Search This Blog

Powered by Blogger.

Blog Archive

Labels

About Me

Showing posts with label Threat Intelligence. Show all posts

Nearly Half of Companies Lack AI-driven Cyber Threat Plans, Report Finds

 

Mimecast has discovered that over 55% of organisations do not have specific plans in place to deal with AI-driven cyberthreats. The cybersecurity company's most recent "State of Human Risk" report, which is based on a global survey of 1,100 IT security professionals, emphasises growing concerns about insider threats, cybersecurity budget shortages, and vulnerabilities related to artificial intelligence. 

According to the report, establishing a structured cybersecurity strategy has improved the risk posture of 96% of organisations. The threat landscape is still becoming more complicated, though, and insider threats and AI-driven attacks are posing new challenges for security leaders. 

“Despite the complexity of challenges facing organisations—including increased insider risk, larger attack surfaces from collaboration tools, and sophisticated AI attacks—organisations are still too eager to simply throw point solutions at the problem,” stated Mimecast’s human risk strategist VP, Masha Sedova. “With short-staffed IT and security teams and an unrelenting threat landscape, organisations must shift to a human-centric platform approach that connects the dots between employees and technology to keep the business secure.” 

95% of organisations use AI for insider risk assessments, endpoint security, and threat detection, according to the survey, but 81% are concerned regarding data leakage from generative AI (GenAI) technology. In addition to 46% not being confident in their abilities to defend against AI-powered phishing and deepfake threats, more than half do not have defined tactics to resist AI-driven attacks.

Data loss from internal sources is expected to increase over the next year, according to 66% of IT leaders, while insider security incidents have increased by 43%. The average cost of insider-driven data breaches, leaks, or theft is $13.9 million per incident, according to the research. Furthermore, 79% of organisations think that the increased usage of collaboration technologies has increased security concerns, making them more vulnerable to both deliberate and accidental data breaches. 

With only 8% of employees accountable for 80% of security incidents, the report highlights a move away from traditional security awareness training and towards proactive Human Risk Management. To identify and eliminate threats early, organisations are implementing behavioural analytics and AI-driven surveillance. A shift towards sophisticated threat detection and risk mitigation techniques is seen in the fact that 72% of security leaders believe that human-centric cybersecurity solutions will be essential over the next five years.

Terror Ourfits Are Using Crypto Funds For Donations in India: TRM Labs

 

Transaction Monitoring (TRM) Labs, a blockchain intelligence firm based in San Francisco and recognised by the World Economic Forum, recently published a report revealing the links between the Islamic State Khorasan Province (ISKP) and ISIS-affiliated fund-collecting networks in India. ISKP, an Afghan terrorist outfit, is reportedly using the cryptocurrency Monero (XMR) to gather funds.

Following the departure of US soldiers from Afghanistan, the ISKP terrorist group garnered significant attention. The "TRM Labs 2025 Crypto Crime Report," published on February 10th, focusses on unlawful cryptocurrency transactions in 2024. According to the reports, illicit transactions have fallen by 24% compared to 2023. 

The "TRM Labs 2025 Crypto Crime Report," published on February 10th, focusses on illicit cryptocurrency transactions in 2024. According to the reports, illicit transactions have fallen by 24% compared to 2023. However, it also emphasises the evolving techniques employed by terrorist organisations. 

TRM Labs' report uncovered on-chain ties between ISKP-affiliated addresses and covert fundraising campaigns in India. The on-chain link is a component of the Chainlink network that runs directly on a blockchain, featuring smart contracts that handle data requests and connect to off-chain oracles. The TRM report states that the ISKP has begun receiving donations in Monero (XMR). 

News reports state that Voice of Khorasan, a periodical created by ISKP's media branch, al-Azaim, announced the commencement of the organization's first donation drive in support of Monero. Since then, Monero's fundraising activities have consistently included requests for donations. 

According to the report, ISKP and other terrorist organisations are favouring Monero more and more because of its blockchain anonymity capabilities. Monero is now worth ₹19,017.77. This powerful privacy tool aids in transaction concealment. However, the report emphasises that terrorist groups will choose more stable cryptocurrencies over Monero money for the foreseeable future due to its volatility and possible crackdowns. 

Furthermore, reliance on cryptocurrency mixers and unidentified wallets has risen. The primary venues for exchanging guidance on best practices and locating providers with the highest security requirements are now online forums. Fake proofs are being used by people to get over Know Your Customer (KYC) rules enforced by exchanges, which makes it challenging for law enforcement to follow the illicit transactions. 

In contrast to Bitcoin and other well-known digital assets, Monero gained attention for its sophisticated privacy features that make transactions trickier to identify. Because of this, they are a tempting option for people who engage in illicit financial activity.

North Korean Hackers Exploit ZIP Files in Sophisticated Cyber Attacks

 

State-sponsored hacking group APT37 (ScarCruft) is deploying advanced cyber-espionage tactics to infiltrate systems using malicious ZIP files containing LNK shortcuts. These files are typically disguised as documents related to North Korean affairs or trade agreements and are spread through phishing emails.

Once opened, the attack unfolds in multiple stages, leveraging PowerShell scripts and batch files to install the RokRat remote access Trojan (RAT) as the final payload.

The infection starts with carefully crafted phishing emails, often using real information from legitimate websites to enhance credibility. These emails contain malicious ZIP attachments housing LNK files. When executed, the LNK file verifies its directory path, relocating itself to %temp% if necessary.

It then extracts multiple components, including:

-A decoy HWPX document
-A batch script (shark.bat)

Additional payloads like caption.dat and elephant.dat
The shark.bat script executes PowerShell commands discreetly, launching the elephant.dat script, which decrypts caption.dat using an XOR key. The decrypted content is then executed in memory, ultimately deploying RokRat RAT.

Once active, RokRat collects detailed system information, such as:
  • Operating system version
  • Computer name
  • Logged-in user details
  • Running processes
  • Screenshots of the infected system
The stolen data is then exfiltrated to command-and-control (C2) servers via legitimate cloud services like pCloud, Yandex, and Dropbox, utilizing their APIs to send, download, and delete files while embedding OAuth tokens for stealthy communication.

RokRat also allows attackers to execute remote commands, conduct system reconnaissance, and terminate processes. To avoid detection, it implements anti-analysis techniques, including:
  • Detecting virtual environments via VMware Tools
  • Sandbox detection by creating and deleting temporary files
  • Debugger detection using IsDebuggerPresent
The malware ensures secure communication by encrypting data using XOR and RSA encryption, while C2 commands are received in AES-CBC encrypted form, decrypted locally, and executed on the compromised system. These commands facilitate data collection, file deletion, and malware termination.

By leveraging legitimate cloud services, RokRat seamlessly blends into normal network traffic, making detection more challenging.

“This sophisticated approach highlights the evolving tactics of APT37, as they continue to adapt and expand their operations beyond traditional targets, now focusing on both Windows and Android platforms through phishing campaigns.”

As APT37 refines its cyberattack strategies, organizations must remain vigilant against such persistent threats and enhance their cybersecurity defenses.

Quantum Computers Threaten to Breach Online Security in Minutes

 

A perfect quantum computer could decrypt RSA-2048, our current strongest encryption, in 10 seconds. Quantum computing employs the principle of quantum physics to process information using quantum bits (qubits) rather than standard computer bits. Qubits can represent both states at the same time, unlike traditional computers, which employ bits that are either 0 or 1. This capacity makes quantum computers extremely effective in solving complicated problems, particularly in cryptography, artificial intelligence, and materials research. 

While this computational leap opens up incredible opportunities across businesses, it also raises serious security concerns. When quantum computers achieve their full capacity, they will be able to break through standard encryption methods used to safeguard our most sensitive data. While the timescale for commercial availability of fully working quantum computers is still uncertain, projections vary widely.

The Boston Consulting Group predicts a significant quantum advantage between 2030 and 2040, although Gartner believes that developments in quantum computing could begin to undermine present encryption approaches as early as 2029, with complete vulnerability by 2034. Regardless of the precise timetable, the conclusion is unanimous: the era of quantum computing is quickly approaching. 

Building quantum resilience 

To address this impending threat, organisations must: 

  • Adopt new cryptographic algorithms that are resistant against impending quantum attacks, such as post-quantum cryptography (PQC). The National Institute of Standards and Technology (NIST) recently published its first set of PQC algorithm standards (FIPS 203, FIPS 204, and FIPS 205) to assist organisations in safeguarding their data from quantum attacks. 
  • Upgrades will be required across the infrastructure. Develop crypto agility to adapt to new cryptographic methods without requiring massive system overhauls as threats continue to evolve. 

This requires four essential steps: 

Discover and assess: Map out where your organisation utilises cryptography and evaluate the quantum threats to its assets. Identify the crown jewels and potential business consequences. 

Strategise: Determine the current cryptography inventory, asset lives against quantum threat timelines, quantum risk levels for essential business assets, and create an extensive PQC migration path. 

Modernise: Implement quantum-resilient algorithms while remaining consistent with overall company strategy.

Enhance: Maintain crypto agility by providing regular updates, asset assessments, modular procedures, continual education, and compliance monitoring. 

The urgency to act 

In the past, cryptographic migrations often took more than ten years to finish. Quantum-resistant encryption early adopters have noticed wide-ranging effects, such as interoperability issues, infrastructure rewrites, and other upgrading challenges, which have resulted in multi-year modernisation program delays. 

The lengthy implementation period makes getting started immediately crucial, even though the shift to PQC may be a practical challenge given its extensive and dispersed distribution throughout the digital infrastructure. Prioritising crypto agility will help organisations safeguard critical details before quantum threats materialise.

Big Tech's Interest in LLM Could Be Overkill

 

AI models are like babies: continuous growth spurts make them more fussy and needy. As the AI race heats up, frontrunners such as OpenAI, Google, and Microsoft are throwing billions at massive foundational AI models comprising hundreds of billions of parameters. However, they may be losing the plot. 

Size matters 

Big tech firms are constantly striving to make AI models bigger. OpenAI recently introduced GPT-4o, a huge multimodal model that "can reason across audio, vision, and text in real time." Meanwhile, Meta and Google both developed new and enhanced LLMs, while Microsoft built its own, known as MAI-1.

And these companies aren't cutting corners. Microsoft's capital investment increased to $14 billion in the most recent quarter, and the company expects that figure to rise further. Meta cautioned that its spending could exceed $40 billion. Google's concepts may be even more costly.

Demis Hassabis, CEO of Google DeepMind, has stated that the company plans to invest more than $100 billion in AI development over time. Many people are chasing the elusive dream of artificial generative intelligence (AGI), which allows an AI model to self-teach and perform jobs it wasn't prepared for. 

However, Nick Frosst, co-founder of AI firm Cohere, believes that such an achievement may not be attainable with a single high-powered chatbot.

“We don’t think AGI is achievable through (large language models) alone, and as importantly, we think it’s a distraction. The industry has lost sight of the end-user experience with the current trajectory of model development with some suggesting the next generation of models will cost billions to train,” Frosst stated. 

Aside from the cost, huge AI models pose security issues and require a significant amount of energy. Furthermore, after a given amount of growth, studies have shown that AI models might reach a point of diminishing returns.

However, Bob Rogers, PhD, co-founder of BeeKeeperAI and CEO of Oii.ai, told The Daily Upside that creating large, all-encompassing AI models is sometimes easier than creating smaller ones. Focussing on capability rather than efficiency is "the path of least resistance," he claims. 

Some tech businesses are already investigating the advantages of going small: Google and Microsoft both announced their own small language models earlier this year; however, they do not seem to be at the top of earnings call transcripts.

New Alert: Windows and Mac Are the Target of a Self-Deleting Ransomware

 

The ransomware epidemic may have been stopped by recent law enforcement operations that disrupted attack infrastructure, led to the arrest of cybercriminals, and broke up some threat groups, but this would be wrong as well. A recent study on the cross-platform, self-deleting NotLockBit ransomware assault has confirmed that the threat is not only still present but is also evolving. Here's what Windows and macOS users should know. 

Pranita Pradeep Kulkarni, a senior engineer of threat research at Qualys, has revealed in a recently published technical deep dive into the NotLockBit ransomware assault family that the threat is not only cross-platform but also sophisticated in using a self-deleting mechanism to mask attacks.

The NotLockBit malware is named after the fact that it "actively mimics the behaviour and tactics of the well-known LockBit ransomware," according to Kulkarni. It targets macOS and Windows systems and illustrates "a high degree of sophistication while maintaining compatibility with both operating systems, highlighting its cross-platform capabilities." The latest investigation revealed that the current evolution of the NotLockBit ransomware has many advanced capabilities: targeted file encryption, data exfiltration and self-deletion mechanisms. 

NotLockBit encrypts files after stealing data and moving it to storage under the attacker's control so that it can be exploited for extortion, just like the majority of ransomware currently. Depending on how sensitive it is, such data can be sold to the highest criminal bidder or held hostage in exchange for publication on a leaked website. 

However, NotLockBit can delete itself to conceal any proof of the cyberattack, unlike other ransomware. According to Kulkarni, "the malware uses unlink activity to remove itself after it has finished operating; this is a self-removal mechanism designed to delete any evidence of its existence from the victim's system." 

Files with extensions like.csv, .doc, .png, .jpg, .pdf, .txt, .vmdk, .vmsd, and .vbox are the main targets of NotLockBit, according to samples examined by Qualys, "because they frequently represent valuable or sensitive data typically found in personal or professional environments.” 

The investigation into NotLockBit ransomware exposed an increasingly sophisticated threat, the report concluded, and one that the researcher said, continues to evolve in order to maximize its impact. “It employs a combination of targeted encryption strategies, deceptive methods like mimicking well-known ransomware families,” Kulkarni concluded, “self-deletion mechanisms to minimize forensic traces.”

'Nearest Neighbour Attack': Russian Hackers Breach US Firm Wi-Fi

 


Russian state-sponsored hacking group APT28 (Fancy Bear/Forest Blizzard/Sofacy) has employed a novel "nearest neighbor attack" to breach enterprise WiFi networks from thousands of miles away. The attack, first detected on February 4, 2022, targeted a U.S. company in Washington, D.C., involved in Ukraine-related projects. Cybersecurity firm Volexity identified the intrusion, highlighting APT28’s innovative approach to bypass multi-factor authentication (MFA).

Details of the Attack

APT28 initiated the attack by breaching a nearby organization’s WiFi network, exploiting dual-home devices such as laptops or routers with both wired and wireless connections. These devices allowed the hackers to connect to the target’s WiFi network. By daisy-chaining access to multiple organizations, the hackers were able to connect to the victim's wireless network and move laterally across the system.

The hackers were able to bypass multi-factor authentication on the company’s WiFi network, despite being physically located thousands of miles away. Once within range, they compromised access to three wireless access points near the target’s conference room windows and used remote desktop protocol (RDP) from an unprivileged user to roam across the network.

Exfiltration and Data Theft

The attackers dumped Windows registry hives (SAM, Security, and System) using a script called servtask.bat, compressing them into a ZIP file for exfiltration. This process allowed APT28 to gather sensitive data without causing significant disruptions to the target network. The focus of the attack was on individuals and projects related to Ukraine, in line with Russia’s geopolitical interests.

Volexity's investigation revealed that APT28 was particularly interested in data from individuals with expertise in Ukraine-related projects. This highlights the targeted nature of the attack, aimed at collecting intelligence from a specific field of work.

Implications and Security Measures

The attack underscores the need for robust WiFi security and network segmentation. APT28’s ability to exploit physical proximity and dual-home devices highlights the growing sophistication of cyberattacks. Organizations should consider the following measures:

  • Enhance WiFi network encryption and authentication protocols.
  • Implement strict network segmentation to limit lateral movement.
  • Regularly audit devices with dual wired and wireless connections.
  • Monitor for unusual network activity and lateral movements.

APT28’s "nearest neighbor attack" serves as a reminder of the advanced techniques used by state-sponsored hackers. Vigilance, along with layered cybersecurity defenses, is crucial in defending against such sophisticated attacks.

Hackers Are Sending Fake Police Data Requests To Tech Giants To Steal People's Private Data

 

The FBI has issued a warning that hackers are collecting sensitive user information, such as emails and contact details, from US-based tech firms by hacking government and police email addresses in order to file "emergency" data requests. 

The FBI's public notice filed last week is an unusual admission by the federal government regarding the threat posed by phoney emergency data requests, a legal process designed to assist police and federal authorities in obtaining information from firms in order to respond to immediate threats to people's safety or properties.

The misuse of emergency data requests is not new, and it has drawn significant attention in recent years. The FBI now warns that it noticed an "uptick" in criminal posts online advertising access to or carrying out false emergency data requests around August and is going public to raise awareness.

“Cyber-criminals are likely gaining access to compromised US and foreign government email addresses and using them to conduct fraudulent emergency data requests to US based companies, exposing the personal information of customers to further use for criminal purposes,” reads the FBI’s advisory. 

Police and law enforcement in the United States often require some form of legal basis to seek and acquire access to private data stored on company laptops. Typically, police must provide sufficient proof of a potential crime before a U.S. court will grant a search warrant authorising them to collect that information from a private corporation. 

Police can issue subpoenas, which do not require a court appearance, requesting that businesses access restricted amounts of information about a user, such as their username, account logins, email addresses, phone numbers, and, in some cases, approximate location. 

There are also emergency requests, which allow police enforcement to gather a person's information from a firm in the event of an immediate threat and there is insufficient time to secure a court order. Federal authorities claim that some cybercriminals abuse these emergency requests.

The FBI stated in its advisory that it had spotted many public posts from known hackers in 2023 and 2024 claiming access to email accounts used by US law enforcement and several foreign governments. According to the FBI, this access was later used to issue fake subpoenas and other legal demands to corporations in the United States in search of private user data kept on their systems. 

The cybercriminals were able to pass for law enforcement by sending emails to businesses asking for user data using hacked police accounts. False threats, such as allegations of human trafficking and, in one instance, the warning that a person would "suffer greatly or die" until the company in issue returned the requested information, were mentioned in some of the requests.

The FBI claimed that because the hackers had gained access to law enforcement accounts, they were able to create subpoenas that appeared authentic and forced companies to divulge user data, including phone numbers, emails, and usernames. However, the FBI noted that not all fraudulent attempts to submit emergency data demands were successful.

New Malware ‘Pronsis Loader’ Uses Rare JPHP Language to Evade Detection and Deliver High-Risk Payloads

 

Trustwave SpiderLabs recently announced the discovery of a new form of malware named Pronsis Loader. This malware has already started to pose significant challenges for cybersecurity experts due to its unique design and operation. Pronsis Loader leverages JPHP, a lesser-known programming language, and incorporates sophisticated installation tactics, which complicates detection and mitigation efforts by standard security tools.

JPHP, a variation of the popular PHP programming language, is rarely seen in the world of malware development, especially for desktop applications. While PHP is commonly used for web applications, its adaptation into desktop malware through Pronsis Loader offers cybercriminals an advantage by making it harder to detect.

Pronsis Loader’s use of JPHP helps it bypass conventional detection systems, which often rely on identifying common programming languages in malware. This less common language adds an extra layer of “stealth,” allowing the malware to slip past many security tools. In addition, Pronsis Loader uses advanced obfuscation and encryption to hide during initial infection, silently installing itself by imitating legitimate processes. This stealth tactic hinders both automated and manual detection efforts.

Once Pronsis Loader is installed, it can download and execute other types of malware, such as ransomware, spyware, and data-theft tools. This modular approach makes it highly adaptable, allowing cybercriminals to customize payloads based on their target’s specific system or environment. As part of a broader trend in cybercrime, loaders like Pronsis are used in multi-stage attacks to introduce further malicious programs, providing attackers with a flexible foundation for varied threats.

To counter this evolving threat, security teams should consider adopting advanced behavioral monitoring and analysis techniques that identify malware based on its behavior, rather than relying solely on signature detection. Additionally, staying updated on threat intelligence helps to recognize rare languages and methods, such as those employed by Pronsis Loader.

 Shawn Kanady, Global Director at Trustwave SpiderLabs, emphasized the significance of Pronsis Loader’s stealth and adaptability, noting its potential to deliver high-risk payloads like Lumma Stealer and Latrodectus. Kanady concluded that understanding Pronsis Loader’s unique design and infrastructure offers valuable insights for strengthening cybersecurity defenses against future campaigns.







Redline And Meta Infostealers Targeted in Operation Magnus

 

The Dutch National Police claimed on Monday that they had secured "full access" to all servers employed by the Redline and Meta infostealers, two of the most common cybercrime tools on the internet.

Infostealer malware is a major cybersecurity issue that is frequently sold as a malware-as-a-service tool. It infects users' devices and harvests information such as credit card numbers and autofill password data. 

Cybercriminals who use the infostealer then bundle the information into logs, which are sold on credential marketplaces to fraudsters and other criminals looking to breach any organisations whose login information has been compromised.

Earlier this week on Monday, the Dutch National Police, in collaboration with the FBI and other partner agencies in the United States, Australia, and the United Kingdom, announced the disruption of these two infostealers on a website for "Operation Magnus," which includes a timer promising "more news" counting down to noon on Tuesday, Dutch local time. 

A video on the site that mimics the criminals' own marketing claims that the police have supplied a "final update" for both the Redline and Meta infostealer strains, adding that the multinational operation "gained full access to all Redline and Meta servers." The video shows the depth of this access, including many administrator panels, the malware source code, and what appears to be a large number of usernames for people who use the malware-as-a-service tool. 

“Involved parties will be notified, and legal actions are underway,” reads the site, while the video adds, alongside a graphic of cuffed hands: “Thank you for installing this update. We’re looking forward to seeing you soon.” 

Cybercriminals find ways

In conjunction with the disruption operations, the US Justice Department unsealed charges against Maxim Rudometov, one of RedLine's developers and administrators.

According to the Attorney's Office for the Western District of Texas, Rudometov may face a maximum sentence of 35 years if convicted of access device fraud, conspiracy to commit computer intrusion, and money laundering. This follows a series of operations by law enforcement agencies aimed at disrupting the activities of high-profile cybercrime groups around the world.

In December 2023, US officials seized the leak site of ALPHV/BlackCat, one of the most prolific ransomware collectives in recent years, in what was regarded as a severe blow to the outfit.

Security Experts Downplay the Significance of the Chinese Quantum "Hack"

 

Security experts have recommended caution following a series of doom-laden reports in recent days claiming that Chinese researchers have cracked military-grade encryption via quantum computing technology.

The reports, which first appeared in the South China Morning Post last week, are based on a study published in a Chinese journal called Quantum Annealing Public Key Cryptographic Attack Algorithm Based on D-Wave Advantage. 

Shanghai University researchers employed a D-Wave Advantage quantum computer to study Substitution-Permutation Network (SPN) algorithms, notably the Present, Gift-64, and Rectangle algorithms, which are fundamental to Advanced Encryption Standard (AES) cryptography. 

AES-256 is regarded as a nearly unbreakable symmetric encryption method employed by banks, governments, and the military to safeguard data, prompting the research team to reportedly claim that their findings prove quantum poses a "real and substantial threat" to current encryption. 

However, Avesta Hojjati, DigiCert's chief of R&D, has criticised some of the media coverage of the research, stating that it sensationalised the findings in order to instill fear, uncertainty, and doubt in readers. 

“While the research shows quantum computing's potential threat to classical encryption, the attack was executed on a 22-bit key – far shorter than the 2048 or 4096-bit keys commonly used in practice today. The suggestion that this poses an imminent risk to widely used encryption standards is misleading,” he argued. “This research, while intriguing, does not equate to an immediate quantum apocalypse.” 

Indeed, even the initial study apparently warned that a real quantum threat to the symmetric encryption currently in use is still some time off due to environmental interference and immature hardware. The difficulties of creating a single algorithm that could be used to reveal several encryption schemes was also mentioned. 

"We are still far from a practical attack that can threaten real-world encryption systems, especially with the current state of quantum computing,” Hojjati aded. “The [media] coverage may serve as a cautionary tale, but it exaggerates the timeline and feasibility of quantum threats to make for a more dramatic story. While the research advances discussion on quantum readiness, we should remain cautious but not alarmist.”

Law Enforcement From Thirty Nine Nations Team Up to Tackle Ransomware Attacks

 

Ransomware continues to pose significant issues for businesses and organisations around the world, and with attacks on the rise, the UK and 38 other nations have joined forces with international cyber insurance authorities to create new guidelines aimed at bolstering resilience and providing help to victims.

The new guidance will advise ransomware victims to carefully evaluate all options before making payments, as data restoration and malware eradication are not guaranteed even if the ransom is paid, and hackers are just encouraged to continue. 

Instead, firms are advised to create a thorough response architecture in the case of an attack, that includes regulations and contingency plans. If an organisation is targeted, the policy suggests reporting the attack to law police and consulting with security professionals. 

Global crackdown 

With an expected $1 billion lost to ransomware attacks in 2023, ransomware is a lucrative business for criminals. But the new regulations aim to undercut the ransomware playbook and, if at all possible, stop future attacks by removing the incentive for attackers. 

“Cyber criminality does not recognize borders. That is why international co-operation is vital to tackle the shared threat of ransomware attacks. This guidance will hit the wallets of cyber criminals, and ultimately help to protect businesses in the UK and around the world”, stated Security Minister Dan Jarvis.

The United Kingdom is eager to lead the collaborative approach to combating cybercrime, so three major UK insurance bodies (the Association of British Insurers, the British Insurance Brokers' Association, and the International Underwriting Association) have joined forces to launch co-sponsored guidance for businesses. 

The UK National Crime Agency recently sanctioned 16 members of the 'Evil Corp' cybercriminal outfit, which is responsible for stealing more than $300 million from critical infrastructure, healthcare, and government organisations worldwide.

“Ransomware remains an urgent threat and organisations should act now to boost resilience," noted Jonathon Ellison, NCSC Director for National Resilience. “The endorsement of this best practice guidance by both nations and international cyber insurance bodies represents a powerful push for organisations to upgrade their defences and enhance their cyber readiness. "

“This collective approach, guided by last year’s CRI statement denouncing ransomware and built on guidelines from the NCSC and UK insurance associations earlier this year, reflects a growing global commitment to tackling the ransomware threat.”

Microsoft Issues New Warnings For Windows Users

 

As we approach the weekend, a new warning has been issued that a "global attack" is now targeting Windows users in multiple nations worldwide. The campaign is surprisingly basic, but it highlights the risk for the hundreds of millions of Windows 10 customers who will be without security upgrades in a year. 

Palo Alto Networks' Unit 42 warned about the risks of fake new CAPTCHAs last month. Although it didn't receive much attention at the time, researcher John Hammond's video on X helped spread the word. McAfee researchers have recently released a fresh alert regarding these fraudulent CAPTCHA popups that are currently circulating. 

These assaults should be easy to detect—but they’re designed to be casually effective. The fake challenges are designed to distribute Lumma Stealer. “These pages have a button that, when clicked, shows instructions for victims to paste PowerShell script into a Run window. This copy/paste PowerShell script retrieves and runs a Windows EXE for Lumma Stealer malware. The associated Lumma Stealer EXE files retrieve and use zip archives that don't appear to be inherently malicious on their own,” researchers explained. In its latest research, McAfee cautions that the ClickFix infection chain operates by tricking people into clicking on buttons like Verify you are a human' or 'I am not a robot.'" 

When clicked, a malicious script is copied to the user's clipboard. Users are then tricked into pasting the script after pressing the Windows key + R, unknowingly launching the malware. This technique speeds up the infection process, allowing attackers to easily deploy malware. 

The pattern is apparent to you. The crypto wallets and your account credentials are the main targets of the information-stealing malware that will be installed on your device. It doesn't appear to be a typical CAPTCHA, even if they are evolving and becoming more difficult to figure out. However, if, at that moment, copying and pasting isn't making you feel uneasy, turn off your computer and perhaps take a break. 

Furthermore, McAfee identifies two deviously created lures, one aimed at consumers ready to download illegally copied games and the other at software developers concerned about a security flaw in code they wrote and distributed. 

Users searching online for illegal copies of games are likely to have their guard up in any case; yet, the team warns that "they may encounter online forums, community posts, or public repositories that redirect them to malicious links.” 

The second target group is even more sneaky. Users get phishing emails that frequently target GitHub contributors, pushing them to fix a fake security flaw. These emails provide links to the same fraudulent CAPTCHA pages. 

This fake CAPTCHA campaign is starting to propagate; be cautious and take a moment to look for any signs of compromise when faced with one. It won't always be as clear as it is in this instance. These attacks will change and become more difficult to identify. It goes without saying that you should never, ever copy and paste and then execute from within a CAPTCHA. 

This serves as another timely reminder to Windows 10 users that discontinuing support should not be one of their actions between now and October of next year. You'll need to switch to Windows 11 if Microsoft doesn't offer reasonably priced extension alternatives and workarounds aren't sufficient to close the gap.

Here's Why Attackers Have a Upper Hand Against CISOs

 

Security experts have an in-depth knowledge of the technical tactics, techniques, and procedures (TTPs) that attackers employ to launch cyberattacks. They are also knowledgeable about critical defensive methods, such as prioritising patching based on risk and creating a zero-trust policy. 

However, the world for business security appears to be one step behind hackers, who successfully launch an increasing number of attacks year after year. Here's one reason: many CISOs underappreciate, overlook, and sometimes underestimate all of the knowledge that hackers bring to the table — the nontechnical insights that they use to gain an advantage. 

“Hackers know that the average CISO has a lot on their plates and they don’t have enough [resources] to get everything done. So CISOs really have to pay attention to what hackers are doing and what they know so they can best defend against them,” stated Stephanie “Snow” Carruthers, chief people hacker at IBM.

So, what do hackers know that may not be credible? According to security researchers, these are three main hacking tactics that may go unnoticed by CISOs. 

Hackers know business schedule 

It's not a coincidence that many attacks occur during the most challenging times. Hackers do boost their attacks on weekends and holidays when security teams are understaffed. They're also more likely to strike just before lunchtime and at the end of the day, when employees are rushed thereby less aware of red indicators indicating a phishing attack or fraudulent behaviour.

“Hackers typically deploy their attacks during those times because they’re less likely to be noticed,” stated Melissa DeOrio, global threat intelligence lead at S-RM, a global intelligence and cybersecurity consultancy.

DeOrio agrees that many hackers are based in regions where daytime working hours overlap with non working hours in the Americas and Western Europe. However, she claims that research suggests that hackers exploit this disparity by timing their attacks. 

Furthermore, Tomer Bar, vice president of security research at SafeBreach, adds that threat actors seek out moments of organisational upheaval (e.g., mergers, acquisitions, layoffs, etc.) to exploit. "Threat actors will try to launch an attack at the most difficult time for the CISO and the blue team.” 

To counter this hacking technique, long-time security leaders encourage CISOs to include it into their own defence strategies. They should use third-party services during off-business hours to supplement the security team's work schedule, increase automation to improve staff efficiency at all hours, add extra layers of security such as more monitoring or tighter filters at times of increased risk, ensure priority security work is completed before busy times such as holidays, and educate all employees about the heightened risks that exist during such times. 

Gathering insights on organisations 

The attackers actively gather open-source intelligence (OSINT) in order to plan attacks. It's hardly unexpected that hackers seek out information on transformative events such as large layoffs, mergers, and the like, she says. However, CISOs, their teams, and other executives may be astonished to hear that hackers hunt for news about seemingly innocuous activities such as technology installations, new alliances, hiring sprees, and CEO schedules that show when they are away from the office. 

To counter this, CISOs can monitor OSINT about their organisations, collaborate with other executives on announcements and their timing, and run simulations on how such announcements play out from a business perspective. All of this allows CISOs and their teams to see what hackers see, better understand their thinking, and prepare for potential targeted attacks. 

Ignorant corporate culture 

Security awareness training typically demands employees to take time to review emails or think through requests to help determine whether a request is legitimate or suspicious. Yet workplace culture today generally works against that approach, Huffman notes. “We praise ourselves for putting ourselves in an emotional hot state,” he says, pointing to job postings that use phrases such as “fast-paced,” “dynamic” and “high-intensity” to describe the workplace culture as evidence. 

According to Huffman, Employees do not have — nor are they encouraged to take — extra time to review incoming messages (whether via email, phone, video, text, or other means). "And that's why hackers are successful: they catch us in constant emotional hot states when you're clicking through 1,000 emails.”

Beyond Prioritization: Security Journey for Organizations

Prioritization tools typically rely on factors like severity, exploitability, and potential impact. While these criteria are valuable, they don't provide the full picture.

Organizations face an overwhelming number of vulnerabilities, and deciding which ones to address first can be a challenge for many. However, it's essential to recognize that prioritization is merely the beginning of a more comprehensive security journey.

The Limitations of Prioritization

Prioritization tools typically rely on factors like severity, exploitability, and potential impact. While these criteria are valuable, they don't provide the full picture. Here are some limitations:
  1. Context Matters: Prioritization tools often lack context. They don't consider an organization's unique environment, business processes, or specific threats. A high-severity vulnerability might be less critical if it doesn't align with an organization's risk profile.
  2. Dynamic Threat Landscape: Threats evolve rapidly. A vulnerability that seems low-risk today could become a weaponized exploit tomorrow. Prioritization models need to account for this dynamic nature.
  3. Resource Constraints: Organizations have finite resources—time, budget, and personnel. Prioritization doesn't address how to allocate these resources effectively.

The Holistic Approach

To move beyond prioritization, consider the following steps:
  • Risk Assessment: Start by understanding your organization's risk appetite. Conduct a risk assessment that considers business impact, regulatory compliance, and threat intelligence. This assessment informs your vulnerability management strategy.
  • Asset Inventory: Create a comprehensive asset inventory. Knowing what you're protecting allows you to prioritize vulnerabilities based on critical assets. Not all systems are equal; some are more vital to your operations.
  • Threat Intelligence: Stay informed about emerging threats. Collaborate with industry peers, subscribe to threat feeds, and monitor security forums. Threat intelligence helps you contextualize vulnerabilities.
  • Attack Surface Reduction: Minimize your attack surface. Remove unnecessary services, close unused ports, and segment your network. Fewer entry points mean fewer vulnerabilities to manage.
  • Patch Management: Prioritize patching based on risk. Critical systems should receive immediate attention, while less critical ones can follow a staggered schedule.
  • Security Hygiene: Regularly review configurations, permissions, and access controls. Misconfigurations often lead to vulnerabilities. Implement security baselines and automate hygiene checks.
  • Incident Response Readiness: Prepare for incidents. Develop an incident response plan, conduct tabletop exercises, and ensure your team knows how to respond effectively.

Transparency and Communication

Transparency is crucial. Communicate with stakeholders—executives, IT teams, and end-users. Explain the rationale behind vulnerability management decisions. Transparency builds trust and ensures everyone understands the risks.

Vulnerability prioritization is essential, but it's not the destination—it's the starting point. Embrace a holistic approach that considers context, risk, and resource constraints. By navigating the security journey with diligence and transparency, organizations can better protect their digital assets.

DarkMe RAT: Microsoft SmartScreen Vulnerability Explored

Microsoft SmartScreen Vulnerability Explored

In recent months, cybersecurity researchers have detected a surge in the exploitation of a critical vulnerability known as CVE-2024-21412. This vulnerability specifically targets Microsoft SmartScreen, a security feature designed to protect users from malicious websites and downloads. 

In this blog post, we’ll delve into the details of CVE-2024-21412, its impact, and the tactics employed by threat actors to bypass SmartScreen.

The Basics: What Is CVE-2024-21412?

CVE-2024-21412 is a security flaw that affects Microsoft SmartScreen, a component integrated into various Microsoft products, including Windows Defender and Microsoft Edge. SmartScreen analyzes URLs and files to determine their safety and warns users if they attempt to access potentially harmful content. However, this vulnerability allows attackers to evade SmartScreen’s protective measures.

Exploitation Techniques

1. Internet Shortcuts (URL Files)

The primary vector for exploiting CVE-2024-21412 is through internet shortcuts (URL files). These files contain references to websites and are commonly used for creating desktop shortcuts or bookmarks. By crafting a malicious URL file, threat actors can trick SmartScreen into allowing access to dangerous sites or downloads.

2. Water Hydra APT Group

The Water Hydra advanced persistent threat (APT) group is at the forefront of exploiting this vulnerability. Their sophisticated techniques involve creating specially crafted URL files that appear harmless to SmartScreen. Once a victim clicks on the shortcut, the associated website delivers a payload—often the DarkMe remote access trojan (RAT).

3. Bypassing Patched Vulnerabilities

Interestingly, CVE-2024-21412 emerged as a result of bypassing a previously patched SmartScreen vulnerability (CVE-2023-36025). This highlights the cat-and-mouse game between security researchers and threat actors. Even after a patch is released, attackers continue to explore new attack vectors, rendering the patch ineffective.

Geographical Targets

The Water Hydra group’s campaign exploiting CVE-2024-21412 has primarily targeted regions such as Spain, the United States, and Australia. Their choice of targets suggests a deliberate strategy to compromise high-value systems and organizations.

Mitigation and Recommendations

1. Keep Software Updated

Ensure that your operating system and security software are up to date. Regularly check for patches and apply them promptly.

2. Exercise Caution with URL Files

Be cautious when opening internet shortcuts (URL files). Verify the source and destination before clicking on any links.

3. Educate Users

Educate users about the risks associated with SmartScreen bypass vulnerabilities. Awareness is crucial in preventing successful attacks.

Employees Claim OpenAI and Google DeepMind Are Hiding Dangers From the Public

 

A number of current and former OpenAI and Google DeepMind employees have claimed that AI businesses "possess substantial non-public data regarding the capabilities and limitations of their systems" that they cannot be expected to share voluntarily.

The claim was made in a widely publicised open letter in which the group emphasised what they called "serious risks" posed by AI. These risks include the entrenchment of existing inequities, manipulation and misinformation, and the loss of control over autonomous AI systems, which could lead to "human extinction." They bemoaned the absence of effective oversight and advocated for stronger whistleblower protections. 

The letter’s authors said they believe AI can bring unprecedented benefits to society and that the risks they highlighted can be reduced with the involvement of scientists, policymakers, and the general public. However, they said that AI companies have financial incentives to avoid effective oversight. 

Claiming that AI firms are aware of the risk levels of different kinds of harm and the adequacy of their protective measures, the group of employees stated that the companies have only weak requirements to communicate this information with governments "and none with civil society." They further stated that strict confidentiality agreements prevented them from publicly voicing their concerns. 

“Ordinary whistleblower protections are insufficient because they focus on illegal activity, whereas many of the risks we are concerned about are not yet regulated,” they wrote.

Vox revealed in May that former OpenAI employees are barred from criticising their former employer for the rest of their life. If they refuse to sign the agreement, they risk losing all of their vested stock gained while working for the company. OpenAI CEO Sam Altman later said on X that the standard exit paperwork would be altered.

In reaction to the open letter, an OpenAI representative told The New York Times that the company is proud of its track record of developing the most powerful and safe AI systems, as well as its scientific approach to risk management.

Such open letters are not uncommon in the field of artificial intelligence. Most famously, the Future of Life Institute published an open letter signed by Elon Musk and Steve Wozniak calling for a 6-month moratorium in AI development, which was disregarded.

Pirated Microsoft Office Distributes a Malware Cocktail to Infiltrates Systems

 

The hackers are distributing a malware cocktail via cracked versions of Microsoft Office marketed on torrent websites. Malware distributed to customers includes remote access trojans (RATs), cryptocurrency miners, malware downloaders, proxy tools, and anti-AV programs. 

The AhnLab Security Intelligence Centre (ASEC) has recognised the ongoing attempt and warns against the risks of downloading unauthorised software. Korean researchers identified that the attackers employ a variety of lures, including Microsoft Office, Windows, and the Hangul Word Processor, which is popular in Korea. 

MS Office to malware 

The cracked Microsoft Office installer has a well-designed UI that allows users to choose the version they wish to install, the language, and whether to use 32- or 64-bit versions. 

However, in the background, the installer launches an obfuscated.NET malware that contacts a Telegram or Mastodon channel to obtain a valid download URL from which it will download other components. The URL refers to Google Drive or GitHub, both of which are reliable websites that are unlikely to trigger AV warnings. 

The malware component 'Updater' registers tasks in the Windows Task Scheduler to make sure they persist between system reboots. According to ASEC, the malware installs the following forms of malware on the compromised system: 

Orcus RAT: Provides extensive remote control, such as keylogging, webcam access, screen capture, and system modification for data exfiltration. 

XMRig: It is a cryptocurrency miner that exploits system resources to mine Monero. It halts mining during periods of high resource demand, such as while the victim is gaming, to avoid detection. 

3Proxy: Turns infected systems into proxy servers by opening port 3306 and inserting it into normal processes, allowing attackers to redirect malicious traffic. 

Even if the user detects and wipes any of the aforementioned malware, the 'Updater' module, which runs at system launch, will reintroduce it. Users should exercise caution when installing files downloaded from suspicious sources, and they should avoid using pirated/cracked software. 

Similar advertisements have been used to promote the STOP ransomware, which is the most active ransomware operation targeting consumers. Because these files are not digitally signed and users are willing to disregard antivirus warnings when launching them, they are frequently used to infect systems with malware, in this case a whole set.

Invest in Future-Proofing Your Cybersecurity AI Plan

 

With the ongoing barrage of new attacks and emerging dangers, one might argue that every day is an exciting day in the security operations centre (SOC). However, today's SOC teams are experiencing one of the most compelling and transformative changes in how we detect and respond to cybersecurity threats. Innovative security organisations are attempting to modernise SOCs with extended detection and response (XDR) platforms that incorporate the most recent developments in artificial intelligence (AI) into the defensive effort. 

XDR systems combine security telemetry from several domains, such as identities, endpoints, software-as-a-service apps, email, and cloud workloads, to provide detection and response features in a single platform. As a result, security teams employing XDR have greater visibility across the company than ever before. But that's only half the tale. The combination of this unprecedented insight and an AI-powered SOC aid can allow security teams to operate at the pace required to turn the tables on potential attackers. 

Innovative security organisations need to have a strategic implementation plan that considers the future in order to effectively leverage today's AI capabilities and provide the foundation for tomorrow's breakthroughs. This is because the industry is evolving rapidly. 

XDR breadth matters 

Unlike traditional automated detection and blocking solutions, which frequently rely on a single indicator of compromise, XDR platforms employ AI to correlate cross-domain security signals that analyse a full attack and identify threats with high confidence. AI's greater fidelity improves the signal-to-noise ratio, resulting in fewer false positives for manual investigation and triage. Notably, the larger the dataset on which the AI is operating, the more effective it will be; therefore, XDR's inherent breadth is critical. 

An effective XDR strategy should identify and account for high-risk regions, cybersecurity maturity, modern architecture and technologies, and budgetary limits, among other things. While adoption should be gradual to minimise operational impact, organisations must also examine how to acquire the broadest XDR coverage possible in order to make the most of AI's capabilities. 

Create AI-Confident teams

The purpose of AI is not to replace humans in your SOC, but to enable them. If your team lacks faith in the tools they use they will be unable to fully realise the platform's potential. As previously noted, minimising false positives will help increase user trust over time, but it is also critical to provide operational transparency so that everyone understands where data is coming from and what actions have been taken. 

XDR platforms must provide SOC teams with complete control over investigating, remediating, and bringing assets back online when they are required. Tightly integrating threat detection and automatic attack disruption capabilities into existing workflows will speed up triage and provide a clear view of threats and remedial operations across the infrastructure. 

Stay vigilant 

The indicators of attack and compromise are continually evolving. An effective, long-term XDR plan will meet the ongoing requirement for rapid analysis and continuous vetting of the most recent threat intelligence. Implementation roadmaps should address how to facilitate the incorporation of timely threat intelligence and include flexibility to grow or augment teams when complex incidents demand additional expertise or support. 

As more organisations look to engage in XDR and AI to improve their security operations, taking a careful, future-focused approach to deployment will allow them to better use today's AI capabilities while also being prepared for tomorrow's breakthroughs. After all, successful organisations will not rely solely on artificial intelligence to stay ahead of attackers. They will plan AI investments to keep them relevant.

Have You Been Defrauded? This Scam Survival Toolkit Can Help You Recover

 

Wondering what to do in the aftermath of a fraud can be extremely difficult. The Better Business Bureau's (BBB) new fraud Survival Toolkit helps fraud survivors navigate the recovery process.

Fraudsters target people from many walks of life. BBB frequently shares tips on how to avoid scammers, but you may still be at risk immediately after a scam happens. 

Scams not only cause financial harm, but they also have an emotional impact on victims. Survivors of scams often experience feelings of shame, guilt, or wrath, even if it is not their fault they were victimised.

Scammers capitalise on strong emotions, and emotions are high in the days following a scam, putting survivors at risk. According to the BBB's 2023 Scam Tracker Risk Report, 10% of respondents were victims of three or more frauds. 

The first step following a scam is to protect oneself from further harm. Everyone's situation is unique, but the methods below can help you secure your money, credit, or identity. 

Prevention tips 

Secure your finances: If you have lost money or bank information to a scammer, contact your financial institution. They may be able to initiate a fraud inquiry or cancel the transactions. If your credit card information has been hacked, they can cancel it and provide you a new one.

Protect your credit: If you lose personal or credit card information, it could be exploited to steal your identity; thus, place a fraud warning on your credit reports or freeze your credit. Consider acquiring a free credit report to keep track of any suspicious activities.

Change your password: If a specific account has been compromised, notify the company and change your password. Follow the BBB's password-creation instructions and consider using multifactor authentication to protect your account. Keep an eye out for any unusual behaviour on your other accounts.

Keep an eye out for recovery scams: Some scammers strike after a fraud has occurred, offering phoney credit repair or tech assistance services that steal money or information from susceptible people. 

Report the scam: Once you've taken steps to safeguard yourself, report the scam to BBB Scam Tracker to assist others. Last year, 36.6% of customers who visited BBB fraud Tracker reported that it helped them prevent fraud.