Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Threat Detection. Show all posts
Threat Detection
Compliance Cyber Security Cybersecurity Data Breach Network Security OT security Ransomware Threat Detection

Cybersecurity Threats Are Evolving: Seven Key OT Security Challenges

 

Cyberattacks are advancing rapidly, threatening businesses with QR code scams, deepfake fraud, malware, and evolving ransomware. However, strengthening cybersecurity measures can mitigate risks. Addressing these seven key OT security challenges is essential.

Insurance broker Howden reports that U.K. businesses lost $55 billion to cyberattacks in five years. Basic security measures could save $4.4 million over a decade, delivering a 25% ROI.

Experts at IDS-INDATA warn that outdated OT systems are prime hacker entry points, with 60% of breaches stemming from unpatched systems. Research across industries identifies seven major OT security challenges.

Seven Critical OT Security Challenges

1. Ransomware & AI-Driven Attacks
Ransomware-as-a-Service and AI-powered malware are escalating threats. “The speed at which attack methods evolve makes waiting to update your defences risky,” says Ryan Cooke, CISO at IDS-INDATA. Regular updates and advanced threat detection systems are vital.

2. Outdated Systems & Patch Gaps
Many industrial networks rely on legacy systems. “We know OT is a different environment from IT,” Cooke explains. Where patches aren’t feasible, alternative mitigation is necessary. Regular audits help address vulnerabilities.

3. Lack of OT Device Visibility
Limited visibility makes networks vulnerable. “Without visibility over your connected OT devices, it’s impossible to secure them,” says Cooke. Asset discovery tools help monitor unauthorized access.

4. Growing IoT Complexity
IoT expansion increases security risks. “As more IoT and smart devices are integrated into industrial networks, the complexity of securing them grows exponentially,” Cooke warns. Prioritizing high-risk devices is essential.

5. Financial & Operational Risks
Breaches can cause financial losses, production shutdowns, and life-threatening risks. “A breach in OT environments can cause financial loss, shut down entire production lines, or, in extreme cases, endanger lives,” Cooke states. A strong incident response plan is crucial.

6. Compliance with Evolving Regulations
Non-compliance with OT security regulations leads to financial penalties. Regular audits ensure adherence and minimize risks.

7. Human Error & Awareness Gaps
Misconfigured security settings remain a major vulnerability. “Investing in cybersecurity awareness training for your OT teams is critical,” Cooke advises. Security training and monitoring help prevent insider threats.

“Proactively addressing these points will help significantly reduce the risk of compromise, protect critical infrastructure, ensure compliance, and safeguard against potentially severe disruptions,” Cooke concluded. 

Moreover, cyberattacks will persist regardless, but proactively addressing these challenges significantly improves the chances of defending against them.
Read more »
Threat Detection
2024 Authentication Cyber Fraud CyberCrime Cybersecurity Mamba 2FA MFA phishing phishing-as-a-service SEKOIA Telegram Threat Detection

Mamba 2FA Emerges as a New Threat in Phishing Landscape

 

In the ever-changing landscape of phishing attacks, a new threat has emerged: Mamba 2FA. Discovered in late May 2024 by the Threat Detection & Research (TDR) team at Sekoia, this adversary-in-the-middle (AiTM) phishing kit specifically targets multi-factor authentication (MFA) systems. Mamba 2FA has rapidly gained popularity in the phishing-as-a-service (PhaaS) market, facilitating attackers in circumventing non-phishing-resistant MFA methods such as one-time passwords and app notifications.

Initially detected during a phishing campaign that imitated Microsoft 365 login pages, Mamba 2FA functions by relaying MFA credentials through phishing sites, utilizing the Socket.IO JavaScript library to communicate with a backend server. According to Sekoia's report, “At first, these characteristics appeared similar to the Tycoon 2FA phishing-as-a-service platform, but a closer examination revealed that the campaign utilized a previously unknown AiTM phishing kit tracked by Sekoia as Mamba 2FA.” 

The infrastructure of Mamba 2FA has been observed targeting Entra ID, third-party single sign-on providers, and consumer Microsoft accounts, with stolen credentials transmitted directly to attackers via Telegram for near-instant access to compromised accounts.

A notable feature of Mamba 2FA is its capacity to adapt to its targets dynamically. For instance, in cases involving enterprise accounts, the phishing page can mirror an organization’s specific branding, including logos and background images, enhancing the believability of the attack. The report noted, “For enterprise accounts, it dynamically reflects the organization’s custom login page branding.”

Mamba 2FA goes beyond simple MFA interception, handling various MFA methods and updating the phishing page based on user interactions. This flexibility makes it an appealing tool for cybercriminals aiming to exploit even the most advanced MFA implementations.

Available on Telegram for $250 per month, Mamba 2FA is accessible to a broad range of attackers. Users can generate phishing links and HTML attachments on demand, with the infrastructure shared among multiple users. Since its active promotion began in March 2024, the kit's ongoing development highlights a persistent threat in the cybersecurity landscape.

Research from Sekoia underscores the kit’s rapid evolution: “The phishing kit and its associated infrastructure have undergone several significant updates.” With its relay servers hosted on commercial proxy services, Mamba 2FA effectively conceals its true infrastructure, thereby minimizing the likelihood of detection.

Read more »
training
Awareness Cyber Security Cybersecurity employee engagement proactive culture Threat Detection training

Fostering Cybersecurity Culture: From Awareness to Action

 

The recent film "The Beekeeper" opens with a portrayal of a cyberattack targeting an unsuspecting victim, highlighting the modern challenges posed by technology-driven crimes. The protagonist, Adam Clay, portrayed by Jason Statham, embarks on a mission to track down the perpetrators and thwart their ability to exploit others through cybercrimes.

While security teams may aspire to emulate Clay's proactive approach, physical prowess and combat skills are not within their realm. Instead, prioritizing awareness becomes paramount. Educating the workforce proves to be a formidable task but stands as the most effective defense against individual-targeted threats. New training methodologies integrate traditional techniques, emphasizing adaptability over repetition.

In cybersecurity, the technology operates predictably, unlike humans. Recognizing this distinction underscores the necessity for personalized training during onboarding processes. Interactive training acknowledges the complexity of human behavior, emphasizing adaptability to address evolving threats and individual learning preferences. Unlike automated methods, personalized approaches can swiftly adjust to cater to unique challenges and learner needs, fostering a deeper understanding of security practices.

Organizations must evaluate their readiness to combat AI-based threats, considering that human error contributes to the majority of data breaches. Prioritizing education and resource allocation towards cultivating an informed workforce emerges as a critical strategy. Utilizing security champions and fostering collaboration among teams are advocated over solely relying on automation.

Establishing a robust cybersecurity culture involves encouraging employees to share their personal experiences with security incidents openly. Storytelling proves to be a powerful tool in imparting valuable security lessons, promoting a sense of community, and normalizing discussions around cybersecurity.

Testing and monitoring employee responses are crucial aspects of assessing the effectiveness of security programs. Conducting simulated phishing or smishing attacks allows organizations to gauge employee awareness and readiness to detect and report potential threats. Active engagement and communication among staff members indicate the success of the security program in fostering a proactive security culture.

Moreover, while we may not engage in the direct confrontation depicted in "The Beekeeper," building a resilient security culture through awareness remains our primary defense against cybercrime. Encouraging employee participation, personalized training, and proactive testing are pivotal in equipping individuals to identify and mitigate potential threats effectively. The benefits of these strategies extend beyond the workplace, empowering individuals to navigate the digital landscape safely in both personal and professional spheres, and contributing to a safer online environment for all.
Read more »
Vulnerabilities and Exploits
Breach data security IT Companies Threat Detection Vulnerabilities and Exploits

End-User Risks: Enterprises on Edge Amid Growing Concerns of the Next Major Breach

 

The shift to remote work has been transformative for enterprises, bringing newfound flexibility but also a myriad of security challenges. Among the rising concerns, a prominent fear looms large - the potential for end-users to inadvertently become the cause of the next major breach. 

As organizations grapple with this unsettling prospect, the need for a robust security strategy that addresses both technological and human factors becomes increasingly imperative. Enterprises have long recognized that human error can be a significant factor in cybersecurity incidents. However, the remote work surge has amplified these concerns, with many organizations now expressing heightened apprehension about the potential for end-users to inadvertently compromise security. 

A recent report highlights that this fear is not unfounded, as enterprises increasingly worry that employees may become the weak link in their cybersecurity defenses. The complexity of the remote work landscape adds a layer of difficulty to security efforts. Employees accessing sensitive company data from various locations and devices create a broader attack surface, making it challenging for IT teams to maintain the same level of control and visibility they had within the confines of the corporate network. 

This expanded attack surface has become a breeding ground for cyber threats, and organizations are acutely aware that a single unintentional action by an end-user could lead to a major breach. Phishing attacks, in particular, have become a prevalent concern. Cybercriminals have adeptly adapted their tactics to exploit the uncertainties surrounding the pandemic, capitalizing on the increased reliance on digital communication channels. End-users, potentially fatigued by the constant influx of emails and messages, may unwittingly click on malicious links or download infected attachments, providing adversaries with a foothold into the organization's systems. 

While end-users can be the first line of defense, their actions, if not adequately guided and secured, can also pose a significant risk. Enterprises are grappling with the need to strike a delicate balance between enabling a seamless remote work experience and implementing stringent security measures that mitigate potential threats arising from end-user behavior. Education and awareness emerge as critical components of the solution. Organizations must invest in comprehensive training programs that equip employees with the knowledge and skills to identify and thwart potential security threats. 

Regularly updated security awareness training can empower end-users to recognize phishing attempts, practice secure online behavior, and promptly report any suspicious activity. Moreover, enterprises need to implement advanced cybersecurity technologies that provide an additional layer of protection. AI-driven threat detection, endpoint protection, and multi-factor authentication are crucial elements of a modern cybersecurity strategy. These technologies not only bolster the organization's defenses but also alleviate some of the burdens placed on end-users to be the sole gatekeepers of security. 

Collaboration between IT teams and end-users is paramount. Establishing open communication channels encourages employees to report security incidents promptly, enabling swift response and mitigation. Additionally, organizations should foster a culture of cybersecurity responsibility, emphasizing that every employee plays a crucial role in maintaining a secure digital environment. As the remote work landscape continues to evolve, enterprises must adapt their cybersecurity strategies to address the shifting threat landscape. 

The concerns about end-users being the potential cause of the next major breach underscore the need for a holistic approach that combines technological advancements with ongoing education and collaboration. By fortifying the human element of cybersecurity, organizations can navigate the complexities of remote work with confidence, knowing that their employees are not unwittingly paving the way for the next significant security incident.
Read more »
Threat Detection
communication protocol Cyber Security cybersecurity playbook incident response plan ransomware attacks security response tactics Threat Detection

The Essential Role of a Cybersecurity Playbook for Businesses

 

In the realm of sports, playbooks serve as strategic roadmaps. A similar concept applies to cybersecurity, where an updated security playbook, also known as an incident response plan, equips IT teams with a targeted strategy to mitigate risks in the event of an attack.

However, a significant number of companies lack a comprehensive security playbook. Instead, they resort to ad hoc responses that offer short-term relief but fail to address the underlying issues. Surprisingly, 36 percent of midsized companies don't have a formal incident response plan, and while most back up their data, 58 percent don't perform daily backup testing.

This article delves into the crucial elements that companies should incorporate into their cybersecurity playbook, emphasizes the importance of regular updates, and underscores the necessity of having a playbook in place prior to a security incident.

Inclusion Criteria for a Cybersecurity Playbook

Recent data reveals that over 72 percent of global firms have encountered ransomware attacks in the past year. These attacks often stem from spam emails and malicious links that compromise staff accounts. Consequently, it is imperative for companies to be proactive rather than reactive. A well-structured security playbook should encompass:

1. Assignment of Responsibilities: Clearly defining which team members are tasked with specific duties, such as identifying attack vectors, pinpointing compromise points, and isolating critical systems.

2. Communication Protocol: Establishing a streamlined communication chain for notifying the right individuals promptly when an attack occurs. This chain should be regularly updated.

3. Contingency Plans: Anticipating scenarios where key personnel may be unavailable due to illness, vacation, or departure from the company. Playbooks should incorporate backup plans for such situations.

4. Incident Handling Procedures: Detailing the process for addressing specific incidents like stolen credentials, ransomware attacks, or compromised endpoints. This encompasses detection, identification, and remediation steps.

Maintaining the Currency of Your Cybersecurity Playbook

Just as threat actors evolve their tactics, incident response plans must also adapt. For instance, cyber attackers recently exploited a fake Windows update to compromise business and government devices. Security playbooks should be regularly reviewed quarterly and updated annually to ensure they address contemporary threats effectively. Conducting simulated attacks to assess the playbook's efficacy is also advisable.

Furthermore, playbooks serve a dual purpose – not only for incident response but also as a requirement for cybersecurity insurance. Companies should update their response plans when integrating new technologies, such as deploying public cloud services, which introduce new connections and potential attack surfaces.

The Significance of Crafting a Security Playbook

While businesses can create their own security playbooks, this can be a time-consuming endeavor, particularly for smaller companies with limited IT resources or large enterprises operating internationally.

CDW offers incident response services that assist companies in tailoring custom playbooks to their specific needs. Access to CDW statement-of-work services is provided at no cost, outlining the defensive actions CDW can take to support a company in the event of an incident, along with associated fees.

For a comprehensive approach, organizations can opt for paid services, which encompass an incident response program and playbook development, readiness assessments, and tabletop exercises.

In the face of corporate network breaches, swift and well-prepared action is paramount. An in-depth security playbook ensures readiness and equips companies to navigate the challenges that arise.
Read more »
Threat Detection
2023 Global Threat Report CrowdStrike Cyber Crime Data Extortion Ransomware ransomware attacks Threat Detection

CrowdSrike: Cybercriminals Are Choosing Data Extortion Over Ransomware Attacks


CrowdStrike’s threat intelligence recently reported that cybercriminals have been learning how data extortion attacks are more profitable than ransomware attacks, leading to a drastic shift in the behavior of cyber activities throughout 2022. 

The cybersecurity vendor's "2023 Global Threat Report," which summarizes CrowdStrike's research on cybercrime (or "e-Crime") from the previous year, was released this week. The report's major sections address ongoing geopolitical disputes, cloud-related attacks, and extortion attacks without the use of software. 

One of the major findings from the CrowdStrike research is that the number of malicious actors who conducted data theft and extortion attacks without the use of ransomware increased by 20% in 2022 compared to the previous year. Data extortion is the practice of obtaining confidential information from target companies and then threatening to post the information online if the victim does not provide the ransom demanded by the attacker. 

Data extortion has frequently been a part of ransomware operations, with the fear of data exposure intended to provide additional incentive for the victim to pay the demanded ransom. However, as per the CrowdStrike findings, more attackers are now inclining toward data extortion, while abandoning the ransomware element altogether. 

Adam Meyers, head of intelligence at CrowdStrike says that “We’re seeing more and more threat actors moving away from ransomware[…]Ransomware is noisy. It attracts attention. It’s detectable. Encryption is complex.” 

According to Meyers, the rise in extortion addresses the adaptability of cyber adversaries. He further adds that while ransom payments were down slightly in 2022, both extortion and ransomware-as-a-service (RaaS) have witnessed a significant boost. 

CrowdStrike observed and noted the overall waning interest in malware. The firm reported that in 2022, up from 62% in 2021, malware-free activity accounted for 71% of its threat detections. 

"This was partly related to adversaries' prolific abuse of valid credentials to facilitate access and persistence in victim environments[…]Another contributing factor was the rate at which new vulnerabilities were disclosed and the speed with which adversaries were able to operationalize exploits," the report said. 

While also noting the improved resilience of the RaaS network, CrowdStrike stated that affiliated hackers will continue to be a major concern as they move from one network to another despite the move away from conventional ransomware deployment.  

Read more »
Vaccine
APT Group Cobalt Strike Cyberattack hacking groups Healthcare malware Threat Detection Vaccine

Threat Actors Targeting Vaccine Manufacturing Facility with Tardigrade Malware

 

Biomanufacturing facilities in the US are being actively targeted by an anonymous hacking group leveraging a new custom malware called ‘Tardigrade’. 

In a new threat advisory, the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) claimed this week that the first attack was launched using this new malware in spring 2021, followed by the second assault in October.

 New malware strain

According to BIO-ISAC, Tardigrade possesses advanced features and is supposedly the work of an advanced threat detection group or a nation-state intelligence service. The malware is primarily used for espionage though it can also cause other issues including network outages. The recent assaults are also believed to be linked to Covid-19 research as the pandemic has shown just how crucial biomanufacturing research is when creating vaccines and other drugs. 

Tardigrade’s functionality includes a Trojan, keylogger, data theft, and also establishes a backdoor into targeted systems. There is some debate regarding the origins of the code used in Tardigrade as BIO-ISAC believes the malware is based on Smoke Loader, a Windows-based backdoor operated by a hacking group called Smoky Spider. However, security researchers that spoke with Bleeping Computer believe that it is a form of the Cobalt Strike HTTP. 

“The biomanufacturing industry along with other verticals are so far behind in cybersecurity, making them a prime target for bad actors. Cyberattacks mostly happen to those that provide easy access or least path of resistance,” George Gerchow, chief security officer of machine data analytics company Sumo Logic Inc., told SiliconANGLE. 

“This is a blatant example of how attackers are focusing on human health during a time of high anxiety, and bioscience is an easy target. The industry is going to have to move quickly to put proper cyber security controls in place. It is going to be a huge mountain for them to climb as some of the companies in the industry have antiquated technology, lacked the proper skill sets, and relied too much on legacy security tools,” Gerchow added. 

The BIO-ISAC report recommends the following steps for biomanufacturing sites that will enhance the security and response postures (i) Scan your biomanufacturing network segmentation, (ii)  Collaborate with biologists and automation experts to design a full-proof analysis for your firm, (iii) Employ antivirus with behavioral analysis capabilities, (iv) Participate in phishing detection training (v) Stay vigilant.
Read more »
Threat Detection
Authentication Keys Cyber Security email security Google Journalists Russian APT Security Keys Threat Detection

Google: Russian APT Targeting Journalists and Politicians

 

On October 7, 14,000 Google customers were informed that they were potential targets of Russian government-backed threat actors. The next day, the internet giant released cybersecurity upgrades, focusing on high-profile users' email accounts, such as politicians and journalists. 

APT28, also known as Fancy Bear, a Russian-linked threat organisation, has allegedly increased its efforts to target high-profile people. According to MITRE ATT&CK, APT28 has been operating on behalf of Russia's General Staff Main Intelligence Directorate 85th Main Special Service Center military unit 26165 since at least 2004. 

This particular operation, discovered in September, prompted a Government-Backed Attack alert to Google users this week, according to Shane Huntley, head of Google's Threat Analysis Group, or TAG, which handles state-sponsored attacks. 

Huntley verified that Gmail stopped and categorised the Fancy Bear phishing operation as spam. Google has advised targeted users to sign up for its Advanced Protection Program for all accounts. 

Erich Kron, a former security manager for the U.S. Army’s 2nd Regional Cyber Center, told ISMG: "Nation-state-backed APTs are nothing new and will continue to be a significant menace … as cyber warfare is simply a part of modern geopolitics."

Huntley said on Thursday in his Twitter thread, "TAG sent an above-average batch of government-backed security warnings. … Firstly these warnings indicate targeting NOT compromise. … The increased numbers this month come from a small number of widely targeted campaigns which were blocked." 

"The warning really mostly tells people you are a potential target for the next attack so, now may be a good time to take some security actions. … If you are an activist/journalist/government official or work in NatSec, this warning honestly shouldn't be a surprise. At some point some govt. backed entity probably will try to send you something."

Google's Security Keys 

Following the news of Fancy Bear's supposed targeting of high-profile individuals, Google stated in a blog post that cybersecurity functionalities in its APP programme will safeguard against certain attacks and that it was collaborating with organisations to distribute 10,000 free security keys to higher-profile individuals. The keys are two-factor authentication devices tapped by users during suspicious logins. 

According to Grace Hoyt, Google's partnerships manager, and Nafis Zebarjadi, its product manager for account security, Google's APP programme is updated to adapt to evolving threats - it is accessible to users, but is suggested for elected officials, political campaigns, activists, and journalists. It protects from phishing, malware, harmful downloads, and unwanted access. 

Alvarado, currently the threat intelligence team lead at the security firm Digital Shadows stated, "Although Google's actions are certainly a step in the right direction … the old saying, 'Where there is a will, there is a way,' still applies. … These [security] keys will undoubtedly make an attacker's job more difficult, but there are plenty of other options and vulnerabilities for [threat actors] to achieve their goals. 

KnowBe4's Kron alerted, "These security keys, while useful in their own limited scope, do not stop phishing emails from being successful. They only help when an attacker already has access to, or a way to bypass, the username and password for the email account being targeted." 

Global Partnerships 

Google stated it has partnered with the International Foundation for Electoral Systems, the UN Women Generation Equality Action Coalition for Technology and Innovation; and the nonprofit, nonpartisan organisation Defending Digital Campaigns in its initiatives to distribute 10,000 security keys. Google claims that as part of its partnership with the IFES, it has sent free security keys to journalists in the Middle East and female activists throughout Asia. 

Google stated it is giving security training through UN Women for UN chapters and groups that assist women in media, politics, and activism, as well as those in the C-suite. 

2FA Auto-Enrollment 

In a blog post on October 5, Google's group product manager for Chrome, AbdelKarim Mardini, and Guemmy Kim, Google's director of account security and safety, wrote that by the end of 2021, Google also aims to auto-enrol 150 million additional users in two-factor authentication - and require 2 million YouTubers to do the same. 

"We know that having a second form of authentication dramatically decreases an attacker's chance of gaining access to an account," Mardini and Kim wrote. 

"Two-step verification [is] one of the most reliable ways to prevent unauthorized access," Google said in May that it will soon begin automatically enrolling customers in 2-Step Verification if their accounts were configured correctly. 

This week, Google announced that it is auto-enrolling Google accounts with "proper backup mechanisms in place" to move to 2SV.
Read more »
Subscribe to: Posts (Atom)