On July 24, 2024, the USDoD group announced on an English-language cybercrime forum that it had obtained and leaked CrowdStrike’s comprehensive threat actor database.
The group provided a link to download the alleged list and shared sample data fields to substantiate their claims.
The leaked information reportedly includes:
Adversary aliases
Adversary status
The last active dates for each adversary
Region/Country of Adversary Origin
Number of targeted industries and countries
Actor type and motivation
The sample data contained “LastActive” dates up to June 2024, while the Falcon portal’s last active dates for some actors extend to July 2024, suggesting the potential timeframe of the data acquisition.
Cyber Press researchers stated that they were able to view some of the documents leaked.
Background on USDoD
USDoD has a history of exaggerating claims, likely to enhance its reputation within hacktivist and eCrime communities.
For example, they previously claimed to have conducted a hack-and-leak operation targeting a professional networking platform, which was later debunked by industry sources as mere web scraping.
Since 2020, USDoD has engaged in both hacktivism and financially motivated breaches, primarily using social engineering tactics.
In recent years, they have focused on high-profile targeted intrusion campaigns and have sought to expand their activities into administering eCrime forums.
USDoD also claimed to possess “two big databases from an oil company and a pharmacy industry (not from the USA).” However, the connection between these claims and the alleged CrowdStrike data acquisition remains unclear.
The potential leak of CrowdStrike’s threat actor database could have significant implications for cybersecurity:
Compromise of ongoing investigations
Exposure of tracking methods for malicious actors
Potential advantage for cybercriminals in evading detection
This story unfolds following a CrowdStrike update that caused Windows machines to experience the Blue Screen of Death (BSOD) error.
CrowdStrike’s Response
CrowdStrike, a leading cybersecurity firm known for its threat intelligence and incident response services, has responded to the claims. The company stated:
“The threat intel data noted in this report is available to tens of thousands of customers, partners, and prospects – and hundreds of thousands of users. Adversaries exploit current events for attention and gain. We remain committed to sharing data with the community.”
While USDoD has been involved in legitimate breaches, its credibility in this specific case is questionable.
Their history of exaggeration, the inconsistencies in the leaked data, and CrowdStrike’s response all cast doubt on the authenticity and severity of the claimed leak.
Secure email gateways (SEG) do a lot to protect organizations from malware, spam, and phishing email. For some threat actors though, they also offer an attractive option for sneaking malicious mail past other SEGs.
Security researchers from Cofense this week reported observing a recent surge in attacks, where threat actors have used SEGs to encode or to rewrite malicious URLs embedded in their emails to potential victims. In many cases, when the emails arrived at their destination, SEGs allowed the malicious URLs to go through without properly vetting the link.
The SEG Versus SEG Threat
The reason, says Max Gannon, threat intelligence manager at Cofense, is that some secure email gateway products appear not to be handling SEG-encoded URLs properly and assume them to be always safe, when in reality they are not.
“We do not have access to the internals of SEGs, so I can’t say for certain,” Gannon says. “But they likely either implicitly trust the URLs or they attempt to scan them, but the domain of the SEG that encodes the URL is trusted, so the [receiving] SEG assumes the URL itself is legitimate.”
In SEG encoding, a secure email gateway product essentially rewrites every URL in an outgoing email into a link that points to its own infrastructure. When a recipient clicks on the encoded link, the user is first directed to the sender’s SEG system, which checks if the URL is safe before redirecting the user to the intended destination. The checks usually involve assessing the URL using reputation, blacklists, signatures, and other mechanisms, which means sometimes it might take an SEG days and even weeks before it designates a URL as malicious.
In these situations, problems can arise if the recipient’s secure email gateway technology does not recognize an already encoded URL as needing scanning, or if the recipient’s SEG scans the URL, but only sees the sending email gateway’s domain and not the final destination.
“Oftentimes when SEGs detect URLs in emails that are already SEG-encoded they do not scan the URLs, or the scanning shows only the security tool’s scanning page and not the actual destination,” Cofense wrote in its report this week. “As a result, when an email already has SEG-encoded URLs, the recipient’s SEG often allows the email through without properly checking the embedded URLs.”
A Substantial Increase
Attackers have abused SEG encoding previously to sneak malicious emails into target environments. But there has been a substantial increase in use of the tactic in the second quarter of this year, May in particular, Cofense said.
According to the security vendor, the four email security gateways that threat actors have abused the most to encode URLs and sneak them past email defense mechanisms are VIPRE Email Security, Bitdefender LinkScan, Hornet Security Advanced Threat Protection URL Rewriting, and Barracuda Email Gateway Defense Link Protection.
Cofense said its researchers had observed attackers using these SEGs to encode malicious URLs in variously themed campaigns targeted at users protected by SEGs from a variety of vendors.
Gannon says some SEG encodings would require the threat actor to run their URL through the SEG. “Other encodings like Barracuda Link Protect would let you simply prepend their URL to the malicious URL you are trying to bypass with,” he says. “For example, to use Barracuda Link Protect to bypass SEGs with the URL hxxp[:]//badplace[.]com/, I would simply add the Barracuda Link Protect URL and make it: hxxps://linkprotect[.]cudasvc[.]com/url?a=hxxp[:]//badplace[.]com/.”
Gannon says one reason why threat actors likely aren’t using the tactic on a much broader scale is because it involves additional work. “The biggest thing it comes down to is effort,” he says. “If a threat actor can take an hour to encode all the URLs in a campaign and reach 500 more inboxes, they could take the same hour and just find an additional 1,000 email addresses to send the campaign to.”
Protecting against the tactic can be relatively difficult, as most SEGs don’t have tuning methods for ignoring other SEG encodings, Gannon says. Therefore, the best way to combat the tactic remains user awareness and training. “A vigilant and informed employee is not going to click a link in a suspect email, even if the URL is encoded by a SEG.”
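As an added illustration of the gap Cofense describes above (a receiving gateway that scans only the encoding SEG’s domain and never the destination behind it), here is a small Python unwrapper a defender could run on inbound links before submitting them to reputation checks. It is example code written for this page, not Cofense’s or any SEG vendor’s; the only rewrite pattern it knows is the Barracuda Link Protect form quoted above (linkprotect.cudasvc.com/url?a=<url>), the table of rewrite hosts is an assumption each deployment would maintain, and the sample links are constructed.

```python
from urllib.parse import urlparse, parse_qs

# Assumed table of SEG rewrite hosts and the query parameter that carries the
# original destination. The Barracuda Link Protect entry follows the pattern
# quoted in the article; any other entry is an assumption to verify with the
# vendor that owns the rewrite domain.
SEG_REWRITE_HOSTS = {
    "linkprotect.cudasvc.com": "a",
}


def _embedded_destination(url):
    """Return the URL wrapped inside a SEG-encoded (or other redirector)
    link, or None if `url` carries no embedded absolute URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    params = parse_qs(parsed.query)          # parse_qs percent-decodes values
    if host in SEG_REWRITE_HOSTS:
        values = params.get(SEG_REWRITE_HOSTS[host], [])
        if values and values[0].lower().startswith(("http://", "https://")):
            return values[0]
        return None
    # Unknown host: a query value that is itself an absolute URL is still a
    # redirector, so unwrap it rather than trusting the outer domain.
    for values in params.values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def unwrap_seg_url(url, max_depth=5):
    """Peel SEG rewrite layers without any network access and return
    (innermost_destination, wrappers) where wrappers lists each host removed."""
    wrappers = []
    current = url
    while len(wrappers) < max_depth:
        inner = _embedded_destination(current)
        if inner is None:
            break
        wrappers.append((urlparse(current).hostname or "").lower())
        current = inner
    return current, wrappers


def scan_target(url):
    """What the receiving gateway should actually send to its reputation or
    sandbox checks: the innermost destination, not the encoding SEG's host."""
    final, wrappers = unwrap_seg_url(url)
    return {
        "seg_encoded": bool(wrappers),
        "wrappers": wrappers,
        "host_to_check": (urlparse(final).hostname or "").lower(),
        "url_to_check": final,
    }


if __name__ == "__main__":
    # Constructed samples: a plain link, the Barracuda-style pattern from the
    # article, and the same link wrapped twice (inner layer percent-encoded).
    samples = [
        "https://www.example.com/invoice.pdf",
        "https://linkprotect.cudasvc.com/url?a=http://badplace.example/login",
        "https://linkprotect.cudasvc.com/url?a=https%3A%2F%2Flinkprotect.cudasvc.com"
        "%2Furl%3Fa%3Dhttp%3A%2F%2Fbadplace.example%2Flogin",
    ]
    for sample in samples:
        print(scan_target(sample))
```

The point of the design is that `host_to_check` is always the innermost domain; a gateway that keys its allow-list on the outer host alone reproduces exactly the blind spot the article describes.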
Ransomware attacks against manufacturers, utilities and other industrial companies were up 50% last year.
The pace and sophistication of cyberattacks against industrial companies are escalating rapidly, as administration officials warn that nation-states are heavily targeting U.S. critical infrastructure sectors.
Ransomware attacks against industrial companies increased by around 50% last year, according to an annual report from cybersecurity company Dragos published Tuesday, which tracked 905 strikes.
The Hanover, Md.-based company, which specializes in protecting systems used by heavy industries such as electric grids and wastewater plants, said it tracked 28% more groups specifically targeting “operational technology” last year than the year before. The term refers to the heavy machinery and industrial control systems used by manufacturing plants, water utilities and similar organizations, as opposed to information technology, which generally comprises software such as accounting and human resources systems. Among industrial companies, manufacturers were targeted most, said Rob Lee, chief executive of Dragos.
“It’s not so much that they’re OT experts, it’s just they know that they’re impacting the revenue-generating portions of those companies,” Lee said, “so the companies are willing to pay, and pay faster.”
Even when ransomware attacks target manufacturers’ corporate technology systems and not their operational technology machinery, there can be collateral damage for production, said Mark Orsi, president of the Manufacturing Information Sharing and Analysis Center, a nonprofit that coordinates the sharing of threat data among manufacturers.
“The vast majority of ransomware variants only target the IT infrastructure of an organization, but all too often the manufacturing plant floor operations are disrupted as a result of compromise to IT systems,” he said.
But ransomware is just the tip of the iceberg, say industry observers. The tools used by hackers to specifically target operations have become more sophisticated in recent years.
The emergence of Pipedream, for instance, a tool believed to have been authored by a nation-state team, has many concerned. Pipedream is able to target industrial systems across industries, and doesn’t rely on common attack methods, such as exploiting vulnerabilities in software.
“When Pipedream or Pipedream-like capabilities leak out into the community, they will be the Cobalt Strikes of OT. That’s the stuff that worries me,” Lee said during a call with reporters on Jan. 30, referring to a suite of cybersecurity tools, Cobalt Strike, developed for network defenders, which gave rise to a slew of malicious hacking tools when it was leaked.
U.S. officials have also ratcheted up warnings of attempts to infiltrate U.S. critical infrastructure. Christopher Wray, director of the Federal Bureau of Investigation, on Sunday said Chinese efforts to secure footholds in critical infrastructure networks are occurring at an unprecedented scale.
While Beijing routinely denies involvement in hacking, Wray’s comments follow a series of similar remarks made by Rob Joyce, cybersecurity director of the National Security Agency. Last month, Joyce told an FBI-sponsored conference that Chinese hackers are positioning themselves within those networks so as to be able to strike at U.S. infrastructure in the event of a conflict. The U.S. government in January said it disrupted one such operation, without specifying the types of infrastructure targeted.
“It’s not just an electric company issue, it’s not just a water issue or a manufacturing issue. I think it’s an issue that affects all of us,” said Jason Nations, director of enterprise security at Oklahoma City-based
Critical infrastructure operators also face supply-chain security threats common to companies in many industries. German company PSI Software, which said last week it had been the victim of a cyberattack, specified on Monday that it had been hit by ransomware, and took its systems offline to prevent further intrusions. PSI Software supplies software specialized for energy providers and other industrial processes. PSI didn’t respond to a request for comment.
One difficulty critical-infrastructure companies struggle with is finding cybersecurity experts to defend their networks. While there is a shortage of around 4 million corporate cyber professionals globally, according to trade association ISC2, some companies say it is especially difficult to hire people with both cyber skills and expertise in heavy machinery and industrial technology.
Cybercriminal tactics continue to grow in number and advance in ability; in response, many organisations have seen the need to reach a security posture where their teams can proactively combat threats.
Threat hunting plays a pivotal role in modern organizations’ cybersecurity strategies. It involves actively searching for signs of advanced threats and vulnerabilities beyond passive defense mechanisms. The MITRE ATT&CK Framework is an industry-standard threat hunters can use to proactively ensure they have protection against new and evolving attacks. Automating these processes for threat hunting can advance any security team’s capabilities.
However, it can be challenging to integrate or collect security data for effective threat hunting. The number of security technologies often results in fragmented data and hinders a comprehensive threat-hunting approach. Automated threat hunting has become a solution that can advance the capabilities of any security team.
Understanding Disparate Security Technologies
Modern organisations employ a variety of security technologies to safeguard their digital assets. These include firewalls, intrusion detection systems, antivirus software, and endpoint protection. While effective, the sheer number of disparate security technologies poses challenges in centralising security data. Each solution generates logs and alerts, creating data silos.
The Problem of Non-integrated Security Data
Scattered security data creates several difficulties. Security teams grapple with a deluge of data from diverse sources, making identifying relevant threat indicators and patterns challenging. The absence of comprehensive visibility into potential threats leaves organisations vulnerable to increasingly advanced adversaries, who will exploit these data gaps. Inefficiencies plague threat-hunting processes because analysts must manually correlate data from various sources, slowing response times and increasing the likelihood of missing critical threats.
The Concept of Automated Threat Hunting
Automated threat hunting remediates the challenges inherent in integrating disparate security data. Security systems use advanced algorithms to streamline and enhance the threat hunting process. Automated threat hunting empowers security teams to pull security data from different technologies on demand, ensuring they have the right data.
Automating the MITRE ATT&CK Framework for Threat Hunting
Organizations should enhance the use of MITRE ATT&CK Frameworks in their threat hunting processes and techniques with automation to free up time and improve detection.
Automation #1: Pre-Built Response Playbooks
MITRE ATT&CK provides updated data sets of indicators of compromise (IOC) and techniques, tactics, and procedures (TTPs) that adversaries use. Threat hunters use this data to create procedures and processes around known threats to properly respond. Automation can save this set of procedures as a pre-defined playbook, which can be applied in the future for the same threat. It will also search across all data sources in your security environment for a comprehensive visibility into threats.
Automation #2: Collecting the Right Hunt Data
When collecting security data during a hunt, it’s common to collect too much or too little information. Pinpointing the right data saves time and increases hunt accuracy. MITRE ATT&CK frameworks ensure you have the correct data sources by telling you which to collect from logs, security systems, and threat intelligence. Automation allows you to save parameters for data collection of the right sources to apply for future hunts.
Automation #3: Penetration Testing/Red Teaming
Cyberattacks and tactics change all the time, and red/blue team exercises help you understand your proactive capabilities and your defences against those tactics. Automation can provide a great lift here by automating simulations of known TTPs from the MITRE frameworks to fine-tune detection and response management.
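To make Automations #1 and #2 concrete, here is an added Python example (not code from any product or from the article) of a saved hunt playbook: it names the ATT&CK technique it covers, declares which data sources it needs, refuses to run on partial data, and correlates two silos when it does run. The technique ID T1110 (Brute Force) is a real ATT&CK identifier; the event field names, thresholds and the sample authentication and VPN records are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two separate silos: an authentication log and
# a VPN log. Field names and values are assumptions made for this example.
AUTH_EVENTS = [
    {"ts": "2024-05-02T09:00:01", "user": "jdoe", "src": "203.0.113.7", "result": "fail"},
    {"ts": "2024-05-02T09:00:04", "user": "jdoe", "src": "203.0.113.7", "result": "fail"},
    {"ts": "2024-05-02T09:00:09", "user": "jdoe", "src": "203.0.113.7", "result": "fail"},
    {"ts": "2024-05-02T09:00:15", "user": "jdoe", "src": "203.0.113.7", "result": "fail"},
    {"ts": "2024-05-02T09:00:21", "user": "jdoe", "src": "203.0.113.7", "result": "fail"},
    {"ts": "2024-05-02T09:00:40", "user": "jdoe", "src": "203.0.113.7", "result": "success"},
    {"ts": "2024-05-02T10:15:00", "user": "asmith", "src": "198.51.100.2", "result": "fail"},
    {"ts": "2024-05-02T10:16:00", "user": "asmith", "src": "198.51.100.2", "result": "success"},
]
VPN_EVENTS = [
    {"ts": "2024-05-02T09:00:35", "user": "jdoe", "src": "203.0.113.7", "action": "connect"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def hunt_brute_force(data, threshold=5, window=timedelta(minutes=10)):
    """ATT&CK T1110 (Brute Force): `threshold` or more failures for one
    user/source inside `window` followed by a success. Each hit is enriched
    with whether the VPN silo saw the same user and source connect."""
    grouped = defaultdict(list)
    for ev in data["auth"]:
        grouped[(ev["user"], ev["src"])].append(ev)
    findings = []
    for (user, src), events in grouped.items():
        failures = []
        for ev in sorted(events, key=_ts):
            if ev["result"] != "success":
                failures.append(_ts(ev))
                continue
            recent = [t for t in failures if _ts(ev) - t <= window]
            failures = []
            if len(recent) < threshold:
                continue
            vpn_hit = any(v["user"] == user and v["src"] == src
                          and abs(_ts(ev) - _ts(v)) <= window
                          for v in data["vpn"])
            findings.append({"technique": "T1110", "user": user, "src": src,
                             "failures": len(recent), "success_at": ev["ts"],
                             "vpn_session_seen": vpn_hit})
    return findings


# Automation #1: saved playbooks, each naming the technique it covers, the data
# sources it needs (Automation #2) and the hunt logic to run over them.
PLAYBOOKS = [
    {"technique": "T1110", "name": "Brute Force",
     "data_sources": ["auth", "vpn"], "hunt": hunt_brute_force},
]


def run_playbook(playbook, sources):
    """Pull only the sources the playbook asks for, and report a data gap
    instead of silently hunting on partial data."""
    missing = [s for s in playbook["data_sources"] if s not in sources]
    if missing:
        return {"technique": playbook["technique"], "status": "data_gap",
                "missing": missing, "findings": []}
    subset = {s: sources[s] for s in playbook["data_sources"]}
    return {"technique": playbook["technique"], "status": "ok",
            "missing": [], "findings": playbook["hunt"](subset)}


def run_all(sources):
    return [run_playbook(p, sources) for p in PLAYBOOKS]


if __name__ == "__main__":
    for result in run_all({"auth": AUTH_EVENTS, "vpn": VPN_EVENTS}):
        print(result)
    print(run_all({"auth": AUTH_EVENTS}))   # VPN silo not wired in: data gap
```

The `data_gap` status is the part worth copying: a hunt that quietly runs with one silo missing produces a confident "nothing found" that is really "nothing looked at".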
Advantages of Automating Threat Hunting
Automating threat hunting allows security teams to effortlessly access security data from diverse technologies when needed, streamlining hunting and procedures, while reducing manual effort. Security analysts can swiftly identify suspicious activities and patterns, resulting in quicker threat detection. The accelerated detection and response to security incidents are crucial in today’s threat landscape. Automated threat hunting expedites the identification of threats, enabling organisations to respond promptly and mitigate potential damage.
The Role of the Security Operations Platform
A security operations platform offers a wide range of capabilities. It centralises security data from disparate technologies and provides security teams with a unified, real-time view of their environment, thus facilitating improved threat detection and response. An essential aspect of this platform is its ability to query security data from all technologies. This functionality ensures that all artifacts, regardless of their source, are examined, making it an invaluable tool in the hunt for threats.
Conclusion
Automating threat hunting via a security operations platform enhances efficiency, augments visibility, and expedites incident response. As we look to the future of cybersecurity, the seamless integration of security data will remain central to effective threat hunting, ensuring that organizations stay ahead of evolving cyber threats.
Identity isn’t a security problem — it’s the security problem.
This was the takeaway from my recent meeting with a local government CISO in the Washington, D.C. area. Tasked with protecting infrastructure, including the fire and police departments, the CISO turned to CrowdStrike a year ago for endpoint and identity protection.
The CISO outlined the main challenge his team faced: the managed detection and response (MDR) solution in use at the time was unable to keep up with modern security demands. The tool didn’t deliver the speed or fidelity he needed. Nor did it provide remediation, leading to long delays between when the tool sent data to the management console and when his thinly stretched security team could investigate and triage alerts.
CrowdStrike Falcon® Complete solved these problems by providing a bundle of Falcon modules on AWS GovCloud, complete with a virtual team of experts to administer the technology and quickly eliminate threats.
“There’s a complete difference between our previous MDR and CrowdStrike Falcon Complete. One gives me work to do. The other tells me the work is done.” –CISO, A county in the Washington, D.C. area
Identity Is the New Perimeter
Of everything the CISO shared, it was the identity piece that really stood out to me. According to the CrowdStrike 2022 Global Threat Report, nearly 80% of cyberattacks leveraged compromised credentials — a trend the county sees regularly, he said.
With Falcon Complete, the CISO gets CrowdStrike Falcon® Identity Threat Protection to stop identity-based attacks, both through services performed by CrowdStrike and via work done by his security operations center (SOC) team.
Check out this live attack and defend demo by the Falcon Complete team to see Falcon Identity Threat Protection in action.
Below are nine use cases for the identity protection capability, in his own words.
1. We receive executive-level key metrics on identity risks. Falcon Identity Threat Protection provides us immediate value with real-time metrics on total compromised passwords, stale accounts and privileged accounts. As these numbers decrease, our risk and expenditures drop as well, allowing us to prove the value of our cybersecurity investments to stakeholders.
2. We get powerful policies and analytics. Falcon Identity Threat Protection helped us move away from reactive, once-a-year privileged account analysis to proactive real-time analysis of all of our identities, including protocol usage such as Remote Desktop Protocol (RDP) to DCs/critical servers. Many attacks leverage compromised stale accounts, and with Falcon Identity Threat Protection we can monitor and be alerted to stale accounts that become active.
3. We can stop malicious authentications. With Falcon Identity Threat Protection, we can enforce frictionless, risk-based multifactor authentication (MFA) when a privileged user remotely connects to a server — stopping adversaries trying to move laterally. Additionally, we can define policies to reset passwords or block/challenge an authentication from stale or high-risk accounts.
“I’ve bought a lot of cyber tools. My analysts unanimously thanked me the day we bought CrowdStrike.”
4. We can alert system admins to critical issues. Adversaries often target critical accounts. Instead of simply alerting the security team, Falcon Identity Threat Protection allows us to flag critical accounts with specific policies and alerts that can be sent directly to the account owner. For example, the owner of a critical admin account for our organization’s financial systems can be alerted to anomalous behavior around that account, eliminating the need for the security team to reach out to her for every alert.
5. We can investigate behavior and hygiene issues. When reviewing RDP sessions from the last 24 hours, we noticed a former employee, Steve Smith (names changed), remotely accessing a server in our environment from Jane Doe’s computer. Upon investigation, we found Jane Doe was legitimately using Steve Smith’s credentials to perform business functions that Steve was no longer around to perform. We immediately tied Jane’s account to Steve’s to trigger MFA for any authentication. We also reviewed Steve’s permissions and noticed he had extensive local administrator privileges to over 600 computers, which we were able to remove instantly.
6. We can eliminate attack paths to critical accounts. It takes only one user’s credentials to compromise your organization. In previous phishing campaigns that asked users to reset their passwords, 7% of our employees entered their username and password into a fake Microsoft login screen. Falcon Identity Threat Protection shows us how one username and password dump from a single machine can lead to the compromise of a highly privileged account, allowing for full, unfettered access to an enterprise network. We now have the ability to visualize how a low-level account compromise can lead to a full-scale breach.
“Within two hours of deploying Falcon Identity Threat Protection, we identified 10 privileged accounts with compromised passwords and began resetting them immediately.”
7. We gain awareness of AD incidents. With Falcon Identity Threat Protection, we can now see credential scanning and password attacks on all of our external-facing systems that link to our Microsoft AD and Azure AD logins.
8. We can verify if lockouts are actually malicious. Every day, we face a handful of account lockouts, mostly due to users forgetting their passwords or a system that continues to authenticate after the user has reset their password. With Falcon Identity Threat Protection, we can see all account lockouts and failed authentications, allowing us to immediately understand why a lockout occurred and if malicious activity was involved.
9. We can correlate endpoint and identity activity. Once an alert fires off regarding a potentially misused identity, such as a stale account becoming active after 90+ days of inactivity, we can correlate this information with endpoint-related detections. We simply grab the hostname where the stale account became active, pivot to CrowdStrike Falcon® Insight XDR, and look for malicious activity and detections on a specific machine. Likewise, if a machine becomes infected, we can use Falcon Identity Threat Protection to investigate who has access to that machine and whether their behavior is normal. This integration is not only unique but essential with identity-based attacks.
“CrowdStrike not only revolutionized the way our SOC operates, it changed the way I sleep at night.”
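Use cases 2, 3, 5 and 9 above describe the same three-step pattern: detect a stale account becoming active or a privileged remote logon to a critical server, decide on a policy action (challenge, block or step-up MFA), then pivot on the source hostname to endpoint detections. The Python below is an added example of that logic written for this page; it is not CrowdStrike code and does not use the Falcon API. The account inventory, authentication events, endpoint detections, field names and the 90-day staleness threshold (the figure the CISO quotes in use case 9) are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data (field names assumed): an identity inventory with
# last-seen dates, one day's authentication events, and endpoint detections.
NOW = datetime(2024, 5, 2, 12, 0, 0)
STALE_AFTER = timedelta(days=90)
CRITICAL_HOSTS = {"DC01", "FIN-SQL01"}

ACCOUNTS = {
    "ssmith": {"last_seen": "2024-01-10", "privileged": True},   # former employee
    "jdoe":   {"last_seen": "2024-05-01", "privileged": False},
}
AUTH_EVENTS = [
    {"ts": "2024-05-02T08:12:00", "user": "ssmith", "src_host": "WS-JDOE",
     "dst_host": "FIN-SQL01", "protocol": "RDP"},
    {"ts": "2024-05-02T08:30:00", "user": "jdoe", "src_host": "WS-JDOE",
     "dst_host": "FILESRV02", "protocol": "SMB"},
]
ENDPOINT_DETECTIONS = [
    {"ts": "2024-05-02T08:05:00", "host": "WS-JDOE",
     "name": "suspicious access to LSASS memory"},
]


def _ts(text):
    return datetime.fromisoformat(text)


def identity_alerts(accounts, events, now=NOW):
    """Use cases 2 and 3: flag stale accounts that become active, and
    privileged RDP logons to critical servers (where risk-based MFA should
    be enforced). Unknown accounts are treated as never seen, hence stale."""
    alerts = []
    for ev in events:
        acct = accounts.get(ev["user"], {})
        last_seen = _ts(acct.get("last_seen", "1970-01-01"))
        if now - last_seen > STALE_AFTER:
            alerts.append({**ev, "rule": "stale_account_active",
                           "days_inactive": (now - last_seen).days,
                           "action": "challenge_or_block"})
        if (acct.get("privileged") and ev["protocol"] == "RDP"
                and ev["dst_host"] in CRITICAL_HOSTS):
            alerts.append({**ev, "rule": "privileged_rdp_to_critical_host",
                           "action": "require_mfa"})
    return alerts


def correlate_with_endpoint(alerts, detections, window=timedelta(hours=2)):
    """Use case 9: pivot from the identity alert to its source hostname and
    attach endpoint detections seen there around the same time."""
    enriched = []
    for alert in alerts:
        related = [d for d in detections
                   if d["host"] == alert["src_host"]
                   and abs(_ts(alert["ts"]) - _ts(d["ts"])) <= window]
        enriched.append({**alert, "endpoint_detections": related,
                         "priority": "high" if related else "medium"})
    return enriched


def triage(accounts=ACCOUNTS, events=AUTH_EVENTS, detections=ENDPOINT_DETECTIONS):
    return correlate_with_endpoint(identity_alerts(accounts, events), detections)


if __name__ == "__main__":
    for alert in triage():
        print(alert["rule"], alert["user"], alert["src_host"],
              alert["action"], alert["priority"])
```

In the constructed data the stale, privileged account logs on over RDP to a critical host from a workstation that had an endpoint detection seven minutes earlier, so both identity alerts come out at high priority; the ordinary SMB logon by the active account raises nothing.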
Cybersecurity researchers exposed new evasion techniques adopted by an advanced malware downloader called GuLoader.
CrowdStrike researchers detailed multiple evasion techniques implemented by an advanced malware downloader called GuLoader (aka CloudEyE).
GuLoader uses a polymorphic shellcode loader to avoid traditional security solutions; the experts mapped all embedded DJB2 hash values for every API used by the malicious code.
The malware uses an anti-analysis technique to avoid execution in virtualized environments.
“In dissecting GuLoader’s shellcode, CrowdStrike revealed a new anti-analysis technique meant to detect if the malware is running in a hostile environment by scanning the entire process memory for any Virtual Machine (VM)-related strings.” reads the analysis published by CrowdStrike.
“New redundant code injection mechanism means to ensure code execution by using inline assembly to bypass user mode hooks from security solutions.”
GuLoader first appeared on the threat landscape in 2019; it was used by threat actors to download multiple remote access trojans (RATs) such as AgentTesla, FormBook, Nanocore, NETWIRE and the Parallax RAT.
Early versions of GuLoader were distributed via spam messages using attachments containing the malicious executable. Recent variants were delivered via a Visual Basic Script (VBS) file.
“GuLoader also started employing advanced anti-analysis techniques to evade detection, such as anti-debug, anti-sandbox, anti-VM and anti-detection to make analysis difficult.” reads the analysis.
A recent GuLoader variant analyzed by the experts exhibits a multistage deployment:
The first stage uses a VBS dropper file to drop a second-stage packed payload into a registry key. It then uses a PowerShell script to execute and unpack the second stage payload from the registry key within memory.
The second stage payload performs all anti-analysis routines (described below), creates a Windows process (e.g., ieinstal.exe) and injects the same shellcode into the new process.
The third stage reimplements all the anti-analysis techniques, downloads the final payload from a remote server and executes it on the victim’s machine.
The malware implements anti-debugging and anti-disassembling checks to detect the presence of breakpoints used for the analysis of code.
The researchers also noticed the use of a redundant code injection mechanism to avoid NTDLL.dll hooks used by antivirus and EDR solutions to detect malicious activities.
“It then maps that section via NtMapViewofSection on the suspended process.” continues the analysis. “If this injection technique fails, it uses the following redundancy method:
a. NtAllocateVirtualMemory by invoking the inline assembly instructions (without calling ntdll.dll, to bypass AV/EDR User Mode hooks) of that function, using the following assembly stub:
mov eax,18
mov edx,ntdll.77178850
call edx
ret 18
It uses NtWriteProcessMemory to copy the same shellcode onto that virtually allocated address.”
Experts pointed out that GuLoader remains a dangerous threat that constantly evolves; they also shared Indicators of Compromise for the latest variant of the downloader.
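The staged deployment described above (VBS dropper, PowerShell unpacking a payload from a registry key, then a freshly created process such as ieinstal.exe used as the injection target) leaves a process-tree footprint a defender can look for even when the shellcode itself evades user-mode hooks. The Python below is an added example of that detection logic, not CrowdStrike's code or any IoC from its report: the Sysmon-style process-creation events, field names, command lines and the three-indicator threshold are constructed; only the stage sequence and the ieinstal.exe process name come from the article.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events (field names assumed).
# The chain mirrors the stages described in the article: a script host runs
# the VBS dropper, PowerShell reads the packed payload from a registry key,
# and a fresh process (ieinstal.exe) is started as the injection target.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\Downloads\invoice.vbs"'},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmd": r'powershell.exe -w hidden -ep bypass "$d=(Get-ItemProperty HKCU:\Software\Contoso).Blob; ..."'},
    {"pid": 400, "ppid": 300, "image": "ieinstal.exe", "cmd": "ieinstal.exe"},
    # Benign administrator activity, kept as a control case.
    {"pid": 500, "ppid": 100, "image": "powershell.exe",
     "cmd": r"powershell.exe Get-ChildItem C:\Logs"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
REGISTRY_READ = re.compile(r"Get-ItemProperty|HKCU:|HKLM:|\.GetValue\(", re.I)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.I)


def find_staged_chains(events, min_indicators=3):
    """Score every PowerShell process on the indicators above and report the
    ones matching at least `min_indicators` of them, with the evidence."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for ps in events:
        if ps["image"].lower() != "powershell.exe":
            continue
        parent = by_pid.get(ps["ppid"])
        reasons = []
        if parent and parent["image"].lower() in SCRIPT_HOSTS:
            reasons.append("spawned by script host %s (stage 1 dropper)" % parent["image"])
        if REGISTRY_READ.search(ps["cmd"]):
            reasons.append("reads data from the registry (stage 2 payload store)")
        if HIDDEN_WINDOW.search(ps["cmd"]):
            reasons.append("runs with a hidden window")
        spawned = [c["image"] for c in children[ps["pid"]]]
        if spawned:
            reasons.append("spawns %s (possible injection target)" % ", ".join(spawned))
        if len(reasons) >= min_indicators:
            findings.append({"pid": ps["pid"], "cmd": ps["cmd"],
                             "spawned": spawned, "indicators": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_staged_chains(EVENTS):
        print("pid %d: %s" % (finding["pid"], "; ".join(finding["indicators"])))
```

Requiring several weak indicators together keeps the benign PowerShell session (launched from explorer.exe with a plain directory listing) out of the results while the full chain scores on all four.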
Is this website safe? In this digital world, checking website safety is a major concern: there are countless malicious websites across the Internet, and it is difficult to find a trustworthy one. We need to browse smart and make sure a site is not dangerous by using multiple approaches.
In general, it is better to type the website URL than to copy-paste or click a URL. Also, check whether the website is served over HTTP or HTTPS.
Investigating: is this website safe
To find out whether a website is safe, we first need to work out whether the URL came from an unknown source; we recommend cross-checking the URL before clicking on it. Copy the URL into the analyzers available over the Internet and verify its integrity.
If it is a shortened URL, you can unshorten it with the site and then analyze the actual URL.
Methods to analyze Websites
To check website safety, the first and most recommended method is to use online page scanners, which use the latest fingerprinting technology to show whether web applications are up to date or infected by malware.
A website reputation check needs to be done to find the trustworthiness of the website, for example with WOT.
Ensure SSL is there before making a purchase
To check website safety, ensure the website is available over HTTPS before entering payment card details. We can audit HTTPS availability with the SSL analyzer URLs available over the Internet.
Also, there is a range of certificates available, from low-assurance (domain validation) to the most trusted Extended Validation certificates; you can refer to the URL for more details.
Moreover, we can verify that the certificate is properly installed with various popular checkers available.
According to Google, Safe Browsing is a service that Google’s security team built to identify unsafe websites across the web and notify users and webmasters of potential harm.
In this Transparency Report, Google discloses details about the threats we detect and the warnings we show to users.
We share this information to increase awareness about unsafe websites, and we hope to encourage progress toward a safer and more secure web.
Safe Browsing also notifies webmasters when their websites are compromised by malicious actors and helps them diagnose and resolve the problem so that their visitors stay safer.
Safe Browsing protections work across Google products and power safer browsing experiences across the Internet.
Check whether a website has any unsafe content – Google Safe Browsing
To Report Malicious websites
Please report the dangerous URL to the services mentioned below. They are arranged in categories which should make it relatively easy to decide which services you should report the site to.
analyzes a website through multiple blacklist engines and online reputation tools to facilitate the detection of fraudulent and malicious websites. This service helps you identify websites involved in malware incidents, fraudulent activities, and phishing websites.
Important tools to check website reputation and confirm whether a website is safe
Cybercriminals use various sophisticated techniques to fool online users into dropping malware and other cyber threats that cause unbearable damage. So beware of malicious websites: don’t blindly open a website; check its safety before opening it.
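The advice above (prefer HTTPS, expand shortened links, check the certificate before entering card details) can be partly automated. Here is an added Python example written for this page, not code from any of the services mentioned: `assess_url` performs the checks possible on the URL text alone, offline, and `certificate_summary` performs the live TLS check, relying on the standard library's default context to validate the chain and hostname. The shortener list is illustrative and the sample URLs are constructed.

```python
import ipaddress
import socket
import ssl
from datetime import datetime, timezone
from urllib.parse import urlparse

# Public link shorteners (illustrative, not exhaustive).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}


def assess_url(url):
    """Offline checks on the URL text itself, before anything is clicked."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    findings = []
    if parsed.scheme != "https":
        findings.append("not HTTPS: do not enter credentials or card details")
    if parsed.username is not None:
        # "https://trusted.example@evil.example/" - the text before '@' is a
        # username, and the browser connects to the host after it.
        findings.append("text before '@' is a username, the real host is %s" % host)
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address rather than a domain name")
    except ValueError:
        pass
    if host in SHORTENERS:
        findings.append("shortened link: expand it and assess the real destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalised (punycode) host: check for look-alike characters")
    return {"host": host, "https": parsed.scheme == "https", "findings": findings}


def certificate_summary(host, port=443, timeout=5):
    """Network check: complete a TLS handshake with chain and hostname
    validation (the default context raises ssl.SSLCertVerificationError on
    failure) and report the issuer and remaining validity."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    issuer = dict(item[0] for item in cert["issuer"])
    return {"issuer": issuer.get("organizationName"),
            "days_until_expiry": (not_after - datetime.now(timezone.utc)).days}


if __name__ == "__main__":
    # Constructed sample links; no network access is needed for these.
    for sample in ["https://www.example.com/",
                   "http://203.0.113.9/login",
                   "https://bit.ly/3abc",
                   "https://www.example.com@evil.example/"]:
        print(sample, "->", assess_url(sample)["findings"] or ["basic checks passed"])
    # certificate_summary("www.example.com") performs the live TLS check.
```

`assess_url` passing only means the URL text shows no obvious red flag; reputation services such as those listed above and the live certificate check still apply.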
Here are eight top security threats that IT is likely to see in 2023.
Top 8 security threats for next year
1. Malware
Malware is malicious software that is injected into networks and systems with the intention of causing disruption to computers, servers, workstations and networks. Malware can extract confidential information, deny service and gain access to systems.
IT departments use security software and firewalls to monitor and intercept malware before it gains entry to networks and systems, but malware bad actors continue to evolve ways to elude these defenses. That makes maintaining current updates to security software and firewalls essential.
2. Ransomware
Ransomware is a type of malware. It blocks access to a system or threatens to publish proprietary information. Ransomware perpetrators demand that their victim companies pay them cash ransoms to unlock systems or return information.
So far in 2022, ransomware attacks on companies are 33% higher than they were in 2021. Many companies agree to pay ransoms to get their systems back, only to be hit again by the same ransomware perpetrators.
Ransomware attacks are costly. They can damage company reputations. Many times ransomware can enter a corporate network through a channel that is open with a vendor or a supplier that has weaker security on its network.
One step companies can take is to audit the security measures that their suppliers and vendors use to ensure that the end-to-end supply chain is secure.
3. Phishing
Almost everyone has received a suspicious email, or worse yet, an email that appears to be legitimate and from a trusted party but isn’t. This email trickery is known as phishing.
Phishing is a major threat to companies because it is easy for unsuspecting employees to open bogus emails and unleash viruses. Employee training on how to recognize phony emails, report them and never open them can really help. IT should team with HR to ensure that sound email habits are taught.
4. IoT
In 2020, 61% of companies were using IoT, and this percentage only continues to increase. With the expansion of IoT, security risks also grow. IoT vendors are notorious for implementing little to no security on their devices. IT can combat this threat by vetting IoT vendors upfront in the RFP process for security and by resetting IoT security defaults on devices so they conform to corporate standards.
If your organization is looking for more guidance on IoT security, the experts at TechRepublic Premium have put together an ebook for IT leaders that is filled with what to look out for and strategies to deal with threats.
5. Internal employees
Disgruntled employees can sabotage networks or make off with intellectual property and proprietary information, and employees who practice poor security habits can inadvertently share passwords and leave equipment unprotected. This is why there has been an uptick in the number of companies that use social engineering audits to check how well employee security policies and procedures are working. In 2023, social engineering audits will continue to be used so IT can check the robustness of its workforce security policies and practices.
6. Data poisoning
An IBM 2022 study found that 35% of companies were using AI in their business and 42% were exploring it. Artificial intelligence is going to open up new possibilities for companies in every industry. Unfortunately, the bad actors know this, too.
Cases of data poisoning in AI systems have started to appear. In a data poisoning attack, a malicious actor finds a way to inject corrupted data into an AI system so that the results of an AI query are skewed, potentially returning a false result to company decision makers.
Data poisoning is a new attack vector into corporate systems. One way to protect against it is to continuously monitor your AI results. If you suddenly see a system trending significantly away from what it has revealed in the past, it’s time to look at the integrity of the data.
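The monitoring the paragraph recommends, carried through as an added example (not code from the original article): a deployed model's daily approval rate is compared against its own baseline, and the recent window is flagged when its mean sits many standard errors away from where the model has historically been. The daily figures are constructed sample data and the threshold is an assumption for illustration.

```python
from math import sqrt
from statistics import mean, pstdev

# Constructed sample: the share of loan applications a deployed model approves
# each day. Twenty days of baseline followed by two candidate "recent" windows.
BASELINE_APPROVAL_RATE = [0.40, 0.38, 0.41, 0.39, 0.42, 0.40, 0.37, 0.41, 0.43, 0.39,
                          0.40, 0.42, 0.38, 0.41, 0.40, 0.39, 0.42, 0.40, 0.41, 0.38]
RECENT_NORMAL = [0.39, 0.41, 0.40, 0.42, 0.38]   # business as usual
RECENT_SUSPECT = [0.55, 0.66, 0.70, 0.72, 0.69]  # model suddenly approving far more


def drift_z_score(baseline, recent):
    """z-score of the recent window's mean against the baseline's daily distribution.

    The standard error of a window of k days is sigma / sqrt(k), so a longer window
    makes the same shift more significant (and also slower to notice).
    """
    mu = mean(baseline)
    sigma = pstdev(baseline)
    if sigma == 0:
        sigma = 1e-9  # constant baseline: treat any movement as extreme
    standard_error = sigma / sqrt(len(recent))
    return (mean(recent) - mu) / standard_error


def check_for_drift(baseline, recent, z_threshold=4.0):
    """Return a small report; 'drift' is True when the window is outside tolerance.

    z_threshold is an assumed value; tune it to the metric's normal day-to-day noise.
    """
    z = drift_z_score(baseline, recent)
    return {
        "baseline_mean": round(mean(baseline), 3),
        "recent_mean": round(mean(recent), 3),
        "z": round(z, 2),
        "drift": abs(z) >= z_threshold,
    }


if __name__ == "__main__":
    for label, window in (("normal", RECENT_NORMAL), ("suspect", RECENT_SUSPECT)):
        print(label, check_for_drift(BASELINE_APPROVAL_RATE, window))
```

A flagged window is a trigger to inspect the integrity of the recent training or feedback data, not proof of poisoning: legitimate changes in the input population move the same metric, so the check is a prompt for investigation rather than an alarm on its own.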
7. New technology
Organizations are adopting new technology like biometrics. These technologies yield enormous benefits, but they also introduce new security risks since IT has limited experience with them. One step IT can take is to carefully vet each new technology and its vendors before signing a purchase agreement.
8. Multi-layer security
How much security is enough? If you’ve firewalled your network, installed security monitoring and interception software, secured your servers, issued multi-factor authentication (MFA) sign-ons to employees and implemented data encryption, but you forgot to lock the physical facilities containing servers or to install the latest security updates on smartphones, are you covered?
There are many layers of security that IT must batten down and monitor. IT can tighten up security by creating a checklist for every security breach point in a workflow.
While knowing full well that human lives may be at stake, criminal gangs have been increasingly targeting the healthcare sector with high-impact attacks like ransomware.
1. Tighten up email security
Healthcare providers should set up numerous layers of defense for a variety of email-borne threats. A good email security solution should be the first layer but will only be effective if it is able to detect multiple malicious signals (malicious IPs, suspicious URLs, hidden malware files, etc.).
Training staff to recognize malicious emails can be useful, but personnel should not bear the brunt of responsibility when it comes to catching signs of attack. Instead, training should focus on the importance of proper policies, such as confirming payments and transfers with a second channel outside of email.
2. Follow best practice for passwords and credentials
Obtaining login credentials is a primary goal in most cyberattacks, and many threat actors now specialize in selling information on to others. Investigations by the Trustwave SpiderLabs team found a large quantity of stolen login credentials and browser sessions enabling access to healthcare facilities advertised on dark web markets.
In addition to following best practices around phishing emails, all employees should be using complex passwords that can’t be easily guessed. When storing passwords, organizations must make sure to use modern and robust password hashing algorithms. Two-factor authentication should also be implemented across the organization as a priority (Note: SMS 2FA should not be considered secure).
3. Improve cyber security awareness
While the responsibility of spotting and stopping cyberattacks should not rest on ordinary healthcare personnel, a well-trained workforce can make a real difference in averting disaster. Attackers will be counting on healthcare staff being too busy and focused on supporting their patients to concentrate on security.
Security training is often limited to a few one-off PowerPoint-driven seminars, but this will do little to increase awareness. Healthcare providers should instead consider more in-depth exercises that replicate serious incidents such as ransomware attacks. This will help decision makers to gain experience in making snap decisions under pressure, better equipping them for when a real crisis looms.
4. Prepare for ransomware attacks
Ransomware is a threat to all sectors, but healthcare is particularly vulnerable to its disruptive effects. A paralyzed IT network will mean more than lost data or productivity – human lives may be on the line if data and equipment are locked down. Callous criminals are counting on healthcare providers caving and paying up to restore systems quickly. Further, attackers increasingly exfiltrate data to pile on more pressure and secure additional profits from dark web buyers.
A strong email security system will stop most malicious emails, but not all – and organizations should be prepared for that. Effective managed detection and response (MDR) capabilities, backed by a skilled team of threat hunters, will help identify and stop ransomware quickly to reduce its impact. A managed security service provider (MSSP) is one of the most affordable ways of acquiring these capabilities on a limited budget.
5. Secure extended IoT networks
Internet of Things (IoT)-enabled equipment has been hugely beneficial in enabling healthcare providers to automate and facilitate remote working. But if not properly monitored and patched, these connected devices can also provide threat actors with an easy attack path.
Hospitals are likely to have hundreds of devices deployed across their facilities, so keeping them all updated and patched can be an extremely resource-heavy task. Many health providers also struggle to accommodate the required downtime to update vital equipment.
Automating device discovery and update processes will make it easier to keep devices secured. Providers should also vet future purchases to ensure they have key security functionality and are accessible for maintenance and updates.
6. Understand supply chain risks
Healthcare providers sit in the center of extremely large and complex supply networks. Suppliers for medical materials, consultants, hardware, and facilities maintenance are just a few examples, alongside a growing number of digital services.
These suppliers often have a large degree of network connectivity or access to data, making them a prime target for threat actors seeking a way into the healthcare provider’s network. Organizations can also become the victim of a second-hand breach if a firm trusted to host or manage their data is attacked.
Supply chain risk can be reduced by vetting the security level of all third-party connections. This can be achieved without invasive network scans through publicly available information such as DNS server configurations and the presence of insecure ports open to the internet (e.g., MS-TERM-SERV, SMB, etc.).
7. Test out your preparations
Security is never a one-and-done affair. Even if the right solutions are in place, the workforce has been well-trained and processes are watertight, it is important to continually test defenses and look for ways to improve them.
Regular vulnerability scans are essential for keeping up with the shifting IT and cyber threat landscape. Application and network penetration tests will take things a step further by leveraging the ingenuity of experienced security personnel to look for a crack that can be found and exploited.
Larger healthcare providers such as hospitals may also consider physical penetration tests to determine if their facility’s IT infrastructure is vulnerable to an intruder on their grounds.
Defending against healthcare threats: Preparation is everything
Hospitals and other frontline healthcare providers are used to dealing with medical emergencies. Personnel have the equipment and processes they need in place, and they have the training to adopt the cool head needed to handle a crisis.
As attackers continue to target the sector, the same level of preparation is increasingly essential for cyber threats.
Criminal gangs are counting on budget cuts and staffing shortages to leave healthcare organizations vulnerable to their attacks. By focusing on these seven steps, providers will be able to present a hardened target that sends these callous opportunists in search of easier prey.
Research from Netacea reveals that as of September 2022, there are over 1,600 professional refund service adverts on hacker forums.
Cybercrime’s continued shift to a service-driven economy has enabled several new professionalized hacking services with Refund Fraud-as-a-Service being one of the latest to rise in popularity over the last few years. This is according to Netacea’s latest threat report, which researched rising trends across a multitude of hacking forums.
Refund fraud is the abuse of refund policies for financial gain and costs e-commerce businesses more than $25 billion every year. Those interested in committing refund fraud can outsource the process to professional social engineers offering Refund-as-a-Service. This poses a significant challenge to retailers, as previously legitimate customers can enlist highly experienced fraudsters to perpetrate this fraud on their behalf, making it difficult to identify fraudulent activity. As online shopping continues its upward trend, professional fraudsters will look to cash in on the opportunity.
Over 540 new refund fraud service adverts were identified in the first three quarters of 2022
Refund fraud services increased by almost 150% from 2019 – 2021
Netacea’s report explores the current structure of the underground Refund-as-a-Service market, the changing tactics and methods used by adversarial groups to perform refund fraud, and how threat intelligence and fraud teams can work collaboratively to effectively combat it.
“As shown in the rise of ransomware-as-a-service attacks, cybercriminals have shifted to a service-based economy — and refund fraud is no exception” said Cyril Noel-Tagoe, Principal Security Researcher, Netacea. “As we approach Black Friday and the holiday season, e-commerce stores should take the necessary steps to reduce their risk of refund fraud, including educating employees on the methods and tactics fraudsters take.”
Additional steps include:
Delivery carriers should replace or complement signatures with one-time passwords to prevent refund fraudsters from claiming that packages did not arrive.
E-commerce stores and delivery carriers should work together to look for patterns in their data sets that may indicate fraudulent activity.
Reputation is power in the underground market. In the instance that an e-commerce store identifies the claim to be fraudulent after a refund payment has been made, the store should rebill the customer’s account. An influx of rebill complaints from customers may cause the refund fraud service to drop the retailer from their store list, to avoid negative reviews.
An IRONSCALES survey published in October 2021 shows over 80% of respondents experienced an increase in email phishing attacks since the start of the pandemic.
Phishing involves the utilization of legitimate-looking emails to steal the login credentials or other sensitive information of a target organization. While it’s just as much a risk for small and medium-sized businesses, in the public sector, phishing attacks could potentially be nation-state sponsored, making it a possible double whammy.
While taking advantage of the latest and greatest software to protect yourself from top cybersecurity threats is par for the course, what makes phishing so pernicious is that it relies on human error. With phishing emails looking more authentic than ever, they are harder to catch.
Distributed Denial of Service (DDoS) Attacks
A recent report says ransom DDoS attacks increased 29% year over year and 175% quarter over quarter in quarter four of 2021. Some of the biggest targets were the public sector, schools, travel organizations, and credit unions.
DDoS attacks are known to bring down some of the largest websites and are quite difficult to prevent. They are considered by some to be the most “powerful weapon” on the internet, easily making DDoS attacks one of the top cyber security threats to the government.
DDoS attacks can happen at any time, affect any part of a website, and disrupt and interrupt services, usually leading to massive financial damage.
Nation-State Sponsored Cyber Attacks
With mainstream media daily broadcasting events as they are occurring to every channel imaginable (cable TV, smartphones, social media, etc.) cyber warfare has become an increasingly common way to launch disinformation campaigns, perform cyber espionage or terrorism, and even cyber-sabotage targets.
Nation-state-sponsored cyber attacks aim to:
Hinder communication
Gather intelligence
Steal intellectual property
Damage digital and physical infrastructure
They are even used for financial gain.
Though cyber attacks are sometimes used in tandem with real life attacks, what makes cyber warfare especially challenging is that it happens virtually and often covertly. There usually isn’t any declaration of war. That makes it difficult to prove who is responsible for the attack.
Ransomware
Ransomware attacks may not be an emerging trend by any means. They may not even be anything new. But they do have a history of wreaking havoc on the public sector and therefore need to be taken seriously.
Rewind to 2019, when the U.S. was hit by an unrelenting barrage of ransomware attacks that ultimately affected at least 966 government agencies, educational establishments, and healthcare providers, at a cost Emsisoft estimated at $7.5 billion.
These attacks resulted in 911 services being interrupted, surveillance systems going offline, badge scanners and building access systems not working, websites going down, extended tax payment deadlines, and much more.
The threat of ransomware attacks still looms today and is no less a concern in 2022 than it was in 2019. As far as cyber security threats to the government are concerned, ransomware attacks should be kept on the cybersecurity radar.
What Can the Public Sector Do to Stay Ahead?
Beyond taking full advantage of the latest technology, public sector organizations that want to stay ahead of cyber threats must create a culture of cybersecurity, offering ongoing training to their teams.
You need to secure all infrastructure, including cloud, mobile, and Internet of Things (IoT). You also want to improve compromise detection and be fully prepared for any attack. Plans should be documented and practiced regularly, so detection and response are immediate.
Conclusion
The top cybersecurity threats are generally a consequence of new technologies the public sector is either looking to implement or is already implementing. It is harder to know all the variables and potential vulnerabilities with anything new.
This isn’t to suggest that old technologies are more reliable, however. Like antivirus software, the virus definitions must be continually updated for the software to remain effective. The public sector needs to stay on the cutting edge of best practices.
The public sector must also remain agile in adapting to new threats, whether offering ongoing cybersecurity training, hiring skilled consultants to keep their new technological infrastructures in check, partnering with experienced cybersecurity service providers like Indusface, or otherwise.
In the private sector, hackers and cybercriminals are prone to leaving organizations with good security infrastructures alone. Because they often go after low-hanging fruit, hacking into a well-protected network is perceived as more trouble than it’s worth.
But the public sector is a different matter entirely. The government and government agencies have access to assets and data that criminals would love to get their hands on, even with the added trouble. So, even though the public sector is well protected, it will not stop cybercriminals from attempting to break in.
As it turns out, it’s not some AI-powered machine learning super virus or pernicious and anonymous cybercrime syndicate. It’s not the latest and greatest in botnets, malware, or spyware either.
Sure, these can be scary, and they are worth protecting against. The headlines report the increased volume and velocity of security threats every other day. The risk is real, and companies need to take cybersecurity seriously.
Just Look out for the Humans
But the greatest threat of all? Well, that would be humans. Look no further if you’re trying to identify your biggest cyber threats.
Humans: The Biggest Cyber Security Threats
When we say “humans,” you may assume we are talking about hackers and cybercriminals. After all, they are humans, too, right?
But no, we are talking about employees in your organization, not necessarily disgruntled or vengeful ones.
Verizon’s latest 2022 Data Breach Investigation Report showed that 82% of breaches involved the human element, including social attacks, errors, and misuse.
This is the 80/20 Rule (also known as the Pareto Principle) at work. In cybersecurity, 80% of your problems come from 20% of sources – in this case, human beings.
Whether using a weak, compromised password, clicking on a link in a phishing email, or accidentally setting sensitive cloud-based databases to “public,” your team is the weakest link in the chain.
Here’s a breakdown of the leading issues:
Credential problems account for nearly 50% of non-error, non-misuse breaches
Phishing accounts for nearly 20% of breaches
Nearly 20% of breaches are the result of misconfigured cloud accounts or emailing sensitive data to the wrong people
Vulnerability exploits account for less than 10% of attacks
The biggest cyber threats, therefore, cannot be prevented with a robust security technology infrastructure alone. Technology is critical but cannot always account for the human element.
3 Types of Internal Threats
The biggest security threat is the humans who make up your team. The majority are innocent, or at the very least well-meaning, but there are also those with malicious intent. Identifying the different types of internal threats is critical to your security plans.
These are the three types of internal threats to be aware of:
Unintentional. Employees with poor cybersecurity training and habits can unintentionally compromise an organization’s security by clicking on a malicious link, trusting a spoofed website with their credentials, offering sensitive data to the wrong person, or otherwise. Proper cybersecurity training is key to mitigating risk.
Malicious. The occasional disgruntled employee whose primary interest is personal or financial gain. Advanced technologies can help prevent internal threats such as these, but there is no way to read the minds of your employees, so as with cybersecurity in general, an ounce of prevention is worth a pound of cure.
Accomplice. Employees can also collude with cybercriminals or other external parties to steal information from your company for personal gain. Limiting access to key data is critical to preventing scenarios like the “Wolf of Manchester,” who made thousands by selling customer data from an insurance company.
How To Prevent the Biggest Cyber Security Attacks
It’s critical to understand that the same hackers exploiting software vulnerabilities also exploit human vulnerabilities. Cybercriminals have grown wiser about human psychology and are waiting at every turn to seize upon the unsuspecting.
So, you can’t simply reallocate your resources from vulnerability management to in-house training programs. The key is finding a meaningful balance where good cybersecurity practices are baked into your IT security infrastructure.
Preventing the biggest security threat will mean developing a cybersecurity culture in your organization. Blanket policies and procedures are helpful, but they can fall short. Creating an entire culture of cybersecurity will ensure that best practices and good habits are adopted by all.
Naturally, this will mean investing in training. These are the key topics that should be addressed:
Password management
Phishing attacks, how they work, how to avoid them
Encryption and digital signing
Authentication
Creating backups
Best practices in sending personal or sensitive information
Account access and privileges as well as oversight and management
Note that if you don’t have all the resources and personnel necessary to handle the training internally, you can hire an outside party to lead it.
Researchers from Cyble analyzed a new, highly evasive JavaScript skimmer used by Magecart threat actors.
Cyble Research & Intelligence Labs started its investigation after seeing a post on Twitter about a new JavaScript skimmer developed by the Magecart threat group and used to target Magento e-commerce websites.
In Magecart attacks against Magento e-stores, attackers attempt to exploit vulnerabilities in the popular CMS to gain access to the website's source code and inject malicious JavaScript. The malicious code is designed to capture payment data (cardholder's name, card number, CVV, and expiry date) from payment forms and checkout pages. It also performs checks to confirm that the data are in the expected format, for example by verifying the length of the entered values.
In this specific case, the researchers discovered that when a user visits the compromised website, the skimmer loads the payment overlay and asks the user to enter the payment information.
The skimmer is obfuscated and embedded in the JavaScript file “media/js/js-color.min.js”.
Once the victim has entered their payment data in the form, the JavaScript collects it and sends the Base64-encoded data to the URL embedded in the script using an HTTP POST request.
Cyble experts also noticed that, on execution, the JavaScript checks whether the browser's developer tools are open, in order to hinder analysis.
“Online shopping activity is constantly on the rise due to its ease of use, digital transformation, and the sheer convenience. Skimmer groups continue to infect e-commerce sites in large numbers and are improving their techniques to remain undetected.” concludes the report. “Historically, Magento e-commerce websites have been the most highly targeted victims of skimmer attacks. While using any e-commerce website, ensure that you only use known and legitimate platforms.”
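A defender's counterpart to the report above, added here as an example that is not code from Cyble or from Magento: a site owner keeps a SHA-256 manifest of the JavaScript assets they deployed, re-hashes what is actually being served, and for any file that was modified or added counts the indicators the report describes (Base64 encoding, an HTTP POST from the script, a developer-tools size check). The two asset files are constructed samples; the fragment appended to js-color.min.js is inert and exists only to carry those indicators, and the scoring threshold is an assumption.

```python
import hashlib
import re

# Constructed sample of a site's JavaScript assets as originally deployed
# (not the real js-color.min.js).
KNOWN_GOOD = {
    "media/js/js-color.min.js": 'function jsColor(e){return e.toLowerCase()}',
    "media/js/checkout.js": 'function validateCard(n){return n.replace(/\\s/g,"").length===16}',
}

# The same tree as currently served: js-color.min.js has had an inert, constructed
# fragment appended that carries the kinds of indicators described in the report.
DEPLOYED = dict(KNOWN_GOOD)
DEPLOYED["media/js/js-color.min.js"] += (
    ';(function(){if(window.outerWidth-window.innerWidth>160){return}'
    'fetch(u,{method:"POST",body:btoa(p)})})();'
)

# Behavioural indicators to look for in changed files. Each is weak on its own
# (legitimate code uses fetch and btoa too); several together in a file that
# was not supposed to change is what makes the finding interesting.
INDICATORS = {
    "base64 encoding of data": re.compile(r"\bbtoa\s*\("),
    "developer-tools size check": re.compile(r"outer(Width|Height)\s*-\s*window\.inner(Width|Height)"),
    "HTTP POST from script": re.compile(r"method\s*:\s*[\"']POST[\"']"),
    "network send": re.compile(r"\bfetch\s*\(|XMLHttpRequest|sendBeacon"),
}


def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_manifest(files: dict) -> dict:
    """Hash every asset at deployment time; store the manifest off the web server."""
    return {path: sha256_text(src) for path, src in files.items()}


def find_indicators(src: str) -> list:
    return [name for name, rx in INDICATORS.items() if rx.search(src)]


def audit(manifest: dict, deployed: dict, threshold: int = 2) -> list:
    """Compare served assets against the manifest and score anything that changed."""
    findings = []
    for path in sorted(set(manifest) | set(deployed)):
        if path not in deployed:
            findings.append({"path": path, "status": "missing",
                             "indicators": [], "suspicious": False})
            continue
        src = deployed[path]
        if path not in manifest:
            status = "added"
        elif sha256_text(src) != manifest[path]:
            status = "modified"
        else:
            continue  # unchanged: nothing to report
        hits = find_indicators(src)
        findings.append({"path": path, "status": status,
                         "indicators": hits, "suspicious": len(hits) >= threshold})
    return findings


if __name__ == "__main__":
    manifest = build_manifest(KNOWN_GOOD)
    for finding in audit(manifest, DEPLOYED):
        print(finding)
```

Running the audit from outside the web server (for example from a scheduled job that fetches the live assets) matters: a skimmer injected through a compromised CMS can also rewrite any check that lives on the same host.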
Documents allegedly belonging to an EU defense dealer include those relating to weapons used by Ukraine in its fight against Russia.
NATO is investigating the leak of data reportedly stolen from a European missile systems firm, which hackers have put up for sale on the Dark Web, according to a published report.
The leaked data includes blueprints of weapons used by Ukraine in its current war with Russia.
Integrated defense company MBDA Missile Systems, headquartered in France, has acknowledged that data from its systems is a part of the cache being sold by threat actors on hacker forums after what appears to be a ransomware attack.
Contradicting the cyberattackers’ claims in their ads, nothing up for grabs is classified information, MBDA said. It added that the data was acquired from a compromised external hard drive, not the company’s internal networks.
NATO, meanwhile, is “assessing claims relating to data allegedly stolen from MBDA,” a NATO official told Dark Reading on Monday.
“We have no indication that any NATO network has been compromised,” the official said.
Double Extortion
MBDA acknowledged in early August that it was “the subject of a blackmail attempt by a criminal group that falsely claims to have hacked the company’s information networks,” in a post on its website.
The company refused to pay the ransom and thus the data was leaked for sale online, according to the post.
Specifically, threat actors are selling 80GB of stolen data on both Russian- and English-language forums with a price tag of 15 bitcoins, which is about $297,279, according to a report from the BBC, which broke the news about the NATO investigation Friday. In fact, cybercriminals claim to already have sold data to at least one buyer.
NATO is investigating one of the firm’s suppliers as the possible source of the breach, according to the report. MBDA is a joint venture between three key shareholders: AirBus, BAE Systems, and Leonardo. Though the company operates out of Europe, it has subsidiaries worldwide, including MBDA Missile Systems in the United States.
The company is working with authorities in Italy, where the breach occurred.
MBDA reported $3.5 billion in revenue last year and counts NATO, the US military, and the UK Ministry of Defense among its customers.
Classified Info & Ukraine
Hackers claimed in their ad for the leaked data to have “classified information about employees of companies that took part in the development of closed military projects,” as well as “design documentation, drawings, presentations, video and photo materials, contract agreements, and correspondence with other companies,” according to the BBC.
Among the sample files in a 50-megabyte stash viewed by the BBC is a presentation appearing to provide blueprints of the Land Ceptor Common Anti-Air Modular Missile (CAMM), including the precise location of the electronic storage unit within it. One of these missiles was recently sent to Poland for use in the Ukraine conflict as part of the Sky Sabre system and is currently operational, according to the report.
This might provide a clue about the motive of the threat actors; advanced persistent threats (APTs) aligned with Russia began hitting Ukraine with cyberattacks even before Russia's official invasion on Feb. 24.
After the conflict on the ground began, threat actors continued to throttle Ukraine with a cyberwar to support the Russian military efforts.
The sample data viewed by the BBC also included documents labelled “NATO CONFIDENTIAL,” “NATO RESTRICTED,” and “Unclassified Controlled Information,” according to the report. At least one stolen folder contains detailed drawings of MBDA equipment.
The criminals also emailed documents to the BBC, including two marked “NATO SECRET,” according to the report. The hackers did not confirm whether the material had come from a single source or from more than one hacked source.
Nonetheless, MBDA insists that the verification processes that the company has executed so far “indicate that the data made available online are neither classified data nor sensitive.”
South Staffordshire in the UK has acknowledged it was targeted in a cyberattack, but Clop ransomware appears to be shaking down the wrong water company.
South Staffordshire plc, a UK water-supply company, has acknowledged it was the victim of a cyberattack. Around the same time, the Clop ransomware group started threatening Thames Water that it would release data it has stolen from the utility unless Thames Water paid up.
The problem? Thames Water wasn’t breached.
Apparently, Clop got its UK water companies confused.
South Staffordshire serves about 1.6 million customers and recently reported that it was targeted in a cyberattack and was “experiencing a disruption to our corporate IT network and our teams are working to resolve this as quickly as possible.” It added that there has been no disruption to service.
“This incident has not affected our ability to supply safe water, and we can confirm we are still supplying safe water to all of our Cambridge Water and South Staffs Water customers,” the water company said.
Meanwhile, Thames Water, the UK’s largest water supplier to more than 15 million people, was forced to deny it was breached by Clop ransomware attackers, who threatened they now had the ability to tamper with the water supply, according to reports.
“As providers of critical national infrastructure, we take the security of our networks and systems very seriously and are focused on protecting them, so that we can continue to provide resilient services to our customers and the environment,” the larger water company told the UK Mirror.
While Clop seems to have its records all wrong, both water utilities mounted capable responses to the ransomware group’s attack on critical infrastructure, according to Edward Liebig, global director of cyber ecosystem at Hexagon Asset Lifecycle Intelligence.
“I’m impressed by South Staffordshire Water’s ability to defend against the cyberattack in the IT systems and buffer the OT systems from impact,” Liebig said. “And had Thames Water not done an investigation of the ‘proof of compromise,’ they may very well have decided to negotiate further. In both instances, each organization did their due diligence.”
Microsoft’s announcement that it would block macros in Microsoft Office apps by default didn’t stop threat actors—they have simply resorted to new tricks.
“Threat actors across the landscape responded by shifting away from macro-based threats,” Proofpoint researchers noted in a blog post. In fact, an analysis of campaign data, “which include threats manually analyzed and contextualized,” showed that the use of VBA and XL4 macros fell by roughly 66% between October 2021 and June 2022.
“While Proofpoint observed a notable increase in other attachment types, macro-enabled documents are still used across the threat landscape,” the researchers wrote, explaining that the tactics, techniques and procedures (TTPs) have changed, with miscreants turning to use of container files—like ISO and RAR—and Windows Shortcut files to pass malware along, according to Proofpoint research.
Threat actors have long used VBA macros “to automatically run malicious content when a user has actively enabled macros in Office applications. XL4 macros are specific to the Excel application, but can also be weaponized by threat actors,” researchers pointed out. “Typically, threat actors distributing macro-enabled documents rely on social engineering to convince a recipient the content is important, and enabling macros is necessary to view it.”
Microsoft’s block keys on the Mark of the Web (MOTW), a Zone.Identifier alternate data stream that browsers, mail clients and other Windows applications attach to files downloaded from the internet; Office refuses to run macros in a document that carries it. But bad actors can sidestep MOTW by wrapping the document in a container file format.
By using container file formats like ISO (.iso), RAR (.rar), ZIP (.zip) and IMG (.img) files to send macro-enabled documents, “ … the ISO, RAR, etc. files will have the MOTW attribute because they were downloaded from the internet, but the document inside, such as a macro-enabled spreadsheet, will not,” researchers noted. “When the document is extracted, the user will still have to enable macros for the malicious code to automatically execute, but the file system will not identify the document as coming from the web.”
Attackers can also use container files to deliver payloads directly: when opened, the container can hold “additional content such as LNKs, DLLs or executable (.exe) files that lead to the installation of a malicious payload.”
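A worked illustration of the MOTW propagation gap described above, added here as an example and not part of Proofpoint’s research or tooling: it parses a Zone.Identifier stream, walks a ZIP attachment (including a nested ZIP), and treats every extracted member as inheriting the container’s zone, since the file system will not mark the children itself. The attachment contents, the zone stream text, the extension lists and all function names are constructed for this example; ISO, IMG, RAR and 7z members are flagged by extension only, because parsing them needs non-standard libraries.

```python
import io
import posixpath
import zipfile

# Inner file types that deserve attention when they arrive inside a container
# (constructed lists for this example; tune them to your environment).
MACRO_DOCS = {"doc", "xls", "docm", "dotm", "xlsm", "xlam", "xlsb", "pptm"}  # VBA / XL4 carriers
EXEC_LIKE = {"exe", "dll", "scr", "lnk", "hta", "js", "jse", "vbs", "wsf", "bat", "cmd", "ps1", "xll"}
CONTAINERS = {"zip", "iso", "img", "rar", "7z", "cab"}
MAX_DEPTH = 3  # stop recursing into zip-in-zip-in-zip chains


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the text of a Zone.Identifier alternate data stream.

    Windows stores MOTW as an INI-style stream:
        [ZoneTransfer]
        ZoneId=3
        HostUrl=https://...
    Returns the key/value pairs of the [ZoneTransfer] section ({} if absent).
    """
    values, section = {}, None
    for raw in stream_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def is_internet_origin(stream_text: str) -> bool:
    """ZoneId 3 is the Internet zone, 4 is Restricted Sites; both are untrusted."""
    return parse_zone_identifier(stream_text).get("ZoneId") in {"3", "4"}


def _ext(name: str) -> str:
    return posixpath.splitext(name)[1].lstrip(".").lower()


def _walk_zip(data: bytes, prefix: str, depth: int, findings: list) -> None:
    """Recurse through a ZIP, recording macro documents and executable-like members."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = _ext(info.filename)
            if ext == "zip" and depth < MAX_DEPTH:
                _walk_zip(zf.read(info), path + "/", depth + 1, findings)
            elif ext in CONTAINERS:
                # ISO/IMG/RAR/7z need third-party parsers; flag by extension only.
                findings.append({"path": path, "kind": "nested-container", "ext": ext})
            elif ext in MACRO_DOCS:
                findings.append({"path": path, "kind": "macro-document", "ext": ext})
            elif ext in EXEC_LIKE:
                findings.append({"path": path, "kind": "executable-like", "ext": ext})


def triage_attachment(filename: str, data: bytes, zone_stream: str) -> dict:
    """Decide how to treat an e-mail attachment given the MOTW stream of the outer file.

    The outer container carries Zone.Identifier; the extracted children usually do
    not. So the children's *effective* zone is inherited from the container, and a
    macro document pulled out of an internet-sourced ZIP is treated as internet-
    sourced even though nothing on disk says so.
    """
    outer_internet = is_internet_origin(zone_stream)
    findings: list = []
    if _ext(filename) == "zip":
        _walk_zip(data, "", 0, findings)
    elif _ext(filename) in CONTAINERS:
        findings.append({"path": filename, "kind": "nested-container", "ext": _ext(filename)})
    for f in findings:
        f["effective_internet_origin"] = outer_internet  # inherited, not stored on the child
    if outer_internet and any(f["kind"] != "nested-container" for f in findings):
        verdict = "block"   # macro doc / LNK / DLL delivered from the internet via a container
    elif findings:
        verdict = "review"  # risky content inside, but the origin is not marked as internet
    else:
        verdict = "allow"
    return {"attachment": filename, "internet_origin": outer_internet,
            "findings": findings, "verdict": verdict}


def build_sample_attachment() -> bytes:
    """Constructed sample: a ZIP holding a macro workbook, an LNK, a text file and a nested ZIP."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("update.dll", b"MZ placeholder, not a real DLL")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice.xlsm", b"PK placeholder, not a real workbook")
        zf.writestr("open_me.lnk", b"L\x00\x00\x00 placeholder, not a real shortcut")
        zf.writestr("readme.txt", b"nothing to see here")
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


# Constructed Zone.Identifier stream, as a browser writes it for a download.
SAMPLE_ZONE = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/invoice.zip\r\n"

if __name__ == "__main__":
    result = triage_attachment("invoice.zip", build_sample_attachment(), SAMPLE_ZONE)
    for f in result["findings"]:
        print(f"{f['kind']:18} {f['path']}")
    print("verdict:", result["verdict"])
```

Run as a script it lists the three flagged members (the .xlsm, the .lnk and the DLL inside the nested ZIP) and returns a "block" verdict; the same archive with an empty zone stream only gets "review". The point is that inheritance is applied at triage time rather than trusted to the file system, which is what an archive tool that does not propagate Zone.Identifier to extracted files silently breaks.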
“The change to block macros by default is a very good thing; has been suggested for years and it’s good Microsoft is finally doing it,” said Rob Jenks, SVP strategy and business at Tanium. He explained that “as with all security techniques, it’s not a silver bullet and attackers inevitably move on to the next attack pathway(s)—so the findings aren’t surprising.”
But “regarding the new attacks, there are other restrictions on not trusting zip content, so these other mechanisms throw more consent dialogs into the user’s face, potentially making a phishing attack less reliable,” Jenks said.
Alongside the two-thirds decrease in macro-enabled documents used as attachments in email-based threats, Proofpoint observed that “the number of campaigns leveraging container files including ISO and RAR, and Windows Shortcut (LNK) attachments increased nearly 175%,” the researchers said.
Proofpoint attributes the increase in part to the uptick in use of ISO and LNK files in campaigns. “Cybercriminal threat actors are increasingly adopting these as initial access mechanisms, such as actors distributing Bumblebee malware,” they said. “The use of ISO files increased over 150% between October 2021 and June 2022. More than half of the 15 tracked threat actors that used ISO files in this time began using them in campaigns after January 2022.”
Most notably, LNK files have emerged as a go-to for threat actors: at least 10 tracked actors have begun using them since February, and the number of campaigns containing LNK files has grown 1,675% since October 2021.
While fewer campaigns are using XL4 macros, Proofpoint did see a spike in macro use in March 2022, which researchers attributed to an uptick in high-volume campaigns by the TA542 actor delivering Emotet. “Typically, TA542 uses Microsoft Excel or Word documents containing VBA or XL4 macros,” the researchers wrote. “Emotet activity subsequently dropped off in April and it began using additional delivery methods including Excel Add-In (XLL) files and zipped LNK attachments in subsequent campaigns.”
The pivot away from macro-enabled documents toward ISO and other container formats matters because those formats sidestep Microsoft’s macro blocking. “Such filetypes can bypass Microsoft’s macro blocking protections, as well as facilitate the distribution of executables that can lead to follow-on malware, data reconnaissance and theft and ransomware,” said Proofpoint researchers, who called the change “one of the largest email threat landscape shifts in recent history.”
Proofpoint has also observed a slight increase in threat actors using HTML attachments to deliver malware. The number of malware campaigns using HTML attachments more than doubled from October 2021 to June 2022, but the overall number remains low. Proofpoint researchers also observed threat actors increasingly adopt HTML smuggling, a technique used to “smuggle” an encoded malicious file within a specially crafted HTML attachment or web page.
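An added example of what an HTML smuggling attachment looks like and how a mail gateway can spot it offline, not code from Proofpoint or from the page: a scanner that looks for the script constructs a smuggling page needs (base64 decode, Blob assembly, object URL, forced download) and decodes any long base64 run to identify the payload by its magic bytes. The sample page, the indicator list and the thresholds are constructed for this example; the payload is a fake ZIP header, not a real archive.

```python
import base64
import re

# Script constructs that HTML smuggling droppers typically combine
# (constructed list for this example; obfuscated samples will split these strings).
JS_INDICATORS = {
    "atob(": "base64 decode of an embedded string",
    "new Blob(": "payload assembled into a Blob",
    "createObjectURL(": "object URL created for the Blob",
    "msSaveOrOpenBlob": "legacy IE/Edge save-to-disk API",
    ".download =": "programmatic download attribute on an anchor",
    ".click()": "synthetic click to start the download",
}
# Long runs of the base64 alphabet: the smuggled payload itself.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
MAGIC = {b"MZ": "pe", b"PK\x03\x04": "zip", b"%PDF": "pdf", b"\x7fELF": "elf"}


def classify_payload(raw: bytes) -> str:
    """Identify a decoded blob by its leading magic bytes."""
    for magic, kind in MAGIC.items():
        if raw.startswith(magic):
            return kind
    return "unknown"


def scan_html(html: str) -> dict:
    """Return indicators, decoded payload types and a verdict for one HTML attachment."""
    indicators = [desc for token, desc in JS_INDICATORS.items() if token in html]
    payload_types = []
    for match in B64_RE.finditer(html):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:
            continue  # long alphanumeric run that is not valid base64
        payload_types.append(classify_payload(raw))
    score = len(indicators) + (2 if payload_types else 0)
    return {
        "indicators": indicators,
        "payload_types": payload_types,
        "score": score,
        "verdict": "suspicious" if score >= 3 else "clean",
    }


def build_sample_html() -> str:
    """Constructed sample: the pattern a smuggling page uses, with a fake ZIP header as payload."""
    payload = b"PK\x03\x04" + b"\x00" * 60  # looks like a ZIP, is not a real archive
    b64 = base64.b64encode(payload).decode()
    return f"""<html><body><p>Your document is loading, please wait...</p>
<script>
var data = "{b64}";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Invoice_2022.zip";
document.body.appendChild(a);
a.click();
</script></body></html>"""


BENIGN_HTML = "<html><body><h1>Quarterly report</h1><p>No script in this page.</p></body></html>"

if __name__ == "__main__":
    print(scan_html(build_sample_html()))
    print(scan_html(BENIGN_HTML))
```

The sample trips five of the six indicators and decodes to a "zip" payload, which is exactly the container-in-HTML chain the paragraph describes; the benign page scores zero. Token matching is deliberately simple: real droppers split and reassemble these strings, so a production rule would run the script through a JavaScript deobfuscator or sandbox first and use this only as a cheap first pass.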
American investigative reporter Emma Best knows how arduous it is to ask for information from government agencies.
She made more than 5,000 such requests during her career at MuckRock, a non-profit news site that publishes original government documents and conducts investigations based on them. Best was so persistent that the FBI temporarily banned her from filing any more information requests.
She found a way to cut through the government bureaucracy. Together with an anonymous partner known as The Architect, Best founded the whistleblower site Distributed Denial of Secrets (DDoSecrets) in 2018.
Since then, it has distributed hacked and leaked data from more than 200 entities, including U.S. law enforcement agencies, fascist groups, shell companies, tax havens, and the far-right social media sites Gab and Parler.
Unlike cybercriminals who sell hacked data on the darknet for personal gain, DDoSecrets says it exposes leaked information for the public good. “Secrets can be used for extortion by threatening to make it public, while public information can’t,” Best said.
Her website has become a go-to place for whistleblowers and hackers, especially given the absence of its most famous predecessor, WikiLeaks, which has been inactive for the last two years.
I’m proud to announce that the European Union Agency for Cybersecurity, ENISA, has released the Threat Landscape Methodology.
Policy makers, risk managers and information security practitioners need up-to-date and accurate information on the current threat landscape, supported by threat intelligence. The EU Agency for Cybersecurity (ENISA) Threat Landscape report has been published on an annual basis since 2013. The report uses publicly available data and provides an independent view on observed threat agents, trends and attack vectors.
ENISA aims to build on its expertise and enhance this activity so that its stakeholders receive relevant and timely information for policy creation, decision making and applying security measures, as well as for increasing knowledge and information within specialised cybersecurity communities or for establishing a solid understanding of the cybersecurity challenges related to new technologies.
The added value of ENISA cyberthreat intelligence efforts lies in offering updated information on the dynamically changing cyberthreat landscape. These efforts support risk mitigation, promote situational awareness and proactively respond to future challenges. Following the revised form of the ENISA Threat Landscape Report 2021, ENISA continues to further improve this flagship initiative. ENISA seeks to provide targeted as well as general reports, recommendations, analyses and other actions on future cybersecurity scenarios and threat landscapes, supported through a clear and publicly available methodology.
By establishing the ENISA Cybersecurity Threat Landscape (CTL) methodology, the Agency aims to set a baseline for the transparent and systematic delivery of horizontal, thematic, and sectorial cybersecurity threat landscapes. The following threat landscapes could be considered as examples.
Horizontal threat landscapes, such as the overarching ENISA Threat Landscape (ETL), a product which aims to cover holistically a wide-range of sectors and industries.
Thematic threat landscapes, such as the ENISA Supply Chain Threat Landscape, a product which focuses on a specific theme, but covers many sectors.
Sectorial threat landscapes, such as the ENISA 5G Threat Landscape, focus on a specific sector and provide more focused information for a particular constituent or target group.
Recognising the significance of reporting on the threat landscape systematically and methodically, ENISA has set up an ad hoc Working Group on Cybersecurity Threat Landscapes (CTL WG) consisting of experts from European and international public and private sector entities.
The scope of the CTL WG is to advise ENISA in designing, updating and reviewing the methodology for creating threat landscapes, including the annual ENISA Threat Landscape (ETL) Report. The WG enables ENISA to interact with a broad range of stakeholders for the purpose of collecting input on a number of relevant aspects. The overall focus of the methodological framework is the identification and definition of the process, methods, stakeholders and tools, as well as the various elements that, content-wise, constitute the Cybersecurity Threat Landscape (CTL).
You can download the ENISA Threat Landscape Methodology here:
During its bug hunting activity, Red Team Research (RTR) detected two zero-day bugs in GEMINI-NET, a RESI Informatica solution.
One is an OS command injection that NIST rated Critical, with a CVSSv3 score of 9.8. It stems from a failure to check the parameters sent as input before the server processes them.
Because user input is not validated, an attacker can break out of the syntax the software expects and inject arbitrary system commands, which run with the privileges of the application user.
RESI S.p.A. has for over thirty years been a technology partner of the largest Italian organizations, such as the Ministry of Defence, the Presidency of the Council of Ministers, the Italian Post Office, Leonardo, Ferrovie dello Stato, TIM and Italtel. RESI S.p.A. is also one of the few Italian companies that builds national technology.
Please note that patches for these specific vulnerabilities have been released by Resi.
What GEMINI-NET from Resi is
GEMINI-NET™ is a Resi product that allows active and passive monitoring of networks and communication services, used in many networks, both old and new generation. This platform is an OSS system that can be integrated, modular and scalable.
It monitors typical network services and infrastructure issues in real time and is able to optimize resources and data traffic on the network.
According to the project’s website https://www.gruppotim.it/redteam, once the vulnerabilities were identified, researchers Alessandro Bosco, Fabio Romano and Stefano Scipioni immediately started a Coordinated Vulnerability Disclosure (CVD) process led by Massimiliano Brolli, publishing only after the vendor had made fixes available.
Below are the details published on that website, together with the NIST rating.
CVE-2022-29539 – RESI S.p.A
Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection – CWE-78)
Software Version: 4.2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-29539
CVSSv3: 9.8
Severity: Critical
RESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., by concatenating shell metacharacters such as `, &, |, ; or a carriage return) and inject arbitrary system commands with the privileges of the application user.
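The vulnerable pattern behind a CWE-78 finding and its fix, as an added example: GEMINI-NET’s source is not public, so this is not RESI’s code but a generic Python illustration. The “reachability probe” feature, the `echo` stand-in for whatever command the real server runs, and all function names are assumptions made for the example. The unsafe version splices the user-controlled value into a shell string; the hardened version allow-lists the value as a hostname or IPv4 literal and passes it as a single argv element with no shell.

```python
import re
import subprocess

# Hypothetical "probe a target" feature of a network monitor. The real GEMINI-NET
# command is unknown, so `echo` stands in for it (assumption for this example).
BASE_COMMAND = ["echo", "pinging"]


# --- CWE-78 as the advisory describes it -------------------------------------
def build_unsafe_command(target: str) -> str:
    """The request parameter is glued into a shell command string unchecked."""
    return " ".join(BASE_COMMAND) + " " + target


def unsafe_probe(target: str) -> str:
    """shell=True hands the string to /bin/sh, so `;`, `&`, `|`, backticks or a
    carriage return in `target` terminate the intended command and start another."""
    return subprocess.run(build_unsafe_command(target), shell=True,
                          capture_output=True, text=True).stdout


def injected_commands(target: str) -> list:
    """Show what the shell would actually run: the unsafe string split on the
    separators an attacker uses. More than one entry means injection succeeded."""
    parts = re.split(r"[;&|\r\n]+", build_unsafe_command(target))
    return [p.strip() for p in parts if p.strip()]


# --- Hardened version ----------------------------------------------------------
# Allow-list: RFC 1123-style hostname labels or dotted decimals, 253 chars max.
TARGET_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
# Rejected explicitly so the error message names the real problem.
SHELL_META = set("`$&|;<>()\r\n\"'\\ ")


def validate_target(target: str) -> str:
    if any(ch in SHELL_META for ch in target):
        raise ValueError(f"shell metacharacter in target: {target!r}")
    if not TARGET_RE.match(target):
        raise ValueError(f"not a hostname or IPv4 address: {target!r}")
    return target


def safe_argv(target: str) -> list:
    """Validated target becomes exactly one argv element; no shell parses it."""
    return BASE_COMMAND + [validate_target(target)]


def safe_probe(target: str) -> str:
    return subprocess.run(safe_argv(target), capture_output=True, text=True).stdout


def rejects(target: str) -> bool:
    """True if the hardened path refuses this input."""
    try:
        safe_argv(target)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    attack = "10.0.0.5; echo INJECTED"
    print("unsafe ->", injected_commands(attack))   # two commands, the second attacker-chosen
    print(unsafe_probe(attack), end="")
    print("safe   ->", safe_argv("10.0.0.5"))
    print("rejected:", rejects(attack))
```

Two things are worth noting in the hardened path. The allow-list runs before the metacharacter check is even needed, so the latter exists only to produce a clearer error; and validation alone is not the fix, the argv list without `shell=True` is, because a value that somehow passes the regex still cannot change the command structure. Leading-dash inputs such as `-n` are also refused, which closes the argument-injection variant of the same bug.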
RTR is one of the few Italian centres of industrial research into security bugs; for a few years it has run “bug hunting” activities that search for undocumented vulnerabilities and lead to the issuance of a Common Vulnerabilities and Exposures (CVE) entry in the United States National Vulnerability Database once the Coordinated Vulnerability Disclosure (CVD) with the vendor is complete.
In two years of activity, the team has detected many 0-days in very popular products from big vendors such as Oracle, IBM, Ericsson, Nokia, Computer Associates, Siemens, QNAP, Johnson Controls and Schneider Electric, as well as from other vendors across different software architectures.
In two years, more than 70 CVEs have been published: 4 of them with Critical severity (CVSSv3 score 9.8), 23 with High severity and 36 with Medium severity.
For a vulnerability detected in Johnson Controls’ Metasys Reporting Engine (MRE) Web Services product, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued a dedicated security advisory listing as background the “CRITICAL INFRASTRUCTURE SECTORS, COUNTRIES/AREAS USED and COMPANY HEADQUARTERS”.
It is an all-Italian operation that issues a CVE roughly every 6 working days, contributing internationally to the search for undocumented vulnerabilities and to the security of products used by many organizations and individuals.