Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Threat Landscape. Show all posts
User Security
Cyber Security Data Privacy Insider Threat Threat Landscape User Security

Internal Threats Loom Large as Businesses Deal With External Threats

 

Most people have likely been forced by their employer to undergo hour-long courses on how to prevent cyberattacks such as phishing, malware, and ransomware. Companies compel their staff to do this since cybercrime can be quite costly. According to FBI and IMF estimates, the cost is predicted to rise from $8.4 trillion in 2022 to $23 trillion by 2027. There are preventative methods available, such as multifactor authentication. 

The fact is, all of these threats are external. As companies develop the ability to handle these concerns, leadership's attention will move to an even more important concern: risks emanating from within the organisation. Being on "the inside" generally entails having access to highly sensitive and confidential information required to perform their duties. 

This can include financial performance statistics, product launch timelines, and source code. While this seems reasonable at first look, allowing access to this information also poses a significant risk to organizations—from top-secret government agencies to Fortune 500 companies and small businesses—if employees leak it.

Unfortunately, insider disclosures are becoming increasingly common. Since 2019, the number of insider occurrences reported by organisations has increased from 66% to an astounding 76%. Furthermore, these insider leaks are costly. In 2023, organisations spent an average of $16.2 million on resolving insider threats, with North American companies incurring the greatest overall cost of $19.09 million. 

There are several recent examples. Someone has leaked Israeli documents regarding an attack on Iran. An Apple employee leaked information about the iPhone 16. Examples abound throughout history. For example, in 1971, the Pentagon Papers altered public perception of the Vietnam War. However, the widespread use of internet media has made these risks simpler to propagate and more difficult to detect. 

Prevention tips 

Tech help: Monitoring for suspicious behaviour with software and AI is one technique to prevent leaks. Behaviour modelling technology, particularly AI-powered ones, can be quite effective at generating statistical conclusions using predictive analytics to, well, forecast outcomes and raise red flags. 

These solutions can provide an alarm, for example, if someone in HR, who would ordinarily not handle product design files, suddenly downloads a large number of product design files. Or if an employee has saved a large amount of information to a USB drive. Companies can use this information to conduct investigations, adjust access levels, or notify them that they need to pay more attention. 

Shut down broad access: Restricting employee access to specific data and files or eliminating certain files completely are two other strategies to stop internal leaks. This can mitigate the chance of leakage in the short term, but at what cost? Information exchange can inspire creativity and foster a culture of trust and innovation. 

Individualize data and files: Steganography, or the act of concealing information in plain sight, dates back to Ancient Greece and is a promising field for preventing leaks. It employs forensic watermarks to change a piece of content (an email, file, photo, or presentation) in imperceptible ways that identify the content so that sharing can be traced back to a single person. 

In recent times, the film industry was the first to employ steganography to combat piracy and theft of vital content. Movies and shows streamed on Hulu or Netflix are often protected with digital rights management (DRM), which includes audio and video watermarking to ensure that each copy is unique. Consider applying this technology to a company's daily operations, where terabytes of digital communications including potentially sensitive information—emails, presentations, photos, customer data—could be personalised for each individual. 

One thing is certain, regardless of the approach a business takes: it needs to have a strategy in place for dealing with the escalating issue of internal leaks. The danger is genuine, and the expenses are excessive. Since most employees are good, it only takes one bad actor to leak information and bring significant damage to their organisation.
Read more »
Threat Landscape
Artificial Intelligence Cyber Security Machine learning Quantum Computers Threat Landscape

Quantum Computing Meets AI: A Lethal Combination

 

Quantum computers are getting closer to Q-day — the day when they will be able to crack existing encryption techniques — as we continue to assign more infrastructure functions to artificial intelligence (AI). This could jeopardise autonomous control systems that rely on AI and ML for decision-making, as well as the security of digital communications. 

As AI and quantum converge to reveal remarkable novel technologies, they will also combine to develop new attack vectors and quantum cryptanalysis.

How far off is this threat?

For major organisations and governments, the transition to post-quantum cryptography (PQC) will take at least ten years, if not much more. Since the last encryption standard upgrade, the size of networks and data has increased, enabling large language models (LLMs) and related specialised technologies. 

While generic versions are intriguing and even enjoyable, sophisticated AI will be taught on expertly picked data to do specialised tasks. This will quickly absorb all of the previous research and information created, providing profound insights and innovations at an increasing rate. This will complement, not replace, human brilliance, but there will be a disruptive phase for cybersecurity.

If a cryptographically relevant quantum computer becomes available before PQC is fully deployed, the repercussions are unknown in the AI era. Regular hacking, data loss, and even disinformation on social media will bring back memories of the good old days before AI driven by evil actors became the main supplier of cyber carcinogens.

When AI models are hijacked, the combined consequence of feeding live AI-controlled systems personalised data with malicious intent will become a global concern. The debate in Silicon Valley and political circles is already raging over whether AI should be allowed to carry out catastrophic military operations. Regardless of existing concerns, this is undoubtedly the future. 

However, most networks and economic activity require explicit and urgent defensive actions. To take on AI and quantum, critical infrastructure design and networks must advance swiftly and with significantly increased security. With so much at stake and new combined AI-quantum attacks unknown, one-size-fits-all upgrades to libraries such as TLS will not suffice. 

Internet 1.0 was built on old 1970s assumptions and limitations that predated modern cloud technology and its amazing redundancy. The next version must be exponentially better, anticipating the unknown while assuming that our current security estimations are incorrect. The AI version of Stuxnet should not surprise cybersecurity experts because the previous iteration had warning indications years ago.
Read more »
User Security
Cyber Security Data Leak Data Privacy Threat Landscape User Security

Five Common Cybersecurity Errors and How to Avoid Them

 

In the cultural mishmash of modern tech-savvy consumers, the blue screen of death looms large. The screen serves as a simple reminder informing the user that the device is unable to resolve the issue on its own. A computer crash can indicate that your CPU is degrading after years of use, but a cybersecurity compromise can also cause hardware to malfunction or operate unexpectedly. 

A significant portion of the total amount of theft and illegal conduct that impacts people today is carried out by cybercriminals. According to the FBI's 2023 Internet Crime Report, cybercrime complaints resulted in losses above $12.5 billion. The numbers showed a 10% increase in complaints and a 22% increase in financial losses.

As defenders, we must constantly look for what we have missed and how we can get better. Five common cybersecurity errors are listed below, along with tips on how to prevent them: 

Using simple password:  Employing strong passwords to safeguard your sensitive data is a vital part of any effective cybersecurity plan. Strong passwords can make it difficult for hackers to access your credentials. These passwords must include capital letters, symbols, and broken words, if any. Nearly everyone is aware of this aspect of internet use, and many online systems require users to include these security features in their profiles. However, 44% of users hardly ever change their passwords (though over a third of internet users participate in monthly refreshes), and 13% of Americans use the same password for every online account they create. 

Underestimating the human element: This is a fatal error because you would be overlooking a significant contributor to 74% of data breaches. According to the Ponemon Cost of a Data Breach 2022 Report, the top attack vector last year was stolen or compromised credentials; it appears that many of us are falling for scams and disclosing critical information. That's why black hats keep coming back: we provide a consistent, predictable source of funds. To tighten those reigns, implement an employee Security Awareness Training (SAT) program and follow the principle of least privilege. 

Invincible thinking:  Small firms frequently fall into this attitude, believing they have nothing of value to an outside attacker. If all attackers were pursuing billions of money and governmental secrets, this could be accurate. But they aren't. There are innumerable black hats who profit from "small" payments, compounded dividends, and the sale of credential lists. Any company having users and logins can find what they're looking for. This same approach can and should be applied to organisations of all sizes. Combat the "it can't happen to me" mentality with regular risk assessments, pen tests, SAT training, and red teaming to prepare your organisation; because it can. 

Not caring enough:   This is exactly where fraudsters want you: clueless and "I don't care." This can happen all too easily when SOCs become overwhelmed by the 1,000-plus daily notifications they receive, let alone attempting to stay ahead of the game with proactive preventive measures (or even strategy). Threat actors take advantage of teams that are overburdened. If your resources are stretched thin, the correct investment in the right area might alleviate some of the stress, allowing you to do more with less. 

Playing a defensive game:   We've all heard that the best defence is a good offence. And that is true. Cybersecurity frequently receives a solely defensive rap, which unfairly underestimates its value. Cybercriminals are continuously catching organisations off guard, and all too often, SOCs on the ground have never dealt with anything like them before. They patched vulnerabilities. They dodged phishing emails. However, an APT, advanced threat, or even a true red-alert cyber incursion might all be new territory. Prepare your digital and people nervous systems for an attack by instilling offensive security techniques such as penetration testing and red teaming in them before day zero.
Read more »
User Security
Artificial Intelligence Dark Patterns Generative AI Technology Threat Landscape User Security

AI-Powered Dark Patterns: What's Up Next?

 

The rapid growth of generative AI (artificial intelligence) highlights how urgent it is to address privacy and ethical issues related to the use of these technologies across a range of sectors. Over the past year, data protection conferences have repeatedly emphasised AI's expanding role in the privacy and data protection domains as well as the pressing necessity for Data Protection Officers (DPOs) to handle the issues it presents for their businesses. 

These issues include the creation of deepfakes and synthetic content that could sway public opinion or threaten specific individuals as well as the public at large, the leakage of sensitive personal information in model outputs, the inherent bias in generative algorithms, and the overestimation of AI capabilities that results in inaccurate output (also known as AI hallucinations), which often refer to real individuals. 

So, what are the AI-driven dark patterns? These are deceptive UI strategies that use AI to influence application users into making decisions that favour the company rather than the user. These designs employ user psychology and behaviour in more sophisticated ways than typical dark patterns. 

Imagine getting a video call from your bank manager (created by a deepfake) informing you of some suspicious activity on your account. The AI customises the call for your individual bank branch, your bank manager's vocal patterns, and even their look, making it quite convincing. This deepfake call could tempt you to disclose sensitive data or click on suspicious links. 

Another alarming example of AI-driven dark patterns may be hostile actors creating highly targeted social media profiles that exploit your child's flaws. The AI can analyse your child's online conduct and create fake friendships or relationships that could trick the child into disclosing personal information or even their location to these people. Thus, the question arises: what can we do now to minimise these ills? How do we prevent future scenarios in which cyber criminals and even ill-intentioned organisations contact us and our loved ones via technologies on which we have come to rely for daily activities? 

Unfortunately, the solution is not simple. Mitigating AI-driven dark patterns necessitates a multifaceted approach that includes consumers, developers, and regulatory organisations. The globally recognised privacy principles of data quality, data collection limitation, purpose specification, use limitation, security, transparency, accountability, and individual participation are universally applicable to all systems that handle personal data, including training algorithms and generative AI. We must now test these principles to discover if they can actually protect us from this new, and often thrilling, technology.

Prevention tips 

First and foremost, we must educate people on AI-driven dark trends and fraudulent techniques. This can be accomplished by public awareness campaigns, educational tools at all levels of the education system, and the incorporation of warnings into user interfaces, particularly on social media platforms popular with young people. Cigarette firms must disclose the risks of their products, as should AI-powered services to which our children are exposed.

We should also look for ways to encourage users, particularly young and vulnerable users, to be critical consumers of information they come across online, especially when dealing with AI systems. In the twenty-first century, our educational systems should train members of society to question (far more) the source and intent of AI-generated content. 

Give the younger generation, and even the older ones, the tools they need to control their data and customise their interactions with AI systems. This might include options that allow users or parents of young users to opt out of AI-powered suggestions or data collection. Governments and regulatory agencies play an important role to establish clear rules and regulations for AI development and use. The European Union plans to propose its first such law this summer. The long-awaited EU AI Act puts many of these data protection and ethical concerns into action. This is a positive start.
Read more »
Threat Landscape
BlueNoroff macOS malware North Korea Hackers Threat Landscape

North Korean Hackers Employ macOS Malware to Target Crypto Firms

 

BlueNoroff, a North Korean threat actor, has been attacking crypto firms with a new multistage malware for macOS systems. 

According to the researchers, the campaign is known as Hidden Risk, and it lures victims with emails that include fake data on the current activities in the cryptocurrency market.

The malware employed in these attacks depends on a novel persistence method on macOS that does not generate any alerts on the most recent versions of the operating system, allowing it to bypass detection. 

BlueNoroff is known for cryptocurrency theft and has previously targeted macOS with a payload malware called 'ObjCShellz' that opens remote shells on affected Macs. 

Infection chain 

The attacks begin with a phishing email containing crypto-related news and subjects, disguised as if forwarded by a bitcoin influencer to boost credibility. The mail includes a link to a PDF containing the information, but it actually points to the attackers' "delphidigital[.]org" domain. 

According to SentinelLabs experts, the "URL currently serves a benign form of the Bitcoin ETF document with titles that change over time," but it also serves the first step of a malicious application bundle known as 'Hidden Risk Behind New Surge of Bitcoin Price.app'. 

The researchers state that for the Hidden Risk campaign, the threat actor employed an original academic paper from the University of Texas. The first stage is a dropper software signed and notarised with a valid Apple Developer ID, "Avantis Regtech Private Limited (2S8XHJ7948)," which Apple has since revoked. 

When activated, the dropper gets a decoy PDF from a Google Drive link and opens it in the default PDF browser to distract the victim. In the background, however, the following stage payload is downloaded from "matuaner[.]com.”

Interestingly, the hackers have effectively circumvented Apple's App Transport Security standards by altering the app's 'Info. plist' file to permit unsafe HTTP connections to the attacker-controlled site. 

The "Hidden Risk" campaign, according to SentinelLabs, has been in operation for the past 12 months or more. It employs a more straightforward phishing strategy that excludes the customary "grooming" on social media that other DPRK hackers partake in. 

In order to get beyond macOS Gatekeeper, the researchers also point out that BlueNoroff has demonstrated a consistent capacity to find new Apple developer accounts and have their payloads notarised.
Read more »
Threat Landscape
APT36 Cyber Attacks Indian Organizations Pakistan Hacker Threat Landscape

Check Point Uncover Pakistan-Linked APT36’s New Malware Targeting Indian Systems

 

Pakistan's APT36 threat outfit has been deploying a new and upgraded version of its core ElizaRAT custom implant in what looks to be an increasing number of successful assaults on Indian government agencies, military entities, and diplomatic missions over the last year. 

Cybersecurity researchers at Check Point Research (CPR) identified that the latest ElizaRAT variant includes new evasion strategies, enhanced command-and-control (C2) capabilities, and an additional dropper component that makes it more difficult for defenders to spot the malware.

A new stealer payload known as ApoloStealer has been used by APT36 to collect specified file types from compromised systems, retain their metadata, and transport the data to the attacker's C2 server, therefore increasing the risk. 

"With the introduction of their new stealer, the group can now implement a 'step-by-step' approach, deploying malware tailored to specific targets," stated Sergey Shykevich, threat intelligence group manager at Check Point Software. "This ensures that even if defenders detect their activities, they primarily find only a segment of the overall malware arsenal.”

The threat group's use of legitimate software, living off the land binaries (LoLBins), and lawful C2 communication services such as Telegram, Slack, and Google Drive complicates the situation. According to Shykevich, the adoption of these services has made it much more difficult to monitor malware transmissions in network traffic. 

APT36, also known as Transparent Tribe, Operation C-Major, Earth Karkaddan, and Mythic Leopard by security vendors, is a Pakistani threat group that has predominantly targeted Indian government and military entities in intelligence gathering operations from about 2013. Like many other tightly focused threat groups, APT36's attacks have occasionally targeted organisations in other nations, such as Europe, Australia, and the United States.

The malware that the threat actor now possesses comprises tools for infiltrating Android, Windows, and increasingly Linux devices. BlackBerry revealed earlier this year that in an APT36 campaign, ELF binaries (Linkable Executable and Linkable Format) accounted for 65% of the group's attacks against Maya OS, a Unix-like operating system created by India's defence ministry as a Windows substitute. Additionally, SentinelOne reported last year that APT36 was spreading the CopraRAT malware on Android devices owned by Indian military and diplomatic personnel by using romantic lures. 

ElizaRAT is malware that the threat actor included in their attack kit last September. The malware has been propagated using phishing emails that include links to malicious Control Panel files (CPL) hosted on Google Storage. When a user opens the CPL file, code is executed that starts the malware infection on their device, potentially granting the attacker remote access or control of the system. 

Over the last year, Check Point analysts detected APT36 operators using at least three different versions of ElizaRAT in three consecutive campaigns, all of which targeted Indian businesses. The first was an ElizaRAT variation that utilised Slack channels for C2 infrastructure. APT36 began employing that variation late last year, and approximately a month later began deploying ApoloStealer with it. 

Starting early this year, the threat group began using a dropper component to discreetly drop and unpack a compressed file carrying a new and enhanced version of ElizaRAT. The new variation, like its predecessor, initially checked to see if the machine's time zone was configured to Indian Standard Time before executing and engaging in malicious behaviour.

"Introducing new payloads such as ApolloStealer marks a significant expansion of APT36’s malware arsenal and suggests the group is adopting a more flexible, modular approach to payload deployment," CPR noted in its report. "These methods primarily focus on data collection and exfiltration, underscoring their sustained emphasis on intelligence gathering and espionage.”
Read more »
User Security
Cyber Crime LAPSUS$ Teen Hackers Threat Landscape User Security

Advanced Persistent Teenagers: A Rising Security Threat

 

If you ask some of the field's top cybersecurity executives what their biggest concerns are, you might not expect bored teenagers to come up. However, in recent years, this totally new generation of money-motivated hackers has carried out some of the biggest hacks in history and shows no signs of slowing. 

Meet the "advanced persistent teenagers," as stated by the security community. These are skilled, financially motivated attackers, such as Lapsus$ and Scattered Spider, who have proven capable of digitally breaching into hotel companies, casinos, and tech behemoths.

The hackers can deceive unsuspecting employees into giving over their company passwords or network access by using strategies such as believable email lures and convincing phone calls posing as a company's support desk. 

These attacks are extremely effective, have resulted in massive data breaches impacting millions of individuals, and have resulted in large ransoms paid to make the hackers vanish. By displaying hacking capabilities previously limited to only a few nation states, the threat from idle teenagers has forced numerous companies to confront the reality that they don't know if the personnel on their networks are who they say they are, and not a sneaky hacker. Has the threat posed by idle teens been understated, according to two respected security veterans? 

“Maybe not for much longer,” noted Darren Gruber, technical advisor in the Office of Security and Trust at database giant MongoDB, during an onstage panel at TechCrunch Disrupt. “They don’t feel as threatened, they may not be in U.S. jurisdictions, and they tend to be very technical and learn these things in different venues.”

Plus, a key automatic advantage is that these threat groups also have a lot of time on their hands. “It’s a different motivation than the traditional adversaries that enterprises see.” Gruber has dealt with a few of these threats directly. There was no evidence of access to client systems or databases, however an intrusion at the end of 2023 in MongoDB resulted in the theft of certain metadata, such as customer contact information. 

According to Gruber, the attack mirrored Scattered Spider's strategies, and the vulnerability was reportedly minimal. "The attackers posed to be employees and used a phishing lure to get into MongoDB's internal network," he claimed.
Read more »
Threat Landscape
Linux malware Misconfiguration Security flaw Threat Landscape

Stealthy Malware Has Infected Thousands of Linux Systems Since 2021

 

Aqua Security researchers have raised concerns about a newly identified malware family that targets Linux-based machines in order to get persistent access and control resources for crypto mining. The malware, known as perfctl, purports to exploit over 20,000 different types of misconfigurations and known vulnerabilities and has been active for over three years. 

Aqua Security uncovered that perfctl uses a rootkit to hide itself on compromised systems, runs as a service in the background, is only active when the machine is idle, communicates via a Unix socket and Tor, installs a backdoor on the infected server, and attempts to escalate privileges. The malware's handlers have been detected deploying more reconnaissance tools, proxy-jacking software, and a cryptocurrency miner. 

The attack chain begins with the exploitation of a vulnerability or misconfiguration, followed by the deployment and execution of the payload from a remote HTTP server. Next, it copies itself to the temporary directory, terminates the old process, deletes the initial binary, and runs from the new location. 

The payload contains an attack for CVE-2021-4043, a medium-severity Null pointer dereference vulnerability in the open source multimedia framework Gpac, which it uses to get root access. The flaw was recently uploaded to CISA's Known Exploited Vulnerabilities database. 

In addition to the cryptominer, the malware was observed copying itself to numerous additional locations on the computers, dropping a rootkit and popular Linux applications modified to function as userland rootkits. It uses a Unix socket to handle local communications and the Tor anonymity network for external command-and-control (C&C). 

"All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defence mechanisms and hinder reverse engineering attempts," the company said. 

Furthermore, the malware monitors specific files and, if a user logs in, it suspends activities to conceal its presence. It also ensures that user-specific configurations are executed in Bash contexts, allowing the server to run normally. 

For persistence, perfctl alters a script such that it is executed before the server's legitimate workload. It also attempts to terminate the processes of any additional malware it detects on the infected PC. 

The deployed rootkit hooks into various functions and modifies their functionality, including changes that allow "unauthorised actions during the authentication process, such as bypassing password checks, logging credentials, or modifying the behaviour of authentication mechanisms," according to Aqua Security. 

The cybersecurity firm found three download servers linked to the attacks, as well as other websites that were likely hacked by the threat actors, resulting in the finding of artefacts used in the exploitation of vulnerable or misconfigured Linux servers. 

“We identified a very long list of almost 20K directory traversal fuzzing list, seeking for mistakenly exposed configuration files and secrets. There are also a couple of follow-up files (such as the XML) the attacker can run to exploit the misconfiguration,” the company added.
Read more »
User Security
Cyber Security Healthcare Industry Patient Data Threat Landscape User Security

Healthcare Cybersecurity: Taking a Proactive Route

 

Cyberattacks in healthcare are growing more common and can disrupt an organization's operations. Healthcare organisations handle a lot of sensitive data, including financial information, patient health records, and identifying data, making them prime targets for cybercriminals. 

This vulnerability is exacerbated by the sector's sophisticated systems and the widespread dissemination of electronic health records across networks. Healthcare's economic model, with large volumes and poor margins, makes it particularly susceptible to attacks. 

Furthermore, the stakes are especially high in healthcare, where a breach or hack can have serious ramifications ranging from compromising patient privacy to life-threatening disruptions in medical services. Cybercriminals can shut down a whole healthcare system for weeks or even months, delaying critical patient treatment. They're also employing new tools like generative AI to develop sophisticated and difficult-to-detect cyberattacks. 

In 2023, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) received a record 725 reports of large healthcare security breaches. Healthcare security breaches are twice as common as they were seven years ago, with two major breaches recorded each day on average in 2023. Cybercrime expenses (estimated by some to reach $8 trillion by 2025) are anticipated to rise, highlighting the growing financial risks. 

According to Accenture research, leaders across industries recognise the importance of cybersecurity, yet only a tiny minority believe they are adequately equipped to deal with cyberattacks. Healthcare organisations are acutely aware of the changing cyberthreat landscape and are concerned about their ability to prevent or mitigate harm from a cyberattack. 

Changing nature of cyber attacks 

Patient identity theft has long been a common target of hackers in healthcare. However, recent trends indicate a shift towards more complex techniques in which attackers attempt to paralyse operations in order to extract ransoms. Protecting patient data remains critical, and organisations must continue to improve data security and network segmentation to mitigate the risk. However, ensuring the continuity of operations is as critical. 

Online criminals are increasingly targeting healthcare organisations with hacks that encrypt critical operating data and systems, rendering them inaccessible to medical professionals. Interestingly, not all breaches result in instant attacks. Once cybercriminals have gained access to a healthcare system, they can choose when to launch an assault. 

Researchers believe traditional cybersecurity techniques, which mainly focus on perimeter defence, are no longer sufficient given the sophistication of attacks. The healthcare industry requires a more robust strategy. In addition to continuing to work to prevent breaches and secure data, researchers advise healthcare businesses to shift focus to continuity initiatives so that when an assault inevitably occurs, they can restore operations promptly to minimize downtime and disruption.
Read more »
Threat Landscape
Cyber Security Cybersecurity Agencies Iran hackers Spear Phishing Threat Landscape

UK and US Warn of Rising Iranian Spear Phishing Threat

 

The UK’s National Cyber Security Centre (NCSC) collaborated with government agencies across the Atlantic to issue a new alert regarding Iranian cyber-threats last week. 

The security advice, issued in collaboration with the FBI, US Cyber Command - Cyber National Mission Force (CNMF), and the Department of the Treasury (Treasury), claimed that Iran's Islamic Revolutionary Guard Corps (IRGC) was behind the spear phishing attack. 

The campaign is aimed at individuals "with a nexus to Iranian and Middle Eastern affairs," but it is also focused on US political campaigns, with the ultimate goal of expanding its information operations, the advice stated. Current or former top government officials, think tank personnel, journalists, activists, and lobbyists seem to be potential targets. 

Threat actors change their strategies according to the specific target, which could involve impersonating family members, professional contacts, prominent journalists, and/or email providers. The lure may be an interview, an invitation to a conference or embassy event, a speaking engagement, or another political or foreign policy dialogue. 

“The actors often attempt to build rapport before soliciting victims to access a document via a hyperlink, which redirects victims to a false email account login page for the purpose of capturing credentials,” the report reads. 

“Victims may be prompted to input two-factor authentication codes, provide them via a messaging application, or interact with phone notifications to permit access to the cyber actors. Victims sometimes gain access to the document but may receive a login error.” 

Prevention tips

The advisory advised readers to be suspicious of unsolicited contact, attempts to send links or files via social media and other online services, email messages flagging alerts for online accounts, emails purporting to be from legitimate services and shortened links. It also recommended enterprises to:

  • Implement a user training program for phishing awareness.
  • Recommend users only use work emails for official business, always keep software updated, switch on multi-factor authentication, and never click on links or open attachments in unsolicited emails.
  • Users are recommended to use advanced protection services and hardware security keys. 
  • Switch on anti-phishing and spoofing security features. 
  • Block automatic email forwarding to external addresses.
  • Monitor email servers for changes to configuration and custom rules.
Read more »
Threat Landscape
DcRAT HTML smuggling malware Microsoft Russian Users Threat Landscape

DCRat Malware Propagates via HTML Smuggling

 

Russian-speaking customers have been targeted in a new campaign aimed at distributing a commodity trojan known as DCRat (aka DarkCrystal RAT) using HTML smuggling. 

This is the first time the malware has been propagated via this technique, which differs from past delivery channels such as hijacked or bogus websites, phishing emails with PDF attachments, or macro-laced Microsoft Excel documents.

"HTML smuggling is primarily a payload delivery mechanism," Netskope researcher Nikhil Hegde stated in an analysis published last week. "The payload can be embedded within the HTML itself or retrieved from a remote resource.” 

The HTML file, in turn, can be distributed through fraudulent websites or malspam operations. When the file is launched from the victim's web browser, the hidden payload is decrypted and downloaded to the system. The assault subsequently relies on some form of social engineering to persuade the victim to open the malicious payload. 

Netskope claims to have identified HTML pages in Russian that, when opened in a web browser, automatically download a password-protected ZIP bundle to disc in an attempt to avoid discovery. The ZIP payload contains a nested RarSFX package, which eventually leads to the DCRat malware deployment. 

DCRat, which was first launched in 2018, can be used as a full-fledged backdoor and can be used with various plugins to expand its capabilities. It can run shell commands, record keystrokes, and exfiltrate data and credentials, among other things. Organisations should check HTTP and HTTPS traffic to verify that systems do not communicate with malicious domains. 

The development comes as Russian businesses have been targeted by a threat cluster known as Stone Wolf, which tried to infect them with Meduza Stealer by sending phishing emails posing as legitimate providers of industrial automation systems. 

"Adversaries continue to use archives with both malicious files and legitimate attachments which serve to distract the victim," BI.ZONE noted. By using the names and data of real organizations, attackers have a greater chance to trick their victims into downloading and opening malicious attachments.” 

It also comes after the rise of malicious campaigns that most likely used generative artificial intelligence (GenAI) to write VBScript and JavaScript code used to propagate AsyncRAT via HTML smuggling. 

"The scripts' structure, comments and choice of function names and variables were strong clues that the threat actor used GenAI to create the malware," HP Wolf Security stated. "The activity shows how GenAI is accelerating attacks and lowering the bar for cybercriminals to infect endpoints.”
Read more »
UNC2970
Cyber Attacks Cyber-Espionage North Korean Hackers Threat Landscape UNC2970

North Korean Hackers Target Energy and Aerospace Industries in Novel Espionage Campaign

 

As per recent findings from Mandiant, companies operating in the energy and aerospace sectors are being targeted by a cyber-espionage campaign that has connections with North Korea.

The outfit behind the campaign, dubbed UNC2970, is most likely linked to North Korea and shares similarities with another Pyongyang-backed threat actor, TEMP.Hermit. Researchers at the Google-owned cybersecurity firm discovered UNC2970's latest campaign in June 2024 and published their findings on Tuesday. 

The group was initially identified in 2021, and it has since targeted victims in the United States, United Kingdom, the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, and Australia. 

According to the research, UNC2970 hackers engage with their victims via email and WhatsApp, posing as recruiters for well-known companies. They eventually share a malware archive that claims to have a job description in PDF format.

The PDF file can only be read with a trojanized version of SumatraPDF, an actual open-source document viewer that installs a backdoor called Mistpen via the Burnbook launcher. Researchers revealed that the attackers updated the open-source code of an older version of SumatraPDF for this campaign, but that the SumatraPDF service itself was not compromised. UNC2970 uses real job description text to target victims, including those employed in critical infrastructure sectors in the United States. 

The Mistpen virus is a fork of a legitimate plugin for the Notepad++ open-source text and source code editor. The backdoor has been upgraded over time with new features, including a network connectivity check, which complicates sample analysis, researchers noted. Although Mandiant does not name the specific victims of this attack, researchers believe the hackers are targeting senior or manager-level employees. 

"This suggests the threat actor aims to gain access to sensitive and confidential information typically restricted to higher-level employees,” researchers stated. "The hackers also tailor their malicious messages to better align with the victim's profile."
Read more »
Threat Landscape
Business Security Cyber Security Decryptor Ransomware Attackers Threat Landscape

Ransomware Actors Refused to Provide Decryptor Even After Recieving Ransom Payment

 

For C-suite executives and security leaders, learning that your organisation has been infiltrated by network attackers, critical systems have been locked down, and data has been compromised, followed by a ransom demand, could be the worst day of their professional life. 

But, as some executives recently discovered who had contracted the Hazard ransomware, things can go far worse. The decryptor that was provided in exchange for paying the ransom to unlock the encrypted files did not function. 

Security researchers did not talk to the victim organization in this case – its executives declined to be interviewed about their experience – hence the specifics remain unknown. 

Still, researchers believe that deciding that paying the criminals was the best way out of the scenario - for concerns regarding customer and employee data privacy, to bring business operations back online, to minimise reputational damage, or simply because there were no backups (oops) - was a painful decision in and of itself. But what if you pay the extortionists and still are unable to recover the files? That's excruciating. 

"Ransomware as a whole is extremely stressful for the victim," stated Mark Lance, ransomware negotiator with GuidePoint Security. "Now in this circumstance, specifically, where they've made the payment and the decryption tools don't work," the stress levels ratcheted up several notches. 

"In this, and in a lot of situations like this one, they're relying heavily on those decryption capabilities working on certain systems so that they can recover operations," Lance added. "So the stress substantially increases because they're like, 'Hey, we made this large ransom payment amount with established terms that said if we paid we're going to get access.'” 

Following their initial failure to decrypt their files, the compromised organisation acquired a new decryptor version from the hackers; however, this was also not functioning. Following a call from a third party participating in the ransomware discussions, GuidePoint attempted to contact the perpetrators' "technical support" desk but was informed that a new version of the decryptor was required on behalf of the victim. 

Whatever the reason, the organisation was unable to access the encrypted files, and the Hazard ransomware gang vanished. Eventually, GuidePoint was able to patch the decryptor binary and then brute-force 16,777,216 potential values until some critical missing bytes in the cryptographic process were discovered, resulting in a functional tool for decrypting the files. It's a good reminder, though, that paying a ransom does not ensure data recovery.
Read more »
Threat Landscape
Chinese Actors Cyber Attacks Drone Makers Taiwan Threat Landscape

'TIDrone' Cybercriminals Target Taiwan's Drone Makers

 

A previously unknown threat actor with possible ties to Chinese-speaking groups has primarily targeted drone makers in Taiwan as part of a cyber attack operation that started in 2024. Trend Micro is tracking the adversary under the codename TIDRONE, claiming that the activity is espionage-driven due to the emphasis on military-related company chains. 

The specific initial access vector used to penetrate targets is currently unknown, although Trend Micro's study revealed the spread of unique malware such as CXCLNT and CLNTEND using remote desktop tools such as UltraVNC. An interesting feature identified across multiple victims is the use of the same enterprise resource planning (ERP) software, increasing the likelihood of a supply chain attack. 

After that, the attack chains move through three distinct phases that are intended to make it easier to escalate privileges through the use of credential dumping, security evasion by turning off antivirus software that is installed on the hosts, and User Account Control (UAC) bypass. 

Both backdoors are activated by sideloading a rogue DLL using the Microsoft Word application, allowing attackers to collect a wide range of confidential data. CXCLNT includes basic upload and download file capabilities, as well as facilities for removing traces, acquiring victim data such as file listings and device names, and downloading next-stage portable executable (PE) and DLL files for execution. 

CLNTEND, detected in April 2024, is a remote access tool (RAT) that supports a broader range of network communication protocols, including TCP, HTTP, HTTPS, TLS, and SMB (port 445).

"The consistency in file compilation times and the threat actor's operation time with other Chinese espionage-related activities supports the assessment that this campaign is likely being carried out by an as-yet unidentified Chinese-speaking threat group," security researchers Pierre Lee and Vickie Su stated.
Read more »
Threat Landscape
Cyber Security CyberVolk Ransomware group Threat Landscape

CyberVolk Ransomware: A Rising Threat to Global Cybersecurity

 

The Indian hacker outfit CyberVolk, which is a relatively new player in the cybercrime arena, has made headlines with its sophisticated ransomware. CyberVolk Ransomware, discovered in July 2024, has quickly gained attention for its sophisticated features and quick progress. 

The group's most concerning weapon, ‘CyberVolk Ransomware,’ was recently analysed by ThreatMon and is gaining attention from cybersecurity experts due to its sophisticated capabilities and expanding nature. 

CyberVolk debuted in the shadows of the dark web, where it soon established a reputation through a series of successful attacks. The gang, which specialises in a wide range of cybercrimes such as DDoS assaults, data breaches, and website defacements, is known for its aggressive nature, with official accounts on platforms such as Telegram and X. 

Initially, CyberVolk Ransomware encrypted victims' files using the AES method. However, a VirusTotal leak exposed the ransomware's internal workings, leading the attackers to create a far more sophisticated version. This enhanced variant included better cryptographic algorithms like ChaCha20-Poly1305, AES, and even quantum-resistant technology. The changes make it nearly impossible to decrypt without paying the ransom, even for individuals who have quantum computing resources. 

ThreatMon's technical review of CyberVolk Ransomware uncovers numerous unique and concerning features. For example, when executed, the ransomware disables access to vital system utilities such as Task Manager, preventing users from terminating the encryption process. The ransomware encrypts entire data in minutes before approaching the victim with a $1,000 ransom demand. Victims are also given a strict deadline: failure to pay within five hours would result in the permanent loss of their data. 

Previous reports said that CyberVolk Ransomware only brought in $2,632, but in the last few months, their earnings have increased dramatically. According to ThreatMon, the group has made over $20,000 through ransomware assaults, indicating an alarming rise in the financial impact of its operations. 

The ransomware outfit poses a serious threat to both individuals and enterprises. It is an imminent threat because of its capacity to proliferate like a worm and its advanced evasion and encryption methods. However, the presence of vulnerabilities in its structure offers hope for effective countermeasures. 

To mitigate the threat of ransomware attacks, cybersecurity specialists suggest regular software updates, robust backup strategies, and cybersecurity hygiene education for employees.
Read more »
Threat Landscape
AI Risks Artificial Intelligence MIT Technology Threat Landscape

MIT Database Lists Hundreds of AI Dangers Impacting Human Lives

 

Artificial intelligence is present everywhere. If it isn't powering your online search results, it's just a click away with your AI-enabled mouse. If it's not helping you enhance your LinkedIn profile, it's benefiting you at work. As AIs become more intelligent, outspoken voices warn of the technology's potential risks. 

These range from literally replacing you at your job to even more terrifying end-of-the-world circumstances. The Massachusetts Institute of Technology is aware of these competing currents and has compiled a list of the ways it believes AI might pose challenges. 

AI threats

In an article supporting the research, MIT summarised the several ways AI could endanger society. Humans outperform artificial intelligence. Kind of. While 51% of the threats were attributed directly to AIs, 34% originated with humans using AI technology--there are some evil individuals out there, remember. 

However, approximately two thirds of the risks were identified after an AI had been trained and deployed, compared to 10% before that point. This provides significant support to AI regulatory initiatives, as it coincides with the announcement that OpenAI and Anthropic would submit their new, smartest AIs to the US AI Safety Institute for testing before releasing them to the public. 

So, what are the AI risks? A quick search of the database reveals some alarming category types. One scenario involves AI harm emerging as a "side effect of a primary goal like profit or influence," in which AI makers "wilfully allow it to cause widespread social damage like pollution, resource depletion, mental illness, misinformation, or injustice." Similarly, additional side effects occur when "one or more criminal entities" construct an AI to "intentionally inflict harm, such as for terrorism or combating law enforcement.” 

Other threats that MIT has identified feel more in line with current news reports, especially with regard to election misinformation, even though these seem more suited for science fiction dystopias: AIs could be harmful when "extensive data collection" in the models "brings toxic content and stereotypical bias into the training data." 

One of the other concerns is that AI systems have the potential to become "very invasive of people's privacy, controlling, for instance, the length of someone's last romantic relationship." This is a type of soft power control where society is steered by small adjustments; it is similar to some of the concerns raised by US authorities on the possible impact of TikTok's algorithm.
Read more »
Threat Landscape
Cyber crimes Cyber Extortion Sextortion Threat Landscape

Three Cyber Extortion Schemes Attackers Can Employ Against You

 

Cybercriminals appear to have an infinite repertoire of strategies at their disposal when it comes to forcefully extracting financial information from victims. They prefer specific methods over others, and extortion is one of them. 

Keep in mind that blackmailers will not just use one trick, but will use various types of extortion to force their victims to do their bidding, whether it is paying them a significant sum of money or performing tasks on their behalf.

Hack and extort

The term is rather self-explanatory, but to be sure, the extortionist will access your device or online accounts, search your files for any sensitive or valuable data, and steal it. Although it may resemble ransomware in some ways, the breaking and entering of your system is done manually, and the cybercriminal has to dedicate time and resources in doing so.

Unless your password was compromised in a large-scale data breach, in which case the job required is negligible. The successfully targeted individual is then sent an email in which the criminal attempts to force the intended victim into paying by threatening to expose this data and listing examples for added effect. To safeguard yourself, try encrypting your data and adequately protecting all of your accounts with a strong passphrase, as well as enabling two-factor authentication whenever possible. 

Sextortion

Sextortion is precisely what it sounds like: extortion carried out with the threat of exposing sexual material about the target. Sextortionists might approach the practice in a variety of ways. Until the criminal gains the victim's trust and persuades them to switch from the dating platform to a regular messaging service, it may begin as an apparent romantic dalliance through a dating platform. 

This is done in order to prevent setting off the security measures that dating apps employ to identify possible con artists. After the victim leaves the dating site, they will attempt to persuade them to share some explicit or risqué images or videos, which they will then use as leverage in a blackmail campaign. As an alternative, hackers can opt to break into a victim's computer and take control of their webcam in order to secretly monitor and even record explicit images or videos of them; American model and previous Miss Teen USA Cassidy Wolf was a victim of such sextortion. 

Sending risqué images to anyone is not advisable. Even if you trust someone, you can't rule out the possibility that their devices or accounts have been compromised, sensitive images have been exposed, or that your current level of trust in them has changed or is otherwise wrong. To mitigate your risks of getting hacked, keep your gadgets patched and updated, and utilise a respected security solution.

DDoS extortion 

Cybercriminals frequently use distributed denial of service (DDoS) attacks on enterprises in an attempt to completely disable their target's capacity to offer services. They frequently post their services on DDoS-for-hire marketplaces in an effort to increase their illicit revenue. Threat actors use a large number of machines arranged into a botnet to bombard a target with requests during these attacks. 

The goal is to overwhelm the target's systems to the point where they fail, so taking them offline. Attacker scans can cause this to continue for days at a time, costing some businesses hundreds of thousands of dollars in lost sales. For instance, a cybercrime collective recently threatened to use DDoS assaults against multiple organisations unless they paid ransoms ranging from US$57,000 to US$227,000 by adopting the garb of well-known shacking groups. 

Setting up a firewall to deny access to all unauthorised IP addresses and enrolling with a DDoS mitigation provider are just a few steps you can take to defend yourself from DDoS extortion attempts.
Read more »
Threat Landscape
Cyber Crime Data Leak Extortion Ransomware Threat Landscape

BlackByte Ransomware Outfit is Targeting More Orgs Than Previously Known

 

Researchers from Cisco have discovered that the BlackByte ransomware group is only disclosing a small portion of its successful attacks on its leak site this year. Talos, the company's cybersecurity department, believes the gang is creating extortion posts for only 20% to 30% of its successful attacks. 

The study of the ransomware outfit's leak site shows it posted 41 victims in 2023 but only three so far in 2024. BlackByte has been extremely active this year, but it's unclear why the group hasn't posted any further leaks. 

BlackByte has carried out high-profile assaults on local governments in Newburgh, New York, and Augusta, Georgia, as well as organisations such as the San Francisco 49ers and Yamaha. 

Researchers from Cisco Talos claimed that their involvement in a number of recent incident response investigations showed how quickly the organisation is evolving and how often it leads the way in exploiting vulnerabilities such as CVE-2024-37085, an ESXi software problem that Microsoft brought to light last month.

“Talos IR observed the threat actor leveraging this vulnerability, which initially received limited attention from the security community, within days of its publication,” the researchers stated. “This highlights the speed with which ransomware groups like BlackByte can adapt their [tactics, techniques and procedures] to incorporate newly disclosed vulnerabilities, and the level of time and effort put into identifying potential avenues for advancing an attack.” 

The analysts believe the ransomware-as-a-service (RaaS) gang is an offshoot of the now-defunct Conti operation, which appeared in late 2021. According to Cisco Talos, BlackByte has a history of searching for and exploiting public-facing vulnerabilities. However, the RaaS model's flexibility "allows threat actors to quickly counter new defensive strategies developed by cybersecurity experts by iterating and updating its tooling.” 

Callie Guenther, a Critical Start cyberthreat researcher, stated that the exploitation of CVE-2024-37085 was notable since it targeted VMware ESXi hypervisors, which allow servers to operate many virtual machines and efficiently distribute computing resources. The focus on ESXi hypervisors by Ransomware outfits such as BlackByte is especially troubling because the technology is often vital for firms' IT infrastructure and critical business applications.

“The adoption of the CVE-2024-37085 vulnerability by BlackByte signals an understanding of the value in targeting these systems, as they offer a high return on investment for the attackers in terms of potential ransom payouts,” she added.
Read more »
Threat Landscape
Australia Cyber Security Energy sector IT Management Threat Landscape

Cyber Security: A Rising Threat to Australia’s Renewable Energy Campaign

 

Australia is striving to become a more energy-efficient nation. The Australian Renewable Energy Agency recently announced a $100 million effort to research and develop solar energy technologies. Further investments in energy storage, pumped hydro, and low-carbon systems may be equally substantial. 

However, the nation must also address an underlying issue: the integration of solid IT and software foundations into the OT systems that power the grids. Without these, Australia may struggle to fully meet its renewable energy goals.

Combination of IT and OT

OT refers to software and hardware that identifies or creates changes in the enterprise by directly monitoring and controlling physical devices, processes, and events. IT refers to the use of systems, particularly computers and telecommunications, to store, retrieve, and transmit information. 

Traditionally, these two types of technology have been kept segregated and controlled separately. However, the combination of OT and IT is critical for the modernisation of energy networks. According to IBM, the integration must be effective in four areas: 

Smart meters: It detects energy usage in real time at the consumer's end, delivering comprehensive consumption patterns to both the consumer and the energy provider. 

Sensors and automation devices: These are used across the grid to monitor voltage, current, and load capacity, among other metrics. They can automatically alter parameters to avoid overloads and long-term, large-scale outages.

Communication networks: As the backbone of any smart grid, communication networks enable data transmission between diverse components such as sensors, automated devices, and control centres. Transmission systems can be wired or wireless, and can use a variety of protocols and communication technologies, including Wi-Fi, Z-Wave, Zigbee, and 4G/5G. 

Software and analytics: Smart grids generate vast volumes of data. Utility companies use complex software and analytics technologies to handle, analyse, and interpret this data. This software, and the data it gives, can assist providers in predicting demand patterns, identifying potential concerns, and optimising the distribution network. 

Cyber threats 

Australia is at serious risk of facing cyber threats via OT technology, which will have an impact on the country's renewable energy aspirations. With 82% of organisations suffering cyber attacks via OT systems, there is an increasing risk being brought into Australia's electricity grid as it digitalises.

The country is also becoming more reliant on a highly decentralised energy approach, which increases the attack surface significantly. Rooftop solar, for example, consists of solar panels installed on individual homes and businesses that are then connected to the grid via IoT devices, software, and digital technologies. This has contributed to 40% of Australia's energy being supplied by renewable sources. 

Need to increase investment 

For Australia to sustainably harness renewable energy, it must lay solid IT foundations. The Australian Energy Sector Cyber Security Framework is a positive regulatory step that builds on successful frameworks like the U.S. Department of Energy's Electricity Subsector Cybersecurity Capability Maturing Model and aligns it with Australian-specific control references like the ACSC Essential 8. 

However, the IT channel, which includes IT professionals and service providers, as well as IT experts, must bring the skills and expertise required to manage and protect integrated energy systems. This includes knowing the particular issues of OT environments as well as how to effectively implement IT solutions. This strategy can help Australia achieve a renewable energy transition that is both successful and secure against an increasing number of cyber threats.
Read more »
Subscribe to: Posts (Atom)