Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

Cyber Criminals Shifting Focus: IT Sector Most Targeted In 2021

Darktrace reported that the IT and communications sector was globally the most targeted industry by cybercriminals in 2021.

Darktrace’s data is developed by ‘early indicator analysis’ that looks at the breadcrumbs of potential cyber-attacks at several stages before they are attributed to any particular actor and before they escalate into a full-blown crisis. Findings show that its artificial intelligence autonomously interrupted an average of 150,000 threats per week against the sector in 2021.

The IT and communications sector includes telecommunications providers, software developers, and managed security service providers, amongst others. There was also a growing trend of hackers targeting backup servers in an attempt to deliberately disable or corrupt backup files by deleting a single index file that would render all backups inaccessible. Attackers could then launch ransomware attacks against the clients of the backup vendor, preventing recovery and forcing payment.

In 2020, the most attacked industry was the financial and insurance sector, showing that cyber-criminals have shifted their focus over the last 12 months.

Over the last 12 months, it is clear that attackers are relentlessly trying to access the networks of trusted suppliers in the IT and communications sector. Quite simply, it is a better return on investment than, for example, going after one company in the financial services sector. SolarWinds and Kaseya are just two well-known and recent examples of this. Sadly, there is likely to be more in the near term.

The findings of this research mark one year since the compromise of US software company SolarWinds rattled the security industry. This landmark supply-chain attack made thousands of organisations vulnerable to infiltration by inserting malicious code into the Orion system. Over the last 12 months, there has been a continued spate of attacks against the IT and communications sector, including the high-profile attacks on Kaseya and Gitlab.

https://www.helpnetsecurity.com/2021/12/22/cybercriminals-it-sector/

New Ransomware Variants Flourish Amid Law Enforcement Actions

Ransomware groups continue to evolve their tactics and techniques to deploy file-encrypting malware on compromised systems, notwithstanding law enforcement's disruptive actions against the cyber crime gangs to prevent them from victimizing additional companies.

"Be it due to law enforcement, infighting amongst groups or people abandoning variants altogether, the RaaS [ransomware-as-a-service] groups dominating the ecosystem at this point in time are completely different than just a few months ago," Intel 471 researchers said in a report published this month. "Yet, even with the shift in the variants, ransomware incidents as a whole are still on the rise."

Sweeping law enforcement operations undertaken by government agencies in recent months have brought about rapid shifts in the RaaS landscape and turned the tables on ransomware syndicates like Avaddon, BlackMatter, Cl0p, DarkSide, Egregor, and REvil, forcing the actors to slow down or shut down their businesses altogether.

https://thehackernews.com/2021/12/new-ransomware-variants-flourish-amid.html

93% of Tested Networks Vulnerable to Breach, Pen Testers Find

Data from dozens of penetration tests and security assessments suggest nearly every organisation can be infiltrated by cyber attackers.

The vast majority of businesses can be compromised within a month by a motivated attacker using common techniques, such as compromising credential, exploiting known vulnerabilities in software and Web applications, or taking advantage of configuration flaws, according to an analysis of security assessments by Positive Technologies.

In 93% of cases, an external attacker could breach a target company's network and gain access to local devices and systems, the company's security service professionals found. In 71% of cases, the attacker could affect the businesses in a way deemed "unacceptable." For example, every bank tested by the security firm could be attacked in a way that disrupted business processes and reduced the quality of their service.

https://www.darkreading.com/attacks-breaches/93-of-tested-networks-vulnerable-to-breach-pentesters-find

Dridex Malware Trolls Employees With Fake Job Termination Emails

A new Dridex malware phishing campaign is using fake employee termination emails as a lure to open a malicious Excel document, which then trolls the victim with a season's greeting message.

Dridex is a banking malware spread through malicious emails that was initially developed to steal online banking credentials. Over time, the developers evolved the malware to use different modules that provide additional malicious behaviour, such as installing other malware payloads, providing remote access to threat actors, or spreading to other devices on the network.

This malware was created by a hacking group known as Evil Corp, which is behind various ransomware operations, such as BitPaymer, DoppelPaymer, WastedLocker variants, and Grief. Due to this, Dridex infections are known to lead to ransomware attacks on compromised networks.

https://www.bleepingcomputer.com/news/security/dridex-malware-trolls-employees-with-fake-job-termination-emails/

More Than 35,000 Java Packages Impacted By Log4j Flaw, Google Warns

The Google Open Source Team scanned the Maven Central Java package repository and found that 35,863 packages (8% of the total) were using versions of the Apache Log4j library vulnerable to Log4Shell exploit and to the CVE-2021-45046 RCE.

“More than 35,000 Java packages, amounting to over 8% of the Maven Central repository (the most significant Java package repository), have been impacted by the recently disclosed log4j vulnerabilities (1, 2), with widespread fallout across the software industry.” reads the report published by Google. “As far as ecosystem impact goes, 8% is enormous.”

The Google experts used the Open Source Insights, a project used to determine open source dependencies, to assess all versions of all artifacts in the Maven Central Repository.

The experts pointed out that the direct dependencies account for around 7,000 of the affected packages. Most of the affected artifacts are related to indirect dependencies.

Since the vulnerability was disclosed, 13% of all vulnerable packages have been fixed (4,620).

https://securityaffairs.co/wordpress/125845/security/log4j-java-packages-flaws.html

Log4j Flaw: Attackers Are 'Actively Scanning Networks' Warns New Guidance, Joint Advisory from Cyber Agencies in US, Australia, Canada, New Zealand and the United Kingdom

A new informational Log4J advisory has been issued by cybersecurity leaders from the US, Australia, Canada, New Zealand and the United Kingdom. The guide includes technical details, mitigations and resources to address known vulnerabilities in the Apache Log4j software library.

The project is a joint effort by the US' Cybersecurity and Infrastructure Security Agency (CISA), FBI and NSA, as well as the Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Computer Emergency Response Team New Zealand (CERT NZ), New Zealand National Cyber Secure Centre (NZ NCSC), and the United Kingdom's National Cyber Security Centre (NCSC-UK).

The organisations said they issued the advisory in response to "active, worldwide exploitation by numerous threat actors, including malicious cyber threat actors." Numerous groups from North Korea, Iran, Turkey and China have been seen exploiting the vulnerability alongside a slate of ransomware groups and cybercriminal organisations.

https://www.zdnet.com/article/cisa-cybersecurity-centers-from-australia-nz-uk-and-canada-release-log4j-advisory/

Conti Ransomware Gang Has Full Log4Shell Attack Chain

The Conti gang was the first professional-grade, sophisticated ransomware group to weaponise Log4j2, now with a full attack chain.

The Conti ransomware gang, which last week became the first professional crimeware outfit to adopt and weaponize the Log4Shell vulnerability, has now built up a holistic attack chain.

The sophisticated Russia-based Conti group – which Palo Alto Networks has called “one of the most ruthless” of dozens of ransomware groups currently known to be active – was in the right place at the right time with the right tools when Log4Shell hit the scene 10 days ago, security firm Advanced Intelligence (AdvIntel) said in a report shared with Threatpost on Thursday.

As of Monday the attack chain has taken the following form, AdvIntel’s Yelisey Boguslavskiy told Threatpost: Emotet -> Cobalt Strike -> Human Exploitation -> (no ADMIN$ share) -> Kerberoast -> vCenter ESXi with log4shell scan for vCenter.

https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/

Second Ransomware Family Exploiting Log4j Spotted In US, Europe

This was quickly followed by a second ransomware group when researchers found a second family of ransomware has been growing in usage for attack attempts that exploit the critical vulnerability in Apache Log4j, including in the US and Europe.

A number of researchers, including at cybersecurity giant Sophos, have now said they’ve observed the attempted deployment of a ransomware family known as TellYouThePass. Researchers have described TellYouThePass as an older and largely inactive ransomware family — which has been revived following the discovery of the vulnerability in the widely used Log4j logging software.

https://venturebeat.com/2021/12/21/second-ransomware-family-exploiting-log4j-spotted-in-u-s-europe/

Threat actors steal $80 million per month with fake giveaways, surveys

Scammers are estimated to have made $80 million per month by impersonating popular brands asking people to participate in fake surveys or giveaways.

Researchers warn of this new trend in global fraud schemes involving targeted links to make investigation and take-down increasingly challenging.

According to current estimates, these massive campaigns resulted in an estimated $80,000,000 per month, stolen from 10 million people in 91 countries.

The scam themes are the typical and "trustworthy" fake surveys and giveaways from popular brands with the holiday season making targets more susceptible to fraudulent gift offerings.

According to a report by Group-IB, there are currently 60 known scam networks that use targeted links in their campaigns, impersonating 121 brands in false giveaways.

Each network uses an average of 70 different Internet domain names as part of their campaigns, but some find great success with fewer domains, which indicates that quality beats quantity when it comes to scams.

https://www.bleepingcomputer.com/news/security/threat-actors-steal-80-million-per-month-with-fake-giveaways-surveys/

Microsoft Teams might have a few serious security issues

Security researchers have discovered four separate vulnerabilities in Microsoft Teams that could be exploited by an attacker to spoof link previews, leak IP addresses and even access the software giant's internal services.

These discoveries were made by researchers at Positive Security who “stumbled upon” them while looking for a way to bypass the Same-Origin Policy (SOP) in Teams and Electron according to a new blog post. For those unfamiliar, SOP is a security mechanism found in browsers that helps stop websites from attacking one another.

During their investigation into the matter, the researchers found that they could bypass the SOP in Teams by abusing the link preview feature in Microsoft's video conferencing software by allowing the client to generate a link preview for the target page and then using either summary text or optical character recognition (OCR) on the preview image to extract information.

https://www.techradar.com/news/microsoft-teams-might-have-a-few-serious-security-issues

The Future of Work Has Changed, and Your Security Mindset Needs to Follow

VPNs have become a vulnerability that puts organisations at risk of cyber attacks.

When businesses first sent employees to work from home in March 2020 — thinking it'd only be for two weeks — they turned to quick fixes that would enable remote work for large numbers of people as quickly as possible. While these solutions solved the short-term challenge of allowing distributed workforces to connect to a company's network from anywhere, they're now becoming a security vulnerability that is putting organisations at risk of growing cyberattacks.

Now that almost two years have passed and work has fundamentally shifted, with fully or hybrid remote environments here to stay, business and security leaders need solutions that better fit their unique and increasingly complex needs. In fact, a new survey from Menlo Security has found that 75% of organisations are re-evaluating their security strategies for remote employees, exemplifying that accommodating remote work is a top priority for the majority of business leaders.

To successfully manage the risks that distributed workforces entail, leaders must shift their mindset away from the hub-and-spoke approach of providing connectivity to the entire network, instead segmenting access by each individual private application, wherever it is deployed, as threats of cyberattacks loom across all industries. As organisations grapple with the added security challenges that remote and hybrid work environments bring, adopting a zero-trust approach will be critical for end-to-end network and endpoint protection.

https://www.darkreading.com/attacks-breaches/the-future-of-work-has-changed-and-your-security-mindset-needs-to-follow

Threats

Ransomware

• Ransomware Threat Just as Urgent as Terrorism, Say Two-Thirds of IT Pros - Infosecurity Magazine

• PYSA Emerges as Top Ransomware Actor in November | Threatpost

• AvosLocker Ransomware Reboots In Safe Mode To Bypass Security Tools (bleepingcomputer.com)

• Rook Ransomware Is Yet Another Spawn Of The Leaked Babuk Code (bleepingcomputer.com)

• PYSA Ransomware Behind Most Double Extortion Attacks In November (bleepingcomputer.com)

• This Ransomware Strain Just Started Targeting Lots More Businesses | ZDNet

Phishing

• How Likely Are Employees To Fall Prey To A Phishing Attack? - Help Net Security

• Dridex Omicron Phishing Taunts With Funeral Helpline Number (bleepingcomputer.com)

• New Phishing Campaign Claims $80m Per Month - IT Security Guru

Malware

• Log4j Vulnerability Now Used To Install Dridex Banking Malware (bleepingcomputer.com)

• New BLISTER Malware Using Code Signing Certificates to Evade Detection (thehackernews.com)

IoT

• Honeypot Experiment Reveals What Hackers Want From IoT Devices (bleepingcomputer.com)

Cryptocurrency/Cryptomining/Cryptojacking

• Example Of How Attackers Are Trying To Push Crypto Miners Via Log4Shell - SANS Internet Storm Center

Insider Risk and Insider Threats

• Cyber Crime Cops Arrest NHS Workers - Infosecurity Magazine

Scams, Fraud & Financial Crime

• Robocalls More Than Doubled in 2021, Cost Victims $30B | Threatpost

Insurance

• Cyber Insurance Trends: Insurers And Insurees Must Adapt Equally To Growing Threats - Help Net Security

Dark Web

• 2easy Now A Significant Dark Web Marketplace For Stolen Data (bleepingcomputer.com)

OT, ICS, IIoT and SCADA

• Lights Out: Cyber Attacks Shut Down Building Automation Systems (darkreading.com)

• Walk-Through Metal Detectors Can Be Hacked, New Research Finds (gizmodo.com)

Nation State Actors

• FBI: State Hackers Exploiting New Zoho Zero-Day Since October (bleepingcomputer.com)

Passwords

• UK National Crime Agency Finds 225 Million Previously Unexposed Passwords • The Register

Parental Controls and Child Safety

• Fisher Price Chatter Bluetooth Telephone Has Serious Privacy Issues - Security Affairs

Vulnerabilities

• Microsoft Teams Bug Allowing Phishing Unpatched Since March (bleepingcomputer.com)

• FBI: Another Zoho ManageEngine Zero-Day Under Active Attack | Threatpost

• Active Directory Bugs Could Let hackers Take Over Windows Domain Controllers (thehackernews.com)

• New Exploit Lets Malware Attackers Bypass Patch for Critical Microsoft MSHTML Flaw (thehackernews.com)

• All in One SEO Plugin Bug Threatens 3M Websites with Takeovers | Threatpost

• Researchers Disclose Unpatched Vulnerabilities in Microsoft Teams Software (thehackernews.com)

• Crooks Bypass A Microsoft Office Patch For CVE-2021-40444 To Spread Formbook Malware - Security Affairs

• Microsoft Admits To Azure App Service Source Code Leak Bug • The Register

• Expert Details macOS Bug That Could Let Malware Bypass Gatekeeper Security (thehackernews.com)

• New Dell BIOS Updates Cause Laptops And Desktops Not To Boot (bleepingcomputer.com)

• Western Digital Warns Customers To Update Their My Cloud Devices (Bleepingcomputer.Com)

• New Mobile Network Vulnerabilities Affect All Cellular Generations Since 2G (thehackernews.com)

Sector Specific

Health/Medical/Pharma Sector

• Escalation in Healthcare Data Breaches - Infosecurity Magazine

Retail

• The Retail Sector Needs To Know When And Not If It Will Be Hacked - Help Net Security

Transport and Aviation

• Tropic Trooper Cyber Espionage Hackers Targeting Transportation Sector (thehackernews.com)

Other News

• How Confident Can Organisations Be In Their Managed Services Security? - Help Net Security

• Experts Discover Backdoor Deployed on the US Federal Agency's Network (thehackernews.com)

• Half-Billion Compromised Credentials Lurking on Open Cloud Server | Threatpost

• New Log4J Flaw Caps Year of Relentless Cyber Security Crises - WSJ

• Log4Shell Is A Dumpster Fire That Should Have Been Avoided - Help Net Security

• The Log4j Flaw Is The Latest Reminder That Quick Security Fixes Are Easier Said Than Done - CyberScoop

• 7 of the Most Impactful Cyber Security Incidents of 2021 (darkreading.com)

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.