DHHS Angry Translator: Breaking Down the Latest HIPAA Security Rule Proposal

January 7, 2025

Let’s face it: regulatory updates like those from the Department of Health and Human Services (DHHS) often come wrapped in a blanket of formal language that makes you wonder, What are they really saying? Enter the DHHS Angry Translator, here to break it down and tell it like it is. Like the recently introduced CISA Angry Translator, the DHHS Angry Translator, Hank, has a no-nonsense take on the proposed changes to the HIPAA Security Rule—because sometimes, you need a little fire to get the message across.

Created with help from ChatGPT

DHHS Says:
"Covered entities and business associates must adopt reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI."

Hank:
"Look, people! You’re handling sensitive health information here—stop treating it like a casual to-do list. Lock it down! If you wouldn’t leave patient records lying around in a coffee shop, don’t let your servers be a free-for-all!"

DHHS Says:
"We propose clarifying the definition of 'security incident' to ensure timely identification and response to unauthorized access, use, or disclosure of ePHI."

Hank:
"Translation: Stop pretending you didn’t notice the breach. When someone jiggles the doorknob, that’s your cue to ACT, not wait for the whole door to come down!"

DHHS Says:
"Entities must perform regular risk assessments to identify vulnerabilities and implement measures to mitigate those risks effectively."

Hank:
"Let me break it down for you: Take a good, hard look at your systems. If you see a crack, fix it! Don’t wait for a cybercriminal to make it a canyon!"

DHHS Says:
"The proposed changes aim to enhance accountability and transparency in managing ePHI security."

Hank:
"Translation: If you mess up, we’re coming for you. There’s no hiding anymore. Either you get your house in order, or we’ll do it for you—with penalties."

DHHS Says:
"We propose revisions to the administrative safeguards, emphasizing the necessity of documented policies and procedures for incident response and risk management."

Hank:
"Y’all need to WRITE THIS DOWN! A half-baked plan in someone’s head doesn’t cut it. If a breach happens and your response is ‘Uh... what now?’—you’re already toast!"

DHHS Says:
"The proposal includes requirements to integrate continuous monitoring into risk management practices for ePHI security."

Hank:
"‘Continuous monitoring’ means don’t just check your security once a year like it’s a New Year’s resolution. Stay on top of it! Hackers aren’t taking vacations—they’re coming for you every day!"

DHHS Says:
"Entities must evaluate their use of encryption to ensure ePHI remains secure during transmission and storage."

Hank:
"If your data isn’t encrypted, it’s like sending patient records via postcard: everyone can see it! Encrypt. Everything. Period."

DHHS Says:
"We are revising technical safeguard requirements to account for emerging technologies and new cybersecurity threats."

Hank:
"Translation: If you’re still using security from the early 2000s, it’s time for an upgrade. Hackers have moved on, and so should you!"

DHHS Says:
"Workforce training should address phishing attacks, unauthorized device use, and secure access to ePHI."

Hank:
"Teach your people that clicking shady links isn’t just a bad idea—it’s a disaster waiting to happen. Also, tell them to stop using their cousin’s unsecured iPad for work!"

DHHS Says:
"The proposed changes highlight accountability mechanisms for business associates handling ePHI."

Angry Translator:
"Listen up, third parties: If you’re touching ePHI, you’re on the hook too. No more pointing fingers when things go wrong. Handle the data like it’s your grandma’s—or get burned!"

DHHS Says:
"Periodic evaluations of safeguards will ensure compliance with evolving security standards."

Angry Translator:
"‘Periodic evaluations’ means you don’t just set it and forget it. Check your defenses regularly, or you’ll be picking up the pieces after the next attack!"

Final Note from the Angry Translator:
"This proposal isn’t just about checking boxes—it’s about protecting people. If your security plan is older than your favorite streaming service, fix it. Now. Because when things go wrong, it’s not just your reputation on the line—it’s patients’ trust and safety too."

The commenting period for the HIPAA Security Rule Draft is open until March 7, 2025. If you’re at a healthcare organization make sure to consume it and submit your public comments. I am currently doing a deep dive on the proposal and will have thoughts in a future blog post.

Top 10 Exploring Information Security Podcasts

December 31, 2024

As we wrap up an incredible year, we're thrilled to reflect on the top podcasts of 2024 that captured the attention of listeners across the cybersecurity community. These episodes brought forward thought-provoking discussions, practical insights, and exciting guests, making this a standout year for Exploring Information Security. Below are the top 10 episodes that ChatGPT thought were the best of 2024. As I analyzed the analytics I couldn’t decide which stats to focus in on. Here’s what the podcasts look like based on plays from Apple Podcast Analytics.

Screenshot of the analytics from Apple Podcasts analytics

I thought about going by average consumption but I noticed that we have lower percentage than in the past. That’s due to the longer episodes I’m putting out. When I’m putting out 20-30 min episodes I get closer to a 70-80% consumption rate. Do unique listeners and engagement say more? At this point I decided to just let ChatGPT do the analysis of all the analytics and provide me with the Top 10 list. It also, wrote the first draft of this blog post. I’m okay with the Top 10 list. I believe it represents the podcast well and some of the interest I’ve seen in other places regarding individual episodes.

The numbers are just from Apple Podcast. There are listeners on other platforms such as Spotify, Amazon, and other podcast platforms that grab the feed. I also expanded into YouTube in the middle of the year and hope to get that tuned better. I may try to consolidate the stats all into one platform at some point but I’m not there yet. Apple Podcast is the most popular platform so I think it provides the best sample size.

Without further ado let’s get into the Top 10 list for 2024.

2024 Top 10 Exploring Information Security Podcast

1. Exploring Information Security 2024 Relaunch

Release Date: January 2, 2024
Guest: Solo Episode

Key Highlights:
Our relaunch episode kicked off the year by outlining an exciting new direction for Exploring Information Security. I’m shocked that this came out on top but there seemed to be some excitement at the return of the podcast. Which I’m very appreciative of and makes me want to kick myself for not bringing the podcast back sooner.
Listen Here: Exploring Information Security 2024 Relaunch

2. What Cybersecurity Tools Every Organization Should Have

Release Date: February 27, 2024
Guest: Rob Fuller

Key Highlights:
Rub Fuller shared insights into the essential tools that every organization should have to secure their digital infrastructure. The episode covered endpoint protection, threat intelligence platforms, and emerging technologies that simplify security operations. This was the result of a discussion we had during another podcast recording. I thought it was a great discussion to turn into it’s own topic.
Listen Here: What Cybersecurity Tools Every Organization Should Have

3. How to Hack a Satellite

Release Date: January 23, 2024
Guest: Tim Fowler

Key Highlights:
Tim Fowler took listeners on a deep dive into the vulnerabilities and challenges of securing space technology. From real-world case studies of satellite hacks to strategies for defense, this episode offered a unique and fascinating perspective on the intersection of cybersecurity and aerospace. This will continue to grow as a new field for cybersecurity very similar to how cloud security, identity access management, and AI have become their own fields. And as usual we’re already behind on securtiy…
Listen Here: How to Hack a Satellite

4. What Are the Hiring Trends in Cybersecurity for 2024?

Release Date: January 16, 2024
Guest: Erin Barry

Key Highlights:
In this insightful episode, Erin Barry analyzed the latest hiring trends in cybersecurity heading into 2024. The conversation touched on the growing demand for professionals with cloud and AI expertise, the importance of soft skills, and tips for breaking into the field. A must-listen for job seekers and industry leaders. This is a podcast I’d like to make a staple for the new year because it did seem to be a popular topic.
Listen Here: What Are the Hiring Trends in Cybersecurity for 2024?

5. How to Navigate a Career in Cybersecurity

Release Date: August 13, 2024
Guest: Ralph Collum

Key Highlights:
Ralph Collum shared his journey from entry-level roles to executive leadership in cybersecurity. The discussion covered mentorship, certifications, and strategies for navigating career plateaus. I always enjoy talking to Ralph. He’s very passionate about developing careers in Cybersecurity. It makes sense that this one would follow the hiring trends for 2024. I expect that with the current hiring market job seeking and career podcast episodes will remain popular.
Listen Here: How to Navigate a Career in Cybersecurity

6. How AI Is Impacting Cybersecurity

Release Date: July 30, 2024
Guest: Steve Orrin

Key Highlights:
Steve Orrin explored the dual role of artificial intelligence in cybersecurity, highlighting its use in threat detection and the ethical concerns it raises. The episode featured real-world examples of AI-driven security solutions and debated the future of automation in the industry. I really enjoyed this conversation with Steve because he’s not only an executive but someone who also attends DEFCON on a regular basis. He traverses both worlds well and has a very intelligence take on key topics in Cybersecurity.
Listen Here: How AI Is Impacting Cybersecurity

7. How Responding to Phishing Has Changed in the Last 5 Years

Release Date: January 30, 2024
Guest: Kyle Andrus

Key Highlights:
Kyle Andrus and I discussed how phishing has changed since I last had him on the podcast. I always enjoy have Kyle on because we always have a good conversation. In fact he and I have had a couple recording sessions at this point on other topics because we always end up talking about something else. I’ve got another recording sessions scheduled with him for early 2025 to talk about ransomware gangs.
Listen Here: How Responding to Phishing Has Changed in the Last 5 Years

8. How to Automate Information Security with Python

Release Date: July 23, 2024
Guest: Mark Baggett

Key Highlights:
Mark Baggett broke down the ways Python is revolutionizing cybersecurity automation. From simplifying vulnerability scanning to streamlining log analysis, this episode was packed with actionable insights for security professionals looking to enhance their workflows. Mark is the Python guru for Cybersecurity. He’s written an entire SANS class on it and he’s been talking about Python ever since I’ve been in the industry.
Listen Here: How to Automate Information Security with Python

9. What Is Mimikatz?

Release Date: February 6, 2024
Guest: Rob Fuller

Key Highlights:
Rob Fuller delivered an in-depth look at Mimikatz, a powerful tool often used in penetration testing and malicious attacks. He explained its functionality, provided examples of its use, and discussed the countermeasures security teams can implement to defend against it. I’ve dubbed Rob the Hacker Historian because of his wealth of knowledge in hacking. He made the Top 10 list three times this year and was also in the RERELEASE of the episode on the MS08-067 vulnerability.
Listen Here: What Is Mimikatz?

10. How Worrying Is SIM Swapping in 2024?

Release Date: August 6, 2024
Guest: Rob Fuller

Key Highlights:
Rob Fuller returned to discuss the NOT SO alarming rise of SIM swapping attacks in 2024. This was based on a LinkedIn post he made on SIM Swapping that got quite a bit of commentary. I thought it was a great discussion and would make for an interesting episode. Surprise! It was a great conversation and people seemed to engage with the podcast episode. These are the kind of episodes I want to have that challenge some of the norms within Cybersecurity.
Listen Here: How Worrying Is SIM Swapping in 2024?

Honorable Mentions

Two of the people I always wanted to have on the podcast but I was to scared to ask prior to shutting down the podcast was Troy Hunt and Patrick Gray. Both people have helped me navigate and shape my career in cybersecurity and I was happy that both agreed to come on. Both were absolutely amazing people to have a conversation with.

What is Have I Been Pwned?

The Origins of Risky Business with Patrick Gray

Finally, Dave Chronister has been a huge supporter of the show and a wonderful friend. He also runs a phenomenal conference called ShowMeCon (early-bird tickets available now!)! He’s always a joy to have on the show but this past year he sponsored several episodes and I had a lot of great conversations with presenters from the conference. I have probably never laughed more than I did talking to Kevin Johnson about whatever was on his mind. Also, I really enjoyed the panel we did at ShowMeCon. Unfortunately, I forgot to hit the record button and thus entered the mythical status as a podcast that only those present got to enjoy.

ShowMeCon: Kevin Johnson and whatever he wants to talk about

Final Thoughts

As always, I’m grateful to the listeners of the show. I don’t hear from a lot of them but based on the numbers and engagement they’re out there. I’m also super grateful to all the guests that have come on the show to share their insights and knowledge. I am looking forward to another great year of conversations with amazing guests!

What were your favorite episodes in 2024?

Introducing the CISA Angry Translator Series

December 23, 2024

Today, we’re launching something new: the CISA Angry Translator Series. This idea came from a blog post by Brian Dye over at Corelight. CISA has been releasing more and more advisories and directives. There are certain themes from these releases that just aren’t hitting home. Enter the Angry Translator whom I’ve dubbed Frank. He’s here to say what CISA really wants to say but can’t.

This idea is a parody off the very funny Key and Peel skit where Obama get’s an Angry Translator called Luther. It was so popular that Keegan-Michael Key got up with President Obama for the 2015 White House Correspondents’ Dinner.

Below is what you can expect from the series. I’ve used ChatGPT to create the initial draft and made edits where necessary. Make sure to check out Brian’s post and Corelight. I’ve got an upcoming podcast with Brian talking about Corelight and I really like what they’re doing.

CISA's Angry Translator: Cloud Security Directive

CISA Directive: https://www.cisa.gov/news-events/directives/bod-25-01-implementing-secure-practices-cloud-services

CISA Says:
"Federal agencies must implement secure practices for cloud services to safeguard federal information and information systems."

Frank:
"Hey, government folks! Your cloud setups are a hacker's playground right now. Lock them down before you hand over our data on a silver platter!"

CISA Says:
"Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls."

Frank:
"Translation: Your sloppy setups are like leaving your front door wide open with a 'Welcome Hackers' sign. Fix it before we all pay the price!"

CISA Says:
"Agencies are required to identify specific cloud tenants, implement assessment tools, and align cloud environments to CISA’s Secure Cloud Business Applications (SCuBA) secure configuration baselines."

Frank:
"Step 1: Know what cloud stuff you have. Step 2: Use the tools we've given you to check them. Step 3: Follow the dang security guidelines! It's not rocket science, people!"

CISA Says:
"Implement all mandatory SCuBA policies effective as of this Directive’s issuance no later than June 20, 2025."

Frank:
"You've got until June 20, 2025, to get your act together. That's more than enough time to stop being a cybersecurity dumpster fire!"

CISA Says:
"Maintaining secure configuration baselines is critical in the dynamic cybersecurity landscape."

Frank:
"The cyber threats are evolving, and your security should too. Keep up, or get left behind—and hacked!"

CISA Says:
"This Directive will further reduce the attack surface of the federal government networks."

Frank:
"We're trying to make it harder for the bad guys to mess with us. Help us help you, help us help you, help us help you!"

Final Note from Frank:
"Look, securing your cloud services isn't optional—it's your job. Stop dragging your feet, follow the directive, and let's not end up on the front page for a massive data breach. Get it together, now!"

Breakdown of Events: Salt Typhoon Hacking Group Targets U.S. Telecommunications

December 17, 2024

Introduction: The Growing Threat of Salt Typhoon

The Chinese cyber espionage group known as Salt Typhoon has successfully breached several major U.S. telecommunications companies. This breach has raised alarms across government agencies, resulting in calls for the sector to bolster its cybersecurity measures. It’s also become big enough news that I have my family talking to me about it. As I prepare for a holiday get together with the family I decided to put together this breakdown of the events surrounding this discovery and the subsequent response from U.S. authorities and the federal government. Hopefully, this will help others get up to speed and join the family conversation around Salt Typhoon.

The Salt Typhoon Cyberattack: What We Know So Far

Salt Typhoon has infiltrated at least eight prominent U.S. telecom companies, including AT&T, Verizon, and T-Mobile. The group has targeted not just corporate entities but also high-profile government and political figures, potentially compromising metadata and, in some cases, the content of sensitive communications. The scope of this breach is vast, and experts are concerned about the broader implications for national security.

What Did Salt Typhoon Specifically Access?

The hackers accessed critical infrastructure within these companies, focusing on:

Metadata: They collected data on who was communicating with whom, when, and where.
Communication Content: In some cases, they accessed the actual content of communications, including emails and messages.
Internal Systems: Salt Typhoon exploited vulnerabilities to infiltrate internal company networks, potentially compromising systems used to manage communication between telecommunications providers and government agencies.

The scope of this breach is vast, and experts are concerned about the broader implications for national security.

Source: Salt Typhoon Hackers Infiltrate U.S. Telecoms - AP News

What are the ramifications of the access?

National Security Threats

Since telecommunications systems are integral to the functioning of government communications and defense operations, unauthorized access by a foreign state-sponsored group could compromise national security. The breach could lead to:

Espionage: Sensitive government communications, including classified information, could be intercepted, analyzed, and used for strategic advantage by foreign actors.
- Informant Identification: The threat actors could identify who the US government has identified as a Chinese or other nation state spy. This information is invaluable as it allows incorrect information or complete removal of the spy from the U.S.
Undermining Military Operations: If Salt Typhoon gained access to military communication channels, it could disrupt or manipulate defense strategies, communications, and troop movements, potentially weakening national defense readiness.
Supply Chain Vulnerabilities: The telecom infrastructure is tied to critical sectors like defense, finance, and healthcare. By compromising telecom networks, the attackers could infiltrate other critical industries, creating cascading vulnerabilities.

Corporate Espionage

Telecommunications companies manage massive amounts of sensitive corporate data, including contracts, communication, and internal systems used by businesses across industries. Salt Typhoon's access to telecom infrastructure could enable:

Exfiltration of Trade Secrets: By obtaining private communications and proprietary data, the hackers could gain valuable insight into corporate strategies, product development, and future business decisions.
Targeting High-Profile Executives and Clients: The hacking group could gather intelligence on key executives and high-profile clients, leading to targeted phishing campaigns, blackmail, or leveraging this information for financial gain or competitive advantage.

Personal Privacy Concerns

Telecommunications companies manage vast amounts of personal data, including call records, text messages, location data, and internet usage patterns. The implications for personal privacy are significant:

Identity Theft: With access to sensitive personal information, Salt Typhoon could facilitate identity theft by harvesting personally identifiable information (PII) or leveraging it for future cybercrimes.
Surveillance: The hackers could track individuals of interest, monitoring their communications or movements, potentially leading to political repression, blackmail, or surveillance of dissidents.
Erosion of Trust: If customers' private data were exposed, it could result in a loss of trust in telecom providers, eroding the public's confidence in their ability to protect sensitive personal information.

Disruption to Communication Networks

Given that telecommunications are critical to day-to-day operations in both the private and public sectors, the breach could lead to:

Service Interruptions: Salt Typhoon could potentially manipulate telecom networks to disrupt services or cause widespread outages, impacting businesses, emergency services, and government operations.
Manipulation of Communications: The group could inject false information into the communication system, manipulate messages, or redirect communications to unauthorized entities, undermining the integrity of telecom networks.

Escalation of Cybersecurity Threats

This breach highlights vulnerabilities within the telecommunications infrastructure, which could inspire further cyberattacks. Other threat actors might exploit similar weaknesses, leading to:

Copycat Attacks: Other state-sponsored groups or cybercriminals may attempt to replicate or build upon Salt Typhoon's methods, targeting the same or other telecom providers with different attack vectors.
Increased Cybercrime: Hackers might use access to telecom networks to launch further cyberattacks, such as distributed denial-of-service (DDoS) attacks, ransomware campaigns, or data exfiltration operations.

Diplomatic and Geopolitical Fallout

If it is conclusively proven that Salt Typhoon is backed by the Chinese government, this breach could have far-reaching diplomatic consequences:

Strained Relations: The U.S. government could take retaliatory actions, including sanctions or other diplomatic measures, further exacerbating tensions between the U.S. and China.
International Repercussions: Other countries, particularly U.S. allies, may also reconsider their engagement with Chinese telecom equipment providers, leading to a shift in global trade and technology alliances.

Government Response: A Wake-up Call for Telecoms

In response to this alarming breach, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued joint guidance urging telecom companies to enhance their security measures. Their recommendations include adopting stronger data encryption, centralizing security systems, and establishing continuous threat monitoring to prevent future attacks.

Source: FBI and DHS Issue Cybersecurity Alert on Telecom Sector - CISA

The FCC’s Role: Proposing New Rules to Strengthen Telecom Security

To address the growing cybersecurity risks, the Federal Communications Commission (FCC) has proposed new rules requiring telecom companies to submit annual certifications attesting to their compliance with updated security protocols. The FCC’s proposals aim to ensure telecom firms take proactive steps to defend against cyber threats. Penalties for non-compliance could follow, emphasizing the importance of safeguarding communication channels.

Sources: FCC Proposes New Cybersecurity Rules for Telecoms - DarkReading; FCC to Demand Telcos Improve Security - Seriously Risky Business

Federal Government Calls for Immediate Action

U.S. Senators have expressed grave concern over the scale of the Salt Typhoon attack. Senator Ben Ray Lujan described the breach as "possibly the largest telecommunications hack in American history," calling for swift government action to improve security within the telecom sector.

Source: Senators Warn the Pentagon: Get a Handle on China's Telecom Hacking - Wired

Encrypted Communication Platforms: A Safer Alternative for Users

As an additional safeguard, individuals are encouraged to use encrypted messaging platforms such as WhatsApp or Signal. These platforms offer a higher level of security compared to traditional SMS, providing a more secure means of communication in the wake of these breaches.

Source: FBI Warns iPhone and Android Users: Stop Sending Texts - Forbes

The Response from China: Denial of Involvement

Despite mounting evidence of Salt Typhoon’s activities, the Chinese government has denied any involvement in the cyberattacks. They label the allegations as disinformation, rejecting any claims of their participation in the hacking group’s operations.

Source: White House says at least 8 US telecom firms, dozens of nations impacted by China hacking campaign - AP News

Conclusion: The Urgency for Change

The Salt Typhoon cyberattack has exposed critical vulnerabilities in U.S. telecommunications infrastructure. With federal agencies and lawmakers calling for immediate action, it is essential that telecom providers take comprehensive measures to protect sensitive communications and prevent future breaches. As the government and telecom companies work toward stronger security practices, it’s clear that the stakes have never been higher.

What Individuals Can Do

While the breach highlights systemic issues within telecom security, individuals can also take steps to protect their personal information and mitigate the impact of such cyberattacks. Using encrypted communication platforms like Signal or WhatsApp for sensitive conversations can provide an added layer of protection against potential surveillance or interception. Additionally, individuals should move away from SMS or text based authentication into accounts. This isn’t always possible but more and more services are offering app based authentication such as Google Authenticator, DUO, or a similar mobile application. By taking these precautions, individuals can reduce their personal exposure to cyber threats and enhance their overall online security.

Sources:

Created with help from ChatGPT

Avoiding Legal Landmines in Incident Response: A Practical Guide for Security Teams

December 10, 2024

The information provided in this blog post does not, and is not intended to, constitute legal advice; rather, the ensuing conversation is for general informational purposes only.

In today’s cybersecurity landscape, responding swiftly and effectively to security incidents is critical. However, navigating the legal implications during an incident is equally vital to protect an organization from further liabilities. This guide covers essential strategies for avoiding the most common legal pitfalls in incident response (IR), based on insights from my recent podcast episode with cybersecurity attorney Thomas Ritter Exploring Legal Landmines in Incident Response.

Use Careful Terminology: “Incident” vs. “Breach”

When a security event occurs, the language you use to describe it can have significant legal implications. Terms like “breach” have specific legal definitions that can trigger mandatory notification requirements or other regulatory obligations. As a best practice, use neutral terms like “incident” until the situation is fully assessed by legal counsel.

Tip: Train your teams on preferred terminology and involve legal early in the process to make sure everyone understands when and how to escalate terms like “breach.”

Establish Attorney-Client Privilege Early

Engaging external counsel immediately after a security incident helps protect sensitive communications and investigative findings under attorney-client privilege. This protection is crucial should your organization face litigation, as it limits the exposure of certain communications during the discovery process.

Tip: Collaborate with your legal team to establish protocols for involving external counsel, even for minor incidents, to ensure privilege is in place if needed.

Refine Your Communication Strategy

Transparency is key during incident response, but be cautious with internal and external communications, especially in the early stages. Avoid speculative statements and keep communications brief until forensic findings provide a clearer picture.

Tip: Work with your legal and PR teams to develop standardized communications templates for different scenarios, ensuring clarity and consistency without compromising on accuracy.

Define Roles and Responsibilities in Your IR Plan

Many incident response plans (IRPs) lack a clear delineation of responsibilities, particularly regarding who determines when an incident becomes a breach. Ideally, legal counsel—preferably external—should make this determination to preserve objectivity and privilege.

Tip: Review your IRP to ensure that roles and escalation points are well defined, with legal counsel involved at key decision points.

Handle Ransomware Negotiations Carefully

Ransomware incidents often involve complex decisions about whether to engage with or pay threat actors. Professional negotiators can play a valuable role here, as they are well-versed in handling threat actor communications and negotiating terms without compromising your organization’s legal standing.

Tip: Always hire professionals for ransomware negotiations. Amateur negotiators risk mishandling sensitive communications, which can exacerbate both financial and reputational damage.

Prepare for Possible Class Action Litigation

In the event of a data breach, it’s increasingly common for affected parties to file class action lawsuits. Many legal teams recommend proactive measures to limit liability, such as documented protocols that show your team acted swiftly and responsibly during the incident.

Tip: Ensure your IR documentation is thorough and compliant with industry standards, as this can provide valuable evidence should litigation arise.

Use Tabletop Exercises to Strengthen Incident Preparedness

Incident response tabletop exercises, especially those involving executive teams, help prepare your organization to navigate both operational and legal complexities in a crisis. In addition to familiarizing staff with the IRP, tabletop exercises offer an opportunity to practice coordination with legal counsel, PR, and executive stakeholders.

Tip: Schedule annual or biannual tabletop exercises that simulate high-stakes incidents, like ransomware attacks, to ensure all teams are familiar with legal protocols.

Conclusion: A Proactive Legal Strategy in Incident Response

Responding to a security incident without considering legal implications can expose your organization to additional risks. By carefully navigating language, establishing attorney-client privilege, and preparing staff with tabletop exercises, your organization can avoid many of the legal pitfalls associated with incident response. Whether preparing for regulatory inquiries or class action lawsuits, these best practices can help your organization respond to incidents effectively and with minimized legal exposure.

December 2024 - Healthcare Executive Leadership Cybersecurity Newsletter

December 9, 2024

These are the stories I shared internally with my leadership. Feel free to take and use for your own leadership. Created with help from ChatGPT.

New Professional Liability Insurance for CISOs

In response to the increasing legal scrutiny faced by Chief Information Security Officers (CISOs), Crum & Forster has introduced a professional liability insurance policy tailored specifically for these executives. Traditionally, directors and officers (D&O) liability policies have not encompassed CISOs, leaving them vulnerable to personal financial risks in the event of cybersecurity incidents.

Key Features of the Policy:

Comprehensive Coverage: Protects against claims of negligence or inadequate work arising from cybersecurity services.

Flexible Acquisition: Available for purchase by organizations on behalf of their CISOs or directly by the CISOs themselves.

Extended Protection: Covers consulting activities for the organization and its subsidiaries, as well as external engagements, including pro bono IT security work.

Further Reading: CyberScoop Article

Bipartisan Effort to Enhance Healthcare Cybersecurity

On November 22, 2024, Senators Bill Cassidy (R-LA), Mark Warner (D-VA), John Cornyn (R-TX), and Maggie Hassan (D-NH) introduced the Health Care Cybersecurity and Resiliency Act of 2024. This bipartisan legislation aims to bolster cybersecurity measures within the healthcare sector, addressing the increasing threats to patient data and healthcare operations.

Help Center

Key Provisions:

Grant Funding: Allocates resources to healthcare entities for enhancing cyberattack prevention and response capabilities.

Training Initiatives: Provides cybersecurity best practices training to healthcare institutions.

Support for Rural Providers: Offers tailored guidance to rural health clinics on breach prevention and resilience strategies.

Interagency Coordination: Improves collaboration between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) for effective cyberattack responses.

Regulatory Modernization: Updates Health Insurance Portability and Accountability Act (HIPAA) regulations to incorporate current cybersecurity best practices.

Incident Response Planning: Mandates the development and implementation of a cybersecurity incident response plan by the HHS Secretary.

Implications for Healthcare Organizations: This legislation underscores the critical need for robust cybersecurity frameworks within healthcare institutions. Executive leaders should proactively assess their organization's cybersecurity posture, ensuring alignment with emerging standards and readiness to leverage potential federal support. Embracing these initiatives will not only protect sensitive patient information but also enhance operational resilience against cyber threats.

Further Reading: Senate HELP Committee Press Release

December 2024 - Security Awareness Newsletter

December 6, 2024

This is a security awareness focused newsletter that I share internally. Feel free to grab and use for your own internal security awareness program.

Copyright Infringement Phishing Scams Targeting Facebook Business Users

Cybercriminals are targeting Facebook business and advertising account users, especially in regions like Taiwan, with phishing emails that falsely claim copyright infringement. These emails urge recipients to download a file (disguised as a PDF), which actually installs information-stealing malware on the victim’s device. This tactic aims to harvest sensitive information from users who trust the email’s legal-sounding message.

Key Points:

Target Audience: Facebook business and advertising account users.

Phishing Tactic: Emails posing as copyright infringement notices.

Malware Delivery: Malicious files masquerading as PDFs that contain infostealers.

Further Reading: Cisco Talos Report on Copyright Infringement Phishing Lure

Beware of 'Phish 'n' Ships': Fake Online Stores Stealing Your Money and Data

Cybercriminals are increasingly creating fraudulent online shops that mimic legitimate retailers to deceive consumers into providing payment information and personal data. These fake websites often offer enticing deals on popular products, luring unsuspecting shoppers into making purchases. Once payment details are entered, the scammers steal the information, leading to financial loss and potential identity theft.

How to Protect Yourself:

Verify Website Authenticity: Before making a purchase, ensure the website is legitimate by checking the URL for misspellings or unusual domain extensions.

Look for Secure Connections: Ensure the website uses HTTPS, indicating a secure connection.

Research the Seller: Look for reviews and ratings from other customers to confirm the retailer's credibility.

Be Cautious of Unrealistic Deals: If an offer seems too good to be true, it likely is.

Further Reading: Human Security

Beware of DocuSign-Inspired Invoice Scams

Cybercriminals are leveraging DocuSign’s Envelopes API to distribute highly realistic fake invoices impersonating trusted brands like Norton and PayPal. These malicious emails come from legitimate DocuSign domains, bypassing security filters and appearing authentic. Attackers aim to have recipients e-sign the document, which can authorize unauthorized payments.

What You Can Do:

Always verify invoice details directly with the company rather than clicking links within emails.

Look out for unexpected requests, even from trusted services.

Educate your team about this tactic and report suspicious invoices immediately.

Further Reading: Bleeping Computer

Mobile Ad Data Enables Widespread Surveillance

Recent investigations reveal that commercial services are exploiting mobile advertising data to track individuals' daily movements without their consent. By collecting data from widely-used mobile apps and websites, these services can monitor personal locations, posing significant privacy risks.

Protect Your Privacy:

Limit App Permissions: Only grant apps the permissions they genuinely need.

Review Privacy Settings: Regularly check and adjust your device's privacy settings to control data sharing.

Stay Informed: Be aware of how your data is collected and used by the apps and services you utilize.

Further Reading: Krebs on Security

Phishing Scams Targeting Booking.com Users

Recent reports highlight a surge in phishing attacks exploiting Booking.com accounts. Cybercriminals are compromising hotel partner accounts to access customer booking details, subsequently sending fraudulent messages that appear legitimate. These messages often request additional information or payments, aiming to deceive users into providing sensitive data or transferring funds.

Protect Yourself:

Verify Communications: Always confirm the authenticity of messages by contacting the hotel or Booking.com directly through official channels.

Avoid Unsolicited Links: Do not click on links or download attachments from unexpected emails or messages.

Enable Two-Factor Authentication (2FA): Activate 2FA on your Booking.com account to add an extra layer of security.

Further Reading: Krebs on Security

North Korean IT Workers Infiltrating Western Companies

Recent investigations have uncovered a concerning trend: North Korean IT professionals are securing remote positions in Western companies, including those in the United States, by using stolen identities and sophisticated social engineering tactics. This strategy enables them to bypass international sanctions and funnel earnings back to North Korea, potentially funding illicit activities.

Key Insights:

Identity Theft: These individuals often use stolen or fabricated identities to pose as qualified candidates from various countries.

Advanced Techniques: They employ generative AI tools to craft convincing resumes and perform well in interviews, making detection challenging.

Financial Implications: Earnings from these positions are redirected to support North Korea's sanctioned programs, including its weapons development initiatives.

Further Reading: Zscaler Security Research

Surge in Eventbrite-Based Phishing Attacks

Recent analyses by Perception Point have identified a significant increase in phishing campaigns exploiting Eventbrite's scheduling platform. Between July and October 2024, these attacks escalated by 900%, with cybercriminals sending deceptive emails from 'noreply[@]events[.]eventbrite[.]com' to distribute malicious content.

Key Insights:

Legitimate Appearance: Utilizing Eventbrite's legitimate email domain allows attackers to bypass standard security filters, making the phishing emails appear authentic to recipients.

Malicious Payloads: The emails often contain links or attachments designed to harvest credentials or deploy malware upon interaction.

Targeted Entities: While the attacks are widespread, they predominantly focus on organizations that frequently use event management platforms, increasing the likelihood of successful exploitation.

Further Reading: KnowBe4 Blog

Phishing Campaign Impersonates OpenAI to Steal Financial Information

Cybercriminals are currently conducting a phishing campaign that impersonates OpenAI to deceive users into providing their financial details. The fraudulent emails inform recipients that their ChatGPT subscription payment has been declined, prompting them to click a link to update their payment method.

Key Insights:

Deceptive Tactics: The emails are designed to appear legitimate, leveraging OpenAI's branding to gain user trust.

Malicious Links: Clicking the provided link directs users to a fake payment page intended to capture sensitive financial information.

Widespread Targeting: This campaign is part of a broader trend where attackers exploit the popularity of AI tools to launch phishing attacks.

Further Reading: KnowBe4 Blog

Corrupted Word Documents in Novel Phishing Campaign

A newly identified phishing campaign exploits Microsoft's Word file recovery feature by using intentionally corrupted Word documents as email attachments. These documents evade detection by security solutions due to their damaged state, but Word can still recover and open them.

Key Insights:

The Lure: Emails impersonate payroll and HR departments, with themes like employee bonuses and benefits. The attachments appear as corrupted files but can be repaired by Word.

Malicious QR Codes: Upon recovery, the documents prompt users to scan a QR code branded with company logos. Scanning leads to phishing sites designed to steal Microsoft login credentials.

Detection Challenges: Most attachments used in this campaign avoid detection on platforms like VirusTotal, as they contain no active malicious code, just deceptive QR codes.

Attack Effectiveness: By exploiting overlooked document recovery mechanisms, this method bypasses traditional email security filters, increasing the likelihood of reaching victims.

Further Reading: BleepingComputer Article

Cybercriminals Exploit Search Engine Results to Promote Phishing Pages

Cybercriminals are increasingly employing search engine poisoning to elevate malicious phishing sites in search results, deceiving users into divulging sensitive information. Researchers at Malwarebytes discovered that a search for "KeyBank login" on Bing displayed a counterfeit KeyBank login page above the official site.

Key Insights:

Manipulated Search Results: Attackers optimize malicious sites to appear prominently in search results, making them seem legitimate and increasing the likelihood of user interaction.

Phishing Tactics: These fraudulent pages mimic authentic login portals, aiming to harvest users' credentials and personal data.

Broader Implications: This tactic, known as SEO poisoning, extends beyond banking sites, potentially affecting various sectors and services.

Further Reading: KnowBe4 Blog

Attackers Exploit Corrupted Files to Evade Detection

Cybersecurity researchers have identified a novel phishing campaign that utilizes intentionally corrupted Microsoft Office documents and ZIP archives to bypass email security measures. These corrupted files evade antivirus scans and email filters, yet can be opened by users through built-in recovery features in applications like Microsoft Word and WinRAR.

Key Insights:

Evasion Techniques: The corrupted state of these attachments prevents security tools from properly scanning them, allowing malicious emails to reach users' inboxes undetected.

User Interaction: When users attempt to open these corrupted files, applications prompt them to recover the content, leading to the display of malicious elements such as QR codes.

Malicious Outcomes: Scanning the embedded QR codes can redirect users to phishing websites designed to steal credentials or deploy malware.

This tactic highlights the continuous evolution of phishing strategies aimed at circumventing security defenses and exploiting user trust in application recovery features.

Further Reading: The Hacker News

December 2024 - Threat Intelligence Newsletter

December 5, 2024

This is a monthly newsletter that I share internally with our Cybersecurity team. Feel free to take and use for your own team. Created with the help of ChatGPT.

Google’s New SAIF Risk Assessment Tool for AI Security

Google has introduced the Secure AI Framework (SAIF) Risk Assessment tool to help organizations proactively identify and mitigate security risks in their AI systems. This interactive tool assesses key areas such as training data integrity, access controls, and defenses against adversarial inputs. Upon completion, organizations receive a tailored report outlining specific vulnerabilities and recommended mitigation strategies, reinforcing the need for robust security measures as AI systems become more prevalent.

Further Reading: Google Blog on SAIF Risk Assessment

Session Cookie Theft Bypasses MFA Protections

The FBI has issued a warning about cybercriminals exploiting stolen session cookies to hijack email accounts, effectively bypassing Multi-Factor Authentication (MFA) safeguards. These "Remember-Me" cookies, typically valid for 30 days, store session IDs that authenticate users without repeated logins. If intercepted, attackers can impersonate users, gaining unauthorized access to email accounts and sensitive information.

Mitigation Strategies:

Monitor Account Activity: Stay vigilant for unfamiliar login attempts or unauthorized changes.

Implement Robust Security Measures: Utilize endpoint protection solutions to detect and prevent malware that could steal session cookies.

Further Reading: Malwarebytes

Sophos Reports Sophisticated China-Based Threats Targeting Network Perimeters

Sophos recently uncovered a five-year cyber espionage campaign by China-based groups, including APT31 and APT41, that targeted network edge devices like firewalls. These attackers used zero-day vulnerabilities and custom malware to infiltrate and persist within critical infrastructure across the Indo-Pacific region, including energy suppliers, government agencies, and telecommunications. Advanced tactics include stealth operations, sabotaging firewall telemetry, and deploying an early version of a UEFI bootkit on firewall devices.

Key Insights:

Critical Infrastructure Targeting: Attackers focused on high-value assets, compromising essential services.

Advanced Persistence Tactics: Use of rootkits and stealth malware for long-term access.

Importance of Edge Device Security: Firewalls and perimeter defenses remain primary entry points for these threats.

Further Reading: Sophos News

Preparing for Emerging AI Risks

The latest Unit 42 Threat Frontier report highlights the evolving risks associated with generative AI (GenAI) in cybersecurity. As threat actors increasingly explore AI tools to enhance attack methods, traditional defenses like Zero Trust architectures remain essential, but additional AI-focused defenses are becoming critical. The report also emphasizes the growing issue of "Shadow AI," or the unauthorized use of AI tools within organizations, which poses unique security challenges.

Key Insights:

Shadow AI Risk: Unauthorized use of AI tools within organizations increases security vulnerabilities.

AI-Specific Defenses: Integrating AI-focused security measures early in development is essential for robust protection.

Continued Importance of Traditional Defenses: Zero Trust and other established architectures are still effective but need AI-specific adaptations.

Further Reading: Unit 42 - Palo Alto Networks

Extortion Actor's EDR Bypass Attempt Unveiled

Unit 42 recently investigated an extortion incident where threat actors attempted to bypass Endpoint Detection and Response (EDR) systems using a tool named "disabler.exe." This tool, derived from the publicly available EDRSandBlast, aimed to unhook EDR hooks in both user-mode libraries and kernel-mode, facilitating unauthorized access. The attackers utilized rogue systems with outdated Cortex XDR agents to test their methods, inadvertently exposing their toolkit and operations. This exposure allowed Unit 42 to trace the tool's sale on cybercrime forums and identify one of the threat actors involved.

Unit 42

Key Insights:

Advanced Evasion Techniques: Attackers are employing sophisticated tools to disable security mechanisms, highlighting the need for robust and up-to-date EDR solutions.

Operational Exposure: Testing malicious tools in uncontrolled environments can inadvertently reveal threat actor methodologies and identities.

Community Vigilance: Monitoring cybercrime forums and sharing intelligence are crucial for preempting and mitigating such threats.

Further Reading: Unit 42 - Palo Alto Networks

Surge in Fake Emergency Data Requests

The FBI has issued a warning to U.S. organizations about a rise in fraudulent emergency data requests (EDRs) by cybercriminals. These malicious actors compromise government email accounts to impersonate law enforcement, exploiting the urgency of EDRs to obtain sensitive user information from service providers without legal oversight.

Key Insights:

Tactics: Cybercriminals gain access to official email accounts, enabling them to submit convincing EDRs to companies, thereby bypassing standard legal procedures.

Motivations: The harvested data is often used for further criminal activities, including identity theft, financial fraud, and targeted cyberattacks.

Indicators of Compromise: Unusual or unexpected data requests, especially those marked as urgent, should be scrutinized for authenticity.

Recommendations:

Verification Protocols: Implement strict verification processes for all data requests, including direct confirmation with the requesting agency through known contact points.

Employee Training: Educate staff on the prevalence of fake EDRs and establish clear procedures for handling such requests.

Monitoring and Reporting: Continuously monitor for suspicious data requests and report any fraudulent attempts to the appropriate authorities.

Staying vigilant against these deceptive tactics is crucial to safeguarding sensitive information and maintaining trust with users.

Further Reading: SecurityWeek

The Credential Abuse Cycle

Recent analyses have highlighted the escalating threat of credential abuse, where cybercriminals exploit stolen usernames and passwords to infiltrate networks and access sensitive data. This cycle comprises three key stages: theft, trade, and exploitation.

Key Insights:

Credential Theft: Attackers acquire credentials through data breaches, malware (notably infostealers), and social engineering.

Underground Trading: Stolen credentials are sold on cybercriminal forums, specialized marketplaces, and messaging platforms like Telegram.

Exploitation: With these credentials, threat actors conduct account takeovers, credential stuffing, and valid account abuse, leading to data breaches and financial losses.

Further Reading: ReliaQuest Blog

Rise in SVG-Based Phishing Attacks

Cybercriminals are increasingly utilizing Scalable Vector Graphics (SVG) files in phishing emails to bypass security filters and deliver malicious content. Unlike traditional image formats, SVG files can contain embedded scripts, allowing attackers to execute malicious code when the file is opened.

Key Insights:

Evasion Techniques: SVG files are often overlooked by email security systems, enabling malicious payloads to reach recipients undetected.

Embedded Malware: Attackers embed JavaScript within SVG files to initiate redirects to phishing sites or to download malware onto the victim's device.

Increased Prevalence: There is a notable uptick in phishing campaigns leveraging SVG attachments, highlighting the need for heightened vigilance.

Further Reading: Bleeping Computer

2024 CWE Top 25 Most Dangerous Software Weaknesses Released

The Common Weakness Enumeration (CWE) has published its 2024 list of the Top 25 Most Dangerous Software Weaknesses. This annual compilation identifies the most prevalent and critical vulnerabilities that can lead to severe security breaches, including system takeovers, data theft, and application disruptions.

Key Highlights:

Top Vulnerabilities: The list features critical weaknesses such as Cross-Site Scripting (CWE-79), Out-of-Bounds Write (CWE-787), and SQL Injection (CWE-89).

Data Insights: The 2024 list is based on an analysis of 31,770 CVE Records, providing a comprehensive overview of current software security challenges.

Resource for Mitigation: The CWE Top 25 serves as a valuable resource for developers and security professionals to prioritize mitigation efforts and enhance software security practices.

Further Reading: CWE Top 25 Most Dangerous Software Weaknesses

Analysis of CISA's 2023 Top Exploited Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has released its 2023 report on the most routinely exploited vulnerabilities, providing critical insights into the threat landscape. An in-depth analysis by VulnCheck offers additional perspectives on these vulnerabilities, emphasizing their exploitation patterns and associated threat actors.

Key Insights:

Exploit Availability: Out of the 15 vulnerabilities highlighted, 14 have eight or more publicly available proof-of-concept (POC) exploits, indicating a high risk of exploitation.

Weaponized Exploits: Thirteen vulnerabilities have weaponized exploits, with five being weaponized before any public evidence of exploitation emerged.

Threat Actor Activity: Sixty named threat actors are linked to 13 of these vulnerabilities. Notably, North Korea's Silent Chollima group targeted nine of the listed vulnerabilities.

Detection Coverage: VulnCheck provides Initial Access artifacts for 12 of the 15 vulnerabilities, aiding defenders in identifying and mitigating potential threats.

Further Reading: VulnCheck Blog

Surge in Eventbrite-Based Phishing Attacks

Key Insights:

Legitimate Appearance: Utilizing Eventbrite's legitimate email domain allows attackers to bypass standard security filters, making the phishing emails appear authentic to recipients.

Malicious Payloads: The emails often contain links or attachments designed to harvest credentials or deploy malware upon interaction.

Targeted Entities: While the attacks are widespread, they predominantly focus on organizations that frequently use event management platforms, increasing the likelihood of successful exploitation.

Further Reading: KnowBe4 Blog

Large-Scale Phishing Campaign Deploys Rhadamanthys Stealer v0.7

Check Point Research has identified a significant phishing operation utilizing the latest version of the Rhadamanthys Stealer, known as Rhadamanthys.07. This campaign, dubbed "CopyRh(ight)adamantys," impersonates legitimate companies to distribute malware under the guise of copyright infringement notices.

Checkpoint Blog

Key Insights:

Phishing Tactics: Attackers send emails from Gmail accounts, alleging copyright violations on the recipient's social media pages, prompting them to download a file that initiates the malware infection.

Global Reach: The campaign targets individuals and organizations across multiple continents, with approximately 70% of impersonated companies belonging to the entertainment, media, technology, and software sectors.

Malware Capabilities: Rhadamanthys.07 includes features such as AI-powered optical character recognition (OCR) modules, enhancing its ability to extract data from infected machines.

Further Reading: Check Point Blog

Corrupted Word Documents in Novel Phishing Campaign

Key Insights:

The Lure: Emails impersonate payroll and HR departments, with themes like employee bonuses and benefits. The attachments appear as corrupted files but can be repaired by Word.

Malicious QR Codes: Upon recovery, the documents prompt users to scan a QR code branded with company logos. Scanning leads to phishing sites designed to steal Microsoft login credentials.

Detection Challenges: Most attachments used in this campaign avoid detection on platforms like VirusTotal, as they contain no active malicious code, just deceptive QR codes.

Attack Effectiveness: By exploiting overlooked document recovery mechanisms, this method bypasses traditional email security filters, increasing the likelihood of reaching victims.

Further Reading: BleepingComputer Article

Surge in Infostealer Malware Exploiting Innovative Attack Vectors

In October 2024, Check Point Research identified a significant increase in infostealer malware activity, with cybercriminals employing advanced tactics to infiltrate systems and exfiltrate sensitive data.

Key Insights:

Prevalent Malware Families: The top threats included FakeUpdates, impacting 6% of organizations worldwide, followed by Androxgh0st at 5%, and AgentTesla at 4%.

Innovative Attack Vectors: Threat actors are leveraging sophisticated methods, such as malicious advertisements in search results—a tactic known as "malvertising"—to distribute infostealers. This approach enhances the legitimacy of malicious links, increasing the likelihood of user engagement.

Global Impact: The widespread distribution of these malware families underscores the necessity for organizations to adopt proactive and adaptive security measures to counter evolving cyber threats.

Further Reading: Check Point Blog

Attackers Exploit Corrupted Files to Evade Detection

Key Insights:

Evasion Techniques: The corrupted state of these attachments prevents security tools from properly scanning them, allowing malicious emails to reach users' inboxes undetected.

User Interaction: When users attempt to open these corrupted files, applications prompt them to recover the content, leading to the display of malicious elements such as QR codes.

Malicious Outcomes: Scanning the embedded QR codes can redirect users to phishing websites designed to steal credentials or deploy malware.

This tactic highlights the continuous evolution of phishing strategies aimed at circumventing security defenses and exploiting user trust in application recovery features.

Further Reading: The Hacker News

Key Takeaways from NIST SP 800-50r1 – Building a Cybersecurity and Privacy Learning Program

December 2, 2024

In September 2024, the National Institute of Standards and Technology (NIST) released the updated Special Publication (SP) 800-50r1, "Building a Cybersecurity and Privacy Learning Program." This is an update to the 2003 NIST Special Publication (SP) 800-50, Building an Information Technology Security Awareness and Training Program. I hadn’t realized that there was a NIST publication on building a security awareness program. It’s good to see an update after 21 years! Here's a look at the key insights and recommendations from the updated publication. This was written with the help of ChatGPT.

Understanding THE Cybersecurity and Privacy Learning Program (CPLP)

Name Change! The document introduces the Cybersecurity and Privacy Learning Program (CPLP) as an overarching framework that includes awareness campaigns, role-based training, and workforce education initiatives. Aimed at fostering a culture of security and privacy, the CPLP is a strategic effort to manage risks and comply with federal regulations, such as FISMA. With privacy becoming a much bigger topic in the last 10 years, rolling it into an cybersecurity awareness program makes sense. This could cross multiple teams depending on how an organization is setup.

CPLP emphasizes awareness and education, incorporating role-specific training alongside general awareness activities, and focuses on encouraging behavior change to reduce risks and foster a culture of security. Continuous improvement is integral, with metrics and evaluations used to adapt programs to evolving needs.

The CPLP Life Cycle

NIST defines a four-phase life cycle for managing CPLPs: Plan and Strategy; Analysis and Design; Development and Implementation; and Assessment and Improvement. These phases involve developing a strategic vision that aligns learning objectives with organizational goals, identifying learning needs and creating tailored program designs, building or procuring learning materials and deploying the program, and measuring effectiveness while refining strategies based on outcomes. This iterative approach ensures that the CPLP remains dynamic and aligned with organizational needs.

Leadership and Organizational Roles

The success of a CPLP hinges on active involvement across all levels of the organization. Senior leadership plays a crucial role in providing strategic direction and resources, while CPLP managers oversee program design, delivery, and metrics. System users, on the other hand, are responsible for adhering to policies and participating in required training. Leadership participation, such as senior leaders engaging in training themselves, reinforces the importance of the program. Leadership buy-in is the first step to getting any sort of program off the ground. Heavily regulated industries are easier to get buy-in for than others.

Metrics and Measurements

Effective CPLPs rely on a mix of quantitative and qualitative metrics to evaluate success. Quantitative metrics include training completion rates, reductions in incidents, and compliance statistics, while qualitative metrics involve employee feedback, focus group discussions, and behavioral observations. NIST emphasizes using these metrics not just for compliance but to drive meaningful behavior change and demonstrate return on investment.

This section was helpful for thinking about what sort of metrics to have. One of the examples brought up is click rate which is a highly volatile statistic. A better statistic is report rate which is a positive behavior an organization wants to encourage within their population. The document doesn’t define what an organization should have for metrics but instead provides guidance.

Integrating Privacy into Cybersecurity Training

One of the standout updates in SP 800-50r1 is the seamless integration of privacy training into cybersecurity programs. It highlights the interconnected nature of these disciplines and the need for training to address both cybersecurity incidents and privacy risks, such as data re-identification or misuse. Teaching employees about privacy risks enables them to recognize potential problems and implement procedures that minimize such risks.

This is big within healthcare. Reports like the Verizon Data Breach Investigation Report show that the healthcare industry has higher internal threat actors due to mistakes and errors with handling information. This can lead to huge privacy implications for the organization.

Tailored Training for Diverse Audiences

CPLPs should be segmented to address specific needs. General users benefit from training on fundamental security practices, such as phishing awareness, while privileged access holders require advanced training on managing sensitive systems. Those in specialized roles undergo deeper training specific to their risks and responsibilities. Tailoring training ensures that it remains relevant and impactful for all user groups.

Easy to suggest much harder to do. A good starting point is what’s mentioned in the publication: all users; privileged access account holders; new employees; and staff with cybersecurity and privacy responsibilities. Tailored training should be broken down further into departments such as service desk and finance but this is a good starting point.

Focusing on Improvement Without Punishment

One of the critical takeaways from NIST SP 800-50r1 is the emphasis on using cybersecurity exercises, such as phishing tests, as opportunities for learning and improvement rather than punishment. The publication highlights the importance of informing employees that these exercises are conducted randomly and that the results will guide future learning activities. Such exercises should not be punitive, nor should employees be singled out for their responses. By framing these activities as learning opportunities, organizations can gather valuable data on vulnerabilities while fostering a supportive environment that encourages employee growth and engagement with cybersecurity practices.

A Culture of Learning

At its core, SP 800-50r1 promotes a culture of continuous learning and adaptation. From onboarding new employees to advanced training for cybersecurity professionals, the document underscores the importance of embedding cybersecurity and privacy awareness into organizational DNA. By viewing cybersecurity and privacy learning as an evolving process, organizations can be prepared for emerging risks and technologies.

Conclusion

NIST SP 800-50r1 offers a robust roadmap for organizations looking to strengthen their cybersecurity and privacy posture. For organizations aiming to enhance their cybersecurity and privacy programs, reading SP 800-50r1 is a great starting point. A focus on building culture and rewarding people will help change behavior and reduce the human element in incidents.

Explore the full NIST SP 800-50r1 publication here.

The 12 Scams of The Holiday Seasons: How to Stay Safe This Holiday Season

November 26, 2024

I wrote this for a security awareness program with help from ChatGPT. Feel free to grab and share within your own organizations.

The Better Business Bureau (BBB) has long been a trusted resource for protecting consumers and promoting trustworthy business practices. Their mission to provide valuable insights and tools to stay vigilant against fraud is especially critical during the holidays. This year, the BBB has compiled a list of the "12 Scams of Christmas" to help ensure your festive season remains joyful and scam-free.

Here’s a quick overview of these scams and how to protect yourself:

Fake Social Media Ads: Beware of deals that are too good to be true—they may lead to counterfeit or undelivered goods.
Gift Exchange Scams: Pyramid schemes disguised as “fun” gift exchanges often harvest personal information.
Holiday Apps: Some seemingly festive apps collect data or install malware on your device.
Fake Toll Texts: Scammers target holiday travelers with bogus unpaid toll notifications.
“Free” Gift Cards: Phishing emails offering gift cards often aim to steal sensitive data.
Seasonal Job Scams: Fake job listings trick job seekers into providing personal or financial details.
Impostor Scams: Fraudsters pose as customer service reps or mimic legitimate websites.
Fake Charities: Scammers take advantage of the season’s generosity with fraudulent donation appeals.
Phishing Shipping Notifications: Fake alerts about undelivered packages are phishing attempts.
Advent Calendar Scams: Low-quality or nonexistent calendars sold by untrustworthy vendors.
Shady Pop-Up Shops: Temporary retailers that vanish with your money or sell counterfeit goods.
Too-Good-To-Be-True Travel Deals: Unrealistically low offers designed to scam travelers.

How to Stay Safe:

Be skeptical of deals that sound too good to be true.
Verify sellers, charities, and offers through trusted sources.
Avoid clicking on unsolicited links or emails.

The BBB offers a wealth of information to help you navigate the holiday season safely. For the full list of scams and detailed safety tips, visit their 12 Scams of Christmas page.

This holiday season let’s protect our wallets and our personal information while spreading cheer and generosity. A little awareness can go a long way in keeping the holidays merry and bright!

Whiskey with a Cause: An Inside Look at ILF’s Barrel Pick Adventure

November 14, 2024

The auction for some fabulous whisky is live at Unicorn Auctions until November 21, 2024. Proceeds go to the Innocent Lives Foundation.

You can view the live recording at the ExploreSec YouTube Channel. The audio version of the podcast will hit the podcast feed soon.

At Exploring Information Security, we’re passionate about all things cybersecurity, community, and—every now and then—a great bourbon adventure. In April 2024, I had the chance to join a unique charity experience: a barrel pick trip with the Innocent Lives Foundation (ILF). It was a memorable journey that not only deepened my appreciation for bourbon but also highlighted how a shared passion can turn into a powerful force for good.

The Origins of the ILF Barrel Pick Club

The ILF Barrel Pick Club started with a simple idea: what if they could combine a love for whiskey with a mission to protect children? A few conversations later, this idea grew into a fully-fledged project, allowing whiskey enthusiasts to purchase exclusive barrels with all proceeds supporting ILF’s mission of identifying predators and protecting children. The club's purpose is to create a community where each sip makes a difference. However, getting to that first barrel wasn’t straightforward; with whiskey’s growing popularity, acquiring a quality barrel often requires invites, lotteries, and long waitlists.

An Exclusive Tour of Legendary Distilleries

Our journey led us to Louisville, Kentucky, where we visited some of the country’s most iconic distilleries, including Four Roses and the lesser-known gem Starlight Distillery. These aren’t just whiskey manufacturers—they are stewards of tradition, science, and innovation, each offering distinct qualities that make them unique.

At Four Roses, we were taken behind the scenes and introduced to their precise process, from single-story rickhouses to unique yeast strains. We learned that each barrel tells a story; the location, temperature, and aging process impart distinct flavors and profiles. Four Roses, renowned for its transparent labeling, even indicates barrel location details down to the warehouse tier and barrel direction.

Across the river, we discovered Starlight Distillery, a family-owned operation with a 200-year history in farming and a more recent venture into bourbon-making. Known for experimenting with unique finishes like Mizunara oak (a notoriously tricky Japanese wood), Starlight introduced us to a whole new world of flavors and finishes. It’s a place as much for bourbon as for families, complete with a fun park and farm tours.

Crafting the Perfect Barrel Pick

Picking a barrel is a blend of art and science—and more challenging than one might expect. With guidance from our hosts, we tasted everything from rich caramel to floral and smoky notes. A well-rounded tasting experience involves layers of flavor and aroma that evolve with each sip. This nuanced approach is essential when selecting barrels for auction because our picks aren’t just about finding what tastes good—they have to resonate with the community of experienced drinkers while supporting ILF’s mission.

At each stop, we were welcomed with enthusiasm, kindness, and yes, lots of whiskey. Starlight even donated a bottle of their premium Mizunara cask-aged bourbon to support the ILF auction. The generosity of these distilleries reflects their alignment with ILF’s purpose. It was humbling to see how eager they were to support a mission that matters deeply to us.

Bidding on a Purpose: The ILF Whiskey Auction

The highlight of this journey is the ILF auction, hosted by Unicorn Auctions. Unicorn Auctions has gone above and beyond to support us by waiving all fees, ensuring that every dollar raised goes to ILF’s mission. The auction features exclusive bottles selected during our barrel pick trip, and each bottle represents a unique expression of craftsmanship and generosity.

These bottles aren’t just collectibles; they’re tokens of the ILF mission. Whether you’re an experienced bourbon enthusiast or a newcomer, bidding in the auction allows you to support ILF in a unique way. Proceeds from the auction directly fund ILF’s work in identifying and helping bring child predators to justice, one bottle at a time.

Memorable Moments and Tasting Notes

The trip was full of memorable (and hilarious) moments—like trying to keep our stomachs steady on bumpy Kentucky roads after too many tastings or debating flavor notes (shoutout to Chris for the “pine sol” descriptor!). The tasting process highlighted just how subjective and personal whiskey can be. The complexities of flavor brought out some spirited debates and even a few new friendships.

One of the favorites of the group was the Starlight Double Oak—a rich, complex bourbon with dark spice and caramel notes that had us all captivated. If you’re lucky enough to get your hands on a bottle, it’s worth savoring every sip. For those looking for a unique twist, the Starlight honey finish adds a hint of natural sweetness that’s both unusual and surprisingly smooth.

Raising a Glass to a Cause

At the end of the day, these bottles represent something bigger. Each auction, each barrel, and each sip brings us closer to funding ILF’s crucial work. As we continue to grow the Barrel Pick Club, we’re reminded of the power of community, generosity, and shared passion. This journey has shown us that even something as simple as whiskey can make a profound difference.

If you’re interested in supporting ILF or exploring our latest auction, visit Unicorn Auctions and place a bid. Let’s raise a glass to great bourbon, and an even greater cause.

Created with the help of ChatGPT; edited by Timothy De Block. This post original posted on exploresec.com.

Join Us on a Barrel-Picking Adventure with the Innocent Lives Foundation!

November 12, 2024

This week, Exploring Information Security is excited to bring you a unique live recording that steps outside the digital world and into the heart of Kentucky and Indiana distilleries. We’re partnering with the Innocent Lives Foundation (ILF) for a special episode, where we dive into the art and experience of barrel picking. Our adventure took us to two iconic locations—Four Roses and Starlight Distillery—where we set out to find exceptional barrels and create a meaningful connection between the worlds of whiskey and cyber awareness.

Why a Barrel-Picking Adventure?

While cybersecurity and barrel picking might seem worlds apart, this journey is about more than just tasting whiskey. It’s about discovering the unique stories, craftsmanship, and community that make each barrel something special. For this live recording, we’re blending our curiosity for great whiskey with our commitment to the Innocent Lives Foundation’s important mission: protecting children from online exploitation.

Our Trip to Four Roses and Starlight Distillery

Our barrel-picking journey began at Four Roses, known for its distinctive, rich flavor profiles, and continued to Starlight Distillery, where each barrel tells its own story. At each stop, we dove into the meticulous process of selecting barrels, learning how master distillers and their teams create diverse flavors and memorable experiences.

Each barrel pick wasn’t just about taste—it was a sensory experience that engaged sight, smell, and sound. We discovered how small variations in wood, weather, and aging environments can shape a barrel's character and flavor. Selecting a barrel that stood out from the rest required both intuition and collaboration—a bit like finding the right approach to solving cybersecurity challenges.

Behind the Scenes: The Art of Barrel Picking

So, how does one go about picking a barrel? It starts with identifying what makes each barrel unique. From the moment we began the tasting process, we immersed ourselves in a symphony of aromas, textures, and flavors that define each barrel’s character. Some barrels surprised us with unexpected hints of fruit or spice, while others stood out for their smooth, rich finish. These discoveries weren’t just thrilling—they were a reminder of the craftsmanship and care that goes into every bottle.

Memorable Moments and Incredible People

One of the highlights of this journey was meeting the people behind the barrels. We heard stories from master distillers, learned about family traditions that have been passed down for generations, and saw firsthand the dedication it takes to produce high-quality spirits. These connections deepened our appreciation for the process and made each tasting session more meaningful.

Connecting the Dots: How This Adventure Supports ILF’s Mission

While we tasted and shared stories, we kept the Innocent Lives Foundation’s mission at the heart of this journey. ILF is dedicated to protecting children from online predators by working behind the scenes to identify and support law enforcement in bringing these offenders to justice. Each barrel we picked represents a small way to support ILF’s efforts, as proceeds from the sales will go directly to support their work.

For us, this experience was about more than the whiskey—it was about using this adventure to make a difference.

If you’d like to grab your own bottle head over to Unicorn Auctions!

Join Us Live!

Ready to dive into the world of barrel picking with us? Whether you’re a whiskey enthusiast, a cybersecurity pro, or a supporter of ILF’s mission, this episode promises to be packed with flavor, storytelling, and purpose.

🗓️ Tune in live around 6:30 PM ET on the ExploreSec YouTube channel: ExploreSec YouTube Channel. Join us for an unforgettable experience and discover the story behind each barrel we selected!

November 2024 Executive Leadership Cybersecurity Newsletter

November 12, 2024

This is a monthly newsletter I put together for our executive team with a lean towards healthcare. Created with help from ChatGPT.

Ransomware Threats Surge Globally in 2023

Summary: The 2023 Global Ransomware Incident Map highlights a 73% rise in ransomware attacks, targeting sectors like healthcare and finance. Cybercriminals are increasingly using "big game hunting" tactics, exploiting vulnerabilities such as the MOVEit flaw. This trend underscores the urgent need for businesses to bolster cybersecurity defenses and improve incident response strategies.

Further reading: Institute for Security and Technology.

AI Risks in the Workplace

A recent study by CybSafe revealed that 38% of workers are sharing sensitive information with AI tools, often without their employer's knowledge. This raises significant security concerns, especially since over half of employees have not received training on safe AI use. With the growing reliance on AI, it's crucial for executives to implement clear guidelines and provide training on secure AI practices to mitigate the risk of data breaches and protect intellectual property.

Further reading: CybSafe - AI Security Risks.

North Korean IT Worker Incident Highlights Hiring Risks

A recent cyberattack on a company underscores the dangers of unknowingly hiring North Korean operatives. The organization accidentally hired a North Korean IT worker who accessed sensitive data and demanded a ransom. This highlights the need for stringent vetting in remote hiring practices, especially as North Korea increasingly infiltrates global companies.

Recommended Protections:

Implement strict identity verification for remote workers.

Conduct thorough background checks with global databases.

Regularly monitor employee network activity for unusual behavior.

Further reading: GBHackers - North Korean IT Worker Incident.

Healthcare Supply Chain Attacks on the Rise

A recent Proofpoint report reveals that 68% of healthcare workers have faced a supply chain cyberattack, with 82% of these incidents affecting patient care.

Key Insights:

68% of healthcare workers report supply chain cyberattacks.

82% of incidents resulted in disruptions to patient care.

Attacks cause delays in procedures and increase patient risks.

Ransomware and business email compromise are growing threats.

Further reading: Security Magazine - Supply Chain Attacks.

Change Healthcare Breach – Key Insights and Implications

In February 2024, Change Healthcare experienced a substantial ransomware attack, compromising the personal, financial, and medical information of approximately 100 million Americans. This incident highlights critical vulnerabilities within the healthcare sector and raises concerns about protecting patient data.

Key Insights:

Breach Scope: Sensitive data, including Social Security numbers, medical records, and billing information, was exposed, impacting millions of patients.

Financial Impact: UnitedHealth Group, Change Healthcare’s parent company, incurred breach-related costs totaling $2.457 billion, including $1.521 billion in direct response expenses.

Ransom Payment: Change Healthcare paid a $22 million ransom to the BlackCat ransomware group in an attempt to prevent further data exposure.

Further Reading: Change Healthcare Breach Hits 100M Americans – Krebs on Security

November 2024 Threat Intelligence Newsletter

November 11, 2024

This is a monthly newsletter I put together for our internal security team with a lean towards phishing and healthcare. Created with help from ChatGPT.

Fake Job Applications Deliver Dangerous Malware

Summary: A spear-phishing campaign is targeting HR professionals with fake job applications containing the More_eggs malware. Operated by the Golden Chickens group as part of a Malware-as-a-Service (MaaS) platform, More_eggs is a sophisticated backdoor used by multiple threat actors to infiltrate corporate networks.

Key Insights (Technical):

Delivery Method: The malware is delivered via malicious Windows Shortcut files (.LNK files) disguised as resumes. When opened, these files execute scripts without raising suspicion.

Execution Technique: The attack leverages living-off-the-land binaries (LOLBins) like wscript.exe to run malicious JavaScript code, bypassing traditional security measures.

Capabilities:

Backdoor Access: Establishes a stealthy backdoor for persistent access.

Payload Deployment: Can download and execute additional malware modules, including ransomware or credential stealers.

Reconnaissance: Gathers system information and can move laterally within the network.

Command and Control (C2): Communicates with C2 servers over HTTP/S protocols, using encrypted channels to evade detection.

Avoidance of Detection: Uses legitimate Windows processes to mask malicious activities, making it harder for security solutions to detect the intrusion.

For further details, read the full article on The Hacker News.

New Ransomware Strain Targeting Healthcare

The U.S. Department of Health and Human Services (HHS) issued a warning about a new ransomware strain, Trinity, which is actively targeting the healthcare sector. Trinity uses techniques like encrypting data and demanding ransoms within 24 hours. It has connections to other ransomware families such as Venus and 2023Lock.

Technical Key Insights:

Exploits Remote Desktop Protocol (RDP) and open ports

Uses privilege escalation to gain higher access

Encrypts critical systems rapidly after infiltration

Further reading: The Record - Trinity Ransomware Alert.

Emerging Cybersecurity Threats Highlighted in HP Wolf Security Report

The September 2024 HP Wolf Security Threat Insights Report identifies key trends in cyberattacks, including a surge in document-based malware, with 61% of threats delivered via email attachments. Attackers are increasingly using malicious archives and PDFs to bypass detection, leveraging techniques like HTML smuggling and exploiting vulnerabilities in outdated software. Threat actors are also using Generative AI to write sophisticated malware, such as AsyncRAT.

Key Insights:

39% of threats delivered in archives

Rise in AI-generated malware

Increased exploitation of known vulnerabilities

Further reading: HP Wolf Security Threat Insights Report.

North Korean IT Worker Incident Highlights Hiring Risks

Recommended Protections:

Implement strict identity verification for remote workers.

Conduct thorough background checks with global databases.

Regularly monitor employee network activity for unusual behavior.

Further reading: GBHackers - North Korean IT Worker Incident.

User-Centric Security Design Inspired by Disney

A recent article from KnowBe4 discusses how organizations can improve security by observing how employees naturally work, similar to Disney’s strategy of observing guests before building paths. The concept of "desire paths" shows that security controls should be designed around actual workflows, reducing friction and improving compliance. By aligning security with user behavior, organizations can mitigate risky workarounds and foster a more secure environment.

Further reading: KnowBe4 - Security Highways.

Healthcare Supply Chain Attacks on the Rise

A recent Proofpoint report reveals that 68% of healthcare workers have faced a supply chain cyberattack, with 82% of these incidents affecting patient care.

Key Insights:

68% of healthcare workers report supply chain cyberattacks.

82% of incidents resulted in disruptions to patient care.

Attacks cause delays in procedures and increase patient risks.

Ransomware and business email compromise are growing threats.

Further reading: Security Magazine - Supply Chain Attacks.

Microsoft’s Deceptive Honeypot Strategy Targets Phishers

Microsoft has launched a clever security strategy by creating fake Azure tenants to lure phishing attackers into honeypots. These realistic tenant environments mimic legitimate setups, tricking attackers into interacting with them. This allows Microsoft to gather valuable intelligence on phishing methods and infrastructure, which can be used to strengthen defenses and share with the wider security community. By engaging with these fake environments, phishers waste time while Microsoft gains crucial insights.

Further reading: BleepingComputer - Microsoft Honeypots.

Mobile-First Cyber Attacks on the Rise

Cyber attackers are increasingly adopting a "mobile-first" strategy, as highlighted by a new report from Zimperium. With 83% of phishing sites now targeting mobile devices and a 13% rise in mobile malware, employees’ personal devices pose a growing risk to organizations. As more employees use their smartphones for work-related tasks, organizations need to bolster mobile security and educate employees on safe practices through security awareness training.

Further reading: KnowBe4 - Mobile-First Attack Strategy.

Cybercriminals Exploiting Steam for Malware Distribution

A recent investigation highlights how cybercriminals are using Steam profiles to exploit a technique called Dead Drop Resolver (DDR) to hide Command and Control (C2) addresses within user profiles. Attackers have leveraged well-known infostealers like Vidar, Lumma, and MetaStealer to extract sensitive data from infected systems by using platforms like Steam and Telegram to evade detection.

Technical Key Insights:

Attackers embed C2 addresses in Steam profiles.

Infostealers target credentials and system data.

Use of obfuscated code and stolen certificates.

Further reading: RT Solar Blog. <---- .ru site

Rise in Phishing Attacks with AI and Impersonation Tactics

A new report from KnowBe4 reveals a 28% rise in phishing attacks during Q2 2024, with 89% of attacks involving brand impersonation. Cybercriminals are increasingly using AI-powered phishing toolkits, making it easier for less-skilled attackers to execute sophisticated campaigns. Commodity phishing attacks, primarily using hyperlinks, have surged, overwhelming organizations' defenses. With impersonation tactics being a dominant trend, organizations must enhance defenses against these evolving threats.

Key Insights:

28% increase in phishing attacks in Q2 2024.

89% of phishing emails involve impersonation.

Commodity phishing attacks up 2,700% compared to normal baselines.

Further reading: KnowBe4 Report.

Phishing-as-a-Service Platform "Sniper Dz" Exposed

A recent investigation reveals the rise of the phishing-as-a-service (PhaaS) platform "Sniper Dz," which is responsible for over 140,000 phishing websites. The platform offers phishing templates targeting major brands and hides malicious content behind proxy servers to evade detection. Additionally, attackers can exfiltrate credentials to centralized servers controlled by Sniper Dz. This growing platform enables less-skilled attackers to launch sophisticated phishing attacks with ease.

Further reading: Unit 42 - Sniper Dz PhaaS.

Dark Angels Ransomware Group Exposed

A recent investigation uncovers the stealth tactics of the Dark Angels ransomware group, which targets high-value systems with Babuk and RagnarLocker-based ransomware. Their techniques include double extortion, data exfiltration, and selective ransomware deployment to minimize detection.

Technical Key Insights:

Uses Babuk ransomware on Windows and RagnarLocker variants on Linux/ESXi servers.

Employs double extortion tactics, stealing data before encryption.

Leverages encrypted communication channels to evade detection.

Further reading: Zscaler - Dark Angels Ransomware Group.

North Korean IT Worker Fraud

SecureWorks reports that North Korean IT workers are fraudulently obtaining remote jobs to access sensitive systems and generate revenue for the regime. These individuals disguise their identities, use VPNs to hide their location, and exploit company resources once hired.

Key Insights:

Perform thorough background checks on freelance and remote candidates.

Monitor network access for unusual activity, especially from VPNs.

Educate hiring managers on this growing threat.

Further Reading: Fraudulent North Korean IT Worker Schemes

Health Care and Social Assistance Sector at Risk

Cyber threats in the Health Care and Social Assistance sector are intensifying, with phishing and social engineering attacks being the most prevalent. Organizations need to prioritize automation and Digital Risk Protection strategies to defend against these sophisticated threats.

Key Insights:

51.55% of incidents are phishing attacks using spearphishing links.

24.76% of attacks exploit public-facing applications.

Automation reduces incident containment time to 1 minute, compared to 2 hours 34 minutes for manual responses.

Further Reading: ReliaQuest Health Care Threat Landscape

AI-Driven Malware and Persistent Ransomware Threats

Check Point's Global Threat Index for September 2024 highlights the rising use of AI in malware creation, with AsyncRAT becoming one of the top threats. AI-powered scripts are being used to deliver malware like AsyncRAT through techniques such as HTML smuggling, showcasing how threat actors with limited technical skills can now leverage AI to create sophisticated attacks. This evolution underscores the need for organizations to adopt proactive security strategies.

In addition, RansomHub, a rebranded Ransomware-as-a-Service group, continues to dominate the ransomware scene, accounting for 17% of reported attacks. Other prominent malware families include FakeUpdates, targeting organizations worldwide, and Androxgh0st, which exploits vulnerabilities across platforms.

Key Insights:

51.55% of the most prevalent malware was related to phishing campaigns, with AI-driven techniques emerging.

RansomHub remains the top ransomware group with a significant global impact.

Joker leads mobile malware, targeting Android users via SMS theft and premium service fraud.

Further Reading: Check Point Threat Intelligence Report

Trinity Ransomware Hits Healthcare Sector

The Trinity ransomware group is targeting healthcare organizations with double-extortion tactics, gaining access through phishing emails and software vulnerabilities. This ransomware not only encrypts data but also steals it, pressuring victims to pay or risk exposure of sensitive information. Two healthcare providers have already been attacked, with 330GB of data compromised from a U.S.-based provider.

Key Insights:

Double extortion tactics increase the urgency for victims to pay.

Initial access often occurs through phishing or vulnerabilities.

Healthcare is a prime target due to critical operations needing quick recovery.

Further Reading: Trinity Ransomware Targets Healthcare

Threat Intelligence Update: Black Basta’s Social Engineering Tactics via Microsoft Teams

The Black Basta ransomware group has employed a sophisticated social engineering campaign targeting organizations through Microsoft Teams. By signing user emails up for multiple spam sources, Black Basta overwhelms the target with unwanted messages. Threat actors then contact the user, impersonating IT support and offering assistance with the email flood. During this call, the attacker convinces the user to install remote access software like Quick Assist or AnyDesk, providing them unauthorized access to the network. Once inside, the attackers can harvest credentials and potentially deploy ransomware.

Key Insights:

Attackers use a flood of spam emails to distract and stress targets.

Impersonation of IT support builds credibility and increases the chance of remote access.

This tactic highlights the need for training employees to verify unexpected IT requests and avoid downloading unapproved software.

Further Reading: ReliaQuest Blog on Black Basta's Techniques

Q3 2024 Ransomware Trends

The ReliaQuest Q3 2024 ransomware report highlights significant shifts in the ransomware landscape, with new groups gaining prominence and using sophisticated tactics to escalate their attacks. RansomHub has overtaken LockBit as the most active group, experiencing an 800% rise in postings from Q1 to Q3. Their growth is attributed to aggressive recruiting and lucrative profit-sharing, which has drawn affiliates from other disrupted groups. This group, along with Play ransomware, continues to exploit vulnerabilities in VPNs and public-facing applications, demonstrating the persistent risk posed by unpatched systems.

Key Insights:

RansomHub’s Rapid Rise: RansomHub posted 195 times in Q3, an 800% increase from Q1, leveraging a 90/10 profit-sharing model to attract affiliates.

Expansion into ESXi Environments: Play ransomware’s new Linux variant targets VMware ESXi servers, broadening its impact across platforms.

High-Risk Sectors: Professional services, healthcare, and manufacturing sectors are top targets due to potential operational disruptions.

Vulnerability Exploits: Attackers frequently gain access through unpatched VPNs and other internet-facing applications, emphasizing the need for timely patch management.

Further Reading: ReliaQuest Q3 Ransomware Report

Update: Q3 2024 Brand Phishing Trends

Check Point Research’s Q3 2024 report reveals that Microsoft continues as the most impersonated brand in phishing attacks, accounting for 61% of brand phishing attempts. Apple (12%) and Google (7%) follow, with new additions Alibaba and Adobe rounding out the top 10. These attacks commonly target the technology, social media, and banking sectors, as cybercriminals exploit brand familiarity to deceive users and capture credentials or payment information. Notably, new phishing sites targeting WhatsApp and Alibaba highlight the evolving strategies of threat actors seeking to exploit user trust.

Key Insights:

Microsoft Dominance: Microsoft phishing attempts made up 61% of brand impersonation attacks, with Apple and Google also highly targeted.

Sector Focus: Technology and social networks were the most impersonated sectors, followed by banking.

Evolving Phishing Tactics: Phishing websites like whatsapp-io.com and alibabashopvip.com show attackers adapting to impersonate new brands.

Further Reading: Check Point’s Q3 2024 Brand Phishing Report.

Global Surge in Cyber Attacks in Q3 2024

Check Point’s Q3 2024 report highlights a significant 75% increase in global cyber attacks compared to last year, with each organization facing an average of 1,876 weekly attacks. Sectors most impacted include Education/Research (3,828 weekly attacks), Government/Military (2,553), and Healthcare (2,434), reflecting the increased focus on these industries. Africa saw the highest regional attack rate, averaging 3,370 weekly, up 90% from 2023, while North America experienced the most ransomware attacks, making up 57% of incidents worldwide. Manufacturing was the top ransomware target, followed by Healthcare and Retail/Wholesale.

Key Insights:

Attack Growth by Sector: The Hardware Vendor industry had the largest increase in attacks, surging by 191%.

Regional Hotspots: Africa, Latin America, and Europe saw the steepest rises, with Europe experiencing an 86% year-over-year spike.

Ransomware Targets: The Manufacturing sector accounted for 30% of ransomware incidents, underscoring cybercriminals' focus on high-disruption industries.

Further Reading: Check Point Q3 2024 Report.

North Korean Cybercriminal Infiltrates UK Company

A UK-based organization recently suffered a breach after inadvertently hiring a North Korean cybercriminal posing as a remote IT worker. Once hired, the attacker used insider access to extract sensitive information and eventually demanded a ransom for its non-disclosure. This case highlights the importance of strict hiring processes for remote roles and enhanced security practices.

Key Insights:

Vetting Remote Employees: Conduct rigorous background checks to confirm credentials.

Data Security: Monitor access and behavior for early threat detection.

Remote Work Risks: Be mindful of cyber threats exploiting virtual roles.

Further Reading: KnowBe4 Article; KnowBe4 10 Hiring Updates

Partnership Between Scattered Spider and RansomHub

ReliaQuest reports a new collaboration between the Scattered Spider and RansomHub groups, merging advanced social engineering skills with network-compromising expertise to target enterprises globally. The partnership leverages RansomHub's effective 90/10 profit-sharing model, attracting experienced threat actors from disrupted groups. This collaboration allows attackers to target critical virtual infrastructures, such as ESXi servers, which host key applications, enabling high-impact ransomware attacks that pressure victims to pay swiftly.

Key Insights:

Targeting of ESXi Servers: These servers, often running multiple virtual machines, are attractive for ransomware attacks as they disrupt operations across organizations.

Social Engineering Tactics: Scattered Spider's expertise in impersonating IT staff aids in gaining unauthorized access to organizational networks.

Rising Threat of RansomHub: RansomHub has rapidly gained dominance, surpassing groups like LockBit, indicating a strategic shift in ransomware collaborations and effectiveness.

For more details, explore the full article at ReliaQuest.

Social Engineering Exploits Valid Accounts

Recent incidents highlight how threat actors are compromising legitimate accounts through social engineering tactics. By manipulating individuals into divulging sensitive information or performing specific actions, attackers gain unauthorized access to systems and data. This method often involves impersonating trusted entities or creating convincing scenarios to deceive targets.

Key Insights:

Impersonation Tactics: Attackers frequently pose as IT support or company executives to extract credentials.

Phishing Campaigns: Sophisticated emails and messages are crafted to appear authentic, luring recipients into providing access details.

Insider Threats: Compromised accounts can be used to launch further attacks within an organization, making detection challenging.

Further Reading: KnowBe4 Article on Social Engineering Exploits.

North Korean Group Adopts Play Ransomware

Unit 42 has identified that the North Korean state-sponsored threat group, Jumpy Pisces (also known as Andariel), has begun collaborating with the Play ransomware group, Fiddling Scorpius. This marks a significant shift in Jumpy Pisces' tactics, moving from traditional cyber espionage to active participation in ransomware operations. The group gained initial access to networks via compromised user accounts, deploying tools like Sliver and their custom malware, DTrack, to facilitate lateral movement and persistence. This collaboration underscores the evolving ransomware landscape, where nation-state actors are increasingly engaging in financially motivated cybercrime.

Key Insights:

Tactical Shift: Jumpy Pisces is now utilizing existing ransomware infrastructures, indicating a move towards financial cybercrime.

Advanced Tools: The group employs sophisticated tools such as Sliver and DTrack for network infiltration and persistence.

Global Targeting: Their activities are expected to target a wide range of victims worldwide, necessitating heightened vigilance.

Further Reading: Unit 42 Article on Jumpy Pisces and Play Ransomware.

Key Cyber Threat Actors in 2024

ReliaQuest's recent analysis identifies five prominent cyber threat actors significantly impacting the cybersecurity landscape in 2024:

RansomHub: Emerging as a dominant ransomware group, RansomHub has surpassed previous leaders like LockBit and ALPHV, posing substantial risks to organizations globally.

IntelBroker: As the acting administrator of BreachForums, IntelBroker oversees activities on one of the largest English-language cybercriminal forums, facilitating various malicious operations.

APT41: A Chinese state-affiliated group, APT41 continues to engage in espionage activities, targeting sectors such as healthcare, telecommunications, and finance.

APT29: Known for its sophisticated espionage campaigns, this Russian state-affiliated group remains active in infiltrating governmental and private sector networks.

KillSec: Originally aligned with the "Anonymous" hacktivist collective, KillSec has recently shifted towards financially motivated ransomware activities, increasing its threat profile.

Further Reading: ReliaQuest Article on Critical Threat Actors.

Halloween’s Digital Threats of 2024

Halloween brings tales of horror, but in 2024, some of the scariest threats come from the digital realm. Cybercriminals are increasingly using advanced tools to target individuals and organizations with new forms of AI-driven malware, IoT exploits, and social engineering tricks that play on our trust.

Key Insights:

AI-Powered Attacks: These cyber “ghosts” can adapt to evade detection, making attacks like spear-phishing and deepfakes more convincing.

IoT Vulnerabilities: Over 20,000 vulnerable IoT devices, including cameras and routers, have become entry points for attackers, posing risks to privacy and security.

Social Media Exploitation: Personal data scraped from social platforms is being weaponized for phishing and blackmail, creating "digital dossiers" for targeted attacks.

Fake Calls and Malware: Scammers posing as bank representatives are using fake calls to steal sensitive information, a trick that’s led to an increase in identity theft and financial loss.

Dating Apps and Location Data: Privacy risks on dating apps, including inadvertent location sharing, are turning digital encounters into real-life safety concerns.

Further Reading: Check Point’s guide on Halloween Cyber Threats.

November 2024 Cybersecurity Awareness Newsletter

November 8, 2024

This is a newsletter I share internally as part of our internal security awareness program. Feel free to take and use in your organization. Created with help from ChatGPT

Fake Job Applications Deliver Dangerous Malware

Summary: A spear-phishing campaign has been targeting HR professionals with malicious job applications. Attackers use fake resumes containing More_eggs malware, a backdoor designed to steal credentials. This malware, part of a Malware-as-a-Service (MaaS) platform operated by the Golden Chickens group, can be used by multiple threat actors. The attack chain involves malicious Windows shortcut (LNK) files that initiate the infection upon execution, allowing attackers to perform reconnaissance and drop additional payloads.

Key Insight: Be cautious when handling job applications, especially those involving downloadable files from unknown sources.

For further details, read the full article on The Hacker News.

Data Privacy Risks in Connected Cars

Modern connected vehicles collect vast amounts of data, including driving habits, location, and even biometric information like voice commands. A recent analysis by CHOICE reveals that many popular car brands share this data with third-party companies, raising privacy concerns. Brands like Kia, Hyundai, and Tesla collect and share voice and video data, while others gather driving behaviors. This highlights the importance of understanding your car’s data collection practices and opting out where possible.

Further reading: CHOICE - Connected Cars Tracking Your Data.

North Korean Hackers Targeting Job Seekers

A new campaign by North Korean hackers is targeting job seekers, particularly in the tech industry, according to a recent report. Hackers impersonate recruiters on platforms like LinkedIn, luring individuals into downloading malware disguised as video conferencing tools. The malware is designed to steal cryptocurrency and sensitive corporate data, posing risks to both individuals and organizations. Job seekers should remain cautious when interacting with unsolicited offers and recruiters.

Further reading: KnowBe4 - North Korean Hackers.

Election Season and Cybersecurity Concerns

As the 2024 election season progresses, a recent Malwarebytes survey reveals that 74% of respondents consider it a risky time for personal information. Fears of scams, privacy breaches, and cyber interference are high, with 52% of people expressing concern about falling prey to scams through political ads. Many are taking precautions, such as using two-factor authentication and password managers, to secure their data.

Key Insights:

74% view election season as risky for personal data.

52% fear scams via political ads.

Increased adoption of security practices like two-factor authentication.

Further reading: Malwarebytes - Election Season Raises Fears.

North Korean IT Worker Incident Highlights Hiring Risks

Recommended Protections:

Implement strict identity verification for remote workers.

Conduct thorough background checks with global databases.

Regularly monitor employee network activity for unusual behavior.

Further reading: GBHackers - North Korean IT Worker Incident.

Mobile-First Cyber Attacks on the Rise

Further reading: KnowBe4 - Mobile-First Attack Strategy.

Microsoft Spoofing Threats on the Rise

A recent report from Harmony Email & Collaboration highlights over 5,000 fake Microsoft emails targeting organizations within a single month. These emails, often impersonating legitimate administrators, use sophisticated obfuscation techniques, making it difficult for users to detect. The risks include account takeovers, ransomware, and data theft.

Further reading: Check Point Blog.

New VPN Credential Attack Uses Sophisticated Social Engineering

A recent attack uncovered by security researchers targets organizations using VPNs through a combination of social engineering, fake login sites, and phone calls. Attackers impersonate a helpdesk, direct users to a spoofed VPN login page, and steal credentials. They also prompt users for multi-factor authentication (MFA) codes to gain access to corporate networks. This attack highlights the importance of user vigilance and strong security training.

Attack Chain:

Impersonation of helpdesk.

Directs victim to fake VPN login page.

Steals credentials and MFA codes.

Further reading: KnowBe4 - New VPN Credential Attack.

Operation Kaerb Takedown

Operation Kaerb successfully dismantled iServer, a Phishing-as-a-Service platform responsible for facilitating mobile credential theft targeting nearly half a million victims. iServer enabled low-skilled criminals to unlock stolen phones by phishing for user credentials. This takedown is a reminder of the evolving tactics cybercriminals use and underscores the importance of staying vigilant against mobile-focused phishing attacks.

Further Reading: Operation Kaerb on KnowBe4

Sextortion Scams on the Rise

Our team has recently been targeted by sextortion scams, where attackers use publicly available information to create threatening messages designed to elicit fear and urgency. These scams often appear more credible by including personal details. If you receive such a message, avoid engagement or payment—report it to our security team immediately by using the suspicious email button in Outlook.

Further Reading: KnowBe4 Article on Sextortion Scams.

Update: Q3 2024 Brand Phishing Trends

Key Insights:

Microsoft Dominance: Microsoft phishing attempts made up 61% of brand impersonation attacks, with Apple and Google also highly targeted.

Sector Focus: Technology and social networks were the most impersonated sectors, followed by banking.

Evolving Phishing Tactics: Phishing websites like whatsapp-io.com and alibabashopvip.com show attackers adapting to impersonate new brands.

Further Reading: Check Point’s Q3 2024 Brand Phishing Report.

North Korean Cybercriminal Infiltrates UK Company

Key Insights:

Vetting Remote Employees: Conduct rigorous background checks to confirm credentials.

Data Security: Monitor access and behavior for early threat detection.

Remote Work Risks: Be mindful of cyber threats exploiting virtual roles.

Further Reading: KnowBe4 Article; KnowBe4 10 Hiring Updates

North Korean Threat Actors Pose as Recruiters to Target Job Seekers

Palo Alto Networks' Unit 42 recently uncovered a campaign in which North Korean threat actors pose as recruiters to lure tech job seekers into downloading malware disguised as legitimate communication tools. Known as the "Contagious Interview" campaign, this operation involves malware variants like BeaverTail and InvisibleFerret, which are capable of stealing credentials, exfiltrating sensitive files, and targeting cryptocurrency wallets. Victims are approached on professional platforms like LinkedIn, and then directed to install fake interview applications that serve as a conduit for malware.

Key Insights:

Sophisticated Impersonation Tactics: Attackers convincingly impersonate recruiters and use realistic job offers to build trust with targets.

Multifunctional Malware: The malware used can harvest browser passwords, access cryptocurrency wallets, and install backdoors, enhancing its threat potential.

Organizational Risk: Beyond individual targets, successful infections on company devices can lead to broader data breaches within organizations.

As remote work and digital hiring continue to rise, it’s critical to validate the legitimacy of recruiters and avoid downloading unverified software for job interviews.

Further Reading: Unit 42 Report on North Korean Recruitment Tactics

Pig Butchering Scams Target Job Seekers

Proofpoint has identified a new twist in cryptocurrency fraud, known as "Pig Butchering," targeting job seekers. Scammers posing as recruiters lure victims into fake job roles, eventually guiding them to invest in fraudulent cryptocurrency platforms. Victims see initial "profits" to build trust, but ultimately lose their entire investment. These scams often begin on social media, moving to platforms like WhatsApp or Telegram for further manipulation.

Further Reading: Proofpoint Article.

Foreign Disinformation on U.S. Hurricanes

Recent intelligence shows that operatives from Russia, China, and Cuba have spread false information about U.S. hurricanes to deepen political divides. AI-generated images and misleading posts claimed federal relief was denied or funds were diverted to foreign conflicts, aiming to erode trust in U.S. disaster response. Be cautious of divisive narratives or unverified disaster images on social media, as they may be part of coordinated disinformation efforts.

Further Reading: NBC News Article.

Social Engineering Exploits Valid Accounts

Key Insights:

Impersonation Tactics: Attackers frequently pose as IT support or company executives to extract credentials.

Phishing Campaigns: Sophisticated emails and messages are crafted to appear authentic, luring recipients into providing access details.

Insider Threats: Compromised accounts can be used to launch further attacks within an organization, making detection challenging.

Further Reading: KnowBe4 Article on Social Engineering Exploits.

Major Data Breach at Change Healthcare Affects 100 Million Americans

In February 2024, Change Healthcare, a leading U.S. healthcare technology company, experienced a significant ransomware attack that compromised the personal, financial, and medical information of approximately 100 million individuals. The breach disrupted healthcare services nationwide, highlighting vulnerabilities in the sector's cybersecurity defenses.

Key Insights:

Scope of Breach: The attack exposed sensitive data, including medical records, billing information, and personal identifiers such as Social Security numbers and driver's license details.

Financial Impact: UnitedHealth Group, Change Healthcare's parent company, reported direct breach response costs of $1.521 billion and total cyberattack impacts of $2.457 billion.

Ransom Payment: The company paid a $22 million ransom to the BlackCat ransomware group in an attempt to secure the stolen data.

Further Reading: Change Healthcare Breach Hits 100M Americans – Krebs on Security

Student Loan Phishing Scams Targeting Millions

Cybercriminals are exploiting confusion around student loan forgiveness with a surge in phishing emails targeting millions of Americans. These emails use advanced techniques to look legitimate and bypass email filters, making them harder to detect.

What You Can Do to Stay Safe:

Watch for Red Flags: Be cautious with emails related to student loans, especially those asking for immediate action or personal information. Verify any claims by contacting your loan service provider directly.

Check the Source: Always look closely at the sender’s email address. Official communication will come from verified addresses, not random or suspicious-looking senders.

Enable Multi-Factor Authentication (MFA): Use MFA on your financial accounts for extra security, making it harder for attackers to gain access if they obtain your credentials.

Be Prepared: Know how to report a suspicious email in your email system, and don’t hesitate to delete anything that seems off.

Further Reading: Check Point Blog.

Security Awareness Newsletter - October 2024

October 18, 2024

This is a newsletter I share internally as part of our internal security awareness program. Feel free to take and use in your organization. Created with help from ChatGPT

Spamouflage: State-Linked Influence Operations Target U.S. Elections

Summary: A Chinese state-linked influence operation, Spamouflage, is ramping up efforts to sway U.S. political discourse ahead of the 2024 election. By posing as U.S. voters and using AI-generated content, they spread divisive narratives on social media about sensitive issues like gun control and racial inequality. These tactics highlight the importance of vigilance against foreign influence campaigns and fake online personas.

Key Insight: Verify online sources and stay aware of potential influence operations.

Further Reading: Graphika Report

Lazarus Hackers Target Job Seekers with Malware-Laden Job Offers

Summary: The Lazarus Group is actively targeting job seekers, particularly those in blockchain-related fields, by disguising malware within fake job offers. The group utilizes platforms like LinkedIn, Upwork, and Telegram to distribute malicious software, including the "BeaverTail" malware, which steals credentials and cryptocurrency wallet data. Job seekers should be cautious of unsolicited job offers and avoid downloading unfamiliar files.

Key Insight: Always verify job offers and avoid downloading files from unknown sources.

Further Reading: GBHackers Article

Foreign Influence Operations Target U.S. 2024 Election

Summary: U.S. intelligence officials warn of increased influence operations from Russia, China, and Iran aimed at U.S. voters ahead of the 2024 election. These operations, while not yet disrupting voting infrastructure, spread disinformation through media, PR firms, and American influencers. A recent U.S. indictment highlights Russia's attempts to covertly funnel pro-Russian narratives into right-wing media, signaling the need for heightened vigilance as the election approaches.

Key Insight: Stay alert to disinformation and foreign influence in political content.

Further Reading: CyberScoop Article

Lowe's Employees Targeted by Google Ads Phishing Campaign

Summary: Lowe's employees were recently targeted by a phishing attack using fraudulent Google ads mimicking the MyLowesLife portal. Attackers designed fake login pages to steal employee credentials. This highlights the dangers of using search engines to access work-related sites. Employees should be reminded to avoid clicking on sponsored links and instead bookmark legitimate sites to protect against phishing attacks.

Tip: Always access work portals through bookmarks or trusted URLs, not through search engines.

Further Reading: Malwarebytes Blog

Email Breaches at Welcome Health & United Way of Connecticut

Summary: Welcome Health and United Way of Connecticut reported email account breaches compromising sensitive data. At Welcome Health, patient information and contractor Social Security numbers were exposed, while a phishing attack on United Way's employee email compromised data of up to 8,039 patients. Both organizations have responded with enhanced security measures and offered credit monitoring to affected individuals.

Further Reading: HIPAA Journal

False Claims of Hacked Voter Data Intended to Undermine U.S. Elections

Summary: The FBI and CISA have issued a joint public service announcement warning about false claims of hacked voter information. Foreign actors may spread disinformation to erode public confidence in U.S. elections, especially by exaggerating claims of compromised voter data. The agencies urge citizens to critically evaluate such claims and remind that much voter information is public.

Key Insight: Stay vigilant against disinformation campaigns designed to sow distrust in election processes.

Further Reading: CISA Announcement

Beware of Parking Payment Scams Involving Fake QR Codes

Summary: Drivers in the UK are being targeted by scammers who place fake QR codes on parking machines. These codes lead to fraudulent websites designed to steal payment information. The RAC warns drivers to avoid using unfamiliar QR codes and instead rely on cash, card, or official apps for parking payments. This "quishing" scam has been reported across multiple UK regions, with an increasing number of incidents.

Key Insight: Be cautious when scanning QR codes, especially in public places like parking machines.

Further Reading: RAC News

Florida Healthcare Data Leak Exposes Thousands of Doctors and Hospitals

Summary: A data breach at MNA Healthcare exposed sensitive information of over 14,000 healthcare workers and 10,000 hospitals, including encrypted Social Security Numbers, addresses, and job details. The breach, caused by a misconfigured database, increases risks of identity theft and fraud. Healthcare professionals and institutions are advised to enhance cybersecurity measures, monitor financial accounts, and consider identity theft protection.

Further Reading: Cybersecurity News

New Sextortion Scam Uses Photos of Victims' Homes

Summary: A recent wave of sextortion scams has taken a more personalized approach, including photos of victims' homes in threatening emails. Scammers claim to have recorded compromising footage through malware and demand Bitcoin payments to avoid releasing the videos. The photos are often pulled from online mapping services to increase intimidation. To stay safe, avoid responding to such emails, keep webcams covered when not in use, and report incidents to law enforcement.

Further Reading: Krebs on Security

Google Password Manager Now Syncs Passkeys Across Devices

Summary: Google Password Manager now automatically syncs passkeys across Windows, macOS, Linux, Android, and ChromeOS devices. Passkeys, which use biometrics like fingerprints and facial recognition, offer a more secure alternative to passwords. With this update, passkeys are encrypted and accessible on all devices, enhancing security and convenience for users. Google has also introduced a new PIN feature to ensure end-to-end encryption for synchronized data.

Further Reading: BleepingComputer Article

FTC Report Exposes Surveillance by Social Media and Streaming Giants

Summary: The FTC has released a report revealing that major social media and video streaming platforms engage in extensive data collection and surveillance of users, including children and teens. The report highlights inadequate privacy protections and raises concerns about the use of data for targeted advertising. The FTC recommends stronger privacy laws, data minimization, and enhanced safeguards for younger users.

Key Insight: Ensure your social media use is mindful of privacy risks, and review settings to limit data sharing.

Further Reading: FTC Report

Operation Overload: A Disinformation Threat Targeting U.S. Elections

Summary: Operation Overload, a Russia-linked disinformation campaign, is ramping up efforts targeting U.S. voters ahead of the 2024 presidential election. The operation uses AI-generated fake content, such as fabricated TikTok videos and doctored news articles, to spread false narratives. Recent emails aimed at smearing Vice President Kamala Harris highlight the evolving tactics. It's critical for newsrooms and voters to remain vigilant and fact-check claims.

Key Insight: Be cautious of AI-generated content that mimics legitimate sources to manipulate public opinion.

Further Reading: CheckFirst Report

Phishing Attack Uses Two-Step Approach to Evade Detection

Summary: A new phishing attack leverages a two-step process, using legitimate platforms like Microsoft Office Forms as an intermediary to evade detection. After clicking the phishing email link, users are directed to a legitimate form before being redirected to a fake login page designed to steal credentials. This sophisticated approach helps attackers bypass security filters by exploiting trusted platforms.

Key Insight: Be cautious of phishing links that utilize legitimate services as intermediaries before redirecting to malicious sites.

Further Reading: KnowBe4 Blog

Investment Scam Losses Surge Six-Fold Since 2021

Summary: The Better Business Bureau reports a six-fold increase in losses from investment scams since 2021. Scammers frequently exploit dating platforms and hacked social media accounts to lure victims into fraudulent cryptocurrency schemes. Victims are often promised high returns on investments, only to lose significant amounts of money. Common red flags include promises of guaranteed returns, little-known cryptocurrencies, and requests to share wallet details.

Key Insight: Be cautious of unsolicited investment offers and avoid sharing cryptocurrency wallet details with unverified individuals.

Further Reading: KnowBe4 Blog

HR-Related Phishing Tactics on the Rise

Summary: Threat actors are using HR-related phishing emails, posing as internal messages like "Updated Employee Handbook," to trick employees into clicking malicious links. These attacks often lead victims to fake login pages that steal their credentials. The emails appear legitimate, making it crucial for employees to be extra cautious with HR communications and verify any unusual requests directly with their HR department.

Key Insight: Always verify HR-related emails before clicking links or providing sensitive information.

Further Reading: Cofense Blog

Foreign Influence Operations Using AI to Target U.S. Elections

Summary: According to a recent ODNI election security update, foreign actors—primarily Russia and Iran—are increasingly using AI-generated content to influence U.S. voters. These actors are deploying manipulated media across various formats, including text, images, audio, and video, to spread disinformation and fuel divisive political narratives. As Election Day approaches, U.S. citizens should be vigilant about AI-generated content and misinformation campaigns.

Key Insight: Verify sources and be cautious of sensationalized or divisive media, especially content that seems AI-generated.

Further Reading: ODNI Election Security Update

Expert Tips to Identify Phishing Links

Summary: Phishing attacks are becoming more sophisticated, but there are key ways to spot phishing links. Security experts advise checking for suspicious URLs with complex characters, paying attention to redirect chains, and inspecting page titles or missing favicons. Attackers also abuse CAPTCHA and Cloudflare checks to mask phishing attempts. Tools like ANY.RUN’s Safebrowsing can help safely analyze suspicious links before engaging with them.

Key Insight: Always inspect URLs carefully and use tools to analyze suspicious links in a safe environment.

Further Reading: The Hacker News

The Dangerous Intersection Between Cybercrime and Harm Groups

Summary: A recent investigation reveals that some cybercriminals involved in ransomware attacks are also tied to violent online communities. These groups, often targeting young people, manipulate victims into self-harm or harming others. They use platforms like Telegram and Discord to coordinate harassment and extortion, demonstrating the increasing overlap between cybercrime and real-world violence.

Key Insights:

Cybercriminals are also involved in harm groups.

Young people are often victims of online manipulation.

Cybercrime is increasingly crossing into physical violence.

Cyber Predators Exploit Healthcare Vulnerabilities with Ransomware and Data Theft

Summary: Cybercriminals are increasingly targeting healthcare organizations, exploiting weaknesses to steal patient data and extort hospitals via ransomware attacks. These criminals collaborate through darknet marketplaces, offering ransomware-as-a-service, and trading access to compromised healthcare systems. With attacks up 32% globally in 2024, healthcare remains a prime target due to its valuable data and often outdated security infrastructure.

Key Insights:

Healthcare sees an average of 2,018 attacks weekly, with APAC and Latin America hit hardest.

Ransomware-as-a-service empowers less experienced criminals.

Hospitals face high risks due to the critical nature of their operations.

Beware of Funeral Streaming Scams on Facebook

Summary: Scammers are exploiting Facebook by creating fake funeral streaming groups, tricking grieving families into providing credit card information to view a supposed service. These fraudulent groups use the deceased's images to appear legitimate and direct users to malicious websites requesting payment. This scheme preys on vulnerable people, often at their most emotional moments.

Key Insights:

Fake funeral streaming pages ask for credit card details.

Scammers use social media to create convincing, emotional traps.

Stay vigilant and verify event details before engaging.

Phishing Campaign Exploits Google Apps Script for Sophisticated Attacks

Summary: A new phishing campaign manipulates Google Apps Script macros to target users across multiple languages. The phishing emails falsely claim to provide “account details” and include links to malicious pages mimicking legitimate Google services. Victims are tricked into disclosing sensitive information, leading to data theft and operational disruption.

Key Insights:

Attack uses Google’s infrastructure to appear legitimate.

Affected users may disclose sensitive data via a deceptive Google Apps Script URL.

Advanced email filtering, real-time URL scanning, and phishing awareness training are crucial defenses.

For more details, visit Checkpoint Research.

New Windows PowerShell Phishing Campaign Highlights Serious Risks

Summary: A recently discovered phishing campaign uses GitHub-themed emails to trick recipients into launching PowerShell commands, enabling the download of password-stealing malware. The attack uses social engineering techniques, disguising itself as a CAPTCHA verification process. By exploiting PowerShell’s automation capabilities, attackers gain unauthorized access to credentials stored on victims' systems.

Key Insights:

Attack targets GitHub users but could be adapted for broader use.

Exploits PowerShell to execute malicious commands.

Vigilance and disabling unnecessary PowerShell access are crucial defenses.

For more, visit Krebs on Security.

Phishing Attacks Exploit Content Creation and Collaboration Platforms

Summary: A recent phishing campaign abuses popular content creation and collaboration tools to trick users into clicking malicious links. Cybercriminals use legitimate-looking posts and documents with embedded phishing URLs, leading to credential theft through fake login pages. These attacks have been seen in both business and educational environments.

Key Insights:

Phishing emails from trusted platforms contain hidden threats.

Common platforms include design tools and document-sharing services.

Users should be cautious of unexpected links and suspicious login requests.

For more information, visit KnowBe4.

Scammers Exploit Virtual Shopping Lists to Target Walmart Customers

Summary: Cybercriminals are using Walmart’s virtual shopping list feature to scam customers by embedding fake customer support numbers. Clicking these links, often promoted via malicious ads, leads users to scammers who impersonate law enforcement or bank employees. Victims are coerced into transferring funds, often under false threats of legal consequences.

Key Insights:

Scammers misuse legitimate platforms like Walmart's shopping lists.

Ads can redirect to fake support numbers.

Stay vigilant of scare tactics and unsolicited requests for money.

For more details, visit KnowBe4.

Cyber Threats Looming for the 2024 U.S. Election

Summary: As the 2024 U.S. election approaches, cyber threats from nation-state actors, hacktivists, and cybercriminals are expected to rise. These include disinformation campaigns, phishing attacks, and attacks on electoral infrastructure. Businesses should brace for phishing campaigns and SEO poisoning targeting politically charged topics.

Key Insights:

Nation-state groups may conduct hack-and-leak operations and influence campaigns.

Expect a surge in phishing attacks and scams using election-related themes.

Businesses should implement advanced cybersecurity measures to mitigate risks.

For more details, visit ReliaQuest.

Timeshare Scam Linked to Mexican Drug Cartel Targets U.S. Owners

Summary: The FBI has issued a warning about a telemarketing scam targeting timeshare owners, linked to the Jalisco New Generation drug cartel. Scammers posing as buyers lure victims into paying advance fees for fraudulent timeshare sales. The funds are used to finance other cartel activities. Victims are often reluctant to report the scam due to fear or embarrassment.

Key Insights:

Scammers pose as buyers offering above-market prices.

Victims lose thousands in fraudulent fees.

Report scams to authorities to prevent further harm.

For more details, visit Krebs on Security.

Phishing Threat Intelligence Newsletter for October 2024

October 18, 2024

This is a monthly newsletter I put together for our internal security team with a lean towards phishing and healthcare. Created with help from ChatGPT.

Phishing via Google Ads Targets Lowe’s Employees

Summary: Interesting technicque to watch. A recent malvertising campaign targeted Lowe’s employees by impersonating the company’s employee portal through fraudulent Google ads. Threat actors used phishing pages that closely resembled the legitimate MyLowesLife site to steal login credentials. These attacks underline the need for caution when clicking on sponsored links, especially for accessing internal portals.

Key Insight: Avoid using search engines to access internal portals—bookmark them instead to reduce exposure to phishing.

Further Reading: Malwarebytes Blog

Emerging Phishing Threats: Typosquatting and Brand Impersonation Trends

Summary: Zscaler's research uncovers a growing trend in phishing attacks involving typosquatting and brand impersonation. Attackers are increasingly mimicking popular brands using lookalike domains to trick users into divulging sensitive information.

Key Insights:

Over 10,000 malicious domains detected between February and July 2024.

Google, Microsoft, and Amazon are the top impersonated brands.

Attackers use free TLS certificates to evade detection.

Sectors like Internet Services and Online Shopping are prime targets.

For more details, visit Zscaler's blog.

Suspected Espionage Campaign Delivers “Voldemort” Malware

Summary: Proofpoint researchers identified a sophisticated espionage campaign distributing custom malware named "Voldemort." This campaign used advanced techniques like abusing Google Sheets for command and control (C2) and targeting organizations globally by impersonating tax authorities. The malware, likely tied to an APT actor, has intelligence-gathering capabilities and is suspected of espionage rather than financial gain.

Key Insights:

Targeted over 70 organizations across multiple sectors.

Abuses Windows file protocols and advanced C2 mechanisms.

For more details, visit Proofpoint's blog.

Scattered Spider Targets Insurance and Financial Sectors Using Cloud Ransomware

Summary: The Scattered Spider group has intensified its ransomware attacks on the insurance and financial industries, leveraging cloud vulnerabilities and phishing campaigns to compromise high-privileged accounts. The group uses social engineering tactics, including SIM swapping, smishing, and cloud credential theft, to gain unauthorized access. Their advanced techniques, combined with partnerships like BlackCat, have made them a formidable threat to cloud-based infrastructures.

Further Reading: EclecticIQ Blog

Top Cyber Attacker Techniques: May-July 2024 Insights

Summary: ReliaQuest’s report from May to July 2024 highlights the growing threat of phishing, accounting for 37% of incidents. The “SocGholish” malware, delivered via fake browser updates, remains widespread. Additionally, exposed credentials make up 88.75% of alerts, posing significant risks. Key sectors targeted by ransomware include manufacturing and tech. To defend against these threats, organizations should enhance multi-factor authentication, monitor user behavior, and deploy rapid response measures.

Key Insights:

Phishing remains a top threat.

Credential exposure is a major risk.

Ransomware is heavily targeting manufacturing and tech sectors.

Further Reading: ReliaQuest Blog

Unveiling RECORDSTEALER: A Persistent Infostealer Targeting Sensitive Data

Summary: RECORDSTEALER (Raccoon Stealer V2) is a malware targeting sensitive information like passwords, payment data, and cryptocurrency wallets. It infects systems through malvertising and fake downloads, focusing on web browsers for data exfiltration. RECORDSTEALER’s infrastructure has been disrupted, but related malware such as VIDAR and STEALC are still active.

Key Insights:

Uses browser exploits for credential harvesting.

Communicates with command-and-control servers using encrypted channels.

Evades detection via obfuscation and process injection.

Further Reading: Google Cloud Blog

Splinter: A New Post-Exploitation Red Team Tool

Summary: Splinter, a post-exploitation tool developed in Rust, allows for remote command execution, file uploads, and process injection. It uses encrypted HTTPS for command-and-control (C2) communication, making it harder to detect. Initially built for red team operations, the tool's misuse poses significant risks to compromised systems.

Technical Key Insights:

Splinter supports process injection into system processes.

Uses encrypted C2 channels for communication.

Built with Rust for enhanced performance and cross-platform compatibility.

Further Reading: Unit 42 Article

Supershell Malware Targeting Linux SSH Servers

Summary: Supershell, a Go-based backdoor, is being deployed on Linux SSH servers through brute-force attacks. Once installed, it provides attackers with remote access via a reverse shell, enabling them to hijack systems and deploy additional payloads like cryptocurrency miners.

Key Insights:

Uses reverse shell for remote control.

Exploits weak SSH credentials via brute-force attacks.

Can execute additional malicious payloads, such as XMRig miners.

Written in Go, enhancing cross-platform capabilities.

Further Reading: AhnLab ASEC Report

Cybercriminals Exploit Legitimate Software with CAMO Techniques

Summary: ReliaQuest's latest findings reveal the growing use of legitimate IT tools by cybercriminals in "Commercial Applications, Malicious Operations" (CAMO). These tools, such as PDQ Deploy and SoftPerfect, are used for spreading ransomware, exfiltrating data, and evading detection by blending into normal network operations. This trend complicates incident detection and response.

Key Insights:

CAMO tools can bypass detection by leveraging legitimate system capabilities.

Attackers use trusted tools to move laterally and exfiltrate data.

Network segmentation, monitoring, and whitelisting can mitigate these threats.

Further Reading: ReliaQuest Blog

Phishing Attack Uses Two-Step Approach to Evade Detection

Key Insight: Be cautious of phishing links that utilize legitimate services as intermediaries before redirecting to malicious sites.

Further Reading: KnowBe4 Blog

Surge in Malicious Links Marks 133% Increase in Q1 2024

Summary: Phishing attacks using malicious links surged by 133% in the first quarter of 2024, as attackers shift away from traditional attachments to evade detection. Links allow attackers to obfuscate malicious content and use redirects, CAPTCHA, and legitimate services to conceal their payloads. This growing trend emphasizes the need for organizations to enhance email security and continuously train employees to spot suspicious links.

Further Reading: KnowBe4 Blog

HR-Related Phishing Tactics Grow More Sophisticated

Summary: Threat actors are increasingly using HR-related phishing emails, disguised as official company communications, to trick employees into providing credentials. These phishing attacks often use urgent subjects like “Revised Employee Handbook,” leading victims to a fake Microsoft login page. Attackers use the stolen credentials for further exploitation. The campaign evades email security platforms by leveraging legitimate-looking content and psychological manipulation.

Further Reading: Cofense Blog

Inc Ransom Attack: Advanced Extortion Techniques Emerge

Summary: The Inc Ransom group uses advanced techniques like data exfiltration without encryption, exploiting firewall vulnerabilities and hiding within legitimate network traffic using tools like Impacket and PowerShell. By deploying Rclone for data transfer, they evade detection while pressuring victims through extortion. The report includes details on a recent attack against a healthcare organization.

Technical Key Insights:

Use of Rclone for stealth data exfiltration.

Abuse of firewall vulnerabilities for initial access.

Impacket and PowerShell used to blend into legitimate traffic.

Data theft replaces encryption in the extortion strategy.

Further Reading: ReliaQuest Blog

RansomHub Reigns, Meow Ransomware Surges in August 2024

Summary: RansomHub leads ransomware threats, targeting Windows, macOS, Linux, and VMware ESXi systems using sophisticated encryption techniques. Meanwhile, Meow ransomware shifts focus from encryption to selling stolen data on leak marketplaces, employing the ChaCha20 encryption algorithm. Both groups aggressively target exposed RDP configurations and vulnerable systems.

Technical Analysis:

RansomHub uses robust encryption across multi-platform environments, complicating recovery.

Meow exploits ChaCha20 for file encryption and omits .exe files, leveraging leak sites for extortion.

Both utilize exposed RDP ports for initial access.

Further Reading: Checkpoint Blog

Phishing-as-a-Service Platform Sniper Dz Gains Traction with Unique Tactics

Summary: The Sniper Dz Phishing-as-a-Service (PhaaS) platform has facilitated the creation of over 140,000 phishing websites. It offers pre-made phishing templates targeting major brands, leveraging public proxy servers and SaaS platforms to evade detection. Sniper Dz uses unique obfuscation techniques, enabling phishing campaigns to bypass traditional security measures while collecting stolen credentials.

Key Insights:

Sniper Dz uses proxy servers to hide phishing activities, making detection more difficult.

Phishers can easily launch campaigns targeting popular services without needing technical expertise.

Integrating proxy detection mechanisms and monitoring SaaS usage can help identify such attacks.

Further Reading: Unit42 Article

DragonForce Ransomware: Advanced Tactics and Affiliate Program

Summary: DragonForce, using both LockBit and ContiV3 forks, targets critical sectors through its RaaS affiliate program. The ransomware employs sophisticated tactics like BYOVD to disable EDR/XDR systems, coupled with SystemBC for persistence and lateral movement. Affiliates can customize attacks using the builder to encrypt files, terminate security processes, and evade detection through advanced anti-analysis features. Mimikatz and Cobalt Strike are used for credential harvesting and system reconnaissance.

Key Technical Insights:

BYOVD: Drivers like TrueSight.sys and RentDrv.sys disable security.

RSA-1024 & Salsa20 encryption for ransomware payloads.

Use of PowerShell and Cobalt Strike for malware execution and persistence.

Further Reading: Group-IB Blog

RDP Brute-Force Attacks

Summary: Remote Desktop Protocol (RDP) brute-force attacks remain a high-risk method for attackers to gain unauthorized access to networks. Cybercriminals exploit weak/default credentials and exposed RDP ports using automated tools, making it a preferred method for both nation-state and cybercriminal groups. Attackers can use compromised access for data theft, deploying ransomware, or selling credentials on dark web forums.

Technical Highlights:

Attackers use tools like Hydra and Medusa for brute-forcing RDP.

RDP exploits involve enumeration via port scans and credential stuffing.

Initial access brokers often sell RDP access for further attacks.

Defense Recommendations:

Use strong, unique passwords and multi-factor authentication.

Limit RDP exposure to the internet, utilizing VPN and firewalls.

Implement rate-limiting and robust monitoring to detect unusual RDP activity.

For more details, you can visit ReliaQuest's article on RDP Brute-Force Attacks.

New Phishing Tactic Exploits HTTP Headers for Stealthy Redirects

Summary: Attackers are using a new technique involving HTTP response headers to automatically redirect users to phishing pages. The tactic leverages compromised websites, making the phishing links appear legitimate. This technique is particularly challenging to detect and has been observed in phishing campaigns targeting various industries.

Key Insights:

HTTP headers are manipulated for silent phishing page redirects.

Attackers pre-populate victim data (like email addresses) to enhance credibility.

Detection is difficult, requiring heightened user vigilance and advanced security monitoring.

For more details, visit KnowBe4.

Cyber Predators Exploit Healthcare Vulnerabilities with Ransomware and Data Theft

Key Insights:

Healthcare sees an average of 2,018 attacks weekly, with APAC and Latin America hit hardest.

Ransomware-as-a-service empowers less experienced criminals.

Hospitals face high risks due to the critical nature of their operations.

Phishing Campaign Exploits Google Apps Script for Sophisticated Attacks

Key Insights:

Attack uses Google’s infrastructure to appear legitimate.

Affected users may disclose sensitive data via a deceptive Google Apps Script URL.

Advanced email filtering, real-time URL scanning, and phishing awareness training are crucial defenses.

For more details, visit Checkpoint Research.

New Windows PowerShell Phishing Campaign Highlights Serious Risks

Key Insights:

Attack targets GitHub users but could be adapted for broader use.

Exploits PowerShell to execute malicious commands.

Vigilance and disabling unnecessary PowerShell access are crucial defenses.

For more, visit Krebs on Security.

Phishing Attacks Exploit Content Creation and Collaboration Platforms

Key Insights:

Phishing emails from trusted platforms contain hidden threats.

Common platforms include design tools and document-sharing services.

Users should be cautious of unexpected links and suspicious login requests.

For more information, visit KnowBe4.

Cyber Threats Looming for the 2024 U.S. Election

Key Insights:

Nation-state groups may conduct hack-and-leak operations and influence campaigns.

Expect a surge in phishing attacks and scams using election-related themes.

Businesses should implement advanced cybersecurity measures to mitigate risks.

For more details, visit ReliaQuest.

How to Get a Pentest: A Step-by-Step Guide for Organizations

September 23, 2024

I like to call them security assessments. A test you can flunk; an assessment tells you where you’re at.
-Dave Chronister founder of Parameter Security

In today's rapidly evolving cybersecurity landscape, penetration testing (pentesting) is a crucial practice for organizations aiming to protect their systems and data. Pentesting involves simulating cyberattacks to identify vulnerabilities in a company’s infrastructure, allowing businesses to fix potential weaknesses before malicious actors can exploit them. But how do you approach getting a pentest, and what should your organization consider? Here’s a step-by-step guide to help you navigate the process.

Why Should Your Organization Get a Pentest?

Pentesting is essential for organizations of all sizes and industries. It provides a proactive approach to cybersecurity by identifying vulnerabilities and offering actionable solutions. Companies should consider scheduling a pentest if they are experiencing any of the following:

Deployment of new systems or applications
Significant organizational changes, such as mergers or expansions
Meeting compliance requirements (e.g., PCI-DSS, HIPAA)
Preparing for audits or certifications
Regular cybersecurity maintenance to ensure ongoing protection

In short, a pentest is your best defense against unknown vulnerabilities that could put your business at risk of being compromised.

Common Misconceptions About Pentesting

Many businesses have misconceptions about pentesting when they first approach the process. Some think it's a one-time event or believe that only large enterprises need it. In reality, pentesting should be a continuous part of an organization’s cybersecurity efforts. Even small businesses and startups can be targets for cyberattacks, making it essential to stay vigilant.

Additionally, pentests do not guarantee total security; instead, they highlight risks and provide insights to improve overall security measures.

Preparing for a Pentest

Before reaching out to a pentesting service, companies should take several steps to prepare:

Identify scope: Determine whether you want to test your entire network, specific applications, or particular security controls.
Understand your risks: Have an internal discussion to identify the most important assets of the organization.
Ensure cooperation: Make sure relevant teams are on board and ready to provide necessary information to the pentesters.
- Relevant teams could include: Infrastructure, networking, application owner, development. and leadership.
Plan for remediation: Have a plan in place to quickly address vulnerabilities that the pentesters may find.
Avoid Q4 pentests: The fourth quarter of the year is notorious for being the busiest time of year for companies that do pentests because organizations have waited too long to get their annual assessment done. Try to get pentests scheduled earlier in the year and spread them out if multiple are needed.

Proper preparation will not only streamline the process but also ensure the pentest delivers valuable results.

What Information Should You Provide to Pentesters?

To get the most accurate and comprehensive results, your organization needs to share critical information with the pentesters, including:

Network architecture details
System configurations
Known vulnerabilities or past security incidents
Specific security policies and procedures This collaboration ensures that the pentesters have a clear understanding of your environment and can deliver actionable insights tailored to your organization's needs.
A single point of contact for regular and emergency communication.

How to Choose the Right Pentesting Provider

Choosing a pentesting provider can be daunting, but there are several factors to consider to ensure you're making the right decision:

Certifications and Experience: Look for certifications such as OSCP, CEH, or CREST, but also ask about the provider’s industry experience. This can also include profiles on the individuals that will be performing the assessment.
Client References: Request client references or case studies to understand their track record.
Methodology: Ensure they use recognized frameworks like PTES for pentesting in general, OWASP for web applications or NIST for broader networks.
Communication: A strong pentesting provider should communicate clearly, explaining technical details in a way that stakeholders at all levels can understand. Avoid providers who overpromise or seem to offer too-good-to-be-true results—security is complex, and no single test can guarantee protection.
Reporting: A sample report will allow organizations to see how the report overall is structured. If a pentest is unwilling to provide one that’s a red flag.
Pricing: Pentests are expensive. If a company comes in significantly lower than other pentest companies then this is an indication that the company lacks the proper skillset or outsources to a company with cheap labor.

The Pentesting Process: What to Expect

Once you’ve chosen a provider and prepared your organization, the pentest begins. Here’s an overview of what you can expect during the process:

Initial Scoping: The pentesting team will meet with you to define the scope of the test and identify what will be targeted.
Rules of Engagement: This ensure that everyone is aligned on the goals, risks, and limitations of the engagement
Testing Phase: The pentesters will simulate attacks based on the agreed-upon scope. This can include network testing, application testing, or social engineering.
Reporting: After the test, the pentesters will compile a detailed report outlining the vulnerabilities they discovered, along with recommendations for remediation.
Debrief: The pentesting team will explain the findings and answer any questions. They may also help prioritize which vulnerabilities to address first and any technical questions on the exploitability of a vulnerability.

Different Types of Pentests: Black-Box, Gray-Box, and White-Box

Not all pentests are the same. Depending on your needs, you might choose between different types:

Black-Box Testing: The pentesters have no prior knowledge of the environment. This simulates how an outside attacker would approach your systems. This will often take the most time and be the most expensive.
Gray-Box Testing: The pentesters have limited knowledge, like login credentials or partial access. This allows for a balance between simulating internal and external threats.
White-Box Testing: The pentesters have full access to system information, source code, and infrastructure. This test is the most thorough but requires significant collaboration. This is the most comprehensive and the most efficient for both time and budget.

Each type offers different insights, and choosing the right one depends on your objectives and current security posture.

Understanding Pentesting Reports

A pentesting report is one of the most important deliverables of the process. It typically includes:

Detailed vulnerability findings: With severity rankings for each issue.
Recommendations for fixes: Practical steps your organization can take to address the vulnerabilities.
Risk analysis: How each vulnerability impacts your overall security.

Your team should use the report as a roadmap to improve security, focusing first on high-severity issues.

What If No Vulnerabilities Are Found?

If a pentest finds no major vulnerabilities, that’s great news! However, it doesn’t mean your company is fully secure forever. Cybersecurity is a continuous process, and as new threats emerge, regular pentests are necessary to stay ahead of potential risks.

Innovative Trends in Pentesting

As cybersecurity threats evolve, so does the practice of pentesting. Organizations should stay aware of trends like:

Bug Bounty Programs: More companies are adopting crowd-sourced pentesting through ethical hacker communities. These programs are for mature companies that have address findings from several previous pentests. Bug bounties often require some sort of compensation to get value out of the program. If the environment is not in a state of low findings then the organization will be buying out large sums of bounties.
Automated Pentesting: This is not a pentest. While adding it can help improve security it will have lots of false positives and only catch low hanging fruit. At the time of this blog post, nothing can replace a humans critical thinking in regards to a pentest.

By staying on top of these trends, businesses can ensure their security practices remain effective and up to date.

Conclusion: Why Pentesting is a Must for Every Business

Pentesting provides critical insights into your organization’s security and helps protect against evolving cyber threats. By understanding the process, preparing adequately, and choosing the right provider, businesses can significantly reduce their security risks.

Investing in regular pentests is not just a one-time event; it’s part of a continuous effort to keep your organization secure in a world where cyber threats are always changing.

Image created by ChatGPT.

Security Awareness Newsletter From August 2024

September 10, 2024

These are news stories I’ve shared internally at my company. Feel free to take and use as part of your security awareness program.

Russia-linked Operations Target Paris 2024 Olympics

In the lead-up to the 2024 Summer Olympics in Paris, Russian-linked actors launched a disinformation campaign to discredit France’s hosting capabilities and spread fear of terrorist attacks. These operations employed tactics like AI-generated videos, fake news reports, and social media hashtags to undermine confidence and create chaos. France's support for Ukraine has made it a target for these hybrid destabilization efforts. Stay vigilant against misinformation and verify sources before sharing content online.

Key Insights:

Russian-linked actors are targeting the Paris 2024 Olympics.

Disinformation tactics include AI-generated content and fake news.

The campaign aims to undermine confidence and spread fear.

Verify information from trusted sources to avoid spreading misinformation.

For more details, visit the DFRLab article.

Ransomware Attacks on Blood Suppliers

In a concerning trend, blood suppliers have faced three ransomware attacks in the past three months. The latest victim, OneBlood, experienced a significant disruption, impacting over 350 hospitals and causing a critical shortage of blood supplies. This follows similar attacks on Synnovis and Octapharma, highlighting the growing threat to healthcare infrastructure. The American Hospital Association urges health systems to review their contingency plans to mitigate such risks.

Key Insights:

OneBlood hit by ransomware, causing severe blood supply disruptions.

Recent attacks also targeted Synnovis and Octapharma.

Increased targeting of healthcare infrastructure by ransomware groups.

Review and update contingency plans to ensure operational resilience.

For more details, visit the Healthcare IT News article.

Surge in Data Breach Victims in 2024

In the first half of 2024, over 1 billion individuals were affected by data breaches, a staggering increase compared to 2023. The majority of breaches targeted financial services, healthcare, and manufacturing sectors. Alarmingly, there is a significant rise in attacks with unspecified vectors, highlighting a need for improved transparency and information sharing to bolster defense strategies. Phishing remains the primary attack method, underscoring the importance of robust security awareness training.

Key Insights:

Over 1 billion victims in the first half of 2024.

Top targets: financial services, healthcare, manufacturing.

Increase in unspecified attack vectors.

Phishing remains the leading attack method.

For more details, visit the KnowBe4 article.

Foreign Influence Actors Adapting to U.S. Presidential Race

U.S. intelligence agencies have identified that foreign influence actors are adapting their strategies in response to changes in the 2024 U.S. presidential race. These actors are leveraging social media, misinformation campaigns, and other digital tactics to sway public opinion and disrupt the electoral process. Key sources of influence include Russia, China, and Iran, each employing sophisticated techniques to achieve their objectives.

Key Insights:

Foreign actors are evolving their methods to interfere in the U.S. elections.

Tactics include social media manipulation and misinformation.

Vigilance and media literacy are crucial to counter these threats.

For more details, visit the Reuters article.

$40 Million Recovered from International Email Scam

Interpol's Global Rapid Intervention of Payments (I-GRIP) mechanism helped recover over $40 million from an international email scam targeting a Singapore-based commodity firm. The scam involved a fraudulent email from a fake supplier requesting payment to a new bank account. Swift action by Singapore and Timor Leste authorities led to the interception of funds and the arrest of seven suspects.

Key Insights:

Swift action: Crucial in intercepting fraudulent funds.

Global cooperation: Essential for combating international scams.

Awareness: Verify email requests for fund transfers.

For more details, visit the Interpol article.

Cyberattack on France's Grand Palais During Olympics

France's Grand Palais suffered a ransomware cyberattack during the 2024 Olympic Games. The attack led to operational disruptions, particularly affecting museum bookstores and boutiques. Swift action was taken to prevent the spread of the attack, and temporary autonomous solutions were implemented to keep stores operational. Authorities, including ANSSI and CNIL, were informed, and preliminary investigations found no data exfiltration. This incident highlights the importance of robust cybersecurity measures, especially during major events.

Key Insights:

Ransomware Attack: Disrupted operations at Grand Palais.

Immediate Response: Systems shut down to prevent spread.

No Data Exfiltration: Preliminary findings are positive.

For more details, visit the Bleeping Computer article.

Rising Costs of Data Breaches in Healthcare

A recent report by IBM and the Ponemon Institute revealed that the healthcare industry faces the highest average data breach costs at $10.93 million, significantly above the global average of $4.45 million. These breaches, often involving stolen credentials, can take up to 292 days to resolve. Healthcare organizations are urged to implement AI and automation in cybersecurity to reduce breach lifecycle and costs. Incident response planning and stringent data protection measures are essential to mitigate these risks.

For more details, visit the Security Intelligence article.

Enhanced Protection in Chrome

Google has revamped the Chrome downloads experience to boost security and user awareness. The redesigned interface now offers detailed warnings, classifying files as either suspicious or dangerous, using AI-powered assessments. Enhanced Protection mode users benefit from automatic deep scans for suspicious files, providing extra layers of safety against new malware. Additionally, Chrome now tackles encrypted malicious files by prompting users to enter passwords for deep scans, enhancing protection even further. These updates aim to reduce user bypassing of warnings and improve overall safety when downloading files.

For more details, visit the Google Security Blog.

New Phishing Campaign Exploits Google Drawings and WhatsApp

Menlo Security has uncovered a sophisticated phishing campaign that abuses Google Drawings and WhatsApp's URL shortener to deceive users. The attack redirects victims from what appears to be legitimate links to malicious sites mimicking trusted brands like Amazon. These tactics make it difficult for users and traditional security tools to detect the threat. Stay cautious of unexpected emails with links or attachments, even if they appear to be from familiar sources.

Key Insights:

Exploited Platforms: Google Drawings and WhatsApp's URL shortener.

Phishing Tactics: Redirection to malicious sites mimicking trusted brands.

Recommendation: Be cautious of unexpected emails with links, even from known sources.

For more details, visit the Menlo Security article.

Real Social Engineering Attack on KnowBe4 Employee Foiled

KnowBe4 recently thwarted a social engineering attack targeting one of its employees. The attacker, posing as a customer support representative, attempted to gain unauthorized access to internal systems by exploiting trust and urgency. The employee recognized the signs of a phishing attempt and reported the incident immediately. This event underscores the importance of ongoing security awareness training and vigilance against social engineering tactics.

Key Insights:

Social Engineering: Attackers may pose as trusted sources to gain access.

Vigilance: Recognizing and reporting suspicious activity is crucial.

Training: Regular security awareness training is essential to prevent such attacks.

For more details, visit the KnowBe4 article.

Beware of Misinformation on TikTok: Protect Yourself from Political Lies

In today's digital age, social media platforms like TikTok are not just sources of entertainment—they have become powerful tools for spreading information, both true and false. A recent study revealed that a staggering 33% of young Americans have been exposed to political lies on TikTok. This statistic highlights a growing concern: the rapid spread of misinformation, particularly among younger generations.

Why This Matters: Misinformation, especially on social media, can influence opinions, sway elections, and even create social unrest. For cybercriminals, misinformation is a weapon. They can use false information to manipulate public perception, incite division, or even scam users by blending lies with phishing attacks.

How to Protect Yourself:

Verify Before You Trust: Always cross-check information from multiple credible sources before believing or sharing it. Look for news from established, reputable outlets.

Be Skeptical of Viral Content: Just because something is popular doesn't mean it's true. Viral videos and posts may be designed to elicit strong emotional responses, making it easier to spread falsehoods.

Watch for Red Flags: Pay attention to signs of misinformation, such as sensational headlines, lack of credible sources, and emotionally charged language.

Educate Yourself and Others: Stay informed about the tactics used by those who spread misinformation. Share your knowledge with friends and family to help them avoid being misled.

Conclusion: As we continue to navigate the complex world of social media, staying vigilant against misinformation is crucial. By adopting a skeptical mindset and verifying the content we encounter online, we can protect ourselves and our communities from the harmful effects of political lies and other forms of disinformation.

Exposed Passwords Highlight Risk

A recent breach at National Public Data (NPD) underscores the critical need for strong security practices. NPD inadvertently published administrator passwords to their backend database, exposing sensitive information. This incident, coupled with a previous massive data leak, highlights the importance of securing credentials and regularly updating passwords. Users of similar services should take immediate steps to protect their personal information, including freezing their credit files and monitoring their accounts for suspicious activity.

Key Takeaway: Ensure your passwords are strong, unique, and updated regularly to avoid similar risks.

Unmasking Styx Stealer

Checkpoint Research uncovered the Styx Stealer malware, designed to steal browser data, cryptocurrency, and instant messenger sessions. The developer's operational security mistakes, including leaking data during debugging, led to a treasure trove of intelligence. This discovery linked Styx Stealer to the Agent Tesla malware campaign, revealing details about the cybercriminals involved, including their identities and operations.

Key Insights:

Malware Functionality: Steals browser data, cryptocurrency, and instant messenger sessions.

OpSec Failures: Leaks led to significant intelligence gathering.

Linkage: Connected to the Agent Tesla campaign and other cybercriminals.

For more details, visit the Checkpoint article.

AI Vishing Threats on the Rise

Recent research by KnowBe4 has demonstrated that unsuspecting call recipients are highly vulnerable to AI-driven vishing (voice phishing) attacks. These attacks leverage AI to create highly convincing voice manipulations, often impersonating trusted individuals or authority figures. The study highlights the importance of being skeptical of unsolicited calls, even if the caller sounds familiar. Employees should verify the authenticity of any unexpected requests over the phone before taking action.

Key Insights:

AI Vishing: Increasingly sophisticated and convincing.

Verification: Always verify unexpected phone requests.

Awareness: Stay vigilant against unsolicited calls.

For more details, visit the KnowBe4 article.

Employment Scams Targeting Job Seekers

KnowBe4 reports a surge in employment scams targeting job seekers. Scammers pose as legitimate employers, often using fake job postings or direct outreach to collect personal information and money from victims. These scams exploit the urgency and desperation of job seekers, making them particularly effective. To protect yourself, always verify job offers through official channels, be cautious of unsolicited communications, and avoid sharing sensitive information without thorough verification.

Key Insights:

Scam Tactics: Fake job postings and direct outreach.

Target: Personal information and money from job seekers.

Recommendation: Verify job offers through official channels.

For more details, visit the KnowBe4 article.

Protect Yourself from File-Sharing Phishing Attacks

Over the past year, file-sharing phishing attacks have surged by 350%, targeting employees through fake notifications from services like Google Drive or Dropbox. These attacks aim to steal sensitive information or infect your device with malware. To protect yourself, always verify the legitimacy of file-sharing requests, avoid clicking on suspicious links, and report any unusual emails to IT immediately. Staying vigilant is key to keeping our organization secure.

For more details, visit the KnowBe4 article.

Beware of Travel-Themed Spam Scams

Bitdefender’s AntiSpam Lab warns that half of all travel-themed spam messages circulating worldwide are scams. Attackers are specifically targeting users of popular travel sites like Booking.com and Airbnb. These scams often involve fake booking confirmations and travel deals designed to steal personal information or deliver malware. With the travel season in full swing, it's essential to verify the authenticity of any travel-related emails and avoid clicking on suspicious links.

Key Insights:

50% of travel-themed spam messages are scams.

Targeted Platforms: Booking.com and Airbnb users.

Recommendation: Verify emails and book through trusted sources.

For more details, visit the Bitdefender article.

Beware of Phishing Attacks Using URL Shorteners

Phishing attacks are increasingly leveraging URL shorteners to obfuscate malicious links, making it harder for users to recognize potential threats. These shortened URLs often appear in emails or text messages, leading victims to fraudulent websites that steal personal information or deploy malware. To protect yourself, always hover over links to reveal their true destination, and avoid clicking on shortened URLs from unknown sources.

For more details, visit the KnowBe4 article.

Surge in Microsoft Brand Impersonation Attacks

A recent report shows a 50% increase in phishing attacks impersonating Microsoft in just one quarter. These attacks target users by mimicking Microsoft’s branding to steal credentials or deploy malware. Given Microsoft’s widespread use in organizations, employees should be extra cautious when receiving emails claiming to be from Microsoft, especially those requesting login details or prompting downloads. Always verify the sender's address and report suspicious emails to IT.

For more details, visit the KnowBe4 article.

North Korean IT-Worker Scheme Exposed in Tennessee

A Nashville resident, Matthew Isaac Knoot, was arrested for facilitating a scheme that funneled hundreds of thousands of dollars to North Korea’s illicit weapons program. Knoot allegedly helped North Korean IT workers secure remote jobs with U.S. and British companies by using stolen identities. The funds, earned through six-figure salaries, were laundered and funneled back to North Korea. This case underscores the growing threat of North Korean cyber operations targeting remote work environments.

For more details, visit the full article.

Cyber Threats Targeting US Elections 2024

As the US elections approach on November 5, 2024, cybercriminals are intensifying their efforts to exploit the event. From phishing campaigns using candidate names to fake websites and domains designed to mislead voters, these threats are aimed at manipulating voter sentiment and stealing personal information.

Key Insights:

Candidate Names: Used in domains to create believable phishing sites.

Election Manipulation: Emotional appeals to influence voter behavior.

Financial Fraud: Fake donation sites and meme coins targeting voters.

For more information, visit BforeAI.

Beware of QR Code Phishing: Microsoft Sway Abused

A new phishing campaign is leveraging QR codes in emails to trick users into visiting malicious websites hosted on Microsoft Sway. This attack is particularly dangerous because it bypasses traditional email security filters and targets users on mobile devices, where security controls are often weaker.

Key Insights:

Targets: Tech, manufacturing, and finance sectors.

Method: QR codes embedded in phishing emails.

Action: Be cautious when scanning QR codes, especially from unsolicited emails.

Stay vigilant and educate your teams about this evolving threat. For more details, visit BleepingComputer.

Malvertising Campaign Impersonates Google Products

A recent malvertising campaign has been detected, impersonating various Google products to lure users into tech support scams. These malicious ads, exploiting Google’s Looker Studio, redirect victims to fake Microsoft or Apple warning pages, urging them to call a fraudulent support number. This campaign serves as a reminder to be cautious of online ads, even those that appear to represent trusted brands.

Key Insights:

Target: Users of Google products.

Tactics: Fake tech support scams via malvertising.

Impact: Potential malware installation and data theft.

For more details, visit KnowBe4.

When Get-Out-The-Vote Efforts Resemble Phishing Scams

As election season approaches, many citizens receive text messages urging them to get out and vote. While these messages often come from well-intentioned organizations, a recent campaign highlighted by KrebsOnSecurity shows how such efforts can closely resemble phishing scams.

In this case, a fake political consulting firm sent out mass texts linking to websites that requested personal information under the guise of verifying voter registration. The messages were a scam trying to get people to give up sensitive personal information.

Here’s how you can protect yourself:

Verify the Source: Always check the sender’s identity and verify the website independently. Visit official government websites directly rather than clicking on links in unsolicited messages.

Look for Red Flags: Be wary of messages that create a sense of urgency, request personal information, or direct you to unfamiliar websites.

Report Suspicious Messages: If you suspect a message is a phishing attempt, report it to the relevant authorities or your organization's IT department.

While voter registration is crucial, ensuring the integrity of the process and protecting personal information is equally important. Stay informed and vigilant to avoid falling victim to phishing scams during election season.

For more details, visit KrebsOnSecurity.

GenAI and the Surge of AI-Driven Fraudulent Websites

Cybercriminals are increasingly leveraging large language models (LLMs) to scale the creation of fraudulent websites, including phishing sites and fake online stores. Netcraft reports a significant rise in AI-generated content for scams, with a 3.95x increase in such websites from March to August 2024. These AI tools enhance the credibility of scams by improving text quality, making malicious content more convincing and harder to detect. Organizations must enhance their defenses to mitigate the risks posed by this emerging threat.

Key Insights:

LLMs are used to generate convincing text for scams.

AI-driven scams have seen a sharp increase in recent months.

Monitoring and takedown strategies are essential to combat this trend.

Further Reading: Netcraft Blog

Scammers Exploit Fake Funeral Livestreams for Financial Gain

Cybercriminals are using fake funeral livestreams on social media to exploit grieving families. These scams, often promoted through compromised accounts, lead victims to payment pages that charge excessive fees. This trend underscores the need for vigilance online, even during sensitive moments like a loved one's passing. Users should be cautious when encountering unexpected payment requests for livestreams and report suspicious activity.

Further Reading: KnowBe4 Blog

Originally posted on exploresec.com.

Phishing Threat Intelligence From August 2024

September 9, 2024

These are news articles from August 2024. Feel free to take and share with your internal cybersecurity team. A mention of explores.com would be great!

Dismantling Smart App Control

Elastic Security Labs recently uncovered multiple vulnerabilities in Windows Smart App Control (SAC) and SmartScreen. These weaknesses allow attackers to bypass security measures using techniques such as signed malware, reputation hijacking, and LNK stomping. These methods enable initial access without triggering security warnings, posing significant risks. Security teams should focus on detecting these evasive tactics and not rely solely on OS-native features.

Key Insights:

Signed Malware: Attackers use valid certificates to bypass SAC.

Reputation Hijacking: Leveraging trusted apps to execute malicious code.

LNK Stomping: Crafting LNK files to evade MotW checks.

For more details, visit the Elastic Security Labs article.

Securing Domain Names from Takeover

Recent research highlights vulnerabilities in domain name management that leave over a million domains susceptible to hijacking. This issue arises from weak authentication practices at several web hosting providers and domain registrars. Cybercriminals exploit these weaknesses to take control of domains, using them for phishing, spam, and malware distribution. To mitigate risks, it is crucial to ensure proper DNS configuration and use DNS providers with strong verification processes.

Key Insights:

Vulnerability: Over a million domains at risk.

Exploitation: Hijacked domains used for malicious activities.

Recommendation: Strengthen DNS configuration and provider verification.

For more details, visit the Krebs on Security article.

Exploitation of Google Drawings and WhatsApp

A newly identified phishing campaign exploits Google Drawings and WhatsApp's URL shortener to create convincing redirects to malicious sites. This method allows attackers to bypass security filters and deceive users into thinking they are visiting legitimate sites like Amazon. These tactics highlight the increasing sophistication of phishing threats, emphasizing the need for heightened vigilance and advanced security measures.

Key Insights:

Exploited Tools: Google Drawings and WhatsApp's URL shortener.

Attack Strategy: Redirects users to malicious sites mimicking trusted brands.

Recommendation: Implement advanced phishing detection and maintain user vigilance.

For more details, visit the Menlo Security article.

Concerns Over Cloudflare’s Anti-Abuse Posture

Spamhaus has raised concerns about Cloudflare's anti-abuse policies, highlighting that cybercriminals are exploiting Cloudflare’s services to mask malicious activities. Despite numerous abuse reports, Cloudflare's current approach often shields the true location of harmful content, complicating efforts to combat cybercrime. This situation underscores the need for stronger abuse management practices to prevent cybercriminals from leveraging trusted services to conduct illegal activities.

Key Insights:

Exploitation: Cybercriminals are using Cloudflare to hide malicious activities.

Response: Current anti-abuse measures are inadequate in addressing the issue.

Recommendation: Enhanced abuse management and accountability are needed.

For more details, visit the Spamhaus article.

Royal Ransomware Rebrands as BlackSuit

The ransomware group formerly known as Royal has rebranded as BlackSuit, increasing their ransom demands to over $500 million. This shift indicates a more aggressive approach, with the group targeting larger organizations across various sectors. BlackSuit continues to use sophisticated tactics, including double extortion, where they threaten to release stolen data if their demands are not met. Organizations should strengthen their defenses and ensure incident response plans are up-to-date.

Key Insights:

Rebranding: Royal ransomware is now BlackSuit.

Increased Ransom: Demands exceed $500 million.

Tactics: Double extortion remains a primary threat.

Recommendation: Strengthen defenses and update incident response plans.

For more details, visit the KnowBe4 article.

New Phishing Scam Using Cross-Site Scripting

A recent phishing scam uncovered by KnowBe4 employs cross-site scripting (XSS) attacks to harvest personal details from unsuspecting victims. Attackers use this method to inject malicious scripts into legitimate websites, tricking users into entering sensitive information like login credentials. This technique bypasses traditional security measures, making it a particularly dangerous threat. Users should be cautious when clicking on links in emails and ensure that websites they interact with are secure.

Key Insights:

Attack Method: Cross-site scripting (XSS) used to steal personal details.

Target: Login credentials and sensitive information.

Recommendation: Verify website security before entering personal information.

For more details, visit the KnowBe4 article.

Surge in File-Sharing Phishing Attacks

KnowBe4 reports a staggering 350% increase in file-sharing phishing attacks over the past year. These attacks often disguise themselves as notifications from popular file-sharing services, tricking users into revealing sensitive information or downloading malware. The rapid rise in these attacks highlights the need for enhanced email security and ongoing employee training.

Key Insights:

350% Increase: Significant rise in file-sharing phishing attacks.

Attack Method: Disguised as legitimate file-sharing notifications.

Recommendation: Strengthen email security and employee awareness.

For more details, visit the KnowBe4 article.

Rising Use of URL Shorteners in Phishing Attacks

Recent intelligence highlights a growing trend where cybercriminals use URL shorteners to obscure malicious links in phishing campaigns. This tactic effectively conceals the true destination of links, making it difficult for users and traditional security tools to detect threats. These shortened URLs often appear in seemingly legitimate emails or text messages, leading to fraudulent websites designed to steal credentials or deploy malware.

For more details, visit the KnowBe4 article.

Surge in Microsoft Brand Impersonation Attacks

For more details, visit the KnowBe4 article.

Dark Angels Ransomware Group Rakes in Record Ransoms

The Dark Angels ransomware group has secured a record $75 million ransom payment from a fortune 50 company recently. Unlike other groups, Dark Angels avoid public leaks and minimize operational disruptions for their victims, making it easier to coerce payments quietly.

For more details, visit the Krebs on Security article.

Inc Ransom Attack Analysis

Overview: In April 2024, the "Inc Ransom" group targeted a ReliaQuest customer, employing a double-extortion strategy without encrypting files. They exploited an unpatched Fortinet vulnerability to gain access, installed remote management tools like AnyDesk, and used techniques like pass-the-hash for lateral movement. Data was exfiltrated using unconventional tools such as Restic.

Key Insights:

Mitigations: Prioritize patch management, enforce network segmentation, and deploy host-based controls to prevent unauthorized software execution.

Emerging Trends: Use of legitimate tools by attackers to blend in with normal activity.

Actionable Steps: Strengthen defenses by regularly updating and auditing systems, ensuring proper segmentation, and limiting privileges to essential accounts.

For a detailed analysis, visit the full report here.

URL Rewriting Exploited by Threat Actors

Overview: Threat actors are increasingly abusing URL rewriting, a security feature intended to protect against phishing, to mask malicious links. By compromising legitimate email accounts and using URL rewriting, attackers can disguise phishing URLs as safe, often leveraging the security vendor's domain to gain trust.

Key Insights:

Mitigations: Enhance vigilance when clicking on links, even those appearing to be from trusted sources.

Emerging Trends: Attackers are exploiting the gap between initial scans and later weaponization of URLs.

For a detailed analysis, visit the full report here.

Exfiltration Tools on the Rise

A recent analysis by ReliaQuest highlights the growing use of advanced exfiltration tools by cybercriminals to steal sensitive data. Tools like Rclone, WinSCP, and FileZilla are increasingly being leveraged to exfiltrate data from compromised networks. These tools are difficult to detect as they mimic legitimate traffic, making traditional defenses less effective.

For more details, visit the ReliaQuest article.

North Korean IT-Worker Scheme Exposed in Tennessee

For more details, visit the full article.

Top Malware in July 2024: Remcos and RansomHub

The July 2024 Threat Index highlights a surge in activity by the RansomHub ransomware group and a new Remcos malware campaign. RansomHub continues to dominate as the most prevalent ransomware, accounting for 11% of attacks, while LockBit3 and Akira follow closely behind. A critical security lapse led to the distribution of Remcos via a malicious ZIP file disguised as a CrowdStrike update. Additionally, FakeUpdates remains a persistent threat, utilizing fake browser updates to deploy RATs like AsyncRAT.

Key Insights:

RansomHub: Leading ransomware, targeting Windows, macOS, Linux, and VMware ESXi.

Remcos Campaign: Exploits a security software update issue, spreading via phishing attacks.

FakeUpdates: Tops the malware list, leveraging compromised websites to deliver Remote Access Trojans.

For a deeper dive, visit Checkpoint’s Threat Index.

Focus on Malware Loaders: Evolving Threats in 2024

In 2024, nearly 40% of malware incidents involved advanced loaders like SocGholish, GootLoader, and Raspberry Robin. These loaders are pivotal in deploying ransomware and Remote Access Trojans (RATs). SocGholish has notably enhanced its tactics with Python scripts, making it harder to detect, while GootLoader and Raspberry Robin use sophisticated evasion techniques, posing significant threats to critical sectors.

Key Insights:

SocGholish: Now using Python for persistence.

GootLoader: Continues to exploit legitimate platforms.

Raspberry Robin: Notable for its complex evasion tactics.

For more detailed insights, visit the full article here.

Emerging Malware Variants to Watch in 2024

In recent months, several malware variants have gained prominence in the cyber threat landscape. Notable among them are LummaC2, Rust-based stealers, SocGholish, AsyncRAT, and Oyster, each posing significant risks to organizations across all sectors.

Key Insights:

LummaC2: A powerful infostealer with increasing reach.

Rust-based Stealers: Notable for their advanced evasion techniques.

SocGholish: Continues to be a persistent threat through fake browser updates.

AsyncRAT: Versatile and widely used for remote access.

Oyster: A backdoor linked to Wizard Spider, signaling targeted attacks.

For more details, visit ReliaQuest.

Exploring the Abuse of Impacket: A Growing Threat

Impacket, a versatile Python-based toolkit, has become a favored tool among threat actors for lateral movement, privilege escalation, and remote code execution in Windows environments. Threat actors commonly exploit Impacket scripts like psexec.py, smbexec.py, and wmiexec.py to perform these actions stealthily. The toolkit’s ability to mimic legitimate network activity complicates detection, making it a significant challenge for organizations to defend against.

Key Insights:

psexec.py: Used for executing remote commands with elevated privileges.

smbexec.py: Facilitates lateral movement without additional software installation.

wmiexec.py: Enables stealthy command execution through WMI.

For more information, visit ReliaQuest.

Copybara Android Malware: A Rising Threat

The latest variant of Copybara, an Android malware family, has evolved to use the MQTT protocol for command-and-control (C2) communication, enhancing its stealth. This malware exploits Android’s Accessibility Service for keylogging, screen capturing, and phishing attacks, particularly targeting cryptocurrency exchanges and financial institutions. Copybara’s ability to impersonate legitimate apps makes it especially dangerous.

Key Insights:

MQTT Protocol: Used for stealthy C2 communication.

Accessibility Service Exploitation: Enables comprehensive device control.

Targeted Attacks: Focus on financial institutions and cryptocurrency exchanges.

For more details, visit Zscaler.

Massive QR Code Phishing Campaign Abuses Microsoft Sway

A significant phishing campaign has been detected, exploiting Microsoft Sway to host malicious landing pages targeting Microsoft 365 users. The campaign, identified by Netskope Threat Labs, saw a 2,000-fold increase in activity, primarily targeting sectors in Asia and North America. Attackers use QR codes embedded in phishing emails, redirecting victims to malicious sites. This method exploits the weaker security controls of mobile devices and evades email scanners, making it particularly effective and dangerous.

Key Insights:

Targeted Sectors: Technology, manufacturing, and finance.

Attack Method: QR codes bypass traditional security by embedding in images.

Risk Increase: Heightened threat to mobile device users.

For more details, visit BleepingComputer.

Malvertising Campaign Impersonates Google Products

Key Insights:

Target: Users of Google products.

Tactics: Fake tech support scams via malvertising.

Impact: Potential malware installation and data theft.

For more details, visit KnowBe4.

Deceptive AI: A New Wave of Cyber Threats

As AI technology advances, cybercriminals are increasingly using AI-generated content (AIGC) to deceive users on social media. This includes creating fake profiles, deepfake videos, and AI-crafted messages that are nearly indistinguishable from real content. A recent survey revealed that a significant portion of users struggle to identify these threats, which can lead to fraud, identity theft, and misinformation. It's crucial to be aware of these risks and stay vigilant online.

For more details, visit KnowBe4.

North Korean IT Workers Target U.S. Tech Companies

North Korean IT workers are increasingly applying for remote jobs at U.S. tech firms using false identities. They employ AI-generated profile images and fake job histories, aiming to funnel earnings back to the North Korean regime, posing security risks and potential sanctions violations. Key insights include the importance of rigorous background checks and enhanced candidate verification processes to counter this threat. Collaboration with security experts and intelligence sharing is critical.

For more insights, visit Cinder.

Risks in Publicly Exposed GenAI Development Services

A recent analysis highlights significant security risks in publicly exposed GenAI development services, particularly vector databases and low-code LLM tools. These platforms often handle sensitive data but can be misconfigured, leading to potential data leakage, data poisoning, and exploitation of vulnerabilities. To mitigate these risks, organizations should enforce strict access controls, monitor activity, and ensure all software is updated.

For a deeper dive, visit Legit Security.

How Attackers Exploit Digital Analytics Tools

Cybercriminals are increasingly weaponizing digital analytics tools like link shorteners, IP geolocation services, and CAPTCHA challenges. These tools, often used for legitimate purposes, are repurposed to obscure malicious activity, evade detection, and tailor attacks to specific targets. Organizations should implement automated analysis and monitor suspicious patterns in these tools to mitigate risks.

Key Insights:

Threat actors use link shorteners to mask phishing URLs.

IP geolocation data helps attackers target specific regions.

CAPTCHA services are abused to bypass automated security scans.

Further Reading: Google Cloud Blog

GenAI and the Surge of AI-Driven Fraudulent Websites

Key Insights:

LLMs are used to generate convincing text for scams.

AI-driven scams have seen a sharp increase in recent months.

Monitoring and takedown strategies are essential to combat this trend.

Further Reading: Netcraft Blog

So-Phish-ticated Attacks: A New Wave of Social Engineering

A sophisticated threat actor is conducting targeted social engineering attacks against over 130 U.S. organizations. These attacks, which include phishing via SMS and direct phone calls, are designed to harvest credentials and one-time passcodes. The use of native English speakers and tactics that bypass traditional security tools makes these attacks particularly challenging to detect.

Key Insights:

Attacks bypass traditional detection.

Focus on credential harvesting.

Targeting multiple industry verticals.

Further Reading: GuidePoint Security Blog

Originally posted on exploresec.com