Black Arrow Cyber Threat Briefing 20 November 2020
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities and cyber related news from the last week.
Top Cyber Headlines of the Week
Cyber crime is 'a constant threat' to SMEs
Criminals are diversifying and growing more dangerous, while SMEs remain complacent and mostly oblivious to the threats.
With a quarter of small and medium-sized enterprises (SME) falling victim to a cyberattack in the last 12 months, the threat towards these organizations is constant. This is according to a new report from Direct Line – Business, which claims that businesses aren't doing all they can to stay safe.
The report states that, if a cyber attack were to occur, many organisations would find themselves in a seriously dangerous position given they hold less than $13,000 in cash reserves. Besides financial damage, many should also expect damaged client and customer relationships due to eroded trust.
With cybercriminals diversifying into different methods of attack, SMEs need to stay vigilant on multiple fronts. Phishing is still the most popular weapon for criminals, the report states, but malware and ransomware, as well as DDoS attacks, are also notable mentions.
https://www.itproportal.com/features/cybercrime-is-a-constant-threat-to-smes/
The most common passwords of 2020 are atrocious
Bottom line: Choosing secure passwords has never been humanity’s strong suit and let’s face it, it’s never going to be. People simply have too many accounts to protect these days, leading to poor practices such as simplifying passwords to make them easier to remember and reusing the same password across multiple accounts.
https://www.techspot.com/news/87657-most-common-passwords-2020-atrocious.html#Share
Why ransomware is still so successful: Over a quarter of victims pay the ransom
Over a quarter of organisations that fall victim to ransomware attacks opt to pay the ransom as they feel as if they have no other option than to give into the demands of cyber criminals – and the average ransom amount is now more than $1 million.
Cyber crime is maturing. Here are 6 ways organisations can keep up
In 2020, the world has experienced many challenges. Among them, hastened digitalisation has brought new opportunities but also new risks. According to the World Economic Forum Global Risks Report 2020, cyber attacks rank first among global human-caused risks and RiskIQ predicts that by 2021 cyber crime will cost the world $11.4 million each minute.
https://www.weforum.org/agenda/2020/11/how-to-protect-companies-from-cybercrime/
Ransomware-as-a-service: The pandemic within a pandemic
Ransomware is a massive problem. But you already knew that.
Technical novices, along with seasoned cyber security professionals, have witnessed over the past year a slew of ransomware events that have devastated enterprises around the world. Even those outside of cyber security are now familiar with the concept: criminals behind a keyboard have found a way into an organization’s system, prevented anyone from actually using it by locking it up, and won’t let anyone resume normal activity until the organization pays a hefty fee.
https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
CISOs say a distributed workforce has critically increased security concerns
73% of security and IT executives are concerned about new vulnerabilities and risks introduced by the distributed workforce, Skybox Security reveals.
The report also uncovered an alarming disconnect between confidence in security posture and increased cyberattacks during the global pandemic.
https://www.helpnetsecurity.com/2020/11/18/distributed-workforce-security/
Threats
Ransomware
Capcom confirms Ragnar Locker ransomware attack, data exposure
Capcom has confirmed that a recent security incident was due to a Ragnar Locker ransomware infection, potentially leading to the exposure of customer records.
This week, the Japanese gaming giant confirmed that the company had fallen prey to "customized ransomware" which gave attackers unauthorised access to its network -- as well as the data stored on Capcom Group systems.
Ransomware attack forces web hosting provider Managed.com to take servers offline
One of the biggest providers of managed web hosting solutions, has taken down all its servers in order to deal with a ransomware attack.
The ransomware impacted the company's public facing web hosting systems, resulting in some customer sites having their data encrypted.
The incident only impacted a limited number of customer sites, which the company said it immediately took offline.
https://www.zdnet.com/article/web-hosting-provider-managed-shuts-down-after-ransomware-attack/
Phishing
Office 365 phishing campaign detects sandboxes to evade detection
Microsoft is tracking an ongoing Office 365 phishing campaign that makes use of several methods to evade automated analysis in attacks against enterprise targets.
"We’re tracking an active credential phishing attack targeting enterprises that uses multiple sophisticated methods for defence evasion and social engineering," Microsoft said.
"The campaign uses timely lures relevant to remote work, like password updates, conferencing info, helpdesk tickets, etc."
Malware
Adult site users targeted with ZLoader malware via fake Java update
A malware campaign ongoing since the beginning of the year has recently changed tactics, switching from exploit kits to social engineering to target adult content consumers.
The operators use an old trick to distribute a variant of ZLoader, a banking trojan that made a comeback earlier this year after an absence of almost two years, now used as an info stealer.
Lazarus malware strikes South Korean supply chains
Lazarus malware has been tracked in new campaigns against South Korean supply chains, made possible through stolen security certificates.
Cyber security researchers reported the abuse of the certificates, stolen from two separate, legitimate South Korean companies.
https://www.zdnet.com/article/lazarus-malware-strikes-south-korean-supply-chains/
Malware activity spikes 128%, Office document phishing skyrockets
The report demonstrates threat actors becoming even more ruthless. Throughout Q3, hackers shifted focus from home networks to overburdened public entities, including the education sector and the Election Assistance Commission (EAC). Malware campaigns, like Emotet, utilized these events as phishing lure themes to assist in delivery.
https://www.helpnetsecurity.com/2020/11/13/malware-activity-q3-2020/
Cloud
Attackers can abuse a misconfigured IAM role across 16 Amazon services
Researchers at Palo Alto’s Unit 42 have confirmed that they have compromised a customer’s AWS cloud account with thousands of workloads using a misconfigured identity and access management (IAM) role.
Vulnerabilities
More than 245,000 Windows systems still remain vulnerable to BlueKeep RDP bug
A year and a half after Microsoft disclosed the BlueKeep vulnerability impacting the Windows RDP service, more than 245,000 Windows systems still remain unpatched and vulnerable to attacks.
The number represents around 25% of the 950,000 systems that were initially discovered to be vulnerable to BlueKeep attacks during a first scan in May 2019.
Windows Kerberos authentication breaks due to security updates
Microsoft is investigating a new known issue causing enterprise domain controllers to experience Kerberos authentication problems after installing security updates released to address CVE-2020-17049 during this month's Patch Tuesday, on November 10.
Cisco Patches Critical Flaw After PoC Exploit Code Release
A critical path-traversal flaw exists in Cisco Security Manager that lays bare sensitive information to remote, unauthenticated attackers.
A day after proof-of-concept (PoC) exploit code was published for a critical flaw in Cisco Security Manager, Cisco has hurried out a patch.
https://threatpost.com/critical-cisco-flaw-sensitive-data/161305/
Widespread Scans Underway for RCE Bugs in WordPress Websites
WordPress websites using buggy Epsilon Framework themes are being hunted by hackers.
Millions of malicious scans are rolling across the internet, looking for known vulnerabilities in the Epsilon Framework for building WordPress themes, according to researchers.
According to the Wordfence Threat Intelligence team, more than 7.5 million probes targeting these vulnerabilities have been observed, against more than 1.5 million WordPress sites, just since Tuesday.
https://threatpost.com/widespread-scans-rce-bugs-wordpress-websites/161374/
Webex fixed some seriously spooky security flaws
Cisco has patched several troubling security vulnerabilities in its Webex video conferencing service.
The flaws in the video conferencing software were flagged. Researchers took a deeper look at the collaboration tools being used for day-to-day work to better understand how they could impact sensitive meetings now being held virtually. During its investigation, the company's security researchers discovered three vulnerabilities in Webex.
https://www.techradar.com/news/cisco-webex-had-some-very-spooky-security-flaws
Data Breaches
Animal Jam was hacked, and data stolen; here’s what parents need to know
WildWorks, the gaming company that makes the popular kids game Animal Jam, has confirmed a data breach.
Animal Jam is one of the most popular games for kids, ranking in the top five games in the 9-11 age category in Apple’s App Store in the U.S., according to data provided by App Annie. But while no data breach is ever good news, WildWorks has been more forthcoming about the incident than most companies would be, making it easier for parents to protect both their information and their kids’ data.
https://techcrunch.com/2020/11/16/animal-jam-data-breach/
Crown Prosecution Service guilty of ‘serious’ data breaches
Prosecutors are routinely guilty of “serious” data breaches that can endanger the public by disclosing addresses of people who report crimes, a watchdog has revealed.
Independent assessors of the Crown Prosecution Service found that prosecutors in England and Wales were responsible for “a significant number of data security breaches”.
Privacy
MacOS Big Sur reveals Apple secretly hates your VPN and firewall
If you're using a Mac VPN and recently updated your device to Big Sur, your privacy may be at risk as it was discovered that Apple apps are able to bypass both firewalls and VPN services in the company's latest version of macOS.
Twitter user mxswd first spotted the issue back in October and provided more details in a tweet which reads: “Some Apple apps bypass some network extensions and VPN Apps. Maps for example can directly access the internet bypassing any NEFilterDataProvider or NEAppProxyProviders you have running”.
https://www.techradar.com/uk/news/macos-big-sur-reveals-apple-secretly-hates-your-vpn-and-firewall
Server failure unearths massive macOS tracking plans
More serious doubts have been raised about Apple's snooping tactics following fresh revelations about the company's macOS software. We’ve already reported how apps in the latest release of macOS can bypass firewalls and VPNs and how the release was bricking some older MacBook Pro machines.
https://www.techradar.com/news/server-failure-unearths-massive-macos-tracking-plans
Employee surveillance software demand increased as workers transitioned to home working
As people hunkered down to work from home during COVID-19, companies turned to employee surveillance software to track their staff.
What does the rise of intrusive tools such as employee surveillance software mean for workers at home?
A new study shows that the demand for employee surveillance software was up 55% in June 2020 compared to the pre-pandemic average. From webcam access to random screenshot monitoring, these surveillance software products can record almost everything an employee does on their computer.
Los Angeles police ban facial recognition software and launch review after officers accused of unauthorized use
The Los Angeles police department (LAPD) has banned commercial facial recognition software and launched a review after 25 officers were accused of using it unofficially to try to identify people.
https://www.theregister.com/2020/11/19/lapd_facial_recogntion/
Nation State Actors
More than 200 systems infected by new Chinese APT 'FunnyDream'
A new Chinese state-sponsored hacking group (also known as an APT) has infected more than 200 systems across Southeast Asia with malware over the past two years.
The malware infections are part of a widespread cyber-espionage campaign carried out by a group named FunnyDream, according to a new report published today by security firm Bitdefender.
The attacks have primarily targeted Southeast Asian governments. While Bitdefender has not named any victim countries, a report published earlier this spring by fellow security firm Kaspersky Lab has identified FunnyDream targets in Malaysia, Taiwan, and the Philippines, with the most victims being located in Vietnam.
https://www.zdnet.com/article/more-than-200-systems-infected-by-new-chinese-apt-funnydream/
Massive, China-state-funded hack hits companies around the world, report says
Attacks are linked to Cicada, a group believed to be funded by the Chinese state.
Researchers have uncovered a massive hacking campaign that’s using sophisticated tools and techniques to compromise the networks of companies around the world.
The hackers, most likely from a well-known group that’s funded by the Chinese government, are outfitted with both off-the-shelf and custom-made tools. One such tool exploits Zerologon, the name given to a Windows server vulnerability, patched in August, that can give attackers instant administrator privileges on vulnerable systems.
Other News
Hackers are leaning more heavily on cloud resources
Underground cloud services may seem like an oxymoron, but they are quite real, and criminals are using them to speed up attacks and leave very little room for compromised businesses to react.
This is according to a new report from cybersecurity firm Trend Micro, which found terabytes of internal business data and logins - including for Google, Amazon and PayPal - for sale on the dark web.
https://www.itproportal.com/news/hackers-are-leaning-more-heavily-on-cloud-resources/
CEOs Will Be Personally Liable for Cyber-Physical Security Incidents by 2024
Digital attack attempts in industrial environments are on the rise. In February 2020, IBM X-Force reported that it had observed a 2,000% increase in the attempts by threat actors to target Industrial Control Systems (ICS) and Operational Technology (OT) assets between 2018 and 2020. This surge eclipsed the total number of attacks against organizations’ industrial environments that had occurred over the previous three years combined.
Reports Published in the Last Week
Sophos 2021 Threat Report: Navigating cybersecurity in an uncertain world
https://nakedsecurity.sophos.com/2020/11/18/sophos-threat-report-2021/
Verizon Releases First Cyber-Espionage Report
https://www.infosecurity-magazine.com/news/verizon-releases-first-cyber/
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.