Welcome to the Cyber Watch series for today, October 20, 2023. At DigitalXForce, our Cyber Intelligence team curates a list of the latest cybersecurity news to keep you informed of stories that matter every week.
This week’s Cyber Watch top 10 list is a compilation of stories from 50+ relevant news sources across the web – all ranked according to the risk impact. We encourage you to review these stories and take steps to protect your organization. You can read the full stories by clicking each headline.
The recently conducted Hoxhunt Challenge has unveiled a concerning cybersecurity trend: 22% of phishing attacks observed in the initial weeks of October 2023 employed QR codes to deliver malicious payloads. This study, encompassing 38 organizations across nine industries in 125 countries, emphasizes the pivotal role of employee engagement in mitigating human-related cybersecurity risks.
The study categorized employee responses into three groups: success, miss, and click/scan. Shockingly, only 36% of recipients successfully identified and reported the simulated attacks. This alarming finding reveals a substantial vulnerability in organizations’ defenses against phishing threats. Particularly disconcerting is the retail sector, which exhibited the highest miss rate, with just 2 in 10 employees adequately handling phishing scenarios.
According to a recent InfoSecurity Magazine report, “As per the Hoxhunt Challenge, job function also affected employee susceptibility, with communications staff being 1.6 times more likely to engage with a QR code attack.” In contrast, legal and business services outperformed others in identifying and reporting suspicious QR codes. You can read our blog post on QR Code Phishing Attacks to learn more about this growing trend dubbed ‘Quishing’.
The UK government is directing £200,000 towards the X-Catapult Consortium to stimulate innovation in cyber-physical infrastructure. This funding, a product of the Cyber-Physical Infrastructure Ecosystem Building competition initiated by the Department for Science, Innovation, and Technology (DSIT), is aimed at fostering a vibrant tech community that bridges the gap between industry, academia, and the public sector.
iOTTech News reported that “this collaborative effort is set to revolutionise various sectors by enhancing productivity, improving public health services, and enabling effective environmental monitoring and management.” The central objective of this initiative is to create a robust network focusing on various tech domains, including robotics, augmented and virtual reality, and digital twins.
At its core is the concept of cyber-physical infrastructure, which involves interconnecting technologies that interact with both the physical world and virtual systems. The investment will be allocated towards establishing a national cyber-physical infrastructure ecosystem, promoting collaboration and knowledge exchange among industry players, academic institutions, and public sector entities.
A recent malware campaign dubbed EtherHiding, uncovered by Guardio Labs, has adopted a sophisticated approach by utilizing Binance’s Smart Chain (BSC) contracts to conceal its malicious activities. This campaign is a notable evolution in a long-standing malware attack that employs compromised WordPress websites to deceive visitors into downloading fake browser updates, ultimately leading to the distribution of data-stealing malware like Amadey, Lumma, or RedLine.
As described by a Hacker News report, “The goal is to fetch a second-stage script that, in turn, retrieves a third-stage payload from a command-and-control (C2) server to serve the deceptive browser update notices.”
Security researchers at Guardio Labs detected a significant shift in the tactics employed by these threat actors. Initially, they hosted their malicious code on exploited Cloudflare Worker hosts, a method that was eventually dismantled. However, they rapidly adapted, leveraging the decentralized, anonymous, and publicly accessible nature of blockchain technology, specifically the Binance Smart Chain.
According to a recent Cyware report, the notorious BlackCat group has unveiled a potent new weapon in its cyber arsenal, introducing a utility called Munchkin to bolster its ability to evade security systems and conduct ransomware attacks. This development follows closely on the heels of Microsoft’s discovery of an updated BlackCat ransomware version that employed various tools for lateral movement and remote code execution.
Munchkin is distributed in the form of an ISO file, loaded into VirtualBox for execution. Within this ISO file lies a custom Alpine OS installation, enabling the malware to change the root password of virtual machines and initiate the execution of a malware binary known as “controller.” Written in Rust, the controller malware shares distinct characteristics with the BlackCat malware family.
In a concerted effort to address the persistent and evolving threat of phishing attacks, several US government agencies, including CISA, NSA, FBI, and MS-ISAC, have released a comprehensive guide. Phishing attacks continue to be a preferred tactic for cybercriminals, exploiting social engineering strategies to deceive individuals and steal sensitive information.
Security Week advises: “Software manufacturers, CISA, NSA, FBI, and MS-ISAC note, should incorporate secure-by-design and secure-by-default principles in their development processes, to mitigate the success of phishing attacks reaching their users.”
The guide predominantly focuses on credential theft phishing, where attackers impersonate trusted sources like supervisors or IT personnel to trick individuals into revealing their usernames and passwords. What’s more, the document highlights a concerning trend: attackers are increasingly using mobile devices and VoIP technologies to refine their phishing techniques, sending text messages via chat platforms and spoofing caller IDs.
Amid a lack of federal AI regulation, New York City has taken a significant stride by launching the nation’s first AI Action Plan. This comprehensive initiative, spearheaded by Mayor Eric Adams, encompasses nearly 40 policy initiatives aimed at protecting residents from potential AI-related harm, including biases and discrimination.
According to a recent Wired News report, “New York’s AI regulation could soon expand still further. City council member Jennifer Gutiérrez, chair of the body’s technology committee, today introduced legislation that would create an Office of Algorithmic Data Integrity to oversee AI in New York.”
Among these initiatives are the establishment of AI standards for city agencies and innovative mechanisms for assessing the risks associated with AI used by various city departments. The city’s commitment to AI governance may soon extend even further. Jennifer Gutiérrez, Chair of the City Council’s technology committee, has introduced legislation that seeks to create an Office of Algorithmic Data Integrity, a pivotal entity tasked with overseeing AI within the city.
A recent Cyber News report reveals that WhatsApp is set to roll out a feature allowing users to manage two accounts on the same device. This update, while increasing user convenience by eliminating the need for separate phones for work and personal use, has also prompted concerns among experts regarding security.
To activate a second account, users must possess a distinct phone number and SIM card or have a phone compatible with multi-SIM or eSIM technology. Users can set up their dual accounts by navigating to WhatsApp settings, clicking on the arrow next to their name, and selecting ‘Add account.’
While this functionality is practical, it also introduces security risks. Users are advised to exercise caution and apply strong security practices to both accounts, keeping work and personal messages separate, particularly where sensitive information is involved. Employing unique, robust passwords and enabling two-factor authentication on each account is recommended to prevent unauthorized access.
In the ongoing battle against human-operated ransomware attacks, a recent report from Microsoft underscores the significance of swiftly containing compromised user accounts. This strategic approach is vital to disrupt the lateral movement capabilities of ransomware attackers and protect targeted systems and data.
Lateral movement, a common tactic in ransomware campaigns, typically relies on infiltrating user accounts and escalating their permissions, often requiring access to high-level credentials. According to a Cybersecurity News report, “An industrial engineering org faced a human-operated Akira ransomware attack in June 2023 that is linked to Storm-1567 by security analysts at Microsoft.”
Underscoring the real-world relevance of these concerns, Microsoft’s cybersecurity researchers recently identified a large-scale Akira ransomware operation actively targeting unsecured computers. While specific details about this operation remain undisclosed, it serves as a stark reminder of the persistent and evolving threat posed by human-operated ransomware.
Lloyd’s of London, a leading insurance corporation, has unveiled a chilling scenario portraying a hypothetical yet plausible cyber-attack, resulting in an astonishing $3.5 trillion in global economic losses. This alarming prediction stems from a cyber assault on a major financial services payment system, triggering widespread disruptions across international businesses.
Conducted in collaboration with the Cambridge Centre for Risk Studies, the research examines nine systemic risk scenarios and calculates potential economic impacts across 107 nations. The study ranks the damage in three severity levels, ranging from $2.2 trillion for the least severe scenario to a staggering $16 trillion for the most extreme, over a five-year period.
The average loss, when considering all three levels, amounts to a jaw-dropping $3.5 trillion. This study spotlights the nations most susceptible to financial havoc: the United States, facing a $1.1 trillion loss, China with $470 billion, and Japan with $200 billion.
Cybersecurity concerns have spiked as the Black Basta ransomware group, reportedly linked to the infamous FIN7 criminal organization, claims to have successfully breached Ampersand, a prominent television advertising vendor owned by industry giants Comcast Corporation, Charter Communications, and Cox Communications.
According to a Cyber Wire report, Ampersand has taken immediate action in response to the ransomware incident, stating that it temporarily disrupted regular operations but emphasizing that most business operations have now been restored. The company is collaborating with third-party advisors and law enforcement to address the situation.
The extent of the data breach is still uncertain, but Ampersand holds a pivotal role, providing advertisers with viewership data from around 85 million households.
That’s all for today. Stay tuned for our next episode. See you next week!