4Shell Malware Attacks Shuts Down Thousands of Government Websites | Tech Times

• Log4Shell Is Spawning Even Nastier Mutations | Threatpost

• Hackers Using Malicious IIS Server Module to Steal Microsoft Exchange Credentials (thehackernews.com)

• A Practical and Detailed Look at Cobalt Strike Threat Actors - MSSP Alert

• New Fileless Malware Uses Windows Registry as Storage to Evade Detection (thehackernews.com)

• ‘DarkWatchman’ RAT Shows Evolution in Fileless Malware | Threatpost

• New PseudoManuscrypt Malware Infected Over 35,000 Computers in 2021 (thehackernews.com)

Mobile

• China: Man Lifts Sleeping Ex's Eyelids, Unlocks Phone, Steals $24k (insider.com)

• Malicious Joker App Scores Half-Million Downloads on Google Play | Threatpost

• Apple Patches 42 Security Flaws in Latest iOS Refresh | SecurityWeek.Com

• How to Figure Out If Your Phone Has Malware | PCMag

• How to Guard Against Smishing Attacks on Your Phone | WIRED

IoT

• Modern Cars: A Growing Bundle Of Security Vulnerabilities - Help Net Security

• Are Your Home Security Cameras Vulnerable To Hacking? - cnet

Data Breaches/Leaks

• Personal Details Of 80,000 South Australian Public Servants Stolen In Cyber-Attack | South Australia | The Guardian

• Oregon Medical Group Notifies 750,000 Patients Of Data Breach | Zdnet

Organised Crime & Criminal Actors

• Karakurt: A New Emerging Data Theft and Cyber Extortion Hacking Group (thehackernews.com)

Cryptocurrency/Cryptomining/Cryptojacking

• Log4j Attackers Switch To Injecting Monero Miners Via RMI (bleepingcomputer.com)

• Hackers Are Using the Blockchain to Make Bulletproof Botnets (gizmodo.com)

• Botnet Steals Half A Million Dollars In Cryptocurrency From Victims - Techrepublic

• Hackers Steal $140 Million From Users of Crypto Gaming Company (vice.com)

Insider Risk and Insider Threats

Fraud & Financial Crime

• “Sadistic” Online Extortionist Jailed for 32 Years - Infosecurity Magazine

• Experts: Public Should Freeze Credit Post-Breach - Infosecurity Magazine

Nation State Actors

• Wary Of Chinese Tech Prowess, British MI6 Says China Bigger Threat To UK Than Russia, Iran & Global Terrorism (eurasiantimes.com)

• China, Iran Among Those Exploiting Apache Cyber Vulnerability, Researchers Say (Yahoo.Com)

• Documents Link Huawei To Uyghur Surveillance Projects, Report Claims | Huawei | The Guardian

• Huawei Documents Show Chinese Tech Giant’s Involvement In Surveillance Programs - The Washington Post

• Russian Cyberspy Groups Start Exploiting Log4Shell Vulnerability | SecurityWeek.Com

Cloud

• Convergence Ahoy: Get Ready for Cloud-Based Ransomware | Threatpost

Privacy

• Adtech Vendors Still Tracking EU Users Who Deny Consent Via IAB’s TCF, Study Suggests | TechCrunch

Spyware and Espionage

• iPhone Hack: NSO Malware Builds A Computer Inside Your Phone To Steal Data | New Scientist

• Meta Acts Against 7 Entities Found Spying on 50,000 Users (darkreading.com)

• A New Spyware-For-Hire, Predator, Caught Hacking Phones Of Politicians And Journalists | Techcrunch

Vulnerabilities

• 4 Ways To Properly Mitigate The Log4j Vulnerabilities (And 4 To Skip) | CSO Online

• Hackers Begin Exploiting Second Log4j Vulnerability as a Third Flaw Emerges (thehackernews.com)

• New Local Attack Vector Expands the Attack Surface of Log4j Vulnerability (thehackernews.com)

• Patching Isn't Enough For December's Patch Tuesday | Computerworld

• Windows 10 Patch Tuesday (Kb5008212) Is Out — Here's What's New And What's Broken - Neowin

• Microsoft Issues Windows Update to Patch 0-Day Used to Spread Emotet Malware (thehackernews.com)

• Adobe Addresses Over 60 Vulnerabilities In Multiple Products - Security Affairs

• Hackers Launch More Than 1.2m Attacks Through Log4J Flaw | Financial Times (ft.com)

• Google Pushes Emergency Chrome Update To Fix Zero-Day Used In Attacks (Bleepingcomputer.Com)

• Over Log4j? VMware Has Another Critical Flaw For You To Fix - The Register

• CISA Urges VMware Admins To Patch Critical Flaw In Workspace ONE UEM (bleepingcomputer.com)

Sector Specific

SMBs – Small and Medium Businesses

What the Log4Shell Bug Means for SMBs: Experts Weigh In | Threatpost

Security Priorities Are Geared Toward Ongoing Remote And Hybrid Work - Help Net Security

Transport and Aviation

Nation State Threat Group Targets Airline with Aclip Backdoor (securityintelligence.com)

Other News

• Why Tech Companies Must Come Clean About The Latest Cyber Security Crisis | Fortune

• “Worst-Case Scenario” Exploit Travels the Globe - Infosecurity Magazine

• Log4j Hack Raises Serious Questions About Open-Source Software | Financial Times

• Why Log4j Mitigation Is Fraught With Challenges (darkreading.com)

• Security Flaws Found In A Popular Guest Wi-Fi System Used In Hundreds Of Hotels | TechCrunch

• Experts: Log4j Bug Could Be Exploited for “Years” - Infosecurity Magazine

• 2022: Supply-Chain Chronic Pain & SaaS Security Meltdowns | Threatpost

• Researchers Uncover New Coexistence Attacks On Wi-Fi and Bluetooth Chips (thehackernews.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.