Threat Intelligence Blog

Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.

Contact our Experts Now
Subscribe to our Weekly Cyber Threat Intelligence Briefing
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 17 February 2023

Black Arrow Cyber Threat Briefing 17 February 2023:

-High Risk Users May be Few, but the Threat They Pose is Huge

-The Cost of Cyber Security Insurance is Soaring so Firms Need to Take Prevention More Seriously

-Cyber Attacks Worldwide Increased to an All-Time Record Breaking High

-Most Organisations Make Cyber Security Decisions Without Insights

-Ransomware Attackers Finding New Ways to Weaponise Old Vulnerabilities

-Are Executives Fluent in IT Security Speak? 5 Reasons Why the Communication Gap is Wider Than You Think

-Business Email Compromise Groups Target Firms with Multilingual Impersonation Attacks

-EU Countries Told to Step up Defence Against State Hackers

-Cyber Criminals Exploit Fear and Urgency to Trick Consumers

-How to Manage Third Party and Supply Chain Cyber Security Risks that are Too Costly to Ignore

-Russian Spear Phishing Campaign Escalates Efforts Towards Critical UK, US and European Targets

-5 Biggest Risks of Using Third Party Managed Service Providers

-Cyber Crime as a Service: A Subscription Based Model in the Wrong Hands

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • High Risk Users May be Few, but the Threat They Pose is Huge

High risk users represent approximately 10% of the worker population according to research provider, Elevate Security research. The research found that high risk users were responsible for 41% of all simulated phishing clicks, 30% of all real-world phishing clicks, 54% of all secure-browsing incidents and 42% of all malware events. This is worrying, considering the rise in sophisticated targeted phishing campaigns.

https://www.helpnetsecurity.com/2023/02/16/high-risk-behavior/

  • The Cost of Cyber Security Insurance is Soaring so Firms Need to Take Prevention More Seriously

State-backed cyber attacks are on the rise, but they are not raising the level of alarm that they should in the corporate world. Unfortunately, this is not a productive way of thinking. Come the end of March, insurance provider Lloyds will no longer cover damage from cyber attacks carried out by state or state-backed groups. In the worst cases, this reduced insurance coverage could exacerbate the trend of companies taking a passive approach toward state-backed attacks as they feel there is now really nothing they can do to protect themselves. The uncertainty however, could be the motivation for companies to take the threat of state-backed attacks more seriously.

https://fortune.com/2023/02/15/cost-cybersecurity-insurance-soaring-state-backed-attacks-cover-shmulik-yehezkel/

  • Cyber Attacks Worldwide Increased to an All-Time Record-Breaking High, Report Shows

According to a report by security provider Check Point, cyber attacks rose 38% in 2022 compared to the previous year. Some of the key trends in the report included an increase in the number of cloud-based networking attacks, with a 48% rise and non-state affiliated hacktivist groups becoming more organised and effective than ever before. Additionally, ransomware is becoming more difficult to attribute and track and extra focus should be placed on exfiltration detection.

https://www.msspalert.com/cybersecurity-research/cyberattacks-worldwide-increased-to-an-all-time-high-check-point-research-reveals/

  • Most Organisations Make Cyber Security Decisions Without Insights

A report by security provider Mandiant found some worrying results when it came to organisational understanding of threat actors. Some of the key findings include, 79% of respondents stating that most of their cyber security decisions are made without insight into the treat actors targeting them, 79% believing their organisation could focus more time and energy on identifying critical security trends, 67% believing senior leadership teams underestimate the cyber threats posed to their organisation and finally, 47% of respondents felt that they could not prove to senior leadership that their organisation has a highly effective cyber security program.

https://www.msspalert.com/cybersecurity-research/mandiant-report-most-organizations-make-cybersecurity-decisions-without-insights/

  • Ransomware Attackers Finding New Ways to Weaponise Old Vulnerabilities

Ransomware attackers are finding new ways to exploit organisations’ security weaknesses by weaponising old vulnerabilities.  A report by security provider Cyber Security Works had found that 76% of the vulnerabilities currently being exploited were first discovered between 2010-2019.

https://venturebeat.com/security/ransomware-attackers-finding-new-ways-to-weaponize-old-vulnerabilities/

  • Are Executives Fluent in IT Security Speak? 5 Reasons Why the Communication Gap is Wider Than You Think

Using data from two different reports conducted by security provider Kaspersky, the combined data showed some worrying results. Some of the results include 98% of respondents revealing they faced at least one IT security miscommunication that regularly leads to bad consequences, 62% of managers revealing miscommunication led to at least one cyber security incident, 42% of business leaders wanting their IT security team to better communicate and 34% of C-level executives struggle to speak about adopting new security solutions.

https://www.msspalert.com/cybersecurity-research/are-c-suite-executives-fluent-in-it-security-speak-five-reasons-why-the-communication-gap-is-wider-than-you-think/

  • Business Email Compromise Groups Target Firms with Multilingual Impersonation Attacks

Security providers Abnormal Security have identified two Business Email Compromise (BEC) groups “Midnight Hedgehog” and “Mandarin Capybara” which are conducting impersonation attacks in at least 13 different languages. Like many payment fraud attacks, finance managers or other executives are often targeted. In a separate report by Abnormal Security, it was found that business email compromise (BEC) attacks increased by more than 81% during 2022.

https://www.infosecurity-magazine.com/news/bec-groups-multilingual/

  • EU Countries Told to Step up Defence Against State Hackers

European states have raced to protect their energy infrastructure from physical attacks but the European Systemic Risk Board (ESRB) said more needed to be done against cyber warfare against financial institutions and the telecommunications networks and power grids they rely on. "The war in Ukraine, the broader geopolitical landscape and the increasing use of cyber attacks have significantly heightened the cyber threat environment," the ESRB said in a report. In addition, the ESRB highlight an increased risk of cyber attacks on the EU financial system, suggesting that stress tests and impact analyses should be carried out to identify weaknesses and measure resilience.

https://www.reuters.com/world/europe/eu-countries-told-step-up-defence-against-state-hackers-2023-02-14/

  • Cyber Criminals Exploit Fear and Urgency to Trick Consumers

Threats using social engineering to steal money, such as refund and invoice fraud and tech support scams, increased during Q4 of 2022 according to a report by software provider Avast. “At the end of 2022, we have seen an increase in human-centred threats, such as scams tricking people into thinking their computer is infected, or that they have been charged for goods they didn’t order. It’s human nature to react to urgency, fear and try to regain control of issues, and that’s where cyber criminals succeed” Avast commented.

https://www.helpnetsecurity.com/2023/02/13/cybercriminals-exploit-fear-urgency-trick-consumers/

  • How to Manage Third Party and Supply Chain Cyber Security Risks that are Too Costly to Ignore

Many organisations have experienced that “after the breach” feeling — the moment they realise they have to tell customers their personal information may have been compromised because one of the organisations’ vendors had a data breach. Such situations involve spending significant amount of money and time to fix a problem caused by a third party. An organisation’s ability to handle third-party cyber risk proactively depends on its risk management strategies.

https://techcrunch.com/2023/02/10/why-third-party-cybersecurity-risks-are-too-costly-to-ignore/

  • Russian Spear Phishing Campaign Escalates Efforts Towards Critical UK, US and European Targets

Following the advisory from the NCSC, it is clear that Russian state-sponsored hackers have become increasingly sophisticated at launching phishing attacks against critical targets in the UK, US and Europe over the last 12 months. The attacks included the creation of fake personas, supported by social media accounts, fake profiles and academic papers, to lure targets into replying to sophisticated phishing emails. In some cases, the bad actor may never leverage the account to send emails from and only use it to make decisions based on intelligence collection.

https://www.computerweekly.com/news/365531158/Russian-spear-phishing-campaign-escalates-efforts-toward-critical-UK-US-and-European-targets

  • 5 Biggest Risks of Using Third Party Managed Service Providers

As business processes become more complex, companies are turning to third parties to boost their ability to provide critical services from cloud storage to data management to security. It’s often more efficient and less expensive to contract out work. But it does present risks. 5 of the biggest risks to be considered are: indirect cyber attacks, financial risks from incident costs, reputational damage, geopolitical risk and regulatory compliance risk.

https://www.csoonline.com/article/3687812/5-major-risks-third-party-services-may-bring-along-with-them.html#tk.rss_news

  • Cyber Crime as a Service: A Subscription Based Model in the Wrong Hands

Arguably nothing in tech has changes the landscape more than ‘as a Service’ offerings, the subscription-based IT service delivery model, in fact, the ‘as a Service’ offering has made its way into the cyber crime landscape. And cyber crime, for its part, has evolved beyond a nefarious hobby; today it’s a means of earning for cyber criminals. Organised cyber crime services are available for hire, particularly to those lacking resources and hacking expertise but willing to buy their way into cyber criminal activities. Underground cyber crime markets have thus emerged, selling cyber attack tools and services ranging from malware injection to botnet tools, Denial of Service and targeted spyware services.

https://www.splunk.com/en_us/blog/learn/cybercrime-as-a-service.html

Threats

Ransomware, Extortion and Destructive Attacks

Phishing & Email Based Attacks

BEC – Business Email Compromise

2FA/MFA

Malware

Mobile

Botnets

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

AML/CFT/Sanctions

Insurance

Dark Web

Supply Chain and Third Parties

Cloud/SaaS

Attack Surface Management

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Malvertising

Training, Education and Awareness

Regulations, Fines and Legislation

Governance, Risk and Compliance

Backup and Recovery

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Artificial Intelligence

Misinformation, Disinformation and Propaganda

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Nation State Actors

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Advisory 16/02/2023 – Citrix Releases Security Updates Addressing Vulnerabilities in Workspace Apps, Virtual Apps and Desktops Products

Black Arrow Cyber Advisory 16/02/2023 – Citrix Releases Security Updates Addressing Vulnerabilities in Workspace Apps, Virtual Apps and Desktops Products

Executive Summary

This week Citrix released security updates for vulnerabilities affecting its’ Workspace Apps, Virtual Apps and Desktops products. The vulnerabilities are tracked as CVE-2023-24483, CVE-2023-24484, CVE-2023-24486 and CVE-2023-2286.

What’s the risk to me or my business?

Successful exploitation of the vulnerabilities could allow an attacker to escalate privileges and permissions from a standard user to system level. An attacker could also take over another users session and cause log files to be written to a directory which a standard user would not have permission to write to. For the exploitations to be successful, the attacker requires local access as a standard user to the Virtual Desktop Application.

What can I do?

For organisations using vulnerable versions of Workspace Apps, Virtual Apps and Desktop products, it is strongly recommended to install the patched versions as soon as possible. The affected versions are as below:

Citrix Virtual Apps and Desktops (CVE-2023-24483):

  • Current release versions before 2212

  • Long term service release (LTSTR) versions 2203 LTSR before CU2

  • 1912 LTSR before CU6

Citrix Workspace App for Windows (CVE-2023-24484 and CVE-2023-24485):

  • Citrix Workspace App versions before 2212

  • Citrix Workspace App 2203 LTSR before CU2

  • Citrix Workspace App 1912 LTSR before CU7 Hotfix 2 (19.12.7002)

Citrix Workspace App for Linux (CVE-2023-2486)

  • All supported versions of Citrix Workspace app for Linux before 2302

Further information on CVE-2023-24483 can be found here: https://support.citrix.com/article/CTX477616/citrix-virtual-apps-and-desktops-security-bulletin-for-cve202324483

Further information on CVE-2023-24484 and CVE-2023-24485 can be found here: https://support.citrix.com/article/CTX477617/citrix-workspace-app-for-windows-security-bulletin-for-cve202324484-cve202324485

Further information on CVE-2023-2486 can be found here: https://support.citrix.com/article/CTX477618/citrix-workspace-app-for-linux-security-bulletin-for-cve202324486

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Advisory 15/02/2023 – Microsoft Patch Tuesday – 75 patches and Three Actively Exploited Vulnerabilities

Black Arrow Cyber Advisory 15/02/2023 – Microsoft Patch Tuesday – 75 patches and Three Actively Exploited Vulnerabilities

Executive summary

Microsoft’s February Patch Tuesday provides updates to address 75 security issues across its product range, including three actively exploited zero-days.

Of the 75 vulnerabilities, nine are rated Critical and 66 are rated Important in severity. 37 out of 75 bugs are classified as remote code execution (RCE) flaws.

The three exploited zero-day vulnerabilities include a security bypass vulnerability, remote execution vulnerability and an elevation of privileges vulnerability. Also among the updates provided by Microsoft were 9 critical vulnerabilities.

What’s the risk to me or my business?

The actively exploited vulnerabilities could allow an attacker to bypass security features to upload malicious files, remotely execute code and gain SYSTEM privileges; all of which could compromise the confidentiality, integrity and availability of data stored by an organisation.

What can I do?

Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the actively exploited vulnerabilities and all other vulnerabilities that have a critical severity rating.

Technical Summary

The following is a breakdown of the actively exploited vulnerabilities which affected Microsoft Operating Systems:

CVE-2023-21715: A vulnerability which allows a local user with authentication to bypass Microsoft Office macro policies used to block untrusted or malicious files.

CVE-2023-21823: A remote code execution vulnerability which allows an attacker to execute code with system privileges, effectively providing them with unlimited permission. Microsoft Store will automatically update affected customers, providing automatic updates are enabled in the Store.

CVE-2023-23376: A vulnerability which allows a successful attacker to gain SYSTEM privileges, effectively providing them with unlimited permission.

Further details on other specific updates within this patch Tuesday can be found here: https://www.ghacks.net/2023/02/14/microsoft-windows-security-updates-february-2023-overview/ 

Further details about CVE-2023-21715 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21715

Further details about CVE-2023-21823 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21823

Further details about CVE-2023-23376 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23376

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 10 February 2023

Black Arrow Cyber Threat Briefing 10 February 2023:

-Companies Banned from Paying Hackers After Attacks on Royal Mail and Guardian

-Fraud Set to Be Upgraded as a Threat to National Security

-98% of Attacks are Not Reported by Employees to their Employers

-UK Second Most Targeted Nation Behind America for Ransomware

-Financial Institutions are Suffering from Increasingly Sophisticated Cyber Attacks

-An Email Attack Can End Up Costing You Over $1 Million

-Cyber Crime Shows No Signs of Slowing Down

-Surge of Swatting Attacks Targets Corporate Executive and Board Members

-Phishing Surges Ahead, as ChatGPT and Artificial Intelligence Loom

-Pro-Russian Hacktivist Group is Only Getting Started, Experts Warn

-Crypto Investors Lost Nearly $4 Billion to Hackers in 2022

-PayPal and Twitter Abused in Turkey Relief Donation Scams

-Mysterious Leak of Booking.com Reservation Data is Being Used to Scam Customers

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • UK Companies Banned from Paying Ransomware Hackers After Attacks on Royal Mail and Guardian

British companies have been banned from paying ransomware hackers after a spate of attacks on businesses including Royal Mail and the Guardian newspaper.

UK Foreign Secretary James Cleverly on Thursday unveiled sanctions on seven Russian hackers linked to a gang called Conti, effectively banning any payments to the group.

Thursday’s sanctions are the first of their kind to be specifically targeted against Russian ransomware gang members.

The actions follow a spate of high-profile attacks on businesses and amid warnings from GCHQ that Russian and Iranian hackers are stepping up actions in Britain.

https://www.telegraph.co.uk/business/2023/02/09/companies-banned-paying-hackers-attacks-royal-mail-guardian/

  • Fraud Set to Be Upgraded as a Threat to National Security

Fraud is to be reclassified as a threat to national security under UK government plans that will force police chiefs to devote more officers to solving the crime.

It will be elevated to the same status as terrorism, with chief constables mandated to increase resources and combine capabilities in a new effort to combat a fraud epidemic that now accounts for 30 per cent of all crime.

It will be added to the strategic policing requirement, which means that forces will be required by ministers to treat fraud as a major priority alongside not only terrorism, but also public disorder, civil emergencies, serious and organised crime, cyber attacks and child sexual abuse.

https://www.telegraph.co.uk/news/2023/02/04/fraud-set-upgraded-threat-national-security/

  • 98% of Attacks are Not Reported by Employees to their Employers

Cyber attackers are increasingly using social engineering tactics to lure employees into opening malicious emails in an attempt to trick them into providing login credentials, updating bank account information and paying fraudulent invoices. Worryingly, research conducted by security provider Abnormal has found that 98% of attacks on organisations are not reported to the organisation’s security team. In addition to this, the report found that the volume of business email compromise attacks are spiking, growing by 175% over the past two years. The report also found that nearly two-thirds of large enterprises experiencing a supply chain compromise attack in the second half of 2022.

https://www.msspalert.com/cybersecurity-research/employees-fail-to-report-98-of-email-cyber-hacks-to-security-teams-study-finds/

  • UK Second Most Targeted Nation Behind America for Ransomware

Security research team Kraken Labs released their report earlier this week, which found that of the 101 different countries that registered victims of ransomware, the UK had registered the second highest number of victims behind the US. Currently, there are over 60 ransomware groups, with the top 3 accounting for a third of all ransomware attacks.

https://www.itsecurityguru.org/2023/02/07/uk-second-most-targeted-nation-behind-america-for-ransomware/

  • Financial Institutions are Suffering from Increasingly Sophisticated Cyber Attacks

This week security provider Contrast Security released its Cyber Bank Heists report, an annual report that exposes cyber security threats facing the financial sector. The report warns financial institutions that security must be a top-of-mind issue amid rising geopolitical tensions, increased destructive attacks utilising wipers and a record-breaking year of zero-day exploits. The report involved a series of interviews with financial sector security leaders and found some notable results. Some of the results include 64% of leaders seeing an increase in application attacks, 72% of respondents planning to increase investment in application security in 2023, 60% of respondents falling victim to destructive attacks and 50% of organisations detecting campaigns which aimed to steal non-public market information.

https://www.darkreading.com/attacks-breaches/financial-institutions-are-suffering-from-increasingly-sophisticated-cyberattacks-according-to-contrast-security

  • An Email Attack Can End Up Costing You Over $1 Million

According to a report by security provider Barracuda Network, 75% of organisations had fallen victim to at least one successful email attack in the last 12 months, with those affected facing potential costs of over $1 million for their most expensive attack. The fallout from an email security attack can be significant, with the report finding 44% of those hit had faced significant downtime and business disruption. Additionally financial services greatly impacted by the loss of valuable data (59%) and payments made to attackers (51%). When it came to organisations preparation, 30% felt underprepared when dealing with account takeover and 28% felt unprepared for dealing with business email compromise.

https://www.helpnetsecurity.com/2023/02/10/email-attack-damage-1-million/

  • Cyber Crime Shows No Signs of Slowing Down

Global risks from population pressures and climate change to political conflicts and industrial supply chain challenges characterised 2022. Cyber criminals used this turmoil to exploit these trending topics, including significant events, public affairs, social causes, and anywhere else opportunity appeared. According to security researchers at Zscaler TheatLabz, 2023 will see a rise in Crime-as-a-service (CaaS), supply chains will be bigger targets than ever, there will be a greater need for defence in depth as endpoint protection will not be enough and finally, there will be a decrease in the time between initial compromise and the final stage of an attack.

https://www.darkreading.com/zscaler/cybercrime-shows-no-signs-of-slowing-down

  • Surge of Swatting Attacks Targets Corporate Executive and Board Members

Swatting is the act of deceiving an emergency service with the purpose of the service then sending an emergency response, often armed, to a targeted persons address. Security provider Black Cloak has found that swatting incidents are now beginning to target C-suite executives and corporate board members, with the number of incidents increasing over the last few months. Malicious actors are using information from the dark web, company websites and property records to construct their swatting attacks.

https://www.csoonline.com/article/3687177/surge-of-swatting-attacks-targets-corporate-executives-and-board-members.html#tk.rss_news

  • Phishing Surges Ahead, as ChatGPT and Artificial Intelligence Loom

Artificial Intelligence (AI) is making it easier for threat actors to create sophisticated and malicious email campaigns. In their report, security provider Vade found that Q4 of 2022 saw a 36% volume increase in phishing campaigns compared to the previous quarter, with over 278.3 million unique phishing emails in that period. The researchers found in particular, new AI tools such as ChatGPT had made it easy for anyone, including those with limited skills, to conduct a sophisticated phishing campaign. Furthermore, the ability of ChatGPT to tailor phishing to different languages is an area for concern.

https://www.darkreading.com/vulnerabilities-threats/bolstered-chatgpt-tools-phishing-surged-ahead

  • Pro-Russian Hacktivist Group is Only Getting Started, Experts Warn

A pro-Russian hacktivist group's low-level distributed denial-of-service (DDoS) attacks on US critical infrastructure could be a precursor to more serious cyber attacks, health care and security officials warned this week. A DDoS attack involves overwhelming a targeted service, service or network with traffic in an attempt to disrupt it. Earlier this week Killnet, a politically motivated Russian hacking group, overloaded and took down some US healthcare organisations. The attack came after threatening western healthcare organisations for the continued NATO support of Ukraine.

https://www.axios.com/2023/02/03/killnet-russian-hackers-attacks

  • Crypto Investors Lost Nearly $4 Billion to Hackers in 2022

Last year marked the worst year on record for cryptocurrency hacks, according to analytic firm Chainalysis’ latest report. According to the report, hackers stole $3.8 billion in 2022, up from $3.3 billion the previous year. De-centralised finance products, which are products that have no requirement for an intermediary or middle-man accounted for about 82% of all crypto stolen.

https://www.cnbc.com/2023/02/04/crypto-investors-lost-nearly-4-billion-dollars-to-hackers-in-2022.html

  • PayPal and Twitter Abused in Turkey Relief Donation Scams

Scammers are now exploiting the ongoing humanitarian crisis in Turkey and Syria. This time, stealing donations by abusing legitimate platforms such as PayPal and Twitter. It has been identified that multiple scams are running which call for fundraising, linking the victim to a legitimate PayPal site. The money however, is kept by the scammer.

https://www.bleepingcomputer.com/news/security/paypal-and-twitter-abused-in-turkey-relief-donation-scams/

  • Mysterious Leak of Booking.com Reservation Data is Being Used to Scam Customers

For almost 5 years, Booking.com customers have been on the receiving end of a continuous series of scams that demonstrate criminals have obtained travel plans amongst other personally identifiable information that were provided to Booking.com. The scams have involved users receiving fake emails purporting to be from Booking.com with genuine travel details that victims had provided. These emails contain links to malicious URL’s that look nearly identical to the Booking.com website. These then display the victim’s expected travel information, requiring them to input their card details. Some of the scams have developed and involve scammers sending WhatsApp messages after payment has been made, purporting to be from hotels which have been booked by the victims.

https://arstechnica.com/information-technology/2023/02/mysterious-leak-of-booking-com-reservation-data-is-being-used-to-scam-customers/

Threats

Ransomware, Extortion and Destructive Attacks

Phishing & Email Based Attacks

BEC – Business Email Compromise

Malware

Mobile

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Impersonation Attacks

AML/CFT/Sanctions

Insurance

Dark Web

Supply Chain and Third Parties

Software Supply Chain

Cloud/SaaS

Hybrid/Remote Working

Identity and Access Management

Encryption

API

Passwords, Credential Stuffing & Brute Force Attacks

Biometrics

Social Media

Malvertising

Training, Education and Awareness

Parental Controls and Child Safety

Regulations, Fines and Legislation

Governance, Risk and Compliance

Models, Frameworks and Standards

Data Protection

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Artificial Intelligence

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Nation State Actors

Vulnerability Management

Vulnerabilities

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Advisory 06/02/2023 – New Wave of Ransomware Exploiting VMware ESXi Hypervisors - updated 09/02/2023 and 10/02/2023 

Black Arrow Cyber Advisory 06/02/2023 – New Wave of Ransomware Exploiting VMware ESXi Hypervisors

Updated 10/02/2023

Reports indicate that at least 18,500 ESXi servers are still vulnerable to VMware bug behind initial ransomware spree, after last week’s ransomware infections hit more than 3,800 organisations across the United States, France, Italy and more.

Updated 09/02/2023

It has now been found that there is a second wave of the ransomware campaign and reports from administrators are that they are being breached, even though SLP was disabled. There is also a script released by the Cybersecurity and Infrastructure Agency (CISA) which will attempt to recover files from an impacted VMware ESXi hypervisor. It should be noted however, that it will likely not work if the VMware ESXi hypervisor was hit by the second wave of ransomware.

CISA’s advice and link to their recovery script can be found here: https://www.cisa.gov/uscert/ncas/current-activity/2023/02/08/cisa-and-fbi-release-esxiargs-ransomware-recovery-guidance

Executive Summary

A large ransomware campaign is targeting VMware ESXi hypervisors around the world, according to the French government’s computer emergency readiness team (CERT-FR). Although not officially confirmed by VMware, multiple sources report that the ransomware exploits a vulnerability known as CVE-2021-21974, which is a heap-overflow vulnerability in which exploitation can result in remote code execution. A patch was made available by VMware in February 2021.

What’s the risk to me or my business?

According to VMware, the malicious actor needs to reside within the same network segment as VMware ESXi and have access to port 427 to be able to exploit CVE-2021-21974 and remotely execute code. This exploit only impacts organisations with VMware ESXi where OpenSLP services are in use. OpenSLP is an open-source implementation of the Service Location Protocol (SLP), which is used to allow networking applications to discover the existence, location and configuration of network services within enterprise networks. The impacted versions of VMware ESXi are as follows:

·         ESXi 7.x versions earlier than ESXi70U1c-17325551

·         ESXi 6.7.x versions earlier than ESXi670-202102401-SG

·         ESXi 6.5.x versions earlier than ESXi650-202102101-SG

What can I do?

Organisations should look to apply the available patches from VMware as soon as possible. It is recommended that organisations disable the SLP service on ESXi hypervisors that have not been patched for the mean time. Where a patch has been applied recently, a system scan should be performed to detect any indicators of compromise.

Further information on the vulnerability can be found through the original security advisory from VMware, which was published in February 2021: https://www.vmware.com/security/advisories/VMSA-2021-0002.html  

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Advisory 09/02/2023 – Reminder of Heightened Risk of Phishing Campaigns Taking Advantage of Tragic Events

Black Arrow Cyber Informational 09/02/2023 – Reminder of Heightened Risk of Phishing Campaigns Taking Advantage of Tragic Events

Executive Summary

Following the recent tragic events in Turkey and Syria this is a reminder that whenever there are catastrophes, natural disasters or other notable or particularly newsworthy events malicious actors will take advantage of these events to push related phishing emails or launch other attacks.

What’s the risk to me or my business?

Threat actors will take advantage of events of this nature, often to try to exploit the good nature and charitable intentions of people and organisations. Each event creates opportunities for threat actors to conduct phishing campaigns. These campaigns can include impersonation of those impact, smishing (SMS phishing), fake charitable pages, malicious links within emails and much more.

What can I do?

We recommend staying extra vigilant. This can be done by verifying charities and or companies through official websites, verifying phone numbers for charities, avoiding suspicious links in emails and checking individuals are who they claim to be.

Information on registered UK charities can be found here: https://register-of-charities.charitycommission.gov.uk/charity-search/

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 03 February 2023

Black Arrow Cyber Threat Briefing 03 February 2023:

-Business Leaders Need a Hands-on Approach to Stop Cyber Crime, Says Spy Chief

-Rising ‘Firebrick Ostrich’ BEC Group Launches Industrial Scale Cyber Attacks

-The Corporate World is Losing its Grip on Cyber Risk

-Microsoft Reveals Over 100 Threat Actors are Deploying Ransomware in Attacks

-Greater Incident Complexity, a Shift in How Threat Actors Use Stolen Data Will Drive the Cyber Threat Landscape in 2023

-The Threat from Within: 71% of Business Leaders Surveyed Think Next Cyber Security Breach Will come from the Inside

-98% of Organisations Have a Supply Chain Relationship That Has Been Breached

-New Survey Reveals 40% of Companies Experienced a Data Leak in the Past Year

-Russian Hackers Launch Cyber Attack on Germany in Leopard Tank Retaliation

-Financial Services Targeted in 28% of UK Cyber Attacks Last Year

-Phishing Attacks are Getting Scarily Sophisticated. Here’s what to Watch Out For

-City of London on High Alert After Ransomware Attack

-Ransomware Conversations: Why the CFO is Pivotal to Discussing and Preparing for Risk

-JD Sports Warns of 10 Million Customers Put at Risk in Cyber Attack

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Business Leaders Need a Hands-on Approach to Stop Cyber Crime, Says Spy Chief

Business leaders must not see cyber crime as “just a technical issue” that can be left up to IT departments, said Lindy Cameron, chief executive of the National Cyber Security Centre (NCSC).  Ms Cameron later commented that “In the world of cyber security, the new year has brought with it some sadly familiar themes - a continuation of cyber incidents affecting organisations large and small as well as the British public”.

Along with this, came the urge for business leaders to step up their efforts in combating cyber crime by taking an active interest and educating themselves on the subject.  When commenting upon board members’ level of understanding, Ms Cameron said “I’d also encourage board members to develop a basic understanding of cyber security, which can help when seeking assurances from IT teams about the resilience of an organisation - in a similar way that leaders have a certain level of understanding of finance to assess financial health”.

https://www.telegraph.co.uk/news/2023/01/28/business-leaders-need-hands-on-approach-stop-cyber-crime-says/

  • Rising ‘Firebrick Ostrich’ BEC Group Launches Industrial Scale Cyber Attacks

Business email compromise (BEC) has become one of the most popular methods of financially motivated hacking. And over the past year, one group in particular has demonstrated just how quick, easy, and lucrative it really is.

"Firebrick Ostrich" is a threat actor that's been performing BEC at a near-industrial scale. Since April 2021, the group has carried out more than 350 BEC campaigns, impersonating 151 organisations and utilising 212 malicious domains in the process. This volume of attacks is made possible by the group's wholesale gunslinging approach. Firebrick Ostrich doesn't discriminate much when it comes to targets, or gather exceptional intelligence in order to craft the perfect phishing bait. It throws darts at a wall because, evidently, when it comes to BEC at scale, that's enough.

BEC is attractive to bad actors due to the lower barriers to entry than malware, less risk, faster scaling opportunities, and way more profit potential to higher echelons than other methods of attack. These factors may explain why such attacks are absolutely the emerging trend, potentially even leaving even ransomware in the dust. There are literally hundreds, if not thousands, of these groups out there.

https://www.darkreading.com/remote-workforce/rising-firebrick-ostrich-bec-group-launches-industrial-scale-cyberattacks

  • The Corporate World is Losing its Grip on Cyber Risk

Lloyd's of London’s insurance market prides itself on being able to put a price on anything, from Tina Turner’s legs or Bruce Springsteen’s vocal cords, to the risk that a bounty hunter might claim the reward from Cutty Sark Whisky in the 1970s for capturing the Loch Ness monster.

But from the end of March, there will be something it won’t price: systemic cyber risk, or the type of major, catastrophic disruption caused by state-backed cyber warfare. In one sense, this isn’t surprising. Insurance policies typically exclude acts of war. Russia’s NotPetya attack on Ukraine in 2017 showed how state-backed cyber assaults can surpass traditional definitions of armed conflict and overspill their sovereign target to hit global businesses. It caused an estimated $10bn in damages and years of wrangling between companies like pharma group Merck and snack maker Mondelez and their insurers.

But the move is prompting broader questions about the growing pains in this corner of the insurance world. “Cyber insurance isn’t working anywhere at the moment as a public good for society,” says Ciaran Martin, former head of the UK National Cyber Security Centre. “It has a huge role to play in improving defences in a market-based economy and it has been a huge disappointment in that sense so far.”

The Lloyd’s move is designed, say insurers, to clarify rather than restrict coverage. Whether it succeeds is another matter: this is a murky world, where cyber crime groups operate with impunity in certain jurisdictions.

https://www.ft.com/content/78bfdf29-1e20-4c12-a348-06e98d5ae906

  • Microsoft Reveals Over 100 Threat Actors are Deploying Ransomware in Attacks

Microsoft revealed this week that its security teams are tracking over 100 threat actors deploying ransomware during attacks. In all, the company says it monitors over 50 unique ransomware families, with some of the most prominent ransomware payloads in recent campaigns including Lockbit, BlackCat (aka ALPHV), Play, Vice Society, Black Basta, and Royal.

Microsoft said that defence strategies should focus less on payloads themselves but more on the chain of activities that lead to their deployment, since ransomware gangs are still targeting servers and devices not yet patched against common or recently addressed vulnerabilities.

Furthermore, while new ransomware families launch all the time, most threat actors utilise the same tactics when breaching and spreading through networks, making the effort of detecting such behaviour even more helpful in thwarting their attacks.

Attackers are increasingly relying on tactics beyond phishing to conduct their attacks, with threat actors for example capitalising on recently patched Exchange Server vulnerabilities to hack vulnerable servers and deploy Cuba and Play ransomware.

https://www.bleepingcomputer.com/news/security/microsoft-over-100-threat-actors-deploy-ransomware-in-attacks/

  • Ransomware Conversations: Why the CFO is Pivotal to Discussing and Preparing for Risk

With the amount of cyber attacks in all industries, organisations are beginning to grasp the significance of cyber risk and how it is integral to protecting and maintaining an efficient business. In fact, the first half of 2022 alone saw 236.1 million cases of ransomware.

Whilst the expectation for responsibility has typically fallen on Chief Information Security Officers (CISOs), Chief Financial Officers (CFOs) are just as vital in managing cyber risk, which is now inherently also business risk.  The CFO plays an important part in determining whether cyber security incidents will become material and affect the business more seriously. Their insight is critical across many areas which include ransomware, cyber insurance, regulatory compliance and budget management.

https://www.itsecurityguru.org/2023/02/02/ransomware-conversations-why-the-cfo-is-pivotal-to-discussing-and-preparing-for-risk

  • Greater Incident Complexity, a Shift in How Threat Actors Use Stolen Data Will Drive the Cyber Threat Landscape in 2023

Insurance provider Beazley released their Cyber Services Snapshot Report which claims the cyber security landscape will be influenced by greater complexity and the way threat actors use stolen data. The report also found that as a category, fraudulent instruction experienced a growth as a cause of loss in 2022, up 13% year-over year. 

In response to vulnerabilities such as fraudulent instructions, the report suggests organisations must get smarter about educating users to spot things such as spoofed emails or domain names. The report also cautions organisations to watch for social engineering, spear phishing, bypassing of multi-factor authentication (MFA), targeting of managed service providers (MSP) and the compromise of cloud environments as areas of vulnerability.

https://www.darkreading.com/attacks-breaches/greater-incident-complexity-a-shift-in-the-way-threat-actors-use-stolen-data-and-a-rise-in-us-class-actions-will-drive-the-cyber-threat-landscape-in-2023-according-to-beazley-report

  • The Threat from Within: 71% of Business Leaders Surveyed Think Next Cyber Security Breach Will Come from the Inside

A survey conducted by IT provider EisnerAmper found that 71% of business executives worry about accidental internal staff error as one of the top threats facing their organisation and 23% of these worried about malicious intent by an employee. In comparison, 75% of business executives had concerns about external hackers. The survey also asked about current safety measures, with 51% responding that they were “somewhat prepared”. Despite this, only 50% of respondents reported conducting regular cyber security training. 

https://www.darkreading.com/vulnerabilities-threats/the-threat-from-within-71-of-business-leaders-surveyed-think-next-cybersecurity-breach-will-come-from-the-inside

  • 98% of Organisations Have a Supply Chain Relationship That Has Been Breached

A report from SecurityScorecard found that 98% of organisations have a relationship with at least one third party that has experienced a breach in the last two years, while more than 50% have an indirect relationship with more than 200 fourth parties that have been breached. Of course, this is keeping in mind that not all organisations disclose or even know they have been breached.

https://www.securityweek.com/98-of-firms-have-a-supply-chain-relationship-that-has-been-breached-analysis/

  • New Survey Reveals 40% of Companies Experienced a Data Leak in the Past Year

Software provider SysKit has published a report on the effects of digital transformation on IT administrators and the current governance landscape. The report found that 40% of organisations experienced a data leak in the previous year. A data leak can have severe consequences on an organisation's efficiency and the impact can lead to large fines, downtime, and loss of business-critical certifications and customers.

In addition, the Survey found that the biggest challenge for IT administrators was a lack of understanding from superiors, huge workloads and misalignment of IT and business strategies.

https://www.darkreading.com/attacks-breaches/new-survey-reveals-40-of-companies-experienced-a-data-leak-in-the-past-year

  • Russian Hackers Launch Cyber Attack on Germany in Leopard Tank Retaliation

The websites of key German administrations, including companies and airports, have been targeted by cyber attacks, the German Federal Office for Information Security (BSI) stated.

The BSI commented they had been informed of DDoS (distributed denial of service) attacks “currently in progress against targets in Germany". This was followed by the statement that “Individual targets in the financial sector” and federal government sites were also attacked, with some websites becoming temporarily unavailable.  It is believed that this is due to the approved deployment of Leopard 2 tanks to Ukraine, with Russian hacker site Killnet taking credit.

https://www.euronews.com/2023/01/26/russian-hackers-launch-cyberattack-on-germany-in-leopard-retaliation

  • Financial Services Targeted in 28% of UK Cyber Attacks Last Year

Based on data from security provider Imperva, security researchers have identified that over a quarter (28%) of all cyber attacks in the UK hit the financial services and insurance (FSI) industry in the last 12 months. The data also found that Application Programme Interface (API) attacks, malicious automated software and distributed denial of service (DDoS) attacks were the most challenging for the industry. In addition, the data found that roughly 40% of all account takeover attempts were targeted at the FSI industry.

https://www.infosecurity-magazine.com/news/quarter-cyber-attacks-uk-financial/

  • Phishing Attacks are Getting Scarily Sophisticated. Here’s What to Watch Out For

Hackers are going to great lengths, including mimicking real people and creating and updating fake social media profiles, to trick victims into clicking phishing links and handing over usernames and passwords. The National Cyber Security Centre (NCSC) warns that these phishing attacks are targeting a range of sectors.

The NCSC has also released mitigation advice to help organisations and individuals protect themselves online. The mitigation advice included the use of strong passwords, separate to other accounts; enabling multi-factor authentication (MFA); and applying the latest security updates.

https://www.zdnet.com/article/phishing-attacks-are-getting-scarily-sophisticated-heres-what-to-watch-out-for/

  • City of London on High Alert After Ransomware Attack

A suspected ransomware attack on a key supplier of trading software to the City of London this week appears to have disrupted activity in the derivatives market. The company impacted, Ion Cleared Derivatives, is investigating. It is reported that 42 clients were impacted by the attack.

https://www.infosecurity-magazine.com/news/city-of-london-high-alert/

  • JD Sports Warns of 10 Million Customers Put at Risk in Cyber Attack

Sportswear retailer JD Sports said it was the victim of a cyber attack that exposed the data of 10 million customers, in the latest spate of hacks on UK companies.

JD Sports explained that the attack involved unauthorised access to a system that contained “the name, billing address, delivery address, phone number, order details and the final four digits of payment cards”. The data related to customers’ orders made between November 2018 and October 2020, with outdoor gear companies Millets and Blacks also impacted. A full review with cyber security and external specialists is underway.

https://www.ft.com/content/afe00f2f-afcd-478f-9e4d-1cf9c943fa79

Threats

Ransomware, Extortion and Destructive Attacks

Phishing & Email Based Attacks

BEC – Business Email Compromise

Other Social Engineering; Smishing, Vishing, etc

2FA/MFA

Malware

Mobile

Botnets

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Impersonation Attacks

AML/CFT/Sanctions

Insurance

Dark Web

Supply Chain and Third Parties

Cloud/SaaS

Containers

Encryption

API

Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Malvertising

Training, Education and Awareness

Regulations, Fines and Legislation

Governance, Risk and Compliance

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Artificial Intelligence

Misinformation, Disinformation and Propaganda

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Nation State Actors

Nation State Actors – Russia

Nation State Actors – China

Nation State Actors – North Korea

Nation State Actors – Iran

Nation State Actors – Misc

Vulnerability Management

Vulnerabilities

Tools and Controls

Other News

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Cyber Security Must be Owned by the Board - ICAS Magazine February 2023

Often a Finance Director or Chief Financial Officer has responsibility for the biggest risk to the organisation’s survival, when cyber security is nestled within IT in their reporting structure. The risks are high when the FD/CFO does not have the specialist guidance and knowledge in cyber security to lead the Board in exercising strong governance. Our co-founder Bruce McDougall CA and experienced cyber security specialist talks with the editor of CA Magazine from ICAS - The Professional Body of CAs about how fellow finance leaders can help avoid the catastrophic effects of a cyber security incident.

Often a Finance Director or Chief Financial Officer has responsibility for the biggest risk to the organisation’s survival, when cyber security is nestled within IT in their reporting structure.

The risks are high when the FD/CFO does not have the specialist guidance and knowledge in cyber security to lead the Board in exercising strong governance.

Our co-founder Bruce McDougall CA and experienced cyber security specialist talks with the editor of CA Magazine from ICAS - The Professional Body of CAs about how fellow finance leaders can help avoid the catastrophic effects of a cyber security incident.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Advisory 01/02/2023 – Attackers Using Microsoft’s Verified Publisher Status to Steal Data

Black Arrow Cyber Advisory 01/02/2023 – Attackers Using Microsoft’s Verified Publisher Status to Steal Data

Executive Summary

On the 15 December Microsoft became aware of a consent phishing campaign, which involved threat actors fraudulently impersonating legitimate companies when enrolling in the Microsoft Cloud Partner Program (MCPP). The threat actors then used the fraudulent accounts to add a ‘verified publisher’ status to OAuth (open authorisation) apps, which then tricked users into granting permissions and allowing the fraudulent OAuth applications to access their data. As these applications appear to be verified, and are hosted within the Microsoft ecosystem, it makes it much more difficult for end users to identify fraudulent applications.

What’s the risk to me or my business?

Microsoft’s investigation determined that once consent was given to these fraudulent applications, the applications were then able to exfiltrate email from the affected users Microsoft tenant.

What can I do?

According to Microsoft, all fraudulent applications have been disabled and impacted customers have been notified with the following subject line “Review the suspicious application disabled in your [tenant name] tenant”. For those impacted, the advice is to investigate the disabled fraudulent applications by checking the applications permissions as well as Azure AD audit logs for activity relating to the application. It is strongly recommended that users do not grant permissions to unprompted applications with their Microsoft Account, as this would allow the application to be granted access to that users data. If the legitimate application is already a part of the users tenant, then further permissions should not be required.

Further information from Microsoft can be found here: https://msrc-blog.microsoft.com/2023/01/31/threat-actor-consent-phishing-campaign-abusing-the-verified-publisher-process/

Microsoft’s advice to mitigating consent phishing can be found here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Advisory 30/01/2023 – GoTo Encrypted Backup and Encryption Keys Theft

Black Arrow Cyber Advisory 30/01/2023 – GoTo Encrypted Backup and Encryption Keys Theft

Executive Summary

Following on from a security incident in November 2022, GoTo, a remote access and communications software provider who also own LastPass, has announced that a threat actor exfiltrated encrypted backups from a third-party cloud storage service, along with an encryption key which allowed access to a “portion” of these encrypted backup files.

What’s the risk to me or my business?

According to GoTo, the products impacted are “Central, Pro, join.me, Hamachi, and RemotelyAnywhere”. GoTo later explain that the affected information varies depending on the product and may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings and some licensing information and product settings. In addition to this, whilst GoToMyPC and Rescue were not exfiltrated, MFA settings of a small subset of their customers were impacted.

What can I do?

As a precaution we would recommend that users change their password of affected accounts and ensure that multi-factor authentication is enabled all accounts where available.

GoTo have been resetting passwords and re-authorising MFA settings of affected users. The users have then been migrated onto an “enhanced Identity Management Platform” to provide additional security with authentication and login-based security options.

Further information on this security incident be found here: https://www.goto.com/blog/our-response-to-a-recent-security-incident

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Informational 30/01/2023 – PoC Released for Microsoft Certification Vulnerability, Devices Still Vulnerable Months After NSA Disclosure

Black Arrow Cyber Informational 30/01/2023 – PoC Released for Microsoft Certification Vulnerability, Devices Still Vulnerable Months After NSA Disclosure

Executive Summary

The security provider Akami has identified that less than 1% of visible devices in data centres have been patched for a Microsoft CryptoAPI spoofing vulnerability (CVE-2022-34689), despite NSA disclosure and a publicly released patch by Microsoft in October 2022. In addition, Akamai have created a proof of concept for how this vulnerability can be exploited.

What’s the risk to me or my business?

Successful exploitation of this vulnerability could allow an attacker to spoof their identity and perform actions such as authentication or code signing from a targeted certificate. If you do not use applications with end-certificate caching, you are not vulnerable to this attack. At this time, the provided proof of concept was only applicable if the attacker had the ability to generate a certificate from the targeted infrastructure, and if the targeted webpage or application was accessed using version v48 of Chrome or earlier, which was released on 25 January 2016.

What can I do?

Patch your Windows endpoints and servers with the latest security patches provided by Microsoft. This vulnerability was addressed as part of the October 2022 Patch Tuesday.

Further information on the vulnerability can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34689

Akami’s Report can be found here: https://www.akamai.com/blog/security-research/exploiting-critical-spoofing-vulnerability-microsoft-cryptoapi

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 27 January 2023

Black Arrow Cyber Threat Briefing 27 January 2023:

-Supply Chain Attacks Caused More Data Compromises Than Malware

-What Makes Small and Medium-Sized Businesses Vulnerable to BEC Attacks

-Understanding Your Attack Surface Makes It Easier to Prioritise Technologies and Systems

-Cyber Security Pros Sound Alarm Over Insider Threats

-Ransomware Attack Hit KFC and Pizza Hut Stores in the UK

-Forthcoming SEC Rules Will Trigger ‘Tectonic Shift’ in How Corporate Boards Treat Cyber Security

-Why CISOs Make Great Board Members

-View From Davos: The Changing Economics of Cyber Crime

-Cloud Based Networks Under Increasing Attack, Report Finds

-GoTo Admits: Customer Cloud Backups Stolen Together with Decryption Key

-State-Linked Hackers in Russia and Iran are Targeting UK Groups, NCSC Warns

-3.7 Million Customers’ Data of Hilton Hotels Put Up For Sale

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Supply Chain Attacks Caused More Data Compromises Than Malware

According to the Identity Theft Resource Center, data compromises steadily increased in the second half of 2022 and cyber attacks remained the primary source of data breaches.

The number of data breaches resulting from supply chain attacks exceeded malware related compromises in 2022 by 40%. According to the report, more than 10 million people were impacted by supply chain attacks targeting 1,743 entities. By comparison, 70 malware-based cyber attacks affected 4.3 million people.

https://www.helpnetsecurity.com/2023/01/26/data-compromises-2022/

  • What Makes Small and Medium-Sized Businesses Vulnerable to BEC Attacks

According to the United States’ FBI’s 2021 Internet Crime Report, business email compromise (BEC) accounted for almost a third of the country’s $6.9 billion in cyber losses that year – around $2.4 billion. In surprisingly sharp contrast, ransomware attacks accounted for only $50 million of those losses.

Small and medium-sized businesses (SMBs) are especially vulnerable to this form of attack and BEC’s contribution to annual cyber losses not only makes sense but is also likely underreported.

In stark contrast to highly disruptive ransomware attacks, BEC is subversive and is neither technically complicated nor expensive to deploy. In the case of large organisations, the financial fallout of BEC is almost negligible. That’s not the case for small and medium-sized businesses, which often lack the means to absorb similar financial losses.

BEC’s simplicity gives more credence for attackers to target smaller organisations, and because of that, it’s doubly essential for SMBs to be vigilant.

https://www.helpnetsecurity.com/2023/01/25/what-makes-small-medium-sized-businesses-vulnerable-bec-attacks-video/

  • Understanding Your Attack Surface Makes It Easier to Prioritise Technologies and Systems

It has been observed that attackers will attempt to start exploiting vulnerabilities within the first fifteen minutes of their disclosure. As the time to patch gets shorter, organisations need to be more pragmatic when it comes to remediating vulnerabilities, particularly when it comes to prioritisation.

Attack surfaces constantly evolve and change as new applications are developed, old systems are decommissioned, and new assets are registered. Also, more and more organisations are moving towards cloud-hosted infrastructure, which changes the risk and responsibility for securing those assets. Therefore, it is essential to carry out continuous or regular assessments to understand what systems are at risk, instead of just taking a point-in-time snapshot of how the attack surface looks at that moment.

The first step would be to map “traditional” asset types – those easily associated with an organisation and easy to monitor, such as domains and IP addresses. Ownership of these assets can be easily identified through available information (e.g., WHOIS data). The less traditional asset types (such as GitHub repositories) aren’t directly owned by the organisation but can also provide high-value targets or information for attackers.

It’s also important to understand which technologies are in use to make sound judgements based on the vulnerabilities relevant to the organisation. For example, out of one hundred vulnerabilities released within one month only 20% might affect the organisation’s technologies.

Once organisations have a good understanding of which assets might be at risk, context and prioritisation can be applied to the vulnerabilities affecting those assets. Threat intelligence can be utilised to determine which vulnerabilities are already being exploited in the wild.

What is then the correct answer for this conundrum? The answer is that there is no answer! Instead, organisations should consider a mindset shift and look towards preventing issues whilst adopting a defence-in-depth approach; focus on minimising impact and risk by prioritising assets that matter the most and reducing time spent on addressing those that don’t. This can be achieved by understanding your organisation’s attack surface and prioritising issues based on context and relevance.

https://www.helpnetsecurity.com/2023/01/24/understanding-your-attack-surface/

  • Cyber Security Pros Sound Alarm Over Insider Threats

Gurucul, a security information and event management (SIEM) solution provider, and Cyber security Insiders, a 600,000-plus member online community for information security professionals, found in their annual 2023 Insider Threat Report that only 3% of respondents surveyed are not concerned with insider risk.

Among all potential insiders, cyber security professionals are most concerned about IT users and admins with far-reaching access privileges (60%). This is followed by third-party contractors (such as MSPs and MSSPs) and service providers (57%), regular employees (55%), and privileged business users (53%).

The research also found that more than half of organisations in the study had been victimised by an insider threat in the past year. According to the data, 75% of the respondents believe they are moderately to extremely vulnerable to insider threats, an 8% spike from last year. That coincided with a similar percentage who said attacks have become more frequent, with 60% experiencing at least one attack and 25% getting hit by more than six attacks.

https://www.msspalert.com/cybersecurity-research/research-report-cybersecurity-pros-sound-alarm-over-insider-threats/

  • Ransomware Attack Hit KFC and Pizza Hut Stores in the UK

Nearly 300 fast food restaurants, including branches of KFC and Pizza Hut, were forced to close following a ransomware attack against parent company Yum! Brands. In a statement dated 18 January 2023, Yum! confirmed that unnamed ransomware had impacted some of its IT infrastructure, and that data had been exfiltrated by hackers from its servers. However, although an investigation into the security breach continues, the company said that it had seen no evidence that customer details had been exposed.

What has not yet been made public, and may not even be known to those investigating the breach, is how long hackers might have had access to the company's IT infrastructure, and how they might have been able to gain access to what should have been a secure system. Yum! has also not shared whether it has received a ransom demand from its attackers, and if it did how much ransom was demanded, and whether it would be prepared to negotiate with its extortionists.

https://www.bitdefender.com/blog/hotforsecurity/ransomware-attack-hit-kfc-and-pizza-hut-stores-in-the-uk/

  • Forthcoming SEC Rules Will Trigger ‘Tectonic Shift’ in How Corporate Boards Treat Cyber Security

Under rules first proposed in 2022 but expected to be finalised as soon as April 2023, publicly traded companies in the US that determine a cyber incident has become “material”, meaning it could have a significant impact on the business, must disclose details to the SEC and investors within four business days. That requirement would also apply “when a series of previously undisclosed, individually immaterial cyber security incidents has become material in the aggregate.

The SEC’s rules will also require the boards of those companies to disclose significant information on their security governance, such as how and when it exercises oversight on cyber risks. That info includes identifying who on the board (or which subcommittee) is responsible for cyber security and their relevant expertise. Required disclosures will also include how often and by which processes board members are informed and discuss cyber risk. The former cyber adviser to the SEC commented that “The problem we have with the current cyber security ecosystem is that it’s very focused on technical mitigation measures and does not contemplate these business, operational, [or] financial factors.”

Whilst this only impacts US firms, we can expect other jurisdictions to follow suit.

https://www.itbrew.com/stories/2023/01/20/forthcoming-sec-rules-will-trigger-tectonic-shift-in-how-corporate-boards-treat-cybersecurity

  • Why CISOs Make Great Board Members

Cyber security-related risk is a top concern, so boards need to know they have the proper oversight in place. The past three years created a perfect storm situation with lasting consequences for how we think about cyber security, and as a result cyber security technologies and teams have shifted from being viewed as a cost centre to a business enabler.

Gartner predicts that by 2025, 40% of companies will have a dedicated cyber security committee. Who is better suited than a CISO to lead that conversation? Cyber security-related risk is a top concern, so boards need to know they have the proper oversight in place. CISOs can provide advice on moving forward with digital change initiatives and help companies prepare for the future. They can explain the organisation’s risk posture, including exposure related to geopolitical conflict as well as to new business initiatives and emerging threats, and what can be done to mitigate risk.

Lastly, the role of the CISO has evolved from being a risk metrics presenter to a translator of risk to the business. Therefore, the expertise CISOs have developed in recent years in how to explain risk to the board makes them valuable contributors to these conversations. They can elevate the discussion to ensure deep understanding of the trade-offs between growth and risk, enable more informed decision-making, and serve as guardrails for total business alignment.

https://www.securityweek.com/why-cisos-make-great-board-members/

  • View From Davos: The Changing Economics of Cyber Crime

Cyber crime is a risk created by humans, driven by the economic conditions of high profit and easy opportunity. Ransomware is the most recent monetisation of these motives and opportunities, and it has evolved from simple malware to advanced exploits and double or triple extortion models.

The motive for cyber crime is clear: to steal money, but the digital nature of cyber crime makes the opportunity uniquely attractive, due to the following:

·       Cryptocurrency makes online extortion, trading illicit goods and services, and laundering fraudulent funds highly anonymous and usually beyond the reach of financial regulators or inspection

·       There isn't enough fear of getting caught for cyber crime.

·       With the explosion in spending on digital transformation, data is the new gold and it is incredibly easy to steal, due to lapses in basic hygiene like encrypting data-at-rest and in-transit or limiting access to only authorised users.

·       Paying extortion through extensive cyber insurance policies only feeds the ransomware epidemic by incentivising further crime, as noted by the FBI.

Fighting cyber crime is a team sport, and to succeed, we must adopt this framework of cyber resilience that integrates the technical, policy, behavioural, and economic elements necessary to manage the reality of ever-growing cyber crime as a predictable and manageable cyber risk.

https://www.darkreading.com/edge-articles/view-from-davos-the-changing-economics-of-cybercrime

  • Cloud Based Networks Under Increasing Attack, Report Finds

As enterprises around the world continue to move to the cloud, cyber criminals are following right behind them. There was a 48 percent year-over-year jump in 2022 in cyber attacks on cloud-based networks, and it comes at a time when 98 percent of global organisations use cloud services, according to Check Point. The increases in cyber attacks were experienced in various regions, including Asia (with a 60 percent jump), Europe (50 percent), and North America (28 percent) according to a report by Checkpoint last week.

Check Point explained that "The rise in attacks on the cloud was driven both by an overall increase in cyber attacks globally (38 percent overall in 2022, compared to 48 percent in the cloud) and also by the fact that it holds much more data and incorporates infrastructure and services from large amounts of potential victims, so when exploited the attacks could have a larger impact,". Later, Checkpoint highlighted that human error is a significant factor in the vulnerability of cloud-based networks.

The report highlighted the need for defence capabilities in the cloud to improve. According to Check Point, this means adopting zero-trust cloud network security controls, incorporating security and compliance earlier in the development lifecycle, avoiding misconfigurations, and using tools such as an intrusion detection and prevention systems and next-generation web application firewalls. As  commented by Check Point “it is still up to the network and security admins to make sure all their infrastructure is not vulnerable.

https://www.theregister.com/2023/01/20/cloud_networks_under_attack/

  • GoTo Admits: Customer Cloud Backups Stolen Together with Decryption Key

On 2022-11-30, GoTo informed customers that it had suffered “a security incident”, summarising the situation as follows:

“Based on the investigation to date, we have detected unusual activity within our development environment and third-party cloud storage service. The third-party cloud storage service is currently shared by both GoTo and its affiliate, LastPass.”

Two months later, GoTo has come back with an update, and the news isn’t great:

“[A] threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere. We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.”

The company also noted that although MFA settings for some Rescue and GoToMyPC customers were stolen, their encrypted databases were not.

https://nakedsecurity.sophos.com/2023/01/25/goto-admits-customer-cloud-backups-stolen-together-with-decryption-key/

  • State-Linked Hackers in Russia and Iran are Targeting UK Groups, NCSC Warns

Russian and Iranian state-linked hackers are increasingly targeting British politicians, journalists and researchers with sophisticated campaigns aimed at gaining access to a person’s email, Britain’s online security agency warned on Thursday. The National Cyber Security Centre (NCSC) issued an alert about two groups from Russia and Iran, warning those in government, defence, thinktanks and the media against clicking on malicious links from people posing as conference hosts, journalists or even colleagues.

Both groups have been active for some years, but it is understood they have recently stepped up their activities in the UK as the war in Ukraine continues, as well as operating in the US and other NATO countries.

The hackers typically seek to gain confidence of a target by impersonating somebody likely to make contact with them, such as by falsely impersonating a journalist, and ultimately luring them to click on a malicious link, sometimes over the course of several emails and other online interactions.

NCSC encourages people to use strong email passwords. One technique is to use three random words, and not replicate it as a login credential on other websites. It recommends people use two-factor authentication, using a mobile phone as part of the log on process, ideally by using a special authenticator app.

The cyber agency also advises people exercise particular caution when receiving plausible sounding messages from strangers who rely on Gmail, Yahoo, Outlook or other webmail accounts, sometimes impersonating “known contacts” of the target culled from social media.

https://www.theguardian.com/technology/2023/jan/26/state-linked-hackers-in-russia-and-iran-are-targeting-uk-groups-ncsc-warns

  • 3.7 Million Customers’ Data of Hilton Hotels Put Up For Sale

A member of a hacker forum going by the name IntelBroker, has offered a database allegedly containing the personal information of 3.7 million people participating in the Hilton Hotels Honors program. According to the actor, the data in question includes personally identifying information such as name, address and Honors IDs. According to the Hilton Hotel, no guest login credentials, contacts, or financial information have been leaked.

https://informationsecuritybuzz.com/3-7-millions-customers-data-hilton-hotel-up-for-sale/

Threats

Ransomware, Extortion and Destructive Attacks

Phishing & Email Based Attacks

BEC – Business Email Compromise

Other Social Engineering; Smishing, Vishing, etc

Malware                                                                                   

Mobile

Botnets

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Insurance

Dark Web

Software Supply Chain

Cloud/SaaS

Attack Surface Management

Encryption

API

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Malvertising

Training, Education and Awareness

Regulations, Fines and Legislation

Governance, Risk and Compliance

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Artificial Intelligence

Misinformation, Disinformation and Propaganda

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Vulnerability Management

Vulnerabilities

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 20 January 2023

Black Arrow Cyber Threat Briefing 20 January 2023:

-Experts at Davos 2023 Call for a Global Response to the Gathering 'Cyber Storm'

-Cost of Data Breaches to Global Businesses at Five-Year High

-European Data Protection Authorities Issue Record €2.92 Billion In GDPR Fines, an Increase of 168%

-PayPal Accounts Breached in Large-Scale Credential Stuffing Attack

-Royal Mail Boss to Face MPs’ Questions Over Russian Ransomware Attack

-Third-Party Risk Management: Why 2023 Could be the Perfect Time to Overhaul your TPRM Program

-EU Cyber Resilience Regulation Could Translate into Millions in Fines

-Russian Hackers Try to Bypass ChatGPT's Restrictions for Malicious Purposes

-New Report Reveals CISOs Rising Influence

-ChatGPT and its Perilous Use as a "Force Multiplier" for Cyber Attacks

-Mailchimp Discloses a New Security Breach, the Second One in 6 Months

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Experts at Davos 2023 Call for a Global Response to the Gathering 'Cyber Storm'

As economic and geopolitical instability spills into the new year, experts predict that 2023 will be a consequential year for cyber security. The developments, they say, will include an expanded threat landscape and increasingly sophisticated cyber attacks.

"There's a gathering cyber storm," Sadie Creese, a Professor of Cyber Security at the University of Oxford, said during an interview at the World Economic Forum’s Annual Meeting 2023 in Davos, Switzerland. "This storm is brewing, and it's really hard to anticipate just how bad that will be."

Already, cyber attacks such as phishing, ransomware and distributed denial-of-service (DDoS) attacks are on the rise. Cloudflare, a major US cyber security firm that provides protection services for over 30% of Fortune 500 companies, found that DDoS attacks—which entail overwhelming a server with a flood of traffic to disrupt a network or webpage—increased last year by 79% year-over-year.

"There's been an enormous amount of insecurity around the world," Matthew Prince, the CEO of Cloudflare, stated during the Annual Meeting. "I think 2023 is going to be a busy year in terms of cyber attacks."

https://www.weforum.org/agenda/2023/01/cybersecurity-storm-2023-experts-davos23/

  • Cost of Data Breaches to Global Businesses at Five-Year High

Research from business insurer Hiscox shows that the cost of dealing with cyber events for businesses has more than tripled since 2018. The study, which collated data from the organisation’s previous five annual Cyber Readiness reports, has revealed that:

  • Since 2018 the median IT budgets for cyber security more than tripled.

  • Between 2020 and 2022 cyber-attacks increased by over a quarter.

  • Businesses are increasing their cyber security budgets year-on-year.

In the Hiscox 2022 Cyber Readiness report, the financial toll of cyber incidents, including data breaches, was estimated to be $16,950 (£15,265) on average. As the cost of cyber crime grew, so did organisations’ cyber security budgets – average spending on cyber security tripled from 2018 to 2022, rocketing from $1,470,196 (£1,323,973) to $5,235,162 (£4,714,482).

Hiscox has also revealed that half of all companies surveyed suffered at least one cyber attack in 2022, up 11% from 2020. Financial Services, as well as Technology, Media and Telecom (TMT) sectors even reported a minimum of one attack for three consecutive years. Financial Services firms, however, seemed to be hit the hardest, with 66% reporting being impacted by cyber attacks in 2021-2022.

Cyber risk has risen to the same strategic level as traditional financial and operational risks, thanks to a growing realisation by businesses that the impact can be just as severe.

https://www.itsecurityguru.org/2023/01/18/cost-of-data-breaches-to-global-businesses-at-five-year-high/

  • European Data Protection Authorities Issue Record €2.92 Billion in GDPR Fines, an Increase of 168%

European data regulators issued a record €2.92 billion in fines last year, a 168% increase from 2021. That’s according to the latest GDPR and Data Breach survey from international law firm DLA Piper, which covers all 27 Member States of the European Union, plus the UK, Norway, Iceland, and Liechtenstein. This year’s biggest fine of €405 million was imposed by the Irish Data Protection Commissioner (DPC) against Meta Platforms Ireland Limited relating to Instagram for alleged failures to protect children’s personal data. The Irish DPC also fined Meta €265 million for failing to comply with the GDPR obligation for Data Protection by Design and Default. Both fines are currently under appeal.

Despite the overall increase in fines since January 28, 2022, the fine of €746 million that Luxembourg authorities levied against Amazon last year remains the biggest to be issued by an EU-based data regulator to date (though the retail giant is still believed to be appealing).

The report also revealed a notable increase in focus by supervisory authorities on the use of artificial intelligence (AI), while the volume of data breaches reported to regulators decreased slightly against the previous year’s total.

https://www.csoonline.com/article/3685789/european-data-protection-authorities-issue-record-2-92-billion-in-gdpr-fines.html#tk.rss_news

  • PayPal Accounts Breached in Large-Scale Credential Stuffing Attack

PayPal is sending out data breach notifications to thousands of users who had their accounts accessed through credential stuffing attacks that exposed some personal data.

Credential stuffing are attacks where hackers attempt to access an account by trying out username and password pairs sourced from data leaks on various websites. This type of attack relies on an automated approach with bots running lists of credentials to "stuff" into login portals for various services. Credential stuffing targets users that employ the same password for multiple online accounts, which is known as "password recycling."

PayPal explains that the credential stuffing attack occurred between December 6 and December 8, 2022. The company detected and mitigated it at the time but also started an internal investigation to find out how the hackers obtained access to the accounts. By December 20, 2022, PayPal concluded its investigation, confirming that unauthorised third parties logged into the accounts with valid credentials. The electronic payments platform claims that this was not due to a breach on its systems and has no evidence that the user credentials were obtained directly from them.

According to the data breach reporting from PayPal, 34,942 of its users have been impacted by the incident. During the two days, hackers had access to account holders' full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers. Transaction histories, connected credit or debit card details, and PayPal invoicing data are also accessible on PayPal accounts.

https://www.bleepingcomputer.com/news/security/paypal-accounts-breached-in-large-scale-credential-stuffing-attack/

  • Royal Mail Boss to Face MPs’ Questions Over Russian Ransomware Attack

Royal Mail’s chief executive faced questions from MPs last week over the Russia-linked ransomware attack that caused international deliveries to grind to a halt.

Simon Thompson, chief executive of Royal Mail, was asked about the recent cyber attack when he appeared before the Commons Business Select Committee to discuss Royal Mail’s response to the cyber attack at the evidence session on Tuesday Jan 17.

A Royal Mail spokesman said: “Royal Mail has been subject to a cyber incident that is affecting our international export service. We are focused on restoring this service as soon as we are able.”

Royal Mail was forced to suspend all outbound international post after machines used for printing customs dockets were disabled by the Russia-linked Lockbit cyber crime gang. Lockbit’s attackers used ransomware, malicious software that scrambles vital computer files before the gang demands payment to unlock them again. The software also took over printers at Royal Mail’s international sorting offices and caused ransom notes to “spout” from them, according to reports.

Cyber security industry sources cautioned that while Lockbit is known to be Russian in origin, it is not known whether a stolen copy of the gang’s signature ransomware had been deployed by rival hackers.

https://www.telegraph.co.uk/business/2023/01/13/royal-mail-boss-face-mps-questions-russian-ransomware-attack/

  • Third-Party Risk Management: Why 2023 Could be the Perfect Time to Overhaul your TPRM Program

Ensuring risk caused by third parties does not occur to your organisation is becoming increasingly difficult. Every business outsources some aspects of its operations, and ensuring these external entities are a strength and not a weakness isn’t always a straightforward process.

In the coming years we’ll see organisations dedicate more time and resources to developing detailed standards and assessments for potential third-party vendors. Not only will this help to mitigate risk within their supply chain network, it will also provide better security.

As demand for third-party risk management (TPRM) grows, there are key reasons why we believe 2023 could be pivotal for the future of your organisation’s TPRM program, cyber risk being principal amongst them.

Forrester predicted that 60% of security incidents in 2022 would stem from third parties. In 2021 there was a 300% increase in supply chain attacks, a trend that has continued to increase over the past 12 months also. For example, Japanese car manufacturer Toyota was forced to completely shut down its operations due to a security breach with a third-party plastics supplier.

It’s not only the frequency of third-party attacks that has increased, but also the methods that cyber criminals are using are becoming increasingly sophisticated. For example, the SolarWinds cyber breach in 2020 was so advanced that Microsoft estimated it took over a thousand engineers to stop the impact of the attack.

As the sophistication and frequency of supply chain attacks increases, the impact they have on businesses reputations and valuations is also becoming apparent. There is a need for organisations to conduct thorough due diligence of the third parties they choose to work with, otherwise the consequences could be disastrous.

Remember always that cyber security should be a non-negotiable feature of all business transactions.

https://informationsecuritybuzz.com/third-party-risk-management-why-2023-could-be-the-perfect-time-to-overhaul-your-tprm-program/

  • EU Cyber Resilience Regulation Could Translate into Millions in Fines

The EU Commission’s Cyber Resilience Act (CRA) is intended to close the digital fragmentation problem surrounding devices and systems with network connections – from printers and routers to smart household appliances and industrial control systems. Industrial networks and critical infrastructures require special protection.

According to the European Union, there is currently a ransomware attack every eleven seconds. In the last few weeks alone, among others, a leading German children’s food manufacturer and a global Tier1 automotive supplier headquartered in Germany were hit, with the latter becoming the victim of a massive ransomware attack. Such an attack even led to insolvency at the German manufacturer Prophete in January 2023. To press manufacturers, distributors and importers into action, they face significant penalties if security vulnerabilities in devices are discovered and not properly reported and closed.

“The pressure on the industry – manufacturers, distributors and importers – is growing immensely. The EU will implement this regulation without compromise, even though there are still some work packages to be done, for example regarding local country authorities,” says Jan Wendenburg, CEO, ONEKEY.

The financial fines for affected manufacturers and distributors are therefore severe: up to 15 million euros or 2.5 percent of global annual revenues in the past fiscal year – the larger number counts. “This makes it absolutely clear: there will be substantial penalties on manufacturers if the requirements are not implemented,” Wendenburg continues.

Manufacturers, distributors and importers are required to notify ENISA – the European Union’s cyber security agency – within 24 hours if a security vulnerability in one of their products is exploited. Exceeding the notification deadlines is already subject to sanctions.

https://www.helpnetsecurity.com/2023/01/19/eu-cyber-resilience-regulation-fines/

  • Russian Hackers Try to Bypass ChatGPT's Restrictions for Malicious Purposes

Russian cyber-criminals have been observed on dark web forums trying to bypass OpenAI’s API restrictions to gain access to the ChatGPT chatbot for nefarious purposes.

Various individuals have been observed, for instance, discussing how to use stolen payment cards to pay for upgraded users on OpenAI (thus circumventing the limitations of free accounts). Others have created blog posts on how to bypass the geo controls of OpenAI, and others still have created tutorials explaining how to use semi-legal online SMS services to register to ChatGPT.

“Generally, there are a lot of tutorials in Russian semi-legal online SMS services on how to use it to register to ChatGPT, and we have examples that it is already being used,” wrote Check Point Research (CPR). “It is not extremely difficult to bypass OpenAI’s restricting measures for specific countries to access ChatGPT,” said Check Point. “Right now, we are seeing Russian hackers already discussing and checking how to get past the geofencing to use ChatGPT for their malicious purposes.”

They added that they believe these hackers are most likely trying to implement and test ChatGPT in their day-to-day criminal operations. “Cyber-criminals are growing more and more interested in ChatGPT because the AI technology behind it can make a hacker more cost-efficient,” they explained.

Case in point, just last week, Check Point Research published a separate advisory highlighting how threat actors had already created malicious tools using ChatGPT. These included infostealers, multi-layer encryption tools and dark web marketplace scripts.

More generally, the cyber security firm is not the only one believing ChatGPT could democratise cyber crime, with various experts warning that the AI bot could be used by potential cyber-criminals to teach them how to create attacks and even write ransomware.

https://www.infosecurity-magazine.com/news/russian-hackers-to-bypass-chatgpt/

  • New Report Reveals CISOs Rising Influence

Cyber security firm Coalfire this week unveiled its second annual State of CISO Influence report, which explores the expanding influence of Chief Information Security Officers (CISOs) and other security leaders.

The report revealed that the CISO role is maturing quickly, and the position is experiencing more equity in the boardroom. In the last year alone, there was a 10-point uptick in CISOs doing monthly reporting to the board. These positive outcomes likely stem from the increasingly metrics-driven reporting CISOs provide, where data is more effectively leveraged to connect security outcomes to business objectives.

An especially promising development in this year's report is how security teams are being looped into corporate projects. Of the security leaders surveyed, 78% say they are consulted early in project development when business objectives are first identified, and two-thirds are now making presentations to the highest levels of enterprise authority. 56% of CISOs present security metrics to their CEOs, up from 43% in 2021.

Cloud migration was universally identified as one of those top business objectives. The move to the cloud saddles CISOs with many challenges. The top priorities listed by CISOs include dealing with an expanding attack surface, staffing, and new compliance requirements — all within constrained budgets. In fact, 43% of security leaders said their budgets remained static or were reduced following business migration to the cloud.

Given these challenges, leading CISOs are transforming their approaches. To address multiple cloud compliance requirements, security leaders are focusing on the most onerous set of rules and creating separate environments for different requirements. Risk assessments were identified as the key tool used to secure funding for these and other cyber initiatives and to set top priorities.

"Costs and risks are up, while at the same time, cyber budgets are trending flat or down," said Colefire. "Cyber security has historically been lower in priority for organisations, but we are witnessing a big shift in enterprise cyber expectations. CISOs are rising to meet those expectations, speaking to the business, and as a result, solidifying their role in the C-suite."

https://www.darkreading.com/threat-intelligence/new-coalfire-report-reveals-cisos-rising-influence

  • ChatGPT and its Perilous Use as a "Force Multiplier" for Cyber Attacks

As a form of OpenAI technology, ChatGPT has the ability to mimic natural language and human interaction with remarkable efficiency. However, from a cyber security perspective, this also means it can be used in a variety of ways to lower the bar for threat actors.

One key method is the ability for ChatGPT to draft cunning phishing emails en masse. By feeding ChatGPT with minimal information, it can create content and entire emails that will lure unsuspecting victims to provide their passwords. With the right API setup, thousands of unique, tailored, and sophisticated phishing emails can be sent almost simultaneously.

Another interesting capability of ChatGPT is the ability to write malicious code. While OpenAI has put some controls in place to prevent ChatGPT from creating malware, it is possible to convince ChatGPT to create ransomware and other forms of malware as code that can be copied and pasted into an integrated development environment (IDE) and used to compile actual malware. ChatGPT can also be used to identify vulnerabilities in code segments and reverse engineer applications.

ChatGPT will expedite a trend that is already wreaking havoc across sectors – lowering the bar for less sophisticated threat actors, enabling them to conduct attacks while evading security controls and bypassing advanced detection mechanisms. And currently, there is not much that organisations can do about it. ChatGPT represents a technological marvel that will usher in a new era, not just for the cyber security space.

https://www.calcalistech.com/ctechnews/article/sj0lfp11oi

  • Mailchimp Discloses a New Security Breach, the Second One in 6 Months

The popular email marketing and newsletter platform Mailchimp was hacked twice in the past six months. The news of a new security breach was confirmed by the company; the incident exposed the data of 133 customers.

Threat actors targeted the company’s employees and contractors to gain access to an internal support and account admin tool.

“On January 11, the Mailchimp Security team identified an unauthorised actor accessing one of our tools used by Mailchimp customer-facing teams for customer support and account administration. The unauthorised actor conducted a social engineering attack on Mailchimp employees and contractors, and obtained access to select Mailchimp accounts using employee credentials compromised in that attack.” reads the notice published by the company. “Based on our investigation to date, this targeted incident has been limited to 133 Mailchimp accounts.”

The malicious activity was discovered on January 11, 2023; in response to the intrusion the company temporarily suspended access for impacted accounts. The company also notified the primary contacts for all affected accounts less than 24 hours after the initial discovery.

https://securityaffairs.com/140997/data-breach/mailchimp-security-breach.html

Threats

Ransomware, Extortion and Destructive Attacks

Phishing & Email Based Attacks

Other Social Engineering; Smishing, Vishing, etc

2FA/MFA

Malware

Mobile

Botnets

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Fraud, Scams & Financial Crime

Insurance

Dark Web

Supply Chain and Third Parties

Cloud/SaaS

Hybrid/Remote Working

Encryption

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Malvertising

Training, Education and Awareness

Regulations, Fines and Legislation

Governance, Risk and Compliance

Data Protection

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Artificial Intelligence

Misinformation, Disinformation and Propaganda

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Nation State Actors

Nation State Actors – Russia

Nation State Actors – North Korea

Nation State Actors – Iran

Nation State Actors – Misc

Vulnerability Management

Vulnerabilities

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Join us at 2pm on Thursday 26th of January for 'It Started with a Phish: a Bite-Sized Introduction to Incident Response'

Join us at 2pm on Thursday 26th of January for 'It Started with a Phish: a Bite-Sized Introduction to Incident Response'

Join us at 2pm on Thursday 26th of January for 'It Started with a Phish: a Bite-Sized Introduction to Incident Response' as part of the Islands Data Governance Forum Conference in-person at the Digital Greenhouse in Guernsey.

In this event, Bruce, James and Luke will lead a high-level tabletop taster exercise in incident response, guiding attendees on what to do in the event of a cyber security and data loss incident.

To find out more and to get tickets: It started with a phish: a bite-sized introduction to incident response | Digital Greenhouse

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Advisory 20/01/2023 – Zoho ManageEngine Exploit Released Affecting Multiple Product Lines

Black Arrow Cyber Advisory 20/01/2023 – Zoho ManageEngine Exploit Released Affecting Multiple Product Lines

Executive Summary

CVE-2022-47966 is a remote code execution vulnerability which impacts Zoho’s ManageEngine On-Premise products, due to the use of an outdated third-party dependency, Apache Santuario. The exploit for this vulnerability has now been publicly released. Software updates addressing the vulnerabilities were previously released by Zoho across October/November last year.

What’s the risk to me or my business?

Successful exploitation of this vulnerability would grant an attacker the ability to remotely execute code. Users of ManageEngine On-Demand/cloud products are not affected by this vulnerability. In addition, the exploit is applicable, only when Single Sign-on (SSO) is or was enabled during the initial ManageEngine setup.

What can I do?

For organisations using ManageEngine On-Premise products where Single Sign-on (SSO) is or was enabled during initial setup, it is strongly recommended to install the patched version which addresses this vulnerability.

Further information on the security advisory from Zoho ManageEngine can be found here, including impacted version numbers, and the version numbers where the exploit was fixed: https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Read More
Black Arrow Admin Black Arrow Admin

What We Expect to See in 2023

What We Expect to See in 2023

2022 proved to be a challenging year for organisations trying to protect themselves against cyber attacks that originate from across the world, and within only the first two weeks of 2023 more high profile attacks have been disclosed.

One indicator of the scale of the problem is to look at how cyber insurance providers have been objectively assessing the risk of a cyber attack on their clients, and how to price that risk. This gives us strong signals about the challenges that cyber security will bring in 2023.

2022 proved to be a challenging year for organisations trying to protect themselves against cyber attacks that originate from across the world, and within only the first two weeks of 2023 more high profile attacks have been disclosed.

One indicator of the scale of the problem is to look at how cyber insurance providers have been objectively assessing the risk of a cyber attack on their clients, and how to price that risk. This gives us strong signals about the challenges that cyber security will bring in 2023.

The signs from the Cyber Insurance market

There have been some foreboding seismic changes in the cyber insurance market. The volume of attacks globally has resulted in insurance premiums that are now out of range for many organisations, and in December last year Zurich insurance said that cyber attacks will become “uninsurable”. Lloyds of London have mandated that all their policies must include an act of war exclusion, to ensure there is no liability when policy holders are caught in the cyber-crossfire by nation states such as Russia; it would not be a surprise if further exclusions were brought in later.

Cyber attackers come in many forms including nation states such as Russia, China and North Korea, as well as independent criminal gangs that operate in those countries and elsewhere. The line between these parties is very blurred, for example when the Russian military collaborates with local criminal gangs. It remains to be seen whether an insurance provider will make a distinction between the actions of a nation state and the country’s criminal gangs as an act of war, especially because attribution is not an exact science and may be outside the capability of an insurance underwriter. It is possible that the insured party will have to wait for some time before the claim is investigated, and they may need to challenge the assessment in court.

All the signs are that if insurance is indeed made available, then it will only be offered to an organisation that shows it has done everything it reasonably can to make itself an attractively low risk to an insurance provider. Consider the dispute between Travellers Insurance and their policyholder in the US in July last year, where the policy holder experienced a ransomware attack but Travellers successfully had the insurance policy annulled because the policyholder did not have the cyber protections in place that they claimed.

Organisations need to be constantly aware of the current and evolving risks of a cyber incident, and review whether their controls are robust enough to keep that risk down. Insurance providers have already started to do their own assessment of their policy holders’ controls, akin to a risk assessment before granting a person a life assurance policy, and they plan to go a lot deeper than you might think. Cloud providers including Google, Microsoft and Amazon are working with insurance companies to review the security configuration settings of their customers as part of the insurance company’s due diligence, to determine whether to offer insurance and at what price. The implications are clear: insurance companies expect you to have robust cyber security before they will consider you as a client. Where previously the application for an insurance policy was based on self-attestation by an organisation, insurance providers are now starting to ask for reports and metrics, however this could result in the applicant sharing highly sensitive information on their cyber security weaknesses which could be exploited if in an attacker’s hands. 

Ransomware will remain popular …

A recent report from the insurance industry’s representative body, the Geneva Association, highlighted that 75% of all cyber-insurance claims in 2020 (the latest available analysis) were for ransomware. In 2022 we saw a change in the tactics of ransom attackers, and we expect more to come as attackers copy the success of their peers in trying out new approaches.

Last year, a ransomware gang hacked into the website of their victim to post the ransom note for the world to see, in order to increase the pressure to have the ransom paid. Other attackers have used a new way of encrypting their victim’s files by only encrypting every 16th bit (called Intermitted Encryption) to avoid making too much ‘noise’ and setting off the victim’s detection systems.

We expect attackers to increase their ‘innovation’ in ransomware, especially as the ransomware software has become so much easier to purchase online through the ransomware-as-a service (RaaS) market that the attacker community has established, alongside their call centres and venture capital services to enable the RaaS market to flourish. As a result, organisations need to keep their ear to the ground by reading cyber threat intelligence, such as our weekly blog, to understand the new tactics and check how secure they are against them.

… but new types of attacks are increasing

However, ransomware is not the only type of attack and it looks set to decrease (slightly) in popularity with the recent crash in crypto currencies, which is a currency of choice for cyber attackers as it is like a suitcase of unmarked banknotes that cannot be traced. Coming up in popularity is business email compromise (BEC), and the lesser known email account compromise (EAC), where the attacker gains access to a user’s email account and, without the knowledge of the owner, uses it to conduct further attacks such as sending out emails requesting payments to fraudulent accounts. BEC/EAC are not new, but they seem to be considered easier and more profitable for attackers in late 2022 and into 2023.

It is worth noting that attackers will often lurk for months or years after an email account has been compromised. The attacker will watch and wait for the right moment to strike, for example when the victim is about to transfer funds to a third party and the attacker intercepts and alters emails to divert the funds to the attacker’s bank account.

When there is money to be made, there will be innovation

Every day across the world, hundreds of thousands of clever but dishonest people wake up in the morning, and their definition of a good day’s work is that they have broken through your defences to get access to your information or money.

Recent ‘innovations’ from the attackers perspective include call-back phishing, which has soared in popularity as attackers are refining their techniques. This starts with a classic phishing email that tells the recipient that their information or money is in danger. However, this email encourages the recipient to call a number for help; the person they call is the attacker who will talk them through downloading software (which is, sadly, malicious software or ‘malware’) and transferring money (unknowingly into the attacker’s account) in order to sort out the problem.

The ’robust’ controls of this morning might not be so strong by this afternoon

Last autumn, a contractor at Uber was contacted by someone claiming to be from the company’s IT team, who asked the contractor to accept the multi-factor authentication (MFA) prompts they had been receiving on their device in order that the IT team could work on their account. The contractor complied. The person who contacted them was of course an attacker and now had direct access to Uber’s systems, including the ability to post messages on the company’s Slack channels used for internal messaging.

This is a strong reminder that controls, such as MFA, that are considered robust can still be overcome by a determined attacker, especially if they can convince an employee to help them. To be clear, MFA is a very credible control and should certainly be maintained however there are no silver bullets and no single control offers 100% protection to withstand a determined attacker. The only way to protect yourself is to understand the evolving tactics of attackers, and to maintain a strategy of multiple layers of controls in order that if one of them fails, then the other controls can help to withstand or mitigate the damage; this is referred to as defence in depth.

Subscribe to our weekly round up of threat intelligence

2023 has already started as a yet more challenging year for protecting you and your clients’ information against a cyber attack. The UK’s Royal Mail has fallen victim to ransomware attributed to Russian attackers that has immobilised its international operations, and the Guardian newspaper has shared details of a recent attack on their systems.

This is why your cyber security strategy needs to be regularly reassessed based on what your ear to the ground is telling you. Subscribe to our weekly threat intelligence report on blackarrowcyber.com/subscribe to keep on top of the latest developments and see what our threat intelligence tells you to consider in your cyber security strategy. And contact us if you want to discuss what this all means for you; we know and love cyber security, and would be happy to hear from you.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 13 January 2023

Black Arrow Cyber Threat Briefing 13 January 2023:

-Quarter of UK SMBs Hit by Ransomware in 2022

-Global Cyber Attack Volume Surges 38% in 2022

-1 in 3 Organisations Do Not Provide Any Cyber Security Training to Remote Workers Despite the Majority of Employees Having Access to Critical Data

-AI-Generated Phishing Attacks Are Becoming More Convincing

-Customer and Employee Data the Top Prize for Hackers

-Royal Mail hit by Ransomware Attack, Causes ‘Severe Disruption’ to Services

-The Guardian Confirms Personal Information Compromised in Ransomware Attack

-Ransomware Gang Releases Info Stolen from 14 UK Schools, Including Passport Scans

-The Dark Web’s Criminal Minds See Internet of Things as Next Big Hacking Prize

-Corrupted File to Blame for Computer Glitch which Grounded Every US Flight

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Quarter of UK SMBs Hit by Ransomware in 2022

Over one in four (26%) British SMBs have been targeted by ransomware over the past year, with half (47%) of those compromised paying their extorters, according to new data from anti-virus provider Avast. The security vendor polled 1000 IT decision makers from UK SMBs back in October, to better understand the risk landscape over the previous 12 months.

More than two-thirds (68%) of respondents said they are more concerned about being attacked since the start of the war in Ukraine, fuelling concerns that have led to half (50%) investing in cyber-insurance. They’re wise to do so, considering that 41% of those hit by ransomware lost data, while 34% lost access to devices, according to Avast.

Given that SMBs comprise over 99% of private sector businesses in the country, it’s reassuring that cyber is now being viewed as a major business risk. Nearly half (48%) ranked it as one of the biggest threats they currently face, versus 66% who cited financial risk stemming from surging operational cost. More respondents cited cyber as a top threat than did physical security (35%) and supply chain disruption (33%).

Avast argued that SMBs are among the groups most vulnerable to cyber-threats as they often have very limited budget and resources, and many don’t have somebody on staff managing security holistically. As a result, not only are SMB’s lacking in their defence, but they’re also slower and less able to react to incidents.

https://www.infosecurity-magazine.com/news/quarter-of-uk-smbs-hit-ransomware/

  • Global Cyber Attack Volume Surges 38% in 2022

The number of cyber attacks recorded last year was nearly two-fifths (38%) greater than the total volume observed in 2021, according to Check Point.

The security vendor claimed the increase was largely due to a surge in attacks on healthcare organisations, which saw the largest year-on-year (YoY) increase (74%), and the activities of smaller, more agile hacking groups.

Overall, attacks reached an all-time high in Q4 with an average of 1168 weekly attacks per organisation. The average weekly figures for the year were highest for education sector organisations (2314), government and military (1661) and healthcare (1463).

Threat actors appear to have capitalised on gaps in security created by the shift to remote working. The ransomware ecosystem is continuing to evolve and grow with smaller, more agile criminal groups that form to evade law enforcement. Hackers are also now increasingly widening their aim to target business collaboration tools such as Slack, Teams, OneDrive and Google Drive with phishing exploits. These make for a rich source of sensitive data given that most organisations’ employees continue to work remotely.

It is predicted that AI tools like ChatGPT would help to fuel a continued surge in attacks in 2023 by making it quicker and easier for bad actors to generate malicious code and emails.

Recorded cyber-attacks on US organisations grew 57% YoY in 2022, while the figure was even higher in the UK (77%). This chimes with data from UK ISP Beaming, which found that 2022 was the busiest year on record for attacks. It recorded 687,489 attempts to breach UK businesses in 2022 – the equivalent of one attack every 46 seconds.

https://www.infosecurity-magazine.com/news/global-cyberattack-volume-surges/

  • 1 in 3 Organisations Do Not Provide Any Cyber Security Training to Remote Workers Despite the Majority of Employees Having Access to Critical Data

New research from cyber security provider Hornetsecurity has found that 33% of companies are not providing any cyber security awareness training to users who work remotely.

The study also revealed nearly three-quarters (74%) of remote staff have access to critical data, which is creating more risk for companies in the new hybrid working world.

Despite the current lack of training and employees feeling ill-equipped, almost half (44%) of respondents said their organisation plans to increase the percentage of employees that work remotely. The popularity of hybrid work, and the associated risks, means that companies must prioritise training and education to make remote working safe.

Traditional methods of controlling and securing company data aren't as effective when employees are working in remote locations and greater responsibility falls on the individual. Companies must acknowledge the unique risks associated with remote work and activate relevant security management systems, as well as empower employees to deal with a certain level of risk.

The independent survey, which quizzed 925 IT professionals from a range of business types and sizes globally, highlighted the security management challenges and employee cyber security risk when working remotely. The research revealed two core problems causing risk: employees having access to critical data, and not enough training being provided on how to manage cyber security or how to reduce the risk of a cyber-attack or breach.

https://www.darkreading.com/vulnerabilities-threats/1-in-3-organizations-do-not-provide-any-cybersecurity-training-to-remote-workers-despite-a-majority-of-employees-having-access-to-critical-data

  • AI-Generated Phishing Attacks Are Becoming More Convincing

It's time for you and your colleagues to become more sceptical about what you read.

That's a takeaway from a series of experiments undertaken using GPT-3 AI text-generating interfaces to create malicious messages designed to spear-phish, scam, harass, and spread fake news.

Experts at WithSecure have described their investigations into just how easy it is to automate the creation of credible yet malicious content at incredible speed. Amongst the use cases explored by the research were the use of GPT-3 models to create:

  • Phishing content – emails or messages designed to trick a user into opening a malicious attachment or visiting a malicious link

  • Social opposition – social media messages designed to troll and harass individuals or to cause brand damage

  • Social validation – social media messages designed to advertise or sell, or to legitimise a scam

  • Fake news – research into how well GPT-3 can generate convincing fake news articles of events that weren’t part of its training set

All of these could, of course, be useful to cyber criminals hell-bent on scamming the unwary or spreading unrest.

https://www.tripwire.com/state-of-security/ai-generated-phishing-attacks-are-becoming-more-convincing

  • Customer and Employee Data the Top Prize for Hackers

The theft of customer and employee data accounts for almost half (45%) of all stolen data between July 2021 and June 2022, according to a new report from cyber security solution provider Imperva.

The data is part of a 12-month analysis by Imperva Threat Research on the trends and threats related to data security in its report “More Lessons Learned from Analysing 100 Data Breaches”.

Their analysis found that theft of credit card information and password details dropped by 64% compared to 2021. The decline in stolen credit card and password data pointing to the uptake of basic security tactics like multi-factor authentication (MFA). However, in the long term, PII data is the most valuable data to cyber-criminals. With enough stolen PII, they can engage in full-on identity theft which is hugely profitable and very difficult to prevent. Credit cards and passwords can be changed the second there is a breach, but when PII is stolen, it can be years before it is weaponised by hackers.

The research also revealed the root causes of data breaches, with social engineering (17%) and unsecured databases (15%) two of the biggest culprits. Misconfigured applications were only responsible for 2% of data breaches, but Imperva said that businesses should expect this figure to rise in the near future, particularly with cloud-managed infrastructure where configuring for security requires significant expertise.

It’s really concerning that a third (32%) of data breaches are down to unsecured databases and social engineering attacks, since they’re both straightforward to mitigate. A publicly open database dramatically increases the risk of a breach and, all too often, they are left like this not out of a failure of security practices but rather the total absence of any security posture at all.

https://www.infosecurity-magazine.com/news/customer-employee-data-hackers/

  • Royal Mail hit by Ransomware Attack, Causes ‘Severe Disruption’ to Services

Royal Mail experienced “severe service disruption” to its international export services following a ransomware attack, the company has announced. A statement said it was temporarily unable to despatch export items including letters and parcels to overseas destinations.

Royal Mail said: “We have asked customers temporarily to stop submitting any export items into the network while we work hard to resolve the issue” and advising that “Some customers may experience delay or disruption to items already shipped for export.”

The attack was later attributed to LockBit, a prolific ransomware gang with close ties to Russia. Both the NCSC and the NCA were involved in responding to the incident.

https://www.independent.co.uk/business/royal-mail-cyber-attack-exports-b2260308.html

  • The Guardian Confirms Personal Information Compromised in Ransomware Attack

British news organisation The Guardian has confirmed that personal information was compromised in a ransomware attack in December 2022.

The company fell victim to the attack just days before Christmas, when it instructed staff to work from home, announcing network disruptions that mostly impacted the print newspaper.

Right from the start, the Guardian said it suspected ransomware to have been involved in the incident, and this week the company confirmed that this was indeed the case. In an email to staff on Wednesday, The Guardian Media Group’s chief executive and the Guardian’s editor-in-chief said that the sophisticated cyber attack was likely the result of phishing.

They also announced that the personal information of UK staff members was compromised in the attack, but said that reader data and the information of US and Australia staff was not impacted. “We have seen no evidence that any data has been exposed online thus far and we continue to monitor this very closely,” the Guardian representatives said. While the attack forced the Guardian staff to work from home, online publishing has been unaffected, and production of daily newspapers has continued as well.

“We believe this was a criminal ransomware attack, and not the specific targeting of the Guardian as a media organisation,” the Guardian said.

The company continues to work on recovery and estimates that critical systems would be restored in the next two weeks. Staff, however, will continue to work from home until at least early February. “These attacks have become more frequent and sophisticated in the past three years, against organisations of all sizes, and kinds, in all countries,” the Guardian said.

https://www.securityweek.com/guardian-confirms-personal-information-compromised-ransomware-attack

  • Ransomware Gang Releases Info Stolen from 14 UK Schools, Including Passport Scans

Another month, another release of personal information stolen from a school system. This time, it's a group of 14 schools in the United Kingdom.

Once again, the perpetrator appears to be Vice Society, which is well known for targeting educational systems in the US. As the Cybersecurity and Infrastructure Security Agency (CISA) pointed out in a bulletin from Sept. 6, "K-12 institutions may be seen as particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers."

The UK hack may have turned up even more confidential information than the Los Angeles school system breach last year. As the BBC reported on Jan. 6, "One folder marked 'passports' contains passport scans for pupils and parents on school trips going back to 2011, whereas another marked 'contract' contains contractual offers made to staff alongside teaching documents on muscle contractions."

Some prominent school cyber attacks in the US include public school districts in Chicago, Baltimore, and Los Angeles. A new study from digital learning platform Clever claims that one in four schools experienced a cyber-incident over the past year, and according to a new report from security software vendor Emsisoft, at least 45 school districts and 44 higher learning institutions suffered ransomware attacks in 2022.

Schools are an attractive target as they are typically data-rich and resource-poor. Without proper resources in terms of dedicated staffing and the necessary tools and training to protect against cyber-attacks, schools can be a soft target. Many of the 14 schools hit by this latest leak are colleges and universities, but primary and secondary schools were also hit, according to the BBC's list.

https://www.darkreading.com/attacks-breaches/vice-society-releases-info-stolen-uk-schools-passport-scans

  • The Dark Web’s Criminal Minds See Internet of Things as Next Big Hacking Prize

Cyber security experts say 2022 may have marked an inflection point due to the rapid proliferation of IoT (Internet of Things) devices.

Criminal groups buy and sell services, and one hot idea — a business model for a crime — can take off quickly when they realise that it works to do damage or to get people to pay. Attacks are evolving from those that shut down computers or stole data, to include those that could more directly wreak havoc on everyday life. IoT devices can be the entry points for attacks on parts of countries’ critical infrastructure, like electrical grids or pipelines, or they can be the specific targets of criminals, as in the case of cars or medical devices that contain software.

For the past decade, manufacturers, software companies and consumers have been rushing to the promise of Internet of Things devices. Now there are an estimated 17 billion in the world, from printers to garage door openers, each one packed with software (some of it open-source software) that can be easily hacked.

What many experts are anticipating is the day enterprising criminals or hackers affiliated with a nation-state figure out an easy-to-replicate scheme using IoT devices at scale. A group of criminals, perhaps connected to a foreign government, could figure out how to take control of many things at once – like cars, or medical devices. There have already been large-scale attacks using IoT, in the form of IoT botnets. In that case, actors leveraging unpatched vulnerabilities in IoT devices used control of those devices to carry out denial of service attacks against many targets. Those vulnerabilities are found regularly in ubiquitous products that are rarely updated.

In other words, the possibility already exists. It’s only a question of when a criminal or a nation decides to act in a way that targets the physical world at a large scale. There are a handful of companies, new regulatory approaches, a growing focus on cars as a particularly important area, and a new movement within the software engineering world to do a better job of incorporating cyber security from the beginning.

https://www.cnbc.com/2023/01/09/the-dark-webs-criminal-minds-see-iot-as-the-next-big-hacking-prize.html

  • Corrupted File to Blame for Computer Glitch which Grounded Every US Flight

A corrupted file has been blamed for a glitch on the Federal Aviation Administration's computer system which saw every flight grounded across the US.

All outbound flights were grounded until around 9am Eastern Time (2pm GMT) on Wednesday as the FAA worked to restore its Notice to Air Missions (NOTAM) system, which alerts pilots of potential hazards along a flight route.

On Wednesday 4,948 flights within, into or out of the US had been delayed, according to flight tracker FlightAware.com, while 868 had been cancelled. Most delays were concentrated along the East Coast. Normal air traffic operations resumed gradually across the US following the outage to the NOTAM system that provides safety information to flight crews.

A corrupted file affected both the primary and the backup systems, a senior government official told NBC News on Wednesday night, adding that officials continue to investigate. Whilst Government officials said there was no evidence of a cyber attack, it shows the real world impacts that an outage or corrupted file can cause.

https://news.sky.com/story/all-flights-across-us-grounded-due-to-faa-computer-system-glitch-us-media-12784252

Threats

Ransomware, Extortion and Destructive Attacks

Phishing & Email Based Attacks

Malware

Mobile

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Fraud, Scams & Financial Crime

Insurance

Dark Web

Software Supply Chain

Cloud/SaaS

Attack Surface Management

Identity and Access Management

Encryption

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Training, Education and Awareness

Regulations, Fines and Legislation

Governance, Risk and Compliance

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Artificial Intelligence

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Nation State Actors

Nation State Actors – Russia

Nation State Actors – China

Nation State Actors – Iran

Nation State Actors – Misc

Vulnerability Management

Applications Five Years or Older Likely to have Security Flaws - Infosecurity Magazine (infosecurity-magazine.com)

Patch Where it Hurts: Effective Vulnerability Management in 2023 (thehackernews.com)

70% of apps contain at least one security flaw after 5 years in production - Help Net Security

Rackspace Ransomware Incident Highlights Risks of Relying on Mitigation Alone (darkreading.com)

Does a hybrid model for vulnerability management make sense? • Graham Cluley

Vulnerabilities

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Advisory 11/01/2023 – Microsoft, Adobe and Zoom release security updates

Black Arrow Cyber Advisory 11/01/2023 – Microsoft, Adobe and Zoom release security updates, including some under active exploitation

Microsoft, Adobe and Zoom have all this week released security updates, including some known to be being actively exploited by malicious actors.

Microsoft

Executive summary

Microsoft’s January Patch Tuesday provides updates to address 98 security issues across its product range. The updates included fixes for 11 critical vulnerabilities, including a privilege escalation flaw in Windows Advanced Local Procedure Call (ALPC) which has been recorded as being actively exploited by the US Cybersecurity and Infrastructure Agency (CISA).

What’s the risk to me or my business?

The actively exploited vulnerability could allow an attacker to escalate privileges and gain higher levels of access to affected systems, which could compromise the confidentiality, integrity and availability of data stored on the system.

What can I do?

Security updates are available for all supported versions of Windows. The updates should be applied as soon as possible for the actively exploited vulnerability and all other vulnerabilities that have a critical severity rating.

Technical Summary

The following is a breakdown of the actively exploited vulnerability which affected Microsoft Operating Systems:

CVE-2023-21674: An elevation of privilege vulnerability with a CVSS rating of 8.8, which allows the user to gain System privileges.

Microsoft guidance for CVE-2023-21674 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21674

Further details on other specific updates within this Patch Tuesday can be found here: https://www.ghacks.net/2023/01/10/microsoft-windows-security-updates-january-2023-overview/

Further details of CISA’s “Known Exploited Vulnerabilities Catalog” can be found here: https://nvd.nist.gov/vuln/detail/CVE-2023-21674

Adobe

Executive summary

Security updates have been released by Adobe to address 29 vulnerabilities relating to Adobe Dimension, Adobe InCopy, Adobe InDesign, Adobe Acrobat and Adobe Reader. 11 of the vulnerabilities were rated as critical. None of the critical vulnerabilities related to Adobe Dimension.

What’s the risk to me or my business?

If exploited, the critical vulnerabilities could result in an attacker executing code of their choice, which could impact the confidentiality, integrity and availability of the system.

What can I do?

Updates are available for the impacted versions of Adobe software. For critical vulnerabilities, updates should be applied as soon as possible.

Further technical information can be found here:

Adobe Dimension: https://helpx.adobe.com/security/products/dimension/apsb23-10.html

Adobe InCopy: https://helpx.adobe.com/security/products/incopy/apsb23-08.html

Adobe InDesign: https://helpx.adobe.com/security/products/indesign/apsb23-07.html

Adobe Acrobat and Reader: https://helpx.adobe.com/security/products/acrobat/apsb23-01.html

Zoom

Executive Summary

Zoom has provided security updates that address 5 vulnerabilities within the Zoom video conferencing software. 3 of the vulnerabilities were recorded as critical in severity.

What’s the risk to me or my business?

If exploited, the vulnerabilities could allow an attacker to gain system or root privileges on a machine, which could compromise the confidentiality, integrity and availability of the system. For this to occur, the attacker would need to be a local user.

What can I do?

Updates are available for the impacted versions of Zoom. For critical vulnerabilities, updates should be applied as soon as possible.

Further technical information can be found here: https://explore.zoom.us/en/trust/security/security-bulletin/

Need help understanding your gaps, or just want some advice? Get in touch with us.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Threat Briefing 06 January 2023

Black Arrow Cyber Threat Briefing 06 January 2023:

-Cyber War in Ukraine, Ransomware Fears Drive Surge in Demand for Threat Intelligence Tools

-Cyber Premiums Holding Firms to Ransom

-Ransomware Ecosystem Becoming More Diverse For 2023

-Attackers Evolve Strategies to Outmanoeuvre Security Teams

-Building a Security-First Culture: The Key to Cyber Success

-Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of Known Exploited Vulnerabilities Catalogue

-First LastPass, Now Slack and CircleCI. The Hacks Go On (and will likely worsen)

-Data of 235 Million Twitter Users Leaked Online

-16 Car Makers, including BMW, Ferrari, Ford, Honda, Kia, Land Rover, Mercedes and Toyota, and Their Vehicles Hacked via Telematics, APIs, Infrastructure

-Ransomware Gang Apologizes, Gives SickKids Hospital Free Decryptor

Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Top Cyber Stories of the Last Week

  • Cyber War in Ukraine, Ransomware Fears Drive 2022 Surge in Demand for Threat Intelligence Tools

Amid the heightened fear of ransomware in 2022, threat intelligence emerged as a core requirement of doing business in a world gone mad.

A sizable amount of interest in the historically tech-centric discipline was fuelled in part by fear of cyber attacks tied to the war between Russia and Ukraine. In one example, the Ukrainian government warned the world that the Russian military was planning for multi-pronged attacks targeting the energy sector. Other nation-state cyber attack operations also contributed to the demand, including one June 2022 incident were Iran’s Cobalt Mirage exploited PowerShell vulnerabilities to launch ransomware attacks.

And of course, headlines of data breaches tied to vulnerabilities that organisations did not even know existed within their networks caught the attention not just of security teams, but the C-Suite and corporate board. A misconfigured Microsoft server, for example, wound up exposing years of sensitive data for tens of thousands of its customers, including personally identifiable information, user data, product and project details and intellectual property.

Indeed, according to 183 security pros surveyed by CyberRisk Alliance Business Intelligence in June 2022, threat intelligence has become critical in arming their security operations centres (SOCs) and incident response teams with operational data to help them make timely, informed decisions to prevent system downtime, thwart the theft of confidential data, and protect intellectual property.

Threat intelligence has emerged as a useful tool for educating executives. Many also credited threat intelligence for helping them protect their company and customer data — and potentially saving their organisation's reputation.

https://www.scmagazine.com/resource/threat-intelligence/2022-year-in-review-threat-intelligence-tools

  • Cyber Premiums Holding Firms to Ransom

Soaring premiums for cyber security insurance are leaving businesses struggling to pay other bills, a key industry player has warned.

Mactavish, which buys insurance policies on behalf of companies, said that more than half of big businesses that had bought cyber security insurance had been forced to make cuts elsewhere to pay for it.

In a survey of 200 companies with a turnover above £10 million, Mactavish found that businesses were reducing office costs and staff bonuses and were cutting other types of insurance to meet the higher payments.

Last month Marsh, an insurance broker, revealed that costs for cyber insurance had increased by an average of 66 per cent in the third quarter compared with last year.

Meanwhile, the risk to businesses from hackers continues to rise. A government report on digital threats, published this month, showed the proportion of businesses experiencing cyber security incidents at least monthly had increased from 53 per cent to 60 per cent in the past year. Uber, Cisco and InterContinental Hotels Group were among high-profile targets this year.

https://www.thetimes.co.uk/article/cyber-safety-premiums-hold-firms-to-ransom-tnrsz3vs2

  • Ransomware Ecosystem Becoming More Diverse for 2023

The ransomware ecosystem has changed significantly in 2022, with attackers shifting from large groups that dominated the landscape toward smaller ransomware-as-a-service (RaaS) operations in search of more flexibility and drawing less attention from law enforcement. This democratisation of ransomware is bad news for organisations because it also brought in a diversification of tactics, techniques, and procedures (TTPs), more indicators of compromise (IOCs) to track, and potentially more hurdles to jump through when trying to negotiate or pay ransoms.

Since 2019 the ransomware landscape has been dominated by big and professionalised ransomware operations that constantly made the news headlines and even looked for media attention to gain legitimacy with potential victims. We've seen ransomware groups with spokespeople who offered interviews to journalists or issued "press releases" on Twitter and their data leak websites in response to big breaches.

The DarkSide attack against Colonial Pipeline that led to a major fuel supply disruption along the US East Coast in 2021 highlighted the risk that ransomware attacks can have against critical infrastructure and led to increased efforts to combat this threat at the highest levels of government. This heightened attention from law enforcement made the owners of underground cyber crime forums reconsider their relationship with ransomware groups, with some forums banning the advertising of such threats. DarkSide ceased operations soon thereafter and was followed later in the year by REvil, also known as Sodinokibi, whose creators were indicted and one was even arrested. REvil was one of the most successful ransomware groups since 2019.

Russia's invasion of Ukraine in February 2022 quickly put a strain on the relationship between many ransomware groups who had members and affiliates in both Russia and Ukraine, or other former USSR countries. Some groups, such as Conti, rushed to take sides in the war, threatening to attack Western infrastructure in support of Russia. This was a departure from the usual business-like apolitical approach in which ransomware gangs had run their operations and drew criticism from other competing groups.

This was also followed by a leak of internal communications that exposed many of Conti's operational secrets and caused uneasiness with its affiliates. Following a major attack against the Costa Rican government the US State Department put up a reward of $10 million for information related to the identity or location of Conti's leaders, which likely contributed to the group's decision to shut down operations in May.

Conti's disappearance led to a drop in ransomware activity for a couple of months, but it didn't last long as the void was quickly filled by other groups, some of them newly set up and suspected to be the creation of former members of Conti, REvil and other groups that ceased operations over the past two years.

https://www.csoonline.com/article/3684248/ransomware-ecosystem-becoming-more-diverse-for-2023.html#tk.rss_news

  • Attackers Evolve Strategies to Outmanoeuvre Security Teams

Attackers are expected to broaden their targeting strategy beyond regulated verticals such as financial services and healthcare. Large corporations (41%) will be the top targeted sector for cyber attacks in 2023, favoured over financial institutions (36%), government (14%), healthcare (9%), and education (8%), according to cyber security solution provider Titaniam.

The fast pace of change has introduced new vulnerabilities into corporate networks, making them an increasingly attractive target for cyber attackers. To compete in the digital marketplace, large companies are adopting more cloud services, aggregating data, pushing code into production faster, and connecting applications and systems via APIs.

As a result, misconfigured services, unprotected databases, little-tested applications, and unknown and unsecured APIs abound, all of which can be exploited by attackers.

The top four threats in 2022 were malware (30%), ransomware and extortion (27%), insider threats (26%), and phishing (17%).

The study found that enterprises expected malware (40%) to be their biggest challenge in 2023, followed by insider threats (26%), ransomware and related extortion (21%), and phishing (16%).

Malware, however, has more enterprises worried for 2023 than it did for 2022. It is important to note that these threats can overlap, where insiders can have a hand in ransomware attacks, phishing can be a source of malware, etc.

Attackers are evolving their strategies to surprise and outmanoeuvre security teams, which have hardened ransomware defences and improved phishing detection. They’re using new malware, such as loaders, infostealers, and wipers to accelerate attacks, steal sensitive data and create mayhem.

They’re also buying and stealing employee credentials to walk in through the front door of corporate networks.

https://www.helpnetsecurity.com/2023/01/04/attackers-evolve-strategies-outmaneuver-security-teams/

  • Building a Security-First Culture: The Key to Cyber Success

Everyone has heard a car alarm go off in the middle of the night, but how often does that notification actually lead to action? Most people will hear the alarm, glance in its direction and then hope the owner will quickly remedy the situation.

Cars alarms often fail because they go off too often, leading to apathy and annoyance instead of being a cause for emergency. For many, cyber security has also become this way. While we see an increase in the noise surrounding the need for organisations to improve the security skillset and knowledge base of employees, there continues to be little proactive action on this front. Most organisations only provide employees with elementary-grade security training, often during their initial onboarding process or as part of a standard training requirement.

At the same time, many organisations also make the grave mistake of leaving all of their security responsibilities and obligations in the hands of IT and security teams. Time and time again, this approach has proven to be highly ineffective, especially as cyber criminals refine their social engineering tactics and target user accounts to execute their attacks.

Alarmingly, recent research found that 30% of employees do not think that they play a role in maintaining their company’s cyber security posture. The same report also revealed that only 39% of employees say they are likely to report a security incident.

As traditional boundaries of access disintegrate and more employees obtain permissions to sensitive company data and systems to carry out their tasks, business leaders must change the mindset of their employees when it comes to the role they play in keeping the organisation safe from cyber crime. The key is developing an integrated cyber security strategy that incorporates all aspects—including all stakeholders—of the organisation. This should be a strategy that breaks down departmental barriers and creates a culture of security responsibility where every team member plays a part.

https://www.forbes.com/sites/forbestechcouncil/2023/01/03/building-a-security-first-culture-the-key-to-cyber-success/

  • Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of Known Exploited Vulnerabilities Catalogue

Back in November 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) published the Known Exploited Vulnerabilities (KEV) Catalogue to help federal agencies and critical infrastructure organisations identify and remediate vulnerabilities that are actively being exploited. CISA added 548 new vulnerabilities to the catalogue across 58 updates from January to end of November 2022, according to cyber security solution provider Grey Noise in its first-ever "GreyNoise Mass Exploits Report."

Including the approximately 300 vulnerabilities added in November and December 2021, CISA listed approximately 850 vulnerabilities in the first year of the catalogue's existence.

Actively exploited vulnerabilities in Microsoft, Adobe, Cisco, and Apple products accounted for over half of the updates to the KEV catalogue in 2022, Grey Noise found. Seventy-seven percent of the updates to the KEV catalogue were older vulnerabilities dating back to before 2022. Many of these vulnerabilities have been around for two decades.

Several of the vulnerabilities in the KEV catalogue are from products that have already entered end-of-life (EOL) and end-of-service-life (EOSL), according to an analysis by a team from cyber security solution provider Cyber Security Works. Even though Windows Server 2008 and Windows 7 are EOSL products, the KEV catalogue lists 127 Server 2008 vulnerabilities and 117 Windows 7 vulnerabilities.

Even though the catalogue was originally intended for critical infrastructure and public-sector organisations, it has become the authoritative source on which vulnerabilities are – or have been – exploited by attackers. This is key because the National Vulnerability Database (NVD) assigned Common Vulnerabilities and Exposures (CVE) identifiers for over 12,000 vulnerabilities in 2022, and it would be unwieldy for enterprise defenders to assess every single one to identify the ones relevant to their environments. Enterprise teams can use the catalogue's curated list of CVEs under active attack to create their priority lists.

https://www.darkreading.com/edge-threat-monitor/adobe-apple-cisco-microsoft-flaws-make-up-half-of-kev-catalog

  • First LastPass, Now Slack and CircleCI. The Hacks Go On (and will likely worsen)

In the past week, the world has learned of serious breaches hitting chat service Slack and software testing and delivery company CircleCI, though giving the companies' opaque wording—“security issue” and “security incident,” respectively—you'd be forgiven for thinking these events were minor.

The compromises—in Slack’s case, the theft of employee token credentials and for CircleCI, the possible exposure of all customer secrets it stores—come two weeks after password manager LastPass disclosed its own security failure: the theft of customers’ password vaults containing sensitive data in both encrypted and clear text form. It’s not clear if all three breaches are related, but that’s certainly a possibility.

The most concerning of the two new breaches is the one hitting CircleCI. The company reported a “security incident” that prompted it to advise customers to rotate “all secrets” they store on the service. The alert also informed customers that it had invalidated their Project API tokens, an event requiring them to go through the hassle of replacing them.

CircleCI says it’s used by more than 1 million developers in support of 30,000 organisations and runs nearly 1 million daily jobs. The potential exposure of all those secrets—which could be login credentials, access tokens, and who knows what else—could prove disastrous for the security of the entire Internet.

It’s possible that some or all of these breaches are related. The Internet relies on a massive ecosystem of content delivery networks, authentication services, software development tool makers, and other companies. Threat actors frequently hack one company and use the data or access they obtain to breach that company's customers or partners. That was the case with the August breach of security provider Twilio. The same threat actor targeted 136 other companies. Something similar played out in the last days of 2020 when hackers compromised Solar Winds, gained control of its software build system, and used it to infect roughly 40 Solar Winds customers.

For now, people should brace themselves for additional disclosures from companies they rely on. Checking internal system logs for suspicious entries, turning on multifactor authentication, and patching network systems are always good ideas, but given the current events, those precautions should be expedited. It’s also worth checking logs for any contact with the IP address 54.145.167.181, which one security practitioner said was connected to the CircleCI breach.

https://arstechnica.com/information-technology/2023/01/first-lastpass-now-slack-and-circleci-the-hacks-go-on-and-will-likely-worsen/

  • Data of 235 Million Twitter Users Leaked Online

A data leak containing email addresses for 235 million Twitter users has been published on a popular hacker forum. Many experts have immediately analysed it and confirmed the authenticity of many of the entries in the huge leaked archive.

In January 2022, a report claimed the discovery of a vulnerability that can be exploited by an attacker to find a Twitter account by the associated phone number/email, even if the user has opted to prevent this in the privacy options. The vulnerability was exploited by multiple threat actors to scrape Twitter user profiles containing both private (phone numbers and email addresses) and public data, and was present within the social media platforms application programming interface (API) from June 2021 until January 2022.

At the end of July 2022, a threat actor leaked data of 5.4 million Twitter accounts that were obtained by exploiting the forementioned, now-fixed vulnerability in the popular social media platform. The scraped data was then put up for sale on various online cyber crime marketplaces. In August, Twitter confirmed that the data breach was caused by a now-patched zero-day flaw.

In December another Twitter data leak made the headlines, a threat actor obtained data of 400,000,000 Twitter users and attempted to sell it. The seller claimed the database is private, and he provided a sample of 1,000 accounts as proof of claims which included the private information of prominent users such as Donald Trump JR, Brian Krebs, and many more. The seller, who is a member of a popular data breach forum, claimed the data was scraped via a vulnerability. The database includes emails and phone numbers of celebrities, politicians, companies, normal users, and a lot of special usernames.

https://securityaffairs.com/140352/data-breach/twitter-data-leak-235m-users.html

  • 16 Car Makers, including BMW, Ferrari, Ford, Honda, Kia, Land Rover, Mercedes and Toyota, and Their Vehicles Hacked via Telematics, APIs, and Infrastructure

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car functions and start or stop the engine.

Multiple other security defects, the researchers say, allowed them to access a car maker’s internal applications and systems, leading to the exposure of personally identifiable information (PII) belonging to customers and employees, and account takeover, among others. The hacks targeted telematic systems, automotive APIs, and infrastructure.

Impacted car models include Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls Royce, and Toyota. The vulnerabilities were identified over the course of 2022. Car manufacturers were informed about the security holes and they released patches.

According to the researchers, they were able to send commands to Acura, Genesis, Honda, Hyundai, Kia, Infiniti, Nissan, and Porsche vehicles.

Using only the VIN (vehicle identification number), which is typically visible on the windshield, the researchers were able to start/stop the engine, remotely lock/unlock the vehicle, flash headlights, honk vehicles, and retrieve the precise location of Acura, Honda, Kia, Infiniti, and Nissan cars.

They could also lock users out of remote vehicle management and could change car ownership.

https://www.securityweek.com/16-car-makers-and-their-vehicles-hacked-telematics-apis-infrastructure

  • Ransomware Gang Apologises, and Gives SickKids Hospital Free Decrypter

The LockBit ransomware gang has released a free decrypter for the Hospital for Sick Children (SickKids), saying one of its members violated rules by attacking the healthcare organisation. SickKids is a teaching and research hospital in Toronto that focuses on providing healthcare to sick children.

On December 18th, the hospital suffered a ransomware attack that impacted internal and corporate systems, hospital phone lines, and the website. While the attack only encrypted a few systems, SickKids stated that the incident caused delays in receiving lab and imaging results and resulted in longer patient wait times.

On December 29th, SickKids announced that it had restored 50% of its priority systems, including those causing diagnostic or treatment delays. Two days after SickKids' latest announcement, the LockBit ransomware gang apologised for the attack on the hospital and released a decrypter for free.

“We formally apologise for the attack on sikkids.ca and give back the decrypter for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate programme," stated the ransomware gang.

https://www.bleepingcomputer.com/news/security/ransomware-gang-apologizes-gives-sickkids-hospital-free-decryptor/

Threats

Ransomware, Extortion and Destructive Attacks

Phishing & Email Based Attacks

Other Social Engineering; Smishing, Vishing, etc

Malware

Denial of Service/DoS/DDOS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Fraud, Scams & Financial Crime

Impersonation Attacks

AML/CFT/Sanctions

Insurance

Dark Web

Supply Chain and Third Parties

Software Supply Chain

Cloud/SaaS

Encryption

API

Open Source

Social Media

Parental Controls and Child Safety

Regulations, Fines and Legislation

Governance, Risk and Compliance

Secure Disposal

Backup and Recovery

Data Protection

Law Enforcement Action and Take Downs

Privacy, Surveillance and Mass Monitoring

Artificial Intelligence

Misinformation, Disinformation and Propaganda

Spyware, Cyber Espionage & Cyber Warfare, including Russian Invasion of Ukraine

Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

·       Automotive

·       Construction

·       Critical National Infrastructure (CNI)

·       Defence & Space

·       Education & Academia

·       Energy & Utilities

·       Estate Agencies

·       Financial Services

·       FinTech

·       Food & Agriculture

·       Gaming & Gambling

·       Government & Public Sector (including Law Enforcement)

·       Health/Medical/Pharma

·       Hotels & Hospitality

·       Insurance

·       Legal

·       Manufacturing

·       Maritime

·       Oil, Gas & Mining

·       OT, ICS, IIoT, SCADA & Cyber-Physical Systems

·       Retail & eCommerce

·       Small and Medium Sized Businesses (SMBs)

·       Startups

·       Telecoms

·       Third Sector & Charities

·       Transport & Aviation

·       Web3

As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Read More
Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Informational 05/01/2023 – Twitter Data Leak

Black Arrow Cyber Informational 05/01/2023 – Twitter Data Leak

Executive Summary

A data leak containing the email addresses for over 200 million Twitter users has been published on a popular hacking forum for free. The leak appears to be the same as the one reported in December 2022, with a number of experts confirming the authenticity of entries in the leak.

What’s the risk to me or my business?

The leak contains details of Twitter users and their email addresses, which could be used by threat actors to conduct phishing attacks against accounts.

What can I do?

Although no immediate response is required, Black Arrow recommends that any individual or organisation which has used twitter remains vigilant and on the lookout for potential phishing attacks

Further information on the data leak be found here: https://www.bleepingcomputer.com/news/security/200-million-twitter-users-email-addresses-allegedly-leaked-online/

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatintelligence #cybersecurity

Read More