Exploring TEMPEST: Hacking the Future of Space Security

February 19, 2025

This blog post is based on a podcast I recorded with Tim Fowler back in January. I’ve used ChatGPT to take the episode transcript and turn it into a blog that I have reviewed and edited. Check out the episode: https://www.exploresec.com/eis/219

The Rise of Space Cybersecurity

Cybersecurity has long been a critical focus in terrestrial technology, but as the space industry continues to expand, the need for security in orbit has never been more urgent. One person leading this charge is Tim Fowler, the creator of TEMPEST, a 1U CubeSat educational project designed to bring hands-on security training into the realm of space systems.

In a recent Exploring Information Security podcast episode, I sat down with Fowler to discuss TEMPEST, its impact on cybersecurity education, and why space security needs a shift in focus.

Why Space Security Matters

The rapid expansion of satellite technology means that more devices than ever before are being launched into space—often without robust security measures. Fowler highlighted that traditional approaches to securing IT systems don’t always translate well to space-based infrastructure.

Some of the key concerns include:

Unsecured Communication Links – Space systems often rely on unencrypted signals, making them susceptible to interception.
Satellite Hijacking – Attackers could take control of a satellite’s operations and disrupt services or use it for malicious activities.
Supply Chain Vulnerabilities – Many CubeSats are built from commercial off-the-shelf components, which can introduce security risks.

TEMPEST allows students and professionals to experience these risks firsthand in a controlled environment, making it an essential tool for training the next generation of space cybersecurity experts.

What is TEMPEST?

TEMPEST—an acronym for Tim’s Endeavor into Manically Producing Educational Space Technologies—is a modular, intentionally vulnerable CubeSat that provides cybersecurity professionals, students, and researchers with a hands-on way to test and hack satellite systems.

Fowler, an expert in space cybersecurity, launched the project to address a major gap in the industry: most CubeSat kits focus on functionality, but none include security as a fundamental component. TEMPEST is designed to fill that void by allowing users to simulate attacks, build defenses, and understand real-world space security challenges.

A Hands-On Approach to Learning

TEMPEST was designed to be modular and hackable. Fowler structured the CubeSat with intentionally built-in security flaws to simulate real-world attack scenarios. Users can explore:

Radio frequency (RF) security and satellite communications.
Embedded system vulnerabilities within the CubeSat’s flight computer.
Software-defined radios (SDRs) for signal interception and manipulation.
Security hardening techniques to counteract common attack vectors.

The first generation of TEMPEST hardware debuted at Wild West Hacking Fest in 2024, where attendees were able to test, break, and improve upon the system in real time. Fowler also runs training sessions where participants assemble and experiment with the CubeSat, learning about space security hands-on.

The Accidental Broadcast Storm

One of the most entertaining moments Fowler shared was an unexpected security lesson during a training session. When a room full of students powered up their TEMPEST CubeSats simultaneously, the devices inadvertently started talking to each other, creating a self-replicating “broadcast storm.”

This unintentional experiment highlighted a crucial lesson in satellite security: small design choices can have major consequences. Even unintended interactions between satellites can create denial-of-service conditions or unexpected network behaviors, reinforcing the importance of secure communication protocols in space systems.

What’s Next for TEMPEST?

While TEMPEST is currently only available through Fowler’s space cybersecurity training courses, plans are underway to release a public version that allows more people to engage with the project.

Upcoming developments include:

A new defensive security course focused on satellite protection strategies.
Open-source release of older TEMPEST versions, allowing users to build their own CubeSats.
Expanded training opportunities at major security conferences in 2025.

Where to Learn More

If you’re interested in learning about space cybersecurity and hacking CubeSats, TEMPEST offers a unique and invaluable resource. Keep an eye out for future training sessions and updates by following:

🌐 EthosLabs.space – Fowler’s main site for TEMPEST training and updates.
🎙️ Exploring Information Security Podcast – Listen to the full episode for an in-depth discussion on TEMPEST.

Final Thoughts

Space cybersecurity is one of the most exciting frontiers in infosec, and projects like TEMPEST are helping shape the future. By providing a hands-on, educational platform for space security, TEMPEST ensures that the next generation of security professionals is ready to defend our critical space infrastructure. 🚀

What are your thoughts on space cybersecurity? Let’s discuss in the comments!

Inside ShowMeCon: Community, Education, and Security with Dave Chronister

February 18, 2025

Blog post generated by ChatGPT and reviewed and edited by me.

Cybersecurity conferences have become essential hubs for professionals looking to expand their knowledge, connect with industry leaders, and gain hands-on experience in emerging security trends. Among these, ShowMeCon stands out as a premier security event that blends corporate professionalism with hacker culture. Recently, on the Exploring Information Security podcast, I sat down with ShowMeCon founder Dave Chronister and organizer Brooke Deneen to discuss what makes this conference unique and what attendees can expect in 2025.

The Origin and Vision of ShowMeCon

ShowMeCon was founded with a clear mission: to provide high-quality security education in an engaging, community-driven environment. Unlike traditional conferences that often feel like corporate networking events, ShowMeCon fosters an atmosphere where security researchers, IT professionals, and ethical hackers can exchange knowledge in a collaborative setting.

During the podcast, Dave Chronister shared the story behind ShowMeCon’s inception, emphasizing the importance of bridging the gap between technical expertise and real-world security applications. By creating a space where attendees can both learn and engage with top security minds, the conference has grown into a must-attend event for security professionals.

What Sets ShowMeCon Apart?

One of the defining aspects of ShowMeCon is its ability to strike a balance between corporate and hacker culture. As Brooke Deneen explained, the conference offers a professional yet welcoming environment that caters to both seasoned professionals and newcomers to the field.

Key Features That Make ShowMeCon Unique:

Immersive Venue: Hosted at the Ameristar Casino in St. Louis, the setting provides a comfortable yet dynamic backdrop for networking and learning.
Engaging Speakers: The event prioritizes bringing in experts who are not only knowledgeable but also passionate and approachable.
Hands-On Learning: ShowMeCon features training sessions, Capture The Flag (CTF) competitions, and lockpicking villages, offering attendees the chance to apply their skills in real-world scenarios.
Expanding Reach: The ShowMeCon team is exploring ways to expand the conference to new cities like Nashville, ensuring more professionals have access to top-tier security education.

Highlights of ShowMeCon 2025

The upcoming 2025 edition of ShowMeCon is set to be bigger and better, with new elements designed to enhance the attendee experience. Some of the highlights include:

The Return of Pre-Conference Training: Attendees can participate in deep-dive workshops led by industry experts.
Exciting Themed Experiences: This year’s event will feature a Fallout-theme, adding a creative twist to the conference experience.
Stronger Community Building: Encouraging new speakers and first-time attendees to engage and contribute to the security conversation.

Why You Should Attend ShowMeCon

If you're looking for a conference that goes beyond lectures and sales pitches, ShowMeCon is for you. Whether you're an IT administrator, security analyst, penetration tester, or student, this event offers valuable insights and opportunities to:

✔️ Learn from industry experts in a practical and engaging environment.
✔️ Network with peers and leaders who share a passion for security.
✔️ Gain hands-on experience through CTFs, training sessions, and interactive villages.
✔️ Explore new security trends that will shape the industry in the coming years.

Final Thoughts

ShowMeCon continues to grow as a hub for cybersecurity professionals. With its community-driven approach, diverse speaker lineup, and immersive experiences, it’s clear why this event has become a staple in the cybersecurity world.

🚀 Want to attend? Visit showmecon.com to learn more and register for the 2025 event.

🎙️ Listen to the full conversation on the Exploring Information Security podcast and you may just hear the discount code to save $50 on tickets or training: Podcast Website

See you at ShowMeCon 2025! 🔐🔥

Understanding the 2025 HIPAA Security Rule Proposal: Key Changes and Implications

February 17, 2025

In January 2025 I put together a presentation on the proposed changes to the HIPAA Security Rule. You can view the live recording on the ExplorSec YouTube channel. With Valentines Day recently passing I though this would be a good time for a blog post on the proposals for the HIPAA Security Rule. Below is a ChatGPT generated blog post using the transcript from that session that I’ve reviewed and edited .

The U.S. Department of Health and Human Services (HHS) recently proposed updates to the HIPAA Security Rule, aiming to enhance the cybersecurity resilience of healthcare organizations. These changes are in response to the evolving threat landscape, rising breach costs, and the need for stronger regulatory oversight. Let’s explore the proposal, its timeline, and the most significant updates impacting the healthcare industry. The proposal can be viewed at this link: https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html

Why the Change?

HIPAA, originally enacted in 1996, has undergone several updates, with the most recent in 2013. However, with data breaches in healthcare rising sharply, the government is taking action. The cost of healthcare breaches has surged by 50% since 2020, with an average breach costing $10.1 million per organization. Additionally, cybercriminals continue to target healthcare organizations despite previous claims that they would avoid them. In 2023 alone, the FBI received 250 ransomware reports from healthcare organizations—the most of any industry.

Proposed Timeline

January 6, 2024: Proposal released
March 7, 2024: Public comment period closes
Spring 2025: HHS reviews comments and finalizes the rule
2026: Full compliance expected for specific requirements

Organizations have an opportunity to provide feedback before implementation, making this a crucial period for healthcare entities to review the proposed changes and assess their impact.

Key Changes in the HIPAA Security Rule Proposal

Revised Terminology and Definitions

Several terms are being modified or newly defined to eliminate ambiguity and prevent misinterpretations that have historically allowed organizations to circumvent security requirements. Notable changes include:

Security Measures: Clarified to apply to both systems and information.
Technical Controls & Safeguards: Expanded definitions to include firmware and hardware components.
User Definitions: Adjusted to remove ambiguity between human users and system entities.
Addressable and Reasonable & Appropriate Requirements: Refined to ensure organizations do not misinterpret them as optional.

Asset Inventory and Risk Analysis

One of the most critical updates is the requirement for a comprehensive asset inventory of all technical assets that create, receive, maintain, or transmit electronic protected health information (ePHI). Organizations must:

Maintain a written inventory including device IDs, software versions, responsible personnel, and locations.
Conduct annual risk analyses aligned with NIST cybersecurity standards.
Update network maps to track ePHI movement and access points.

Patch Management Requirements

For the first time, HIPAA is setting explicit timelines for patch management:

Critical vulnerabilities must be patched within 15 days.
High vulnerabilities must be patched within 30 days.
Organizations must document any exceptions and review them annually.

Workforce Security and Training Enhancements

Organizations must establish stronger internal security measures, including:

Mandatory security training for new hires within 30 days.
Job description reviews to align role-based access controls with actual job functions.
Regular cybersecurity performance goals for employees, focusing on increasing phishing report rates and improving security awareness.
Security training on new technology implementations, such as new systems that handle electronic health records (EHRs).

Strengthened Physical and Technical Safeguards

The proposal mandates that organizations demonstrate operational enforcement of security policies rather than relying solely on documentation. This includes:

Mandatory encryption of ePHI at rest and in transit.
Elimination of default passwords for all devices.
Multi-Factor Authentication (MFA) requirements (with exceptions for FDA-approved medical devices).
Stricter controls for legacy systems, including the requirement that manufacturers must still provide security updates; otherwise, organizations must replace outdated systems.

Business Associate Agreements (BAA)

Healthcare organizations rely on third-party vendors to handle sensitive patient data, and the proposal introduces stricter rules around vendor agreements:

Vendors must report security incidents within 24 hours of detection.
Organizations will have up to one year to update contracts.
New requirements will apply to healthcare plan sponsors, who previously were not subject to the same security obligations.

Addressing Emerging Technologies

The proposal acknowledges the impact of new technologies in healthcare, requiring organizations to assess and prepare for:

Quantum Computing: Organizations must develop a roadmap for quantum-resistant encryption.
Artificial Intelligence (AI): Organizations must inventory AI use cases and assess associated security risks.
Virtual Reality (VR) in Healthcare: VR devices must comply with access management, patch management, and risk management protocols.

Financial Impact and Justification

The estimated cost for implementing these new security controls across all healthcare organizations is $6.8 billion annually. However, HHS argues that if these measures will reduce healthcare breaches by 7-16% and will effectively pay for itself. For individual organizations, first-year compliance costs are estimated at $4.65 million, but with healthcare breaches averaging $10.95 million in damages per incident, the investment is likely to yield significant long-term savings.

What’s Next?

The proposed HIPAA Security Rule updates aim to close loopholes, modernize security requirements, and enforce stricter compliance. Healthcare organizations should begin:

Reviewing their current security policies, training programs, and technical safeguards.
Assessing their vendor contracts and business associate agreements.
Engaging with industry groups or submitting public comments before the March 7 deadline.

For additional details on the HIPAA Security Rule proposal and how to submit public comments, visit the official HHS website.

What are your thoughts on the proposed changes? Let us know in the comments below!

February 2025 - ExploreSec Cybersecurity Awareness newsletter

February 4, 2025

This is a security awareness focused newsletter that I share internally. Feel free to grab and use for your own internal security awareness program. Created with help from ChatGPT.

How HIPAA Security Rule Updates Could Impact Healthcare Employees

The U.S. Department of Health and Human Services (HHS) has proposed significant updates to the HIPAA Security Rule, aiming to enhance the protection of electronic protected health information (ePHI). These changes, the first major revision since 2013, will have implications for individuals working in healthcare organizations.

What You Need to Know:

New Security Measures: Employees will be required to use multifactor authentication (MFA) for accessing systems containing ePHI. This adds an extra layer of security by requiring a second verification step, such as a code sent to your phone or email.

Improved Data Encryption: All ePHI must be encrypted, meaning employees may encounter updated tools or workflows for handling sensitive information securely.

Annual Audits: Organizations will perform regular audits to ensure compliance with the updated rules. Employees may be asked to participate in training or assessments to demonstrate understanding of security policies.

Why It Matters to You:

These updates are designed to strengthen defenses against data breaches and ensure the safety of patient information. As healthcare professionals, compliance with these measures not only protects patient data but also safeguards the organization from potential penalties and operational disruptions.

The proposed rule will be open for public comment starting January 6, 2025. Employees should stay informed about the changes and prepare for any updates to internal policies and procedures.

Further Reading: Dark Reading

Phishing Campaign Delivers ConnectWise RAT via Spoofed Social Security Emails

A recent phishing campaign has been identified wherein attackers impersonate the U.S. Social Security Administration to distribute the ConnectWise Remote Access Trojan (RAT).

Key Developments:

Spoofed Emails: Beginning in September 2024, fraudulent emails masquerading as official communications from the Social Security Administration were disseminated, claiming to provide updated benefits statements. These emails contained links designed to deceive recipients into downloading malicious software.

Malware Delivery Mechanism: The embedded links directed users to a ConnectWise RAT installer. Initially, the campaign utilized ConnectWise infrastructure for command and control (C2) operations but later transitioned to dynamic DNS services and domains controlled by the threat actors.

One-Time Use Links: The malicious links employed a one-time-use mechanism, redirecting users to the malware installer upon first access and subsequently to the legitimate Social Security Administration website on further attempts. This tactic complicates detection and analysis efforts.

Timing and Volume: The campaign's activity surged in early to mid-November, peaking around Election Day, suggesting a potential link to the political climate during that period.

Further Reading: GBHackers

Phishing Campaign Targets Gamers with Fake Video Game Testing Offers

Cybercriminals are employing deceptive emails that promise opportunities to test new video games, aiming to steal personal information and credentials from unsuspecting gamers.

Key Details:

Deceptive Invitations: Victims receive emails inviting them to participate in exclusive game testing, often for highly anticipated titles.

Malicious Links: These emails contain links to counterfeit websites designed to mimic legitimate gaming platforms, prompting users to enter sensitive information.

Data Theft: Information entered on these fake sites is harvested by attackers for malicious purposes, including identity theft and unauthorized account access.

Further Reading: KnowBe4 Blog

New 'US Cyber Trust Mark' Labels to Identify Secure Smart Devices

The U.S. government has introduced the 'US Cyber Trust Mark,' a voluntary labeling initiative to help consumers identify smart devices that meet federal cybersecurity standards.

Key Details:

Purpose: The label aims to guide consumers in selecting internet-connected devices—such as baby monitors, home security cameras, and fitness trackers—that are less susceptible to hacking.

Label Features: Devices meeting the standards will display a distinctive shield logo and include QR codes. Scanning the QR code provides detailed security information about the product.

Availability: Products bearing the 'US Cyber Trust Mark' are expected to be available later this year, as manufacturers begin submitting devices for approval.

Industry Participation: Companies including Amazon, Best Buy, Google, LG Electronics USA, Logitech, and Samsung have expressed support for the initiative.

Implications for Consumers:

With the average American household containing numerous internet-connected devices, each potentially serving as an entry point for cybercriminals, this labeling system offers a straightforward method to assess the cybersecurity of products before purchase.

Further Reading: SecurityWeek

PowerSchool Software Cyberattack Potentially Affects 45 Million U.S. Students

A recent cyberattack targeting PowerSchool, a widely used student information system in K-12 schools across the United States, has led to a significant data breach. This incident may impact over 45 million students and educational staff nationwide.

Key Details:

Compromised Data: The breach has exposed sensitive information, including grades, attendance records, medical histories, Social Security numbers, student profiles, and communications between parents and educators.

Potential Risks: The stolen data could be exploited for malicious activities such as phishing attempts, identity theft, and unauthorized access to personal and financial information.

Regional Impact: Schools in North Dakota, including West Fargo Public Schools, have notified parents about the breach, indicating that the incident may have far-reaching implications across various educational districts.

Further Reading: Cybersecurity Insiders

Data Breach at Leading U.S. Addiction Treatment Provider

BayMark Health Services, the largest provider of substance use disorder treatment in North America, has reported a data breach potentially compromising patient personal and health information.

Key Details:

Incident Timeline: Unauthorized access to BayMark's systems occurred between September 24 and October 14, 2024. The breach was discovered on October 11, leading to immediate actions to secure systems and involve third-party forensic experts.

Compromised Information: While the exact data types accessed have not been publicly detailed, such breaches typically involve personal identifiers and health-related information.

Patient Notification: BayMark is in the process of notifying affected individuals and has stated that it will offer complimentary credit monitoring and identity protection services to those impacted.

Further Reading: BleepingComputer

Sophisticated Voice Phishing Scams Exploit Apple and Google Services

Recent investigations have uncovered that cybercriminals are leveraging legitimate Apple and Google services to execute advanced voice phishing (vishing) attacks, deceiving users into divulging sensitive information.

Key Details:

Exploiting Legitimate Services: Attackers initiate contact through genuine Apple and Google communication channels, such as Google Assistant and Apple's support lines, making the interactions appear authentic.

Manipulating System Notifications: By abusing these services, scammers can trigger legitimate system-level messages, emails, and automated phone calls, adding credibility to their fraudulent schemes.

Case Example: In one instance, a cryptocurrency investor was deceived into transferring over $4.7 million after receiving what seemed to be legitimate communications from Google and Apple, orchestrated by the attackers.

Recommendations:

Verify Contacts: Be cautious of unsolicited communications claiming to be from Apple or Google. Always verify the authenticity of such interactions by contacting the company directly through official channels.

Protect Personal Information: Never share sensitive information, such as passwords or financial details, over the phone or through unsolicited messages.

Stay Informed: Familiarize yourself with common phishing tactics and remain vigilant for signs of fraudulent activity.

Further Reading: Krebs on Security

OneBlood Confirms Data Breach Following Ransomware Attack

OneBlood, a prominent not-for-profit blood donation organization serving over 250 hospitals across the United States, has confirmed that personal information of donors was compromised during a ransomware attack in July 2024.

Key Details:

Incident Timeline: Unauthorized access to OneBlood's network occurred between July 14 and July 29, 2024. The breach was discovered on July 28, prompting immediate containment measures.

Compromised Information: The attackers accessed and copied files containing personal data, including names and Social Security numbers. OneBlood has begun notifying affected individuals and is offering complimentary credit monitoring services.

Operational Impact: The ransomware attack led to the encryption of virtual machines, forcing OneBlood to revert to manual processes for blood collection, testing, and distribution. This disruption resulted in delays and shortages, prompting urgent calls for donations, particularly of O Positive, O Negative, and Platelet blood types.

Further Reading: BleepingComputer

Phishing Campaigns Exploit YouTube Links and Microsoft 365 Themes

Cybercriminals are deploying sophisticated phishing attacks targeting Microsoft 365 users by utilizing deceptive URLs that closely resemble legitimate Office 365 domains. These attacks often involve claims of imminent password expiration to create urgency, prompting users to click on malicious links.

Key Developments:

Deceptive URLs: Attackers craft URLs that appear to be legitimate, incorporating prefixes like "youtube.com" followed by obfuscation characters or using the "@" symbol to redirect users to malicious domains while maintaining a facade of legitimacy.

Social Engineering Tactics: Phishing emails are designed to induce panic by falsely claiming that the recipient's password has expired, urging immediate action. The emails contain malicious buttons labeled to appear as legitimate account maintenance actions.

Obfuscation Techniques: The use of "%20" for HTML space encoding and the "@" symbol in URLs helps attackers conceal the true destination of the links, making it challenging for users to identify the threat.

Further Reading: GBHackers

Phishing Texts Target Apple iMessage Users by Disabling Link Protections

Cybercriminals are employing a new tactic to deceive Apple iMessage users into disabling built-in phishing protections, thereby exposing them to potential scams.

Key Details:

Disabled Links for Unknown Senders: Apple's iMessage automatically disables links in messages received from unknown senders to protect users from potential phishing attacks.

Deceptive Tactics: Recent smishing (SMS phishing) attacks have been observed where attackers send messages prompting users to reply with "Y" or another response. This action re-enables the disabled links, making users susceptible to malicious websites.

Common Scenarios: Examples include fake shipping issue notifications or unpaid toll alerts, urging immediate action and instructing users to reply to the message to resolve the fabricated issue.

Recommendations:

Avoid Responding to Unknown Messages: Do not reply to messages from unknown senders, especially those prompting you to take specific actions.

Verify Sender Authenticity: If a message claims to be from a legitimate organization, contact the entity directly using official channels to confirm the message's legitimacy.

Maintain Built-in Protections: Refrain from actions that disable iMessage's security features, such as replying to suspicious messages or adding unknown contacts without verification.

Stay Vigilant: Always exercise caution when receiving unsolicited messages, and be aware of tactics that attempt to bypass security measures designed to protect your personal information.

Further Reading: BleepingComputer

Surge in Phishing Scams Exploiting California Wildfires

As California confronts devastating wildfires, cybercriminals are exploiting the crisis by launching phishing scams targeting affected individuals and those seeking to assist.

Key Insights:

Emergence of Suspicious Domains: Within a 72-hour period, multiple domains mimicking official services related to the wildfires have been registered. Examples include malibu-fire[.]com and fire-relief[.]com. These domains are likely intended for phishing attacks, fake donation requests, and malicious downloads.

Tactics Employed by Scammers: Attackers are creating domains that resemble legitimate services or agencies, distributing phishing emails urging recipients to click on fraudulent links, and using social engineering techniques to create a sense of urgency, such as fake donation drives or critical safety alerts.

Recommendations:

Verify Authenticity: Before engaging with any disaster-related communications or websites, confirm their legitimacy through official channels.

Be Cautious with Donations: When donating to relief efforts, use established and reputable organizations. Avoid unsolicited requests for donations, especially those asking for unusual payment methods.

Stay Informed: Keep abreast of common phishing tactics and remain vigilant for signs of fraudulent activity, particularly during disaster situations.

Further Reading: Veriti Blog

U.S. Sanctions Target North Korean IT Worker Network

The U.S. Treasury Department has imposed sanctions on a network of individuals and front companies associated with North Korea's Ministry of National Defense, aiming to disrupt revenue streams generated through illicit remote IT work schemes.

Key Insights:

Entities Sanctioned: The Office of Foreign Assets Control (OFAC) has designated North Korean front companies Korea Osong Shipping Co. (Osong) and Chonsurim Trading Corporation (Chonsurim), along with their presidents, Jong In Chol and Son Kyong Sik. Additionally, Chinese firm Liaoning China Trade has been sanctioned for supplying electronics equipment to North Korea's Department 53, a weapons-trading entity that also operates IT and software development front companies.

Revenue Generation Tactics: North Korea employs thousands of IT workers who conceal their identities to secure employment with companies abroad. The earnings from these positions are funneled back to the regime, supporting its illegal weapons programs and contributing to destabilizing activities, including support for Russia's war in Ukraine.

Legal Implications: As a result of these sanctions, U.S. individuals and organizations are prohibited from engaging in transactions with the designated entities and individuals. Furthermore, any assets linked to them within U.S. jurisdiction are subject to freezing.

Further Reading: BleepingComputer

Cybercriminals Exploit Fake Google Ads to Hijack Advertiser Accounts

Cybercriminals are conducting a sophisticated malvertising campaign targeting Google Ads users by deploying fraudulent advertisements that impersonate legitimate Google Ads services. This tactic aims to steal advertiser account credentials, leading to unauthorized access and potential misuse of advertising budgets.

Key Insights:

Impersonation of Google Ads: Attackers create deceptive ads that appear to be official Google Ads promotions. When clicked, these ads redirect users to counterfeit login pages designed to harvest Google account credentials.

Use of Google Sites for Phishing: The fraudulent ads often lead to phishing pages hosted on Google Sites, lending an air of legitimacy and making detection more challenging. These pages are crafted to closely mimic authentic Google login interfaces.

Credential Theft and Account Compromise: Once users enter their credentials on these fake pages, attackers gain unauthorized access to their Google Ads accounts. This access can be exploited to run malicious ad campaigns, deplete advertising budgets, or sell the compromised accounts on blackhat forums.

Recommendations:

Verify Ad URLs: Before clicking on any Google Ads-related advertisements, hover over the link to inspect the URL. Ensure it directs to an official Google domain.

Enable Multi-Factor Authentication (MFA): Implement MFA on your Google accounts to add an extra layer of security, making unauthorized access more difficult even if credentials are compromised.

Further Reading: Malwarebytes

Ransomware Gangs Exploit Microsoft Teams by Impersonating IT Support

Cybersecurity researchers have identified ransomware groups, including Black Basta, using Microsoft Teams to impersonate IT support and gain unauthorized access to corporate networks.

Key Insights:

Email Bombardment: Attackers flood employee inboxes with non-malicious emails to create confusion and urgency.

Fake IT Support: Posing as help desk personnel, attackers use Teams to contact employees and build trust.

Remote Access: Victims are tricked into installing remote tools, enabling ransomware deployment and network access.

Further Reading: BleepingComputer

Introducing 'Identity Check'

Google has recently unveiled a new security feature for Android devices called "Identity Check," designed to bolster protection against unauthorized access, especially in the event of device theft. This feature mandates biometric authentication—such as fingerprint or facial recognition—to access sensitive settings when the device is outside of trusted locations like home or work.

Key Highlights:

Biometric Verification: Critical actions, including changing the device's PIN, disabling theft protection, turning off 'Find My Device,' performing a factory reset, and modifying biometric data, now require biometric authentication when the device is in untrusted locations.

Trusted Locations: Users can designate specific areas, such as home or workplace, as trusted locations. Outside these zones, the enhanced security measures are activated to prevent unauthorized access.

Device Compatibility: Initially, 'Identity Check' is available on Google Pixel devices running Android 15 and Samsung Galaxy devices with One UI 7. Plans are underway to extend this feature to other manufacturers' devices later this year.

Further Reading: BleepingComputer

Banshee Stealer Targets macOS Users

A sophisticated malware known as "Banshee Stealer" is actively targeting macOS users, posing significant risks to personal and financial data.

Key Details:

Stealthy Operation: Banshee operates undetected, blending seamlessly with normal system processes while stealing browser credentials, cryptocurrency wallets, user passwords, and sensitive file data.

Distribution Methods: The malware is distributed through phishing websites and malicious GitHub repositories, posing as popular software tools such as Chrome, Telegram, and TradingView.

Protective Measures:

Verify Software Sources: Only download software from official and reputable sources. Be cautious of unsolicited links or prompts to install applications.

Update Security Systems: Ensure your macOS and security software are up-to-date to detect and prevent the latest threats.

Monitor for Suspicious Activity: Regularly check for unusual system behavior or unauthorized access to accounts.

Further Reading: Check Point Research

Texas Investigates Automakers Over Consumer Data Practices

Texas has broadened its investigation into how automakers collect, use, and share consumer data from modern connected vehicles. The focus is on whether manufacturers are obtaining proper consent, how data is shared with third parties, and whether it is being sold without transparency. This follows growing concerns over privacy risks associated with the data generated by advanced vehicle technologies.

Key Insights:

Automakers Under Scrutiny: Texas is investigating Ford, Hyundai, Toyota, and Fiat Chrysler over data collection, sharing, and sales practices.

Data Concerns: The focus includes how consumer data is collected, shared with third parties, and whether consumer consent is obtained.

Legal Background: This expands on previous investigations and lawsuits, including action against General Motors for alleged unauthorized data sales.

Further Reading: Malwarebytes News

Phishing Campaign Exploits Legitimate Services to Send Fraudulent PayPal Requests

A recent phishing campaign has been identified that abuses legitimate services to send fraudulent PayPal payment requests, aiming to deceive recipients into compromising their accounts.

Key Insights:

Methodology: Attackers register free Microsoft 365 test domains and create distribution lists containing target email addresses. They then use these lists to send payment requests via PayPal's web portal.

Deceptive Tactics: Recipients receive a legitimate-looking PayPal payment request. Clicking the link directs them to a PayPal login page displaying the payment request. If the recipient logs in, their PayPal account becomes linked to the scammer's account, potentially granting the attacker unauthorized access.

Further Reading: KnowBe4 Security Awareness Training Blog

Malicious WordPress Plugin Assists in Phishing Attacks

A newly identified malicious WordPress plugin is being exploited by attackers to conduct phishing campaigns. This plugin allows cybercriminals to send phishing emails from compromised WordPress sites, emphasizing the need for vigilance in securing web platforms and carefully managing plugins.

Key Insights:

The malicious plugin facilitates phishing attacks by using compromised websites to send emails to targets.

Regular audits of WordPress sites and plugin installations are essential for mitigating such threats.

Ensuring plugins are sourced from trusted providers can help reduce the risk of exploitation.

Further Reading: Malicious WordPress Plugin Assists in Phishing Attacks

Insurance Company Accused of Using Secret Software to Illegally Collect and Sell Location Data

A prominent insurance company is under scrutiny for using secret software to collect and sell location data on millions of Americans without their knowledge or consent. This case raises serious concerns about privacy violations and the unethical use of personal data for profit. It serves as a reminder of the importance of transparency and consent in handling personal information, particularly when it comes to sensitive data like location tracking.

Key Insights:

The insurance company allegedly used secret software to gather location data from individuals without their consent.

The collected data was sold, violating privacy laws and raising ethical concerns about data exploitation.

Organizations must prioritize transparency and user consent when collecting and using personal data to avoid legal and reputational risks.

Further Reading: Malwarebytes

Google Chrome AI Extensions Deliver Info-Stealing Malware in Broad Attack

A new wave of cyberattacks is targeting Google Chrome users through AI-powered extensions that deliver information-stealing malware. These malicious extensions are designed to steal sensitive data, including login credentials and financial information, from unsuspecting victims. The attack highlights the growing threat posed by browser extensions and the need for users to exercise caution when installing third-party software.

Key Insights:

AI-powered Chrome extensions are being used to deliver info-stealing malware, potentially compromising users' personal and financial information.

The use of AI in these extensions makes them more difficult to detect and mitigate.

Users should carefully vet any browser extensions they install and prioritize security practices such as using trusted sources and multi-factor authentication.

Further Reading: Malwarebytes

Phishing Campaign Targets Mobile Banking Users with Sophisticated Techniques

A new phishing campaign is targeting mobile banking users with increasingly sophisticated techniques. The attackers are using fake mobile apps and messages that appear to come from trusted financial institutions, convincing victims to provide sensitive information such as account credentials and personal identification details. This attack highlights the growing threat to mobile banking and the importance of user vigilance in identifying fraudulent communications.

Key Insights:

The phishing campaign uses fake mobile apps and messages that mimic legitimate banking services to deceive users.

Attackers are focusing on mobile platforms, where users may be less cautious about security risks.

Financial institutions and mobile users should remain vigilant, employing multi-factor authentication and other security measures to protect sensitive information.

Further Reading: Infosecurity Magazine

Phishing Attack Protection for Teams Chat

Phishing attacks targeting communication platforms like Microsoft Teams are becoming more prevalent. These attacks often involve malicious links, fake login prompts, or social engineering tactics aimed at stealing sensitive information. Microsoft is introducing a feature that flags external messages, helping users identify and avoid potentially harmful communications. Organizations should also reinforce security measures and provide ongoing training to users to strengthen defenses against these threats.

Key Insights:

Phishing attacks are increasingly targeting platforms such as Microsoft Teams, using malicious links and social engineering techniques.

Microsoft is rolling out a feature that flags external messages, which helps users spot potential phishing attempts.

Ongoing user education and security best practices remain essential to defending against evolving phishing tactics.

Further Reading: GBHackers

These Are the 10 Worst PIN Codes

A new report highlights the 10 worst PIN codes that are most commonly used, making accounts highly vulnerable to unauthorized access. Cybersecurity experts have long warned against using simple, predictable PINs, but many users still rely on easily guessable codes. This report serves as a reminder to always choose strong, unique PINs to safeguard sensitive accounts.

Key Insights:

Many users still rely on simple, predictable PIN codes, which increases the risk of unauthorized access.

The 10 worst PIN codes are some of the most common and easiest to guess, highlighting the importance of stronger security practices.

Users should choose complex, unique PIN codes for their accounts to protect personal and financial information from attackers.

Further Reading: Malwarebytes

Chinese Innovations Spawn Wave of Toll Phishing via SMS

A new wave of phishing attacks is emerging, primarily driven by Chinese technological innovations. Cybercriminals are using SMS-based toll phishing to trick users into paying for services or accessing malicious websites. This surge in attacks highlights the growing sophistication of phishing tactics and the need for stronger protections against mobile-based threats.

Key Insights:

Toll phishing attacks via SMS are on the rise, with cybercriminals using Chinese innovations to make the attacks more convincing and widespread.

Victims are tricked into paying for non-existent services or clicking on malicious links.

Organizations and individuals should implement mobile security practices and be cautious when receiving unsolicited SMS messages.

Further Reading: Krebs on Security

Your Location or Browsing Habits Could Lead to Price Increases When Buying Online

A recent study reveals that online retailers may use your location and browsing habits to adjust prices, leading to potential price increases for certain customers. This practice, known as dynamic pricing, raises privacy concerns and the need for transparency in how personal data is used for commercial purposes. Consumers are advised to be aware of these tactics and consider using privacy tools to protect their online behavior.

Key Insights:

Retailers may adjust prices based on location and browsing behavior, potentially leading to higher costs for some users.

Dynamic pricing practices raise concerns about privacy and the ethical use of personal data.

Consumers can protect themselves by using privacy tools and being mindful of how their data is shared with online retailers.

Further Reading: Malwarebytes

New Syncjacking Attack Hijacks Devices Using Chrome Extensions

A new form of attack called "Syncjacking" is targeting users by exploiting Chrome extensions to hijack their devices. This attack allows cybercriminals to gain access to users' synchronized data across multiple devices, including passwords, browsing history, and other sensitive information. This highlights the need for users to be cautious when installing browser extensions and to regularly review their sync settings.

Key Insights:

Syncjacking attacks exploit vulnerabilities in Chrome extensions to hijack synced data across multiple devices.

The attack compromises sensitive information, such as passwords and browsing history, by gaining access to synchronized accounts.

Users should be cautious when installing extensions and ensure they review their sync settings regularly to prevent unauthorized access.

Further Reading: BleepingComputer

States Get Failing Grades for Privacy Laws, but Tide May Be Turning

A new report from the Electronic Privacy Information Center (EPIC) and U.S. PIRG Education Fund reveals that nearly half of U.S. states with consumer privacy laws received failing grades for protecting citizens' data. Of the 19 states with laws, eight received an F, and none earned an A. While many of these laws are seen as weak and influenced by major tech companies, some states like Maryland are starting to adopt stronger privacy protections, offering hope for a more secure future.

Key Insights:

Many states with consumer privacy laws received failing grades due to weak protections for personal data.

Big Tech companies have influenced state privacy laws, leading to minimal consumer protection.

Maryland’s recent privacy law is one of the strongest in the U.S., limiting data collection and banning targeted ads to minors.

States like Vermont, Massachusetts, and Maine are moving toward stronger privacy laws this year.

Further Reading: EPIC

February 2025 - ExploreSec Cybersecurity Threat Intelligence Newsletter

January 31, 2025

This is a monthly newsletter that I share internally with our Cybersecurity team. Feel free to take and use for your own team. Created with the help of ChatGPT.

ModeLeak Vulnerabilities in Google's Vertex AI Platform

Palo Alto Networks' Unit 42 team has uncovered two critical vulnerabilities, collectively termed "ModeLeak," within Google's Vertex AI platform. These flaws could enable attackers to escalate privileges and exfiltrate sensitive machine learning (ML) models, including fine-tuned large language model (LLM) adapters.

Key Insights:

Privilege Escalation via Custom Jobs: Attackers can exploit custom job permissions to gain unauthorized access to data services within a project, leading to potential exposure of sensitive information.

Model Exfiltration through Malicious Models: By deploying a poisoned model, adversaries can exfiltrate other fine-tuned models in the environment, risking proprietary data and custom optimizations.

Google has addressed these vulnerabilities by implementing fixes in the Vertex AI platform. Organizations utilizing Vertex AI should review their security protocols to ensure protection against similar threats.

Further Reading: Unit 42 Blog

Black Basta Ransomware Adopts Advanced Social Engineering Tactics

The Black Basta ransomware group has recently enhanced its attack strategies by incorporating sophisticated social engineering techniques, including email bombing, QR code phishing, and the deployment of custom malware payloads.

Key Developments:

Email Bombing: Attackers inundate targets with excessive emails by subscribing their addresses to numerous mailing lists. This tactic overwhelms victims and increases the likelihood of interaction with subsequent malicious communications.

Impersonation via Microsoft Teams: Threat actors pose as IT support personnel, contacting victims through Microsoft Teams to establish trust and facilitate the installation of remote access tools.

QR Code Phishing: Malicious QR codes are sent to victims, directing them to phishing sites designed to harvest credentials or deploy additional malware.

Custom Malware Deployment: The group utilizes bespoke tools such as KNOTWRAP (a memory-only dropper) and KNOTROCK (a .NET-based utility) to execute ransomware payloads stealthily.

Further Reading: The Hacker News

North Korean IT Workers Infiltrating Global Companies

Recent investigations have uncovered that operatives from the Democratic People's Republic of Korea (DPRK) are securing remote IT positions in international companies under false identities. These individuals channel their earnings to fund North Korea's weapons programs, posing significant security and compliance risks to employers.

Key Insights:

Use of False Identities: North Korean IT workers often utilize stolen or fabricated identities to obtain employment, making detection challenging.

Revenue Generation for DPRK: Earnings from these positions are funneled back to North Korea, supporting its sanctioned weapons development initiatives.

Potential for Insider Threats: Beyond financial implications, these operatives may have access to sensitive company data, increasing the risk of intellectual property theft and cyber espionage.

Further Reading: Unit 42 Blog

North Korean IT Workers Linked to Phishing Attacks via Malicious Video Conferencing Apps

Unit 42 researchers have identified a cluster of North Korean IT operatives, designated as CL-STA-0237, involved in phishing attacks that deploy malware through counterfeit video conferencing applications. Operating primarily from Laos, these individuals have secured positions in various companies, leveraging their roles to further malicious activities.

Key Insights:

Malware Distribution: The group utilizes fraudulent video conferencing platforms to disseminate malware, notably the BeaverTail and InvisibleFerret remote access trojans, compromising systems during supposed job interview processes.

Global Reach: By infiltrating organizations worldwide, these operatives support North Korea's illicit endeavors, including its weapons of mass destruction and ballistic missile programs.

Evolving Tactics: The shift from merely seeking income to engaging in aggressive malware campaigns indicates a significant escalation in their operational strategies.

Further Reading: Unit 42 Blog

Surge in 'ClickFix' Social Engineering Attacks

Cybersecurity researchers have identified a significant increase in the use of a social engineering tactic known as "ClickFix." This method deceives users into copying and pasting malicious commands into their systems, leading to malware infections.

Key Developments:

Deceptive Error Messages: Attackers present fake error dialogs, prompting users to execute provided commands to resolve non-existent issues.

Malware Delivery: By following these instructions, users inadvertently run scripts that download and install malware such as Lumma Stealer and AsyncRAT.

Global Impact: Campaigns employing ClickFix techniques have targeted organizations worldwide, with notable incidents involving fake GitHub security notifications and counterfeit software updates.

Further Reading: Proofpoint Blog

Malicious Ads Deliver SocGholish Malware to Kaiser Permanente Employees

A recent cyberattack has targeted Kaiser Permanente employees through malicious advertisements on Google Search, leading to the distribution of SocGholish malware.

Key Developments:

Malicious Advertisements: Threat actors placed deceptive ads mimicking Kaiser Permanente's HR portal to lure employees searching for benefits and payroll information.

Compromised Website Redirects: Clicking the fraudulent ad redirected users to a compromised website, bellonasoftware[.]com, which briefly displayed a phishing page before prompting a fake browser update.

SocGholish Malware Deployment: The fake browser update led to the download of "Update.js," a malicious script associated with the SocGholish malware campaign, designed to collect system information and potentially allow human operators to execute further malicious actions.

This incident highlights the evolving tactics of cybercriminals in exploiting trusted platforms like Google Ads to distribute malware.

Further Reading: Malwarebytes Blog

DarkGate Malware Leveraging Vishing via Microsoft Teams

Recent analyses have identified a concerning trend in which cybercriminals are deploying DarkGate malware through vishing (voice phishing) attacks conducted via Microsoft Teams.

Key Developments:

Social Engineering Tactics: Attackers impersonate employees from known client organizations during Microsoft Teams calls, convincing victims to download remote desktop applications like AnyDesk.

Malware Deployment: Once remote access is established, DarkGate malware is installed, enabling threat actors to execute malicious commands, gather system information, and maintain persistent access.

Operational Impact: Although some attacks have been thwarted before data exfiltration, the initial breach underscores vulnerabilities in user awareness and the potential for significant security incidents.

Further Reading: Trend Micro Research

Sophisticated Phishing Campaigns Exploit Trusted Platforms

Recent analyses have uncovered advanced phishing campaigns targeting employees across multiple industries and jurisdictions. These operations employ sophisticated techniques to bypass Secure Email Gateways (SEGs) and exploit trusted platforms, creating highly convincing schemes to deceive victims and steal their credentials.

Key Developments:

Exploitation of Trusted Platforms: Attackers leverage familiar platforms and services to enhance the credibility of their phishing attempts, making it more challenging for victims to identify fraudulent communications.

Bypassing Secure Email Gateways (SEGs): The campaigns utilize advanced methods to evade detection by SEGs, allowing malicious emails to reach employees' inboxes undetected.

Wide-Ranging Targets: Over 30 companies across 12 industries and 15 jurisdictions have been affected, indicating a broad and indiscriminate approach by the threat actors.

Further Reading: Group-IB Blog

Top Cyber Attacker Techniques (August–October 2024)

Recent analyses have identified key cyber attacker tactics, techniques, and procedures (TTPs) observed between August 1 and October 31, 2024.

Key Developments:

Phishing Incidents: Phishing accounted for 46% of all customer incidents during this period, indicating a significant rise likely due to high employee turnover and the accessibility of phishing kits.

Prevalent Malware: "SocGholish" and "LummaC2" emerged as the most frequently observed malware in customer environments, highlighting their widespread use in recent attacks.

Cloud Services Alerts: There was a 20% increase in cloud services alerts, correlating with the rising adoption of cloud accounts and associated security challenges.

Ransomware Activity: Despite a slowdown in "LockBit" ransomware activity due to law enforcement actions and a loss of affiliate trust, it remains a key player. Meanwhile, "RansomHub" is rising rapidly due to its attractive ransomware-as-a-service (RaaS) model. The U.S., manufacturing sector, and professional, scientific, and technical services (PSTS) sector are primary targets amidst an overall increase in ransomware attacks.

Initial Access Broker (IAB) Activity: IAB activity increased by 16%, heavily targeting U.S.-based organizations, possibly due to perceived financial capabilities stemming from cyber insurance.

Insider Threat Content: A 7% rise in insider threat discussions on cybercrime forums was noted, driven by significant financial incentives, underscoring the growing complexity of cybersecurity challenges.

Impersonating Domain Alerts: There was a 6% increase in alerts related to impersonating domains, indicating ongoing reliance on simple techniques to capture credentials and data.

Further Reading: ReliaQuest Blog

Phishing Attacks Double in 2024

Recent analyses reveal a significant surge in phishing activities throughout 2024, with overall phishing messages increasing by 202% in the latter half of the year. Notably, credential phishing attacks have escalated by 703% during the same period.

Key Developments:

Prevalence of Zero-Day URLs: Approximately 80% of malicious links identified are zero-day threats—newly created URLs designed to evade traditional detection methods.

Diversification of Attack Vectors: While link-based phishing remains predominant, there is a notable increase in text-based threats, such as business email compromise (BEC) and invoice scams, as well as file-based threats employing techniques like HTML smuggling.

Expansion Beyond Email: Phishing attacks are increasingly targeting multiple platforms, including SMS, LinkedIn, and Microsoft Teams, indicating a shift towards multichannel approaches.

Further Reading: Infosecurity Magazine

Surge in Phishing Attacks via New Top-Level Domains

Recent analyses reveal a significant increase in phishing attacks, with a 40% rise observed in the year ending August 2024. A substantial portion of this growth is attributed to the exploitation of new generic top-level domains (gTLDs) such as .shop, .top, and .xyz, which are favored by cybercriminals due to their low registration costs and minimal verification requirements.

Key Developments:

Disproportionate Use in Cybercrime: Although new gTLDs constitute only 11% of the market for new domains, they account for approximately 37% of reported cybercrime domains between September 2023 and August 2024.

Attraction to Low-Cost Registrations: Registrars offering domain registrations for less than $1, with little to no identity verification, are particularly appealing to spammers and scammers seeking to conduct malicious activities anonymously.

ICANN's Expansion Plans: Despite the misuse of these new gTLDs, the Internet Corporation for Assigned Names and Numbers (ICANN) is proceeding with plans to introduce additional gTLDs, potentially broadening the landscape for cybercriminal activities.

Further Reading: Krebs on Security

Surge in Suspicious Domain Registrations Exploiting High-Profile Events

Recent analyses have identified a significant increase in suspicious domain registration campaigns exploiting high-profile events, such as the 2024 Summer Olympics in Paris.

Key Developments:

Event-Driven Domain Registrations: Threat actors register deceptive domains containing event-specific keywords to mimic official websites, aiming to deceive users seeking legitimate information.

Exploitation of Public Interest: Cybercriminals leverage global events to attract large audiences, using fraudulent domains to distribute malware, conduct phishing attacks, or sell counterfeit merchandise.

Indicators of Malicious Activity: Monitoring domain registrations, DNS traffic, URL patterns, and textual characteristics can help identify and mitigate these threats.

Further Reading: Unit 42 Blog

Zloader Malware Adopts DNS Tunneling for Stealthier C2 Communications

Recent analyses have identified that the Zloader malware, a modular Trojan based on the leaked Zeus source code, has incorporated DNS tunneling into its command-and-control (C2) communication methods.

Key Developments:

DNS Tunneling Implementation: Zloader now employs a custom protocol over DNS, utilizing IPv4 to tunnel encrypted TLS network traffic. This technique enables the malware to conceal its C2 communications within standard DNS queries and responses, making detection more challenging.

Enhanced Anti-Analysis Features: The latest version of Zloader includes improved anti-analysis capabilities, such as environment checks and API import resolution algorithms, to evade malware sandboxes and static detection methods.

Interactive Shell Capability: Zloader has introduced an interactive shell that supports over a dozen commands, potentially facilitating hands-on keyboard activity by threat actors during attacks.

Further Reading: Zscaler Blog

Cybercriminals Exploit Fake CAPTCHAs to Distribute Malware

Recent analyses have identified a deceptive tactic where cybercriminals use fake CAPTCHA pages to distribute malware, exploiting users' trust in these verification systems.

Key Developments:

Malicious Redirects: Users visiting compromised websites are redirected to fraudulent CAPTCHA pages that closely mimic legitimate services like Google and CloudFlare.

Clipboard Hijacking: These fake CAPTCHAs silently copy malicious commands to the user's clipboard via JavaScript, prompting them to execute these commands unknowingly through the Windows Run prompt.

Malware Installation: Executing the copied commands leads to the installation of malware, including information stealers and remote-access trojans (RATs), which can extract sensitive data and provide persistent access to compromised systems.

Further Reading: ReliaQuest Blog

Threat Actors Exploit LDAP for Network Enumeration

Recent analyses have identified that both nation-state and cybercriminal threat actors are leveraging the Lightweight Directory Access Protocol (LDAP) to perform network enumeration within Active Directory environments.

Key Developments:

Abuse of LDAP Attributes: Attackers utilize LDAP queries to extract sensitive information, such as user accounts, group memberships, and permissions, facilitating lateral movement and privilege escalation within compromised networks.

Use of Enumeration Tools: Tools like BloodHound and its data collector, SharpHound, are commonly employed to map Active Directory structures, identifying potential attack paths and high-value targets.

Detection Challenges: Distinguishing between legitimate and malicious LDAP activity is difficult due to the high volume of benign LDAP traffic in typical network environments, complicating efforts to detect and mitigate these attacks.

Further Reading: Unit 42 Blog

'Araneida' Web Hacking Service Linked to Turkish IT Firm

Recent investigations have uncovered that 'Araneida,' a cloud-based web hacking service, is utilizing a cracked version of Acunetix—a commercial web application vulnerability scanner—to facilitate cyberattacks. Notably, this service has been traced back to a Turkish information technology firm.

Key Developments:

Exploitation of Cracked Software: Araneida employs an unauthorized version of Acunetix, enabling users to perform offensive reconnaissance, extract user data, and identify exploitable vulnerabilities on target websites.

Proxy Integration for Anonymity: The service incorporates a robust proxy network, allowing scans to originate from a diverse pool of IP addresses, thereby concealing the true source of the activity.

Cybercriminal Promotion: Advertised on multiple cybercrime forums and boasting a Telegram channel with nearly 500 subscribers, Araneida has been linked to the compromise of over 30,000 websites within six months. One user claimed to have purchased a luxury vehicle using proceeds from payment card data obtained through the service.

Connection to Turkish IT Firm: Investigations reveal that the domain araneida[.]co, operational since February 2023, is associated with an individual employed as a senior software developer at Bilitro Yazilim, an IT firm based in Ankara, Turkey.

Further Reading: Krebs on Security

LLMs Employed to Obfuscate Malicious JavaScript

Recent analyses have revealed that adversaries are leveraging large language models (LLMs) to obfuscate malicious JavaScript code, enhancing its ability to evade detection mechanisms.

Key Developments:

Automated Code Obfuscation: Attackers utilize LLMs to iteratively transform malicious JavaScript through techniques such as variable renaming, dead code insertion, and whitespace removal, without altering the code's functionality.

Evasion of Detection Tools: These LLM-generated variants can bypass traditional detection tools, including static analysis models, by producing natural-looking code that is harder to identify as malicious.

Scalability of Attacks: The use of LLMs enables the creation of numerous unique malware variants at scale, increasing the difficulty for security systems to detect and mitigate these threats effectively.

Further Reading: Unit 42 Blog

Mobile Phishing Attacks Employ New Tactics to Evade Security Measures

Recent analyses have identified a novel social engineering tactic targeting mobile banking users. Attackers are leveraging Progressive Web Apps (PWAs) and WebAPKs to distribute phishing websites disguised as legitimate applications, effectively bypassing traditional security warnings and app store vetting processes.

Key Insights:

Exploitation of PWAs and WebAPKs: Unlike traditional apps, these malicious PWAs and WebAPKs are essentially phishing websites packaged to look like legitimate applications. This means they do not exhibit the typical behaviors or characteristics associated with malware, making detection more challenging.

Bypassing Security Measures: Their ability to bypass traditional security warnings of a mobile operating system, and total sidestepping of app store vetting processes, is particularly concerning. This allows attackers to distribute malicious content without triggering standard security alerts.

Anticipated Increase in Sophistication: It is anticipated that more sophisticated and varied phishing campaigns utilizing PWAs and WebAPKs will emerge, unless mobile platforms change their approach towards them.

Further Reading: KnowBe4 Blog

Tax Fraud: How to Avoid Criminals Filing Fraudulent Returns

January 30, 2025

This is a post I put together for my own internal security awareness program. Feel free to grab and use within your own organization. Created with help from ChatGPT.

Tax season is a time when individuals and businesses focus on filing their returns and securing their refunds. However, it is also a prime opportunity for fraudsters looking to exploit the system. One particularly alarming form of fraud is when criminals file tax returns on behalf of individuals without their knowledge, stealing valuable refunds in the process. This type of fraud, known as tax-related identity theft, can have serious financial consequences for the victim. In this post, we'll dive into how this scheme works, its impact, and the steps you can take to protect yourself.

How the Scheme Operates

Data Acquisition Criminals obtain personal information through a variety of methods, such as data breaches, phishing attacks, or purchasing stolen data from underground markets. This personal information—such as your Social Security number and other identifying details—becomes their key to committing fraud.
Filing False Returns Once they have the necessary information, criminals file tax returns on behalf of individuals without their consent, typically early in the tax season to get ahead of the legitimate filer.
Refund Diversion The fraudsters request that the refund be deposited into bank accounts they control, bypassing the rightful taxpayer entirely. By the time the legitimate taxpayer files their return, the criminals have already claimed the refund.

Consequences for Victims

Delayed Refunds The IRS will flag the duplicate filings, resulting in significant delays for the legitimate taxpayer's refund. This can cause frustration and financial strain, especially if the refund was anticipated to cover expenses.
Tax Liabilities Victims may find themselves liable for taxes owed on fraudulent returns filed by the criminals. This unexpected liability can lead to a tax debt that wasn’t part of the original financial planning.
Identity Theft Beyond the immediate tax consequences, the stolen personal information can be used in other fraudulent activities, such as opening new credit accounts or applying for loans in the victim’s name.

How to Protect Yourself

File Early One of the best ways to prevent criminals from filing fraudulent returns is to file your taxes early. The sooner your return is filed, the less likely criminals are to file a fake return using your information. Early filing reduces the opportunity for fraudsters to get to your refund first.
Use a Reputable Tax Service Ensure that the tax preparer you use is legitimate and has a good reputation. If you're using a tax professional, verify their credentials, such as their IRS Preparer Tax Identification Number (PTIN). Check online reviews or ask for referrals from trusted sources to avoid working with fraudulent tax preparers who might exploit your information.
Consider an Identity Protection PIN (IP PIN) The IRS offers an Identity Protection PIN program, which provides an added layer of security for taxpayers. This PIN is used when filing taxes and helps prevent unauthorized returns from being filed in your name.

Conclusion

Tax fraud in the form of criminals filing fraudulent returns can cause significant stress and financial loss. By understanding how the scheme works and taking proactive measures, you can better protect yourself from becoming a victim. Filing early, using a reputable tax service, monitoring your personal information, and using additional security measures like an IP PIN are all critical steps in preventing and mitigating the effects of tax-related identity theft.

Beware of Fake Job Offers in the 2025 job market

January 17, 2025

In today's job market, the allure of remote work has become increasingly enticing. However, companies have started to shift away from remote work post-pandemic and are requiring more in-person or hybrid for employees. Combine that with the downsizing companies are going through at this time and job scams are going to pop up on a more regular basis. Recently, I got the above text from a “recruiter.”

While this might seem like a great opportunity it’s a scam. A job offer does not typically come over text nor does it happen without an interview. This is a path to getting personal information, financial, or drawn into the scam ecosystem as a money mule.

The Scam: Too Good to Be True

The scam typically begins with an unsolicited message from an individual claiming to be "Emily," a customer service agent at Bonanza. The message outlines an attractive remote position with the following promises:

High Earnings: Potential to earn between $50 to $500 per day, with a base salary of $1,000 for every four days worked.
Flexible Hours: Commitment of just 60 to 90 minutes per day.
Comprehensive Benefits: Offers include paid annual leave, maternity and paternity leave, and other legal holidays.
Minimal Effort: Assurances of free training and a guaranteed paid probation period.

Recipients are encouraged to respond to a provided phone number to seize this "opportunity."

Red Flags in the Offer

While the proposition may appear appealing, several indicators suggest it's a scam:

Unsolicited Contact: Legitimate companies seldom extend job offers without prior interaction or application. Receiving such a message without prior engagement is suspicious.
Free Email Account: This text was sent with a Gmail account that anyone that is available to anyone for free.
Exaggerated Earnings and Benefits: Promises of substantial income for minimal work are classic red flags. Genuine employers provide realistic compensation aligned with industry standards.
Vague Job Description: The lack of specific details about job responsibilities, using ambiguous phrases like "helping merchants update data," is a common tactic to obscure the scam's true nature.
Urgency to Respond: Scammers often create a sense of urgency to prevent thorough consideration. Pressuring immediate action is a tactic to catch victims off-guard.
Unprofessional Communication: Errors in grammar, informal language, or inconsistencies in the message are telltale signs of fraudulent communication.
Request for Contact via Personal Number: Legitimate companies typically use official communication channels. Requests to contact personal numbers are uncommon and suspicious.

What Happens If You Respond?

Engaging with the scammer can lead to several detrimental outcomes:

Phishing for Personal Information: Scammers may request sensitive data, such as Social Security numbers or banking details, under the guise of processing employment paperwork.
Upfront Payments: Requests for fees covering "training" or "equipment," with promises of reimbursement, are common. Once paid, these funds are unrecoverable.
Identity Theft: Shared personal information can be exploited for identity theft, leading to financial and legal complications.
No Real Job: After extracting money or information, the scammer disappears, leaving the victim without employment and at a loss.
Become a Money Mule: A money mule is someone who transfers or moves illegally acquired money on behalf of others, often unknowingly.

Protecting Yourself from Job Scams

To shield yourself from such fraudulent schemes, consider the following precautions:

Research the Company: Visit the official website and verify job postings. Authentic opportunities are listed on company websites or reputable job boards.
Verify the Contact: Ensure that communications come from official company channels. Be wary of contacts using personal email addresses or phone numbers.
Be Skeptical of Extravagant Claims: If an offer seems too good to be true, it warrants skepticism. Legitimate jobs have clear expectations and reasonable compensation.
Never Pay to Work: Authentic employers do not require upfront payments for any reason.
Report Suspicious Offers: Report potential scams to the Federal Trade Commission (FTC) at ReportFraud.ftc.gov and to the platform where the offer was encountered.

Conclusion

Scammers continually adapt their tactics to exploit the evolving job market and technological landscape. By staying informed and vigilant, you can protect yourself from falling victim to such schemes. Always verify the legitimacy of job offers and remain cautious of unsolicited communications. Remember, if something feels amiss, it's worth investigating further. Stay safe and informed in your job search and digital interactions.

Nzyme: Your Wi-Fi Watchdog Against Wireless Woes

January 14, 2025

This was originally posted on LinkedIn by Kyle Goode. In effort to get the blog section more populated I’ve reached out to some authors and asked if they’d be okay having their content put on this site. Kyle was gracious enough to let me grab his posts and highlight them here. Make sure to give him a follow on LinkedIn.

Nzyme is a unique open-source Wi-Fi security solution. I have been a user since its 1.0 version, and to this day, I haven’t come across another platform that focuses as effectively on Wi-Fi security. While most access points can detect rogue access points, few offer the same level of capability as Nzyme.

Nzyme introduces the concept of "bandits," which scan and alert on common Wi-Fi penetration testing tools such as the Pwnagotchi, Wi-Fi Pineapple, and Flipper Zero ESP32. These tools are uniquely fingerprinted by the platform. Owning any of these "bandits" makes it easy and efficient to develop and test alert rules in real time.

Currently, alerts are limited to SMTP and can be categorized into two types:

System-based alerts: Triggered if parts of the platform, such as taps, start failing.
Security-based alerts: Triggered when a bandit is detected in the environment, malicious deauthentication packets are transmitted, or rogue access points are detected.

The Nzyme platform consists of a PostgreSQL database, the core Nzyme platform (called the Nzyme node), and a Wi-Fi dongle (called a Nzyme tap). These components are primarily run on Debian- or Ubuntu-based systems. While Raspbian is often recommended, regular Debian works just as well. Taps are Ubuntu-only but are also compatible with Debian systems.

Evolution from 1.0 to 2.0

In the 1.0 version, Nzyme was fully integrated, running as a single service. With the 2.0 alpha versions, the architecture has evolved to support a multi-node setup. You can now run a single Nzyme node and deploy as many Nzyme taps as needed for comprehensive network coverage. These components are distributed as separate packages.

One exciting feature introduced in 2.0 is trilateration, which requires at least three taps on the same floor of a building. Trilateration allows you to pinpoint the location of rogue devices, such as bandits. This is particularly useful if a threat actor gains physical access to your building and places a malicious device in an inconspicuous location, a common technique used by penetration testers. The 1.0 version even provided guidance on building a handheld tracking device for bandits, though I wasn’t brave enough to attempt it at the time.

The 2.0 version also adds support for Ethernet monitoring. By using a span/mirror/tap port on a switch, you can monitor network activity, such as DNS tunneling, beaconing, and remote connections like SSH. While I typically rely on Suricata with Snort rules and Zeek with RITA for comprehensive network monitoring, Nzyme’s Ethernet capability provides a simpler configuration and adds redundancy. Additionally, ARP analysis appears to be a planned feature in future versions.

System Monitoring and API Integration

Nzyme allows you to create monitored networks for your environment. As I’ve mentioned in a previous article, I’m a big fan of Prometheus for system monitoring and metric gathering. Nzyme offers a native exporter for Prometheus, making it easy to integrate into existing monitoring solutions.

Nzyme has also introduced Nzyme Connect, an API for obtaining GeoIP, MAC address OUI, and vendor information. Additionally, it offers Bluetooth device discovery. Although this feature is still in its early stages, I’m excited to connect it with my Ubertooth to explore its capabilities further. Nzyme Connect also serves as a SaaS platform for monitoring your Nzyme nodes and taps, with enterprise support now available. For added convenience, prebuilt Wi-Fi kits are offered, eliminating the need for manual configuration.

Future Features and Wishlist

I am eagerly anticipating the stable release of Nzyme 2.0 and the additional features that will come with it. One feature I hope to see in the future is webhook integrations with popular messaging apps like Slack and Teams. This would streamline alerting and incident response for security teams.

Nzyme continues to solidify its position as a versatile and powerful Wi-Fi security solution. Whether you're a security professional, penetration tester, or simply someone concerned about wireless security, Nzyme offers tools to protect your environment against rogue devices and malicious activities. I’m excited to see where this platform goes next.

Resources:

Nzyme

Nzyme Bandits

Nzyme Network Monitoring

Nzyme Trilateration

Nzyme Connect

Nzyme Wifi Kit

January 2025 - Cybersecurity Threat Intelligence Newsletter

January 9, 2025

This is a monthly newsletter that I share internally with our Cybersecurity team. Feel free to take and use for your own team. Created with the help of ChatGPT.

ModeLeak Vulnerabilities in Google's Vertex AI Platform

Key Insights:

Privilege Escalation via Custom Jobs: Attackers can exploit custom job permissions to gain unauthorized access to data services within a project, leading to potential exposure of sensitive information.

Model Exfiltration through Malicious Models: By deploying a poisoned model, adversaries can exfiltrate other fine-tuned models in the environment, risking proprietary data and custom optimizations.

Further Reading: Unit 42 Blog

Black Basta Ransomware Adopts Advanced Social Engineering Tactics

Key Developments:

Email Bombing: Attackers inundate targets with excessive emails by subscribing their addresses to numerous mailing lists. This tactic overwhelms victims and increases the likelihood of interaction with subsequent malicious communications.

Impersonation via Microsoft Teams: Threat actors pose as IT support personnel, contacting victims through Microsoft Teams to establish trust and facilitate the installation of remote access tools.

QR Code Phishing: Malicious QR codes are sent to victims, directing them to phishing sites designed to harvest credentials or deploy additional malware.

Custom Malware Deployment: The group utilizes bespoke tools such as KNOTWRAP (a memory-only dropper) and KNOTROCK (a .NET-based utility) to execute ransomware payloads stealthily.

Further Reading: The Hacker News

North Korean IT Workers Infiltrating Global Companies

Key Insights:

Use of False Identities: North Korean IT workers often utilize stolen or fabricated identities to obtain employment, making detection challenging.

Revenue Generation for DPRK: Earnings from these positions are funneled back to North Korea, supporting its sanctioned weapons development initiatives.

Potential for Insider Threats: Beyond financial implications, these operatives may have access to sensitive company data, increasing the risk of intellectual property theft and cyber espionage.

Further Reading: Unit 42 Blog

North Korean IT Workers Linked to Phishing Attacks via Malicious Video Conferencing Apps

Key Insights:

Malware Distribution: The group utilizes fraudulent video conferencing platforms to disseminate malware, notably the BeaverTail and InvisibleFerret remote access trojans, compromising systems during supposed job interview processes.

Global Reach: By infiltrating organizations worldwide, these operatives support North Korea's illicit endeavors, including its weapons of mass destruction and ballistic missile programs.

Evolving Tactics: The shift from merely seeking income to engaging in aggressive malware campaigns indicates a significant escalation in their operational strategies.

Further Reading: Unit 42 Blog

Surge in 'ClickFix' Social Engineering Attacks

Key Developments:

Deceptive Error Messages: Attackers present fake error dialogs, prompting users to execute provided commands to resolve non-existent issues.

Malware Delivery: By following these instructions, users inadvertently run scripts that download and install malware such as Lumma Stealer and AsyncRAT.

Global Impact: Campaigns employing ClickFix techniques have targeted organizations worldwide, with notable incidents involving fake GitHub security notifications and counterfeit software updates.

Further Reading: Proofpoint Blog

Malicious Ads Deliver SocGholish Malware to Kaiser Permanente Employees

A recent cyberattack has targeted Kaiser Permanente employees through malicious advertisements on Google Search, leading to the distribution of SocGholish malware.

Key Developments:

Malicious Advertisements: Threat actors placed deceptive ads mimicking Kaiser Permanente's HR portal to lure employees searching for benefits and payroll information.

Compromised Website Redirects: Clicking the fraudulent ad redirected users to a compromised website, bellonasoftware[.]com, which briefly displayed a phishing page before prompting a fake browser update.

SocGholish Malware Deployment: The fake browser update led to the download of "Update.js," a malicious script associated with the SocGholish malware campaign, designed to collect system information and potentially allow human operators to execute further malicious actions.

This incident highlights the evolving tactics of cybercriminals in exploiting trusted platforms like Google Ads to distribute malware.

Further Reading: Malwarebytes Blog

DarkGate Malware Leveraging Vishing via Microsoft Teams

Recent analyses have identified a concerning trend in which cybercriminals are deploying DarkGate malware through vishing (voice phishing) attacks conducted via Microsoft Teams.

Key Developments:

Social Engineering Tactics: Attackers impersonate employees from known client organizations during Microsoft Teams calls, convincing victims to download remote desktop applications like AnyDesk.

Malware Deployment: Once remote access is established, DarkGate malware is installed, enabling threat actors to execute malicious commands, gather system information, and maintain persistent access.

Operational Impact: Although some attacks have been thwarted before data exfiltration, the initial breach underscores vulnerabilities in user awareness and the potential for significant security incidents.

Further Reading: Trend Micro Research

Sophisticated Phishing Campaigns Exploit Trusted Platforms

Key Developments:

Exploitation of Trusted Platforms: Attackers leverage familiar platforms and services to enhance the credibility of their phishing attempts, making it more challenging for victims to identify fraudulent communications.

Bypassing Secure Email Gateways (SEGs): The campaigns utilize advanced methods to evade detection by SEGs, allowing malicious emails to reach employees' inboxes undetected.

Wide-Ranging Targets: Over 30 companies across 12 industries and 15 jurisdictions have been affected, indicating a broad and indiscriminate approach by the threat actors.

Further Reading: Group-IB Blog

Top Cyber Attacker Techniques (August–October 2024)

Recent analyses have identified key cyber attacker tactics, techniques, and procedures (TTPs) observed between August 1 and October 31, 2024.

Key Developments:

Phishing Incidents: Phishing accounted for 46% of all customer incidents during this period, indicating a significant rise likely due to high employee turnover and the accessibility of phishing kits.

Prevalent Malware: "SocGholish" and "LummaC2" emerged as the most frequently observed malware in customer environments, highlighting their widespread use in recent attacks.

Cloud Services Alerts: There was a 20% increase in cloud services alerts, correlating with the rising adoption of cloud accounts and associated security challenges.

Ransomware Activity: Despite a slowdown in "LockBit" ransomware activity due to law enforcement actions and a loss of affiliate trust, it remains a key player. Meanwhile, "RansomHub" is rising rapidly due to its attractive ransomware-as-a-service (RaaS) model. The U.S., manufacturing sector, and professional, scientific, and technical services (PSTS) sector are primary targets amidst an overall increase in ransomware attacks.

Initial Access Broker (IAB) Activity: IAB activity increased by 16%, heavily targeting U.S.-based organizations, possibly due to perceived financial capabilities stemming from cyber insurance.

Insider Threat Content: A 7% rise in insider threat discussions on cybercrime forums was noted, driven by significant financial incentives, underscoring the growing complexity of cybersecurity challenges.

Impersonating Domain Alerts: There was a 6% increase in alerts related to impersonating domains, indicating ongoing reliance on simple techniques to capture credentials and data.

Further Reading: ReliaQuest Blog

Phishing Attacks Double in 2024

Key Developments:

Prevalence of Zero-Day URLs: Approximately 80% of malicious links identified are zero-day threats—newly created URLs designed to evade traditional detection methods.

Diversification of Attack Vectors: While link-based phishing remains predominant, there is a notable increase in text-based threats, such as business email compromise (BEC) and invoice scams, as well as file-based threats employing techniques like HTML smuggling.

Expansion Beyond Email: Phishing attacks are increasingly targeting multiple platforms, including SMS, LinkedIn, and Microsoft Teams, indicating a shift towards multichannel approaches.

Further Reading: Infosecurity Magazine

Surge in Phishing Attacks via New Top-Level Domains

Key Developments:

Disproportionate Use in Cybercrime: Although new gTLDs constitute only 11% of the market for new domains, they account for approximately 37% of reported cybercrime domains between September 2023 and August 2024.

Attraction to Low-Cost Registrations: Registrars offering domain registrations for less than $1, with little to no identity verification, are particularly appealing to spammers and scammers seeking to conduct malicious activities anonymously.

ICANN's Expansion Plans: Despite the misuse of these new gTLDs, the Internet Corporation for Assigned Names and Numbers (ICANN) is proceeding with plans to introduce additional gTLDs, potentially broadening the landscape for cybercriminal activities.

Further Reading: Krebs on Security

Surge in Suspicious Domain Registrations Exploiting High-Profile Events

Recent analyses have identified a significant increase in suspicious domain registration campaigns exploiting high-profile events, such as the 2024 Summer Olympics in Paris.

Key Developments:

Event-Driven Domain Registrations: Threat actors register deceptive domains containing event-specific keywords to mimic official websites, aiming to deceive users seeking legitimate information.

Exploitation of Public Interest: Cybercriminals leverage global events to attract large audiences, using fraudulent domains to distribute malware, conduct phishing attacks, or sell counterfeit merchandise.

Indicators of Malicious Activity: Monitoring domain registrations, DNS traffic, URL patterns, and textual characteristics can help identify and mitigate these threats.

Further Reading: Unit 42 Blog

Zloader Malware Adopts DNS Tunneling for Stealthier C2 Communications

Key Developments:

DNS Tunneling Implementation: Zloader now employs a custom protocol over DNS, utilizing IPv4 to tunnel encrypted TLS network traffic. This technique enables the malware to conceal its C2 communications within standard DNS queries and responses, making detection more challenging.

Enhanced Anti-Analysis Features: The latest version of Zloader includes improved anti-analysis capabilities, such as environment checks and API import resolution algorithms, to evade malware sandboxes and static detection methods.

Interactive Shell Capability: Zloader has introduced an interactive shell that supports over a dozen commands, potentially facilitating hands-on keyboard activity by threat actors during attacks.

Further Reading: Zscaler Blog

Cybercriminals Exploit Fake CAPTCHAs to Distribute Malware

Recent analyses have identified a deceptive tactic where cybercriminals use fake CAPTCHA pages to distribute malware, exploiting users' trust in these verification systems.

Key Developments:

Malicious Redirects: Users visiting compromised websites are redirected to fraudulent CAPTCHA pages that closely mimic legitimate services like Google and CloudFlare.

Clipboard Hijacking: These fake CAPTCHAs silently copy malicious commands to the user's clipboard via JavaScript, prompting them to execute these commands unknowingly through the Windows Run prompt.

Malware Installation: Executing the copied commands leads to the installation of malware, including information stealers and remote-access trojans (RATs), which can extract sensitive data and provide persistent access to compromised systems.

Further Reading: ReliaQuest Blog

Threat Actors Exploit LDAP for Network Enumeration

Key Developments:

Abuse of LDAP Attributes: Attackers utilize LDAP queries to extract sensitive information, such as user accounts, group memberships, and permissions, facilitating lateral movement and privilege escalation within compromised networks.

Use of Enumeration Tools: Tools like BloodHound and its data collector, SharpHound, are commonly employed to map Active Directory structures, identifying potential attack paths and high-value targets.

Detection Challenges: Distinguishing between legitimate and malicious LDAP activity is difficult due to the high volume of benign LDAP traffic in typical network environments, complicating efforts to detect and mitigate these attacks.

Further Reading: Unit 42 Blog

'Araneida' Web Hacking Service Linked to Turkish IT Firm

Key Developments:

Exploitation of Cracked Software: Araneida employs an unauthorized version of Acunetix, enabling users to perform offensive reconnaissance, extract user data, and identify exploitable vulnerabilities on target websites.

Proxy Integration for Anonymity: The service incorporates a robust proxy network, allowing scans to originate from a diverse pool of IP addresses, thereby concealing the true source of the activity.

Cybercriminal Promotion: Advertised on multiple cybercrime forums and boasting a Telegram channel with nearly 500 subscribers, Araneida has been linked to the compromise of over 30,000 websites within six months. One user claimed to have purchased a luxury vehicle using proceeds from payment card data obtained through the service.

Connection to Turkish IT Firm: Investigations reveal that the domain araneida[.]co, operational since February 2023, is associated with an individual employed as a senior software developer at Bilitro Yazilim, an IT firm based in Ankara, Turkey.

Further Reading: Krebs on Security

LLMs Employed to Obfuscate Malicious JavaScript

Recent analyses have revealed that adversaries are leveraging large language models (LLMs) to obfuscate malicious JavaScript code, enhancing its ability to evade detection mechanisms.

Key Developments:

Further Reading: Unit 42 Blog

Mobile Phishing Attacks Employ New Tactics to Evade Security Measures

Key Insights:

Exploitation of PWAs and WebAPKs: Unlike traditional apps, these malicious PWAs and WebAPKs are essentially phishing websites packaged to look like legitimate applications. This means they do not exhibit the typical behaviors or characteristics associated with malware, making detection more challenging.

Bypassing Security Measures: Their ability to bypass traditional security warnings of a mobile operating system, and total sidestepping of app store vetting processes, is particularly concerning. This allows attackers to distribute malicious content without triggering standard security alerts.

Anticipated Increase in Sophistication: It is anticipated that more sophisticated and varied phishing campaigns utilizing PWAs and WebAPKs will emerge, unless mobile platforms change their approach towards them.

Further Reading: KnowBe4 Blog

January 2025 - Security Awareness Newsletter

January 8, 2025

This is a security awareness focused newsletter that I share internally. Feel free to grab and use for your own internal security awareness program. Created with help from ChatGPT.

FBI Shares Strategies to Combat AI-Driven Fraud Schemes

The Federal Bureau of Investigation (FBI) has issued a public service announcement highlighting the increasing use of generative artificial intelligence (AI) by cybercriminals to enhance the sophistication and believability of fraud schemes. These AI-powered tactics are being employed across various fraudulent activities, including romance scams, investment fraud, and job recruitment cons.

Internet Crime Complaint Center

Key Insights:

Enhanced Deception: Generative AI enables criminals to produce highly convincing text, images, audio, and video content, making fraudulent communications appear legitimate and more persuasive.

Voice Cloning: Advanced AI techniques allow for the cloning of voices, which can be used in schemes such as impersonating family members in distress to solicit money or sensitive information.

Synthetic Identities: AI-generated images and profiles are utilized to create fake identities on social media platforms, facilitating social engineering attacks and spear-phishing campaigns.

Recommendations:

Verify Communications: Be cautious of unsolicited messages, especially those requesting personal information or financial transactions. Confirm the authenticity of such communications through direct and reliable channels.

Establish Verification Protocols: Develop secret codes or phrases with family members and trusted contacts to authenticate identities during unexpected or urgent requests.

Limit Personal Information Sharing: Be mindful of the personal data shared on social media and other public platforms, as it can be exploited to craft personalized and convincing scams.

Staying informed about the evolving tactics of AI-driven fraud is crucial in safeguarding personal and financial information.

Further Reading: BleepingComputer Article

Black Basta Ransomware Adopts Advanced Social Engineering Tactics

Key Developments:

Email Bombing: Attackers inundate targets with excessive emails by subscribing their addresses to numerous mailing lists. This tactic overwhelms victims and increases the likelihood of interaction with subsequent malicious communications.

Impersonation via Microsoft Teams: Threat actors pose as IT support personnel, contacting victims through Microsoft Teams to establish trust and facilitate the installation of remote access tools.

QR Code Phishing: Malicious QR codes are sent to victims, directing them to phishing sites designed to harvest credentials or deploy additional malware.

Further Reading: The Hacker News

Phishing Attacks Target Employee Payroll Accounts

Cybercriminals are increasingly launching phishing attacks aimed at hijacking employee payroll accounts. These schemes often involve fraudulent emails that appear to originate from Human Resources or payroll departments, requesting employees to update or verify their direct deposit information. Unsuspecting employees who comply may inadvertently provide attackers with access to their payroll accounts, leading to unauthorized changes and financial theft.

Key Insights:

Impersonation of Internal Departments: Attackers craft emails that convincingly mimic internal communications from HR or payroll, exploiting employees' trust in these departments.

Urgency and Deception: Messages often convey a sense of urgency, such as impending payroll issues, to prompt quick action without thorough scrutiny.

Credential Harvesting: Links within these emails direct employees to counterfeit login pages designed to capture their credentials, granting attackers unauthorized access.

Further Reading: KnowBe4 Blog

Surge in 'ClickFix' Social Engineering Attacks

Key Developments:

Deceptive Error Messages: Attackers present fake error dialogs, prompting users to execute provided commands to resolve non-existent issues.

Malware Delivery: By following these instructions, users inadvertently run scripts that download and install malware such as Lumma Stealer and AsyncRAT.

Global Impact: Campaigns employing ClickFix techniques have targeted organizations worldwide, with notable incidents involving fake GitHub security notifications and counterfeit software updates.

Further Reading: Proofpoint Blog

AI-Driven Investment Scams Proliferate via Social Media

Cybercriminals are increasingly leveraging artificial intelligence (AI) and social media platforms to perpetrate sophisticated investment scams, leading to significant financial and data losses among victims worldwide.

Key Insights:

AI-Generated Deception: Scammers utilize AI to create convincing video testimonials featuring fabricated endorsements from celebrities and financial experts, enhancing the credibility of fraudulent investment schemes.

Social Media Malvertising: Fraudulent advertisements are disseminated through social media channels, often mimicking legitimate company posts or news outlets, to lure potential investors into the scam.

Phishing Tactics: Victims are directed to counterfeit websites designed to harvest personal information under the guise of investment opportunities, leading to identity theft and unauthorized financial transactions.

Recommendations:

Verify Authenticity: Scrutinize investment opportunities, especially those encountered through social media, by researching the offering entity and seeking independent financial advice.

Be Skeptical of High Returns: Exercise caution with schemes promising unusually high or guaranteed returns, as these are common indicators of fraudulent activity.

Protect Personal Information: Avoid sharing sensitive data through unsolicited links or forms; ensure websites are legitimate and secure before providing any personal details.

Staying informed and exercising due diligence are crucial in safeguarding against these evolving AI-driven investment scams.

Further Reading: The Hacker News

Security Alert: Fake Brand Collaboration Scams Targeting YouTube Creators

Cybercriminals are increasingly targeting YouTube content creators by impersonating reputable brands and offering fraudulent collaboration opportunities. These sophisticated phishing campaigns aim to distribute malware, leading to the theft of sensitive information and unauthorized access to creators' systems.

Key Insights:

Impersonation of Trusted Brands: Attackers craft convincing emails that appear to originate from well-known companies, proposing enticing partnership deals to lure creators into their scheme.

Malware Delivery via Documents: The fraudulent offers include attachments, such as contracts or promotional materials, often delivered through password-protected files hosted on platforms like OneDrive to evade detection.

Theft of Sensitive Information: Once the malware is installed, it can steal login credentials, financial data, and grant attackers remote access to the victim's system, compromising both personal and channel security.

Further Reading: CloudSEK Blog

Malicious Ads Deliver SocGholish Malware to Kaiser Permanente Employees

A recent cyberattack has targeted Kaiser Permanente employees through malicious advertisements on Google Search, leading to the distribution of SocGholish malware.

Key Developments:

Malicious Advertisements: Threat actors placed deceptive ads mimicking Kaiser Permanente's HR portal to lure employees searching for benefits and payroll information.

Compromised Website Redirects: Clicking the fraudulent ad redirected users to a compromised website, bellonasoftware[.]com, which briefly displayed a phishing page before prompting a fake browser update.

SocGholish Malware Deployment: The fake browser update led to the download of "Update.js," a malicious script associated with the SocGholish malware campaign, designed to collect system information and potentially allow human operators to execute further malicious actions.

This incident highlights the evolving tactics of cybercriminals in exploiting trusted platforms like Google Ads to distribute malware.

Further Reading: Malwarebytes Blog

Threat Actors Exploit LinkedIn to Target Job Seekers

Cybercriminals are increasingly leveraging LinkedIn to deceive job seekers through sophisticated employment scams. By creating fake recruiter profiles, often enhanced with AI-generated images, these threat actors craft personalized messages that appear to offer legitimate job opportunities. The objective is to lure victims into clicking on malicious links that lead to phishing sites designed to harvest personal information or deploy malware.

Key Insights:

Personalized Deception: Scammers tailor messages based on the victim's professional background, making the fraudulent offers appear credible and enticing.

Advanced Phishing Techniques: The use of AI-generated recruiter profiles and convincing communication strategies increases the likelihood of victims engaging with malicious content.

Exploitation of LinkedIn Features: By abusing LinkedIn's InMail feature, attackers can reach users outside their immediate network, broadening the scope of potential targets.

Further Reading: KnowBe4 Blog

Cybercriminals Impersonate KnowBe4 in Phishing Attacks

Cybercriminals are impersonating KnowBe4 by sending fraudulent emails that closely mimic legitimate "Please Complete Assigned Training" notifications. These deceptive emails aim to trick recipients into clicking malicious links or downloading harmful attachments, potentially compromising personal and organizational security.

Key Insights:

Sophisticated Mimicry: The phishing emails are designed to closely resemble authentic KnowBe4 training notifications, making it challenging for recipients to distinguish between legitimate and fraudulent communications.

Malicious Intent: Interacting with the links or attachments in these emails can lead to malware infections, unauthorized access to sensitive information, or other security breaches.

Targeted Deception: By exploiting the trust associated with KnowBe4's brand, attackers increase the likelihood of recipients falling victim to the scam.

Further Reading: KnowBe4 Blog

Malicious Advertisements Pose Growing Threat to Internet Users

Cybercriminals are increasingly utilizing malicious advertisements, or "malvertising," to distribute malware and conduct phishing attacks. These deceptive ads often appear as legitimate sponsored content on search engine results pages, making it challenging for users to distinguish between safe and harmful links.

Key Insights:

Prevalence of Malvertising: Malicious actors pay search engines to display their harmful URLs as sponsored ads, which are prominently positioned above legitimate search results. This tactic increases the likelihood of user engagement with malicious content.

Deceptive Appearances: These ads are crafted to closely mimic legitimate websites or services, often using familiar branding and language to deceive users into clicking on them.

Potential Consequences: Interacting with malvertising can lead to malware infections, unauthorized access to personal information, and financial loss.

Further Reading: KnowBe4 Blog

Mobile Phishing Campaign Targets Job Seekers

Cybercriminals are impersonating recruiters to target job seekers with phony employment offers. Researchers at Zimperium warn that a phishing campaign is targeting Android phones to deliver the Antidot banking trojan.

Key Insights:

Sophisticated Social Engineering: Attackers masquerade as job recruiters or HR representatives from well-known organizations, sending well-crafted phishing emails that purport to come from real companies, informing recipients that they’ve been selected to advance in the hiring process.

Malware Delivery: Victims are enticed to download a malicious application, leading to the installation of the Antidot banking trojan on their Android devices.

Credential Theft: Once installed, the malware enables a broad set of malicious actions, including credential theft of banking, cryptocurrency, and other critical applications.

Further Reading: KnowBe4 Blog

Phishing Scam Mimics Employment Termination Notices

Cybercriminals are deploying phishing attacks that impersonate employment termination notices to exploit individuals' fear of job loss. These deceptive emails appear to be official communications from human resources departments, complete with authentic-looking logos and case numbers, urging immediate action to avoid "serious legal consequences."

Key Insights:

Deceptive Emails: The phishing emails are designed to closely resemble legitimate employment termination notices, making it challenging for recipients to distinguish between authentic and fraudulent communications.

Malware Distribution: Clicking on the provided link directs victims to a fake Microsoft webpage that prompts the download of malicious software. This malware can steal sensitive information, including banking credentials, leading to significant financial and personal repercussions.

Exploiting Emotional Triggers: By preying on the fear of job loss, attackers increase the likelihood of recipients reacting hastily and clicking on malicious links without proper scrutiny.

Further Reading: KnowBe4 Blog

Malicious Google Ads Exploit Printer Troubleshooting Searches

Cybercriminals are exploiting Google Ads to target users seeking solutions for printer issues, particularly those involving HP and Canon devices.

Key Insights:

Deceptive Advertisements: Scammers purchase Google Ads that appear as legitimate tech support for printer drivers, luring users into clicking on malicious links.

Fake Installation Processes: Upon visiting these fraudulent sites, users encounter a simulated driver installation that culminates in a fabricated error message, warning that further attempts may damage the printer and void its warranty.

Phony Tech Support: The error message prompts users to initiate a live chat, connecting them with scammers posing as tech support representatives, who may then attempt to extract personal information or payments.

Further Reading: KnowBe4 Blog

Phishing Attack Exploits Google Calendar to Bypass Spam Filters

Cybercriminals are leveraging Google Calendar invites to conduct phishing attacks that evade spam filters. By sending fraudulent meeting invitations, they prompt recipients to click on malicious links embedded within the event details.

Key Insights:

Exploitation of Trusted Services: Attackers utilize legitimate Google services, such as Calendar and Forms, to enhance the credibility of their phishing attempts, making detection more challenging.

Evasion of Security Measures: By originating from trusted platforms, these phishing messages can bypass traditional email security filters, increasing the likelihood of reaching potential victims.

Deceptive Tactics: The fraudulent invitations often include links disguised as legitimate actions, such as viewing event details or confirming attendance, which redirect to malicious sites designed to harvest user credentials.

Further Reading: BleepingComputer

Smart Devices in Homes Pose Privacy and Security Risks

Recent analyses have highlighted the potential privacy and security vulnerabilities associated with the increasing presence of smart devices in households. These devices, while offering convenience, can be exploited by malicious actors to compromise personal information and security.

Checkpoint Blog

Key Insights:

Unauthorized Access: Smart devices, such as cameras and voice assistants, can be manipulated to monitor activities within homes without the owner's consent.

Data Exploitation: Information collected by these devices may be accessed or intercepted by unauthorized parties, leading to potential misuse of personal data.

Regulatory Challenges: The rapid adoption of smart technology has outpaced the development of comprehensive regulations, leaving consumers vulnerable to emerging threats.

Further Reading: Check Point Blog

Cybercriminals Exploit Fake CAPTCHAs to Distribute Malware

Recent analyses have identified a deceptive tactic where cybercriminals use fake CAPTCHA pages to distribute malware, exploiting users' trust in these verification systems.

Key Developments:

Malicious Redirects: Users visiting compromised websites are redirected to fraudulent CAPTCHA pages that closely mimic legitimate services like Google and CloudFlare.

Clipboard Hijacking: These fake CAPTCHAs silently copy malicious commands to the user's clipboard via JavaScript, prompting them to execute these commands unknowingly through the Windows Run prompt.

Malware Installation: Executing the copied commands leads to the installation of malware, including information stealers and remote-access trojans (RATs), which can extract sensitive data and provide persistent access to compromised systems.

Further Reading: ReliaQuest Blog

Data Breach at American Addiction Centers Affects Over 422,000 Individuals

American Addiction Centers (AAC), a leading provider of substance abuse treatment services, has reported a data breach impacting more than 422,000 individuals.

Key Details:

Incident Timeline: The breach was detected on September 26, 2024, with unauthorized access occurring several days prior.

Compromised Information: Exfiltrated data includes names, addresses, phone numbers, dates of birth, Social Security numbers, health insurance details, and medical record identifiers. Notably, treatment information and payment card data were not affected.

Threat Actor Involvement: The Rhysida ransomware group has claimed responsibility, alleging the theft of approximately 2.8 terabytes of data.

Notification and Support: AAC has begun notifying affected individuals and is offering 12 months of free credit monitoring services.

Further Reading: SecurityWeek

Sophisticated Phishing Scams Lead to Significant Cryptocurrency Losses

Recent incidents have highlighted advanced phishing attacks where cybercriminals impersonate legitimate services to gain unauthorized access to individuals' cryptocurrency wallets, resulting in substantial financial losses.

Key Insights:

Impersonation of Trusted Entities: Attackers pose as representatives from reputable organizations, such as Google or cryptocurrency platforms, to deceive victims into believing their accounts are compromised.

Manipulation of Security Features: Victims receive seemingly legitimate security alerts and prompts, which are actually orchestrated by the attackers to facilitate unauthorized account access.

Exploitation of Stored Sensitive Information: Once access is obtained, cybercriminals search for stored sensitive data, such as cryptocurrency wallet seed phrases, enabling them to transfer funds without detection.

Further Reading: Krebs on Security

Mobile Phishing Attacks Employ New Tactics to Evade Security Measures

Key Insights:

Exploitation of PWAs and WebAPKs: Unlike traditional apps, these malicious PWAs and WebAPKs are essentially phishing websites packaged to look like legitimate applications. This means they do not exhibit the typical behaviors or characteristics associated with malware, making detection more challenging.

Bypassing Security Measures: Their ability to bypass traditional security warnings of a mobile operating system, and total sidestepping of app store vetting processes, is particularly concerning. This allows attackers to distribute malicious content without triggering standard security alerts.

Anticipated Increase in Sophistication: It is anticipated that more sophisticated and varied phishing campaigns utilizing PWAs and WebAPKs will emerge, unless mobile platforms change their approach towards them.

Further Reading: KnowBe4 Blog

'James Bond-Style' Scams Lead to Significant Financial Losses

Recent reports have highlighted a surge in sophisticated scams where fraudsters impersonate trusted entities, such as law enforcement or intelligence agencies, to deceive victims into believing they are involved in international criminal activities.

Key Insights:

Deceptive Communication: Scammers contact individuals, claiming to be from reputable organizations like Amazon, the U.S. Post Office, or law enforcement agencies, alleging the victim's involvement in global criminal schemes.

Manipulative Tactics: Victims are coerced into withdrawing large sums of money from personal accounts under the guise of protecting their funds from criminal misuse. They are instructed to hand over cash to individuals posing as law enforcement agents, who then abscond with the money.

Significant Financial Impact: These scams have led to substantial financial losses for victims, with little to no chance of recovery once the funds are handed over.

Further Reading: KnowBe4 Blog

DHHS Angry Translator: Breaking Down the Latest HIPAA Security Rule Proposal

January 7, 2025

Let’s face it: regulatory updates like those from the Department of Health and Human Services (DHHS) often come wrapped in a blanket of formal language that makes you wonder, What are they really saying? Enter the DHHS Angry Translator, here to break it down and tell it like it is. Like the recently introduced CISA Angry Translator, the DHHS Angry Translator, Hank, has a no-nonsense take on the proposed changes to the HIPAA Security Rule—because sometimes, you need a little fire to get the message across.

Created with help from ChatGPT

DHHS Says:
"Covered entities and business associates must adopt reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI."

Hank:
"Look, people! You’re handling sensitive health information here—stop treating it like a casual to-do list. Lock it down! If you wouldn’t leave patient records lying around in a coffee shop, don’t let your servers be a free-for-all!"

DHHS Says:
"We propose clarifying the definition of 'security incident' to ensure timely identification and response to unauthorized access, use, or disclosure of ePHI."

Hank:
"Translation: Stop pretending you didn’t notice the breach. When someone jiggles the doorknob, that’s your cue to ACT, not wait for the whole door to come down!"

DHHS Says:
"Entities must perform regular risk assessments to identify vulnerabilities and implement measures to mitigate those risks effectively."

Hank:
"Let me break it down for you: Take a good, hard look at your systems. If you see a crack, fix it! Don’t wait for a cybercriminal to make it a canyon!"

DHHS Says:
"The proposed changes aim to enhance accountability and transparency in managing ePHI security."

Hank:
"Translation: If you mess up, we’re coming for you. There’s no hiding anymore. Either you get your house in order, or we’ll do it for you—with penalties."

DHHS Says:
"We propose revisions to the administrative safeguards, emphasizing the necessity of documented policies and procedures for incident response and risk management."

Hank:
"Y’all need to WRITE THIS DOWN! A half-baked plan in someone’s head doesn’t cut it. If a breach happens and your response is ‘Uh... what now?’—you’re already toast!"

DHHS Says:
"The proposal includes requirements to integrate continuous monitoring into risk management practices for ePHI security."

Hank:
"‘Continuous monitoring’ means don’t just check your security once a year like it’s a New Year’s resolution. Stay on top of it! Hackers aren’t taking vacations—they’re coming for you every day!"

DHHS Says:
"Entities must evaluate their use of encryption to ensure ePHI remains secure during transmission and storage."

Hank:
"If your data isn’t encrypted, it’s like sending patient records via postcard: everyone can see it! Encrypt. Everything. Period."

DHHS Says:
"We are revising technical safeguard requirements to account for emerging technologies and new cybersecurity threats."

Hank:
"Translation: If you’re still using security from the early 2000s, it’s time for an upgrade. Hackers have moved on, and so should you!"

DHHS Says:
"Workforce training should address phishing attacks, unauthorized device use, and secure access to ePHI."

Hank:
"Teach your people that clicking shady links isn’t just a bad idea—it’s a disaster waiting to happen. Also, tell them to stop using their cousin’s unsecured iPad for work!"

DHHS Says:
"The proposed changes highlight accountability mechanisms for business associates handling ePHI."

Angry Translator:
"Listen up, third parties: If you’re touching ePHI, you’re on the hook too. No more pointing fingers when things go wrong. Handle the data like it’s your grandma’s—or get burned!"

DHHS Says:
"Periodic evaluations of safeguards will ensure compliance with evolving security standards."

Angry Translator:
"‘Periodic evaluations’ means you don’t just set it and forget it. Check your defenses regularly, or you’ll be picking up the pieces after the next attack!"

Final Note from the Angry Translator:
"This proposal isn’t just about checking boxes—it’s about protecting people. If your security plan is older than your favorite streaming service, fix it. Now. Because when things go wrong, it’s not just your reputation on the line—it’s patients’ trust and safety too."

The commenting period for the HIPAA Security Rule Draft is open until March 7, 2025. If you’re at a healthcare organization make sure to consume it and submit your public comments. I am currently doing a deep dive on the proposal and will have thoughts in a future blog post.

Top 10 Exploring Information Security Podcasts

December 31, 2024

As we wrap up an incredible year, we're thrilled to reflect on the top podcasts of 2024 that captured the attention of listeners across the cybersecurity community. These episodes brought forward thought-provoking discussions, practical insights, and exciting guests, making this a standout year for Exploring Information Security. Below are the top 10 episodes that ChatGPT thought were the best of 2024. As I analyzed the analytics I couldn’t decide which stats to focus in on. Here’s what the podcasts look like based on plays from Apple Podcast Analytics.

Screenshot of the analytics from Apple Podcasts analytics

I thought about going by average consumption but I noticed that we have lower percentage than in the past. That’s due to the longer episodes I’m putting out. When I’m putting out 20-30 min episodes I get closer to a 70-80% consumption rate. Do unique listeners and engagement say more? At this point I decided to just let ChatGPT do the analysis of all the analytics and provide me with the Top 10 list. It also, wrote the first draft of this blog post. I’m okay with the Top 10 list. I believe it represents the podcast well and some of the interest I’ve seen in other places regarding individual episodes.

The numbers are just from Apple Podcast. There are listeners on other platforms such as Spotify, Amazon, and other podcast platforms that grab the feed. I also expanded into YouTube in the middle of the year and hope to get that tuned better. I may try to consolidate the stats all into one platform at some point but I’m not there yet. Apple Podcast is the most popular platform so I think it provides the best sample size.

Without further ado let’s get into the Top 10 list for 2024.

2024 Top 10 Exploring Information Security Podcast

1. Exploring Information Security 2024 Relaunch

Release Date: January 2, 2024
Guest: Solo Episode

Key Highlights:
Our relaunch episode kicked off the year by outlining an exciting new direction for Exploring Information Security. I’m shocked that this came out on top but there seemed to be some excitement at the return of the podcast. Which I’m very appreciative of and makes me want to kick myself for not bringing the podcast back sooner.
Listen Here: Exploring Information Security 2024 Relaunch

2. What Cybersecurity Tools Every Organization Should Have

Release Date: February 27, 2024
Guest: Rob Fuller

Key Highlights:
Rub Fuller shared insights into the essential tools that every organization should have to secure their digital infrastructure. The episode covered endpoint protection, threat intelligence platforms, and emerging technologies that simplify security operations. This was the result of a discussion we had during another podcast recording. I thought it was a great discussion to turn into it’s own topic.
Listen Here: What Cybersecurity Tools Every Organization Should Have

3. How to Hack a Satellite

Release Date: January 23, 2024
Guest: Tim Fowler

Key Highlights:
Tim Fowler took listeners on a deep dive into the vulnerabilities and challenges of securing space technology. From real-world case studies of satellite hacks to strategies for defense, this episode offered a unique and fascinating perspective on the intersection of cybersecurity and aerospace. This will continue to grow as a new field for cybersecurity very similar to how cloud security, identity access management, and AI have become their own fields. And as usual we’re already behind on securtiy…
Listen Here: How to Hack a Satellite

4. What Are the Hiring Trends in Cybersecurity for 2024?

Release Date: January 16, 2024
Guest: Erin Barry

Key Highlights:
In this insightful episode, Erin Barry analyzed the latest hiring trends in cybersecurity heading into 2024. The conversation touched on the growing demand for professionals with cloud and AI expertise, the importance of soft skills, and tips for breaking into the field. A must-listen for job seekers and industry leaders. This is a podcast I’d like to make a staple for the new year because it did seem to be a popular topic.
Listen Here: What Are the Hiring Trends in Cybersecurity for 2024?

5. How to Navigate a Career in Cybersecurity

Release Date: August 13, 2024
Guest: Ralph Collum

Key Highlights:
Ralph Collum shared his journey from entry-level roles to executive leadership in cybersecurity. The discussion covered mentorship, certifications, and strategies for navigating career plateaus. I always enjoy talking to Ralph. He’s very passionate about developing careers in Cybersecurity. It makes sense that this one would follow the hiring trends for 2024. I expect that with the current hiring market job seeking and career podcast episodes will remain popular.
Listen Here: How to Navigate a Career in Cybersecurity

6. How AI Is Impacting Cybersecurity

Release Date: July 30, 2024
Guest: Steve Orrin

Key Highlights:
Steve Orrin explored the dual role of artificial intelligence in cybersecurity, highlighting its use in threat detection and the ethical concerns it raises. The episode featured real-world examples of AI-driven security solutions and debated the future of automation in the industry. I really enjoyed this conversation with Steve because he’s not only an executive but someone who also attends DEFCON on a regular basis. He traverses both worlds well and has a very intelligence take on key topics in Cybersecurity.
Listen Here: How AI Is Impacting Cybersecurity

7. How Responding to Phishing Has Changed in the Last 5 Years

Release Date: January 30, 2024
Guest: Kyle Andrus

Key Highlights:
Kyle Andrus and I discussed how phishing has changed since I last had him on the podcast. I always enjoy have Kyle on because we always have a good conversation. In fact he and I have had a couple recording sessions at this point on other topics because we always end up talking about something else. I’ve got another recording sessions scheduled with him for early 2025 to talk about ransomware gangs.
Listen Here: How Responding to Phishing Has Changed in the Last 5 Years

8. How to Automate Information Security with Python

Release Date: July 23, 2024
Guest: Mark Baggett

Key Highlights:
Mark Baggett broke down the ways Python is revolutionizing cybersecurity automation. From simplifying vulnerability scanning to streamlining log analysis, this episode was packed with actionable insights for security professionals looking to enhance their workflows. Mark is the Python guru for Cybersecurity. He’s written an entire SANS class on it and he’s been talking about Python ever since I’ve been in the industry.
Listen Here: How to Automate Information Security with Python

9. What Is Mimikatz?

Release Date: February 6, 2024
Guest: Rob Fuller

Key Highlights:
Rob Fuller delivered an in-depth look at Mimikatz, a powerful tool often used in penetration testing and malicious attacks. He explained its functionality, provided examples of its use, and discussed the countermeasures security teams can implement to defend against it. I’ve dubbed Rob the Hacker Historian because of his wealth of knowledge in hacking. He made the Top 10 list three times this year and was also in the RERELEASE of the episode on the MS08-067 vulnerability.
Listen Here: What Is Mimikatz?

10. How Worrying Is SIM Swapping in 2024?

Release Date: August 6, 2024
Guest: Rob Fuller

Key Highlights:
Rob Fuller returned to discuss the NOT SO alarming rise of SIM swapping attacks in 2024. This was based on a LinkedIn post he made on SIM Swapping that got quite a bit of commentary. I thought it was a great discussion and would make for an interesting episode. Surprise! It was a great conversation and people seemed to engage with the podcast episode. These are the kind of episodes I want to have that challenge some of the norms within Cybersecurity.
Listen Here: How Worrying Is SIM Swapping in 2024?

Honorable Mentions

Two of the people I always wanted to have on the podcast but I was to scared to ask prior to shutting down the podcast was Troy Hunt and Patrick Gray. Both people have helped me navigate and shape my career in cybersecurity and I was happy that both agreed to come on. Both were absolutely amazing people to have a conversation with.

What is Have I Been Pwned?

The Origins of Risky Business with Patrick Gray

Finally, Dave Chronister has been a huge supporter of the show and a wonderful friend. He also runs a phenomenal conference called ShowMeCon (early-bird tickets available now!)! He’s always a joy to have on the show but this past year he sponsored several episodes and I had a lot of great conversations with presenters from the conference. I have probably never laughed more than I did talking to Kevin Johnson about whatever was on his mind. Also, I really enjoyed the panel we did at ShowMeCon. Unfortunately, I forgot to hit the record button and thus entered the mythical status as a podcast that only those present got to enjoy.

ShowMeCon: Kevin Johnson and whatever he wants to talk about

Final Thoughts

As always, I’m grateful to the listeners of the show. I don’t hear from a lot of them but based on the numbers and engagement they’re out there. I’m also super grateful to all the guests that have come on the show to share their insights and knowledge. I am looking forward to another great year of conversations with amazing guests!

What were your favorite episodes in 2024?

Introducing the CISA Angry Translator Series

December 23, 2024

Today, we’re launching something new: the CISA Angry Translator Series. This idea came from a blog post by Brian Dye over at Corelight. CISA has been releasing more and more advisories and directives. There are certain themes from these releases that just aren’t hitting home. Enter the Angry Translator whom I’ve dubbed Frank. He’s here to say what CISA really wants to say but can’t.

This idea is a parody off the very funny Key and Peel skit where Obama get’s an Angry Translator called Luther. It was so popular that Keegan-Michael Key got up with President Obama for the 2015 White House Correspondents’ Dinner.

Below is what you can expect from the series. I’ve used ChatGPT to create the initial draft and made edits where necessary. Make sure to check out Brian’s post and Corelight. I’ve got an upcoming podcast with Brian talking about Corelight and I really like what they’re doing.

CISA's Angry Translator: Cloud Security Directive

CISA Directive: https://www.cisa.gov/news-events/directives/bod-25-01-implementing-secure-practices-cloud-services

CISA Says:
"Federal agencies must implement secure practices for cloud services to safeguard federal information and information systems."

Frank:
"Hey, government folks! Your cloud setups are a hacker's playground right now. Lock them down before you hand over our data on a silver platter!"

CISA Says:
"Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls."

Frank:
"Translation: Your sloppy setups are like leaving your front door wide open with a 'Welcome Hackers' sign. Fix it before we all pay the price!"

CISA Says:
"Agencies are required to identify specific cloud tenants, implement assessment tools, and align cloud environments to CISA’s Secure Cloud Business Applications (SCuBA) secure configuration baselines."

Frank:
"Step 1: Know what cloud stuff you have. Step 2: Use the tools we've given you to check them. Step 3: Follow the dang security guidelines! It's not rocket science, people!"

CISA Says:
"Implement all mandatory SCuBA policies effective as of this Directive’s issuance no later than June 20, 2025."

Frank:
"You've got until June 20, 2025, to get your act together. That's more than enough time to stop being a cybersecurity dumpster fire!"

CISA Says:
"Maintaining secure configuration baselines is critical in the dynamic cybersecurity landscape."

Frank:
"The cyber threats are evolving, and your security should too. Keep up, or get left behind—and hacked!"

CISA Says:
"This Directive will further reduce the attack surface of the federal government networks."

Frank:
"We're trying to make it harder for the bad guys to mess with us. Help us help you, help us help you, help us help you!"

Final Note from Frank:
"Look, securing your cloud services isn't optional—it's your job. Stop dragging your feet, follow the directive, and let's not end up on the front page for a massive data breach. Get it together, now!"

Breakdown of Events: Salt Typhoon Hacking Group Targets U.S. Telecommunications

December 17, 2024

Introduction: The Growing Threat of Salt Typhoon

The Chinese cyber espionage group known as Salt Typhoon has successfully breached several major U.S. telecommunications companies. This breach has raised alarms across government agencies, resulting in calls for the sector to bolster its cybersecurity measures. It’s also become big enough news that I have my family talking to me about it. As I prepare for a holiday get together with the family I decided to put together this breakdown of the events surrounding this discovery and the subsequent response from U.S. authorities and the federal government. Hopefully, this will help others get up to speed and join the family conversation around Salt Typhoon.

The Salt Typhoon Cyberattack: What We Know So Far

Salt Typhoon has infiltrated at least eight prominent U.S. telecom companies, including AT&T, Verizon, and T-Mobile. The group has targeted not just corporate entities but also high-profile government and political figures, potentially compromising metadata and, in some cases, the content of sensitive communications. The scope of this breach is vast, and experts are concerned about the broader implications for national security.

What Did Salt Typhoon Specifically Access?

The hackers accessed critical infrastructure within these companies, focusing on:

Metadata: They collected data on who was communicating with whom, when, and where.
Communication Content: In some cases, they accessed the actual content of communications, including emails and messages.
Internal Systems: Salt Typhoon exploited vulnerabilities to infiltrate internal company networks, potentially compromising systems used to manage communication between telecommunications providers and government agencies.

The scope of this breach is vast, and experts are concerned about the broader implications for national security.

Source: Salt Typhoon Hackers Infiltrate U.S. Telecoms - AP News

What are the ramifications of the access?

National Security Threats

Since telecommunications systems are integral to the functioning of government communications and defense operations, unauthorized access by a foreign state-sponsored group could compromise national security. The breach could lead to:

Espionage: Sensitive government communications, including classified information, could be intercepted, analyzed, and used for strategic advantage by foreign actors.
- Informant Identification: The threat actors could identify who the US government has identified as a Chinese or other nation state spy. This information is invaluable as it allows incorrect information or complete removal of the spy from the U.S.
Undermining Military Operations: If Salt Typhoon gained access to military communication channels, it could disrupt or manipulate defense strategies, communications, and troop movements, potentially weakening national defense readiness.
Supply Chain Vulnerabilities: The telecom infrastructure is tied to critical sectors like defense, finance, and healthcare. By compromising telecom networks, the attackers could infiltrate other critical industries, creating cascading vulnerabilities.

Corporate Espionage

Telecommunications companies manage massive amounts of sensitive corporate data, including contracts, communication, and internal systems used by businesses across industries. Salt Typhoon's access to telecom infrastructure could enable:

Exfiltration of Trade Secrets: By obtaining private communications and proprietary data, the hackers could gain valuable insight into corporate strategies, product development, and future business decisions.
Targeting High-Profile Executives and Clients: The hacking group could gather intelligence on key executives and high-profile clients, leading to targeted phishing campaigns, blackmail, or leveraging this information for financial gain or competitive advantage.

Personal Privacy Concerns

Telecommunications companies manage vast amounts of personal data, including call records, text messages, location data, and internet usage patterns. The implications for personal privacy are significant:

Identity Theft: With access to sensitive personal information, Salt Typhoon could facilitate identity theft by harvesting personally identifiable information (PII) or leveraging it for future cybercrimes.
Surveillance: The hackers could track individuals of interest, monitoring their communications or movements, potentially leading to political repression, blackmail, or surveillance of dissidents.
Erosion of Trust: If customers' private data were exposed, it could result in a loss of trust in telecom providers, eroding the public's confidence in their ability to protect sensitive personal information.

Disruption to Communication Networks

Given that telecommunications are critical to day-to-day operations in both the private and public sectors, the breach could lead to:

Service Interruptions: Salt Typhoon could potentially manipulate telecom networks to disrupt services or cause widespread outages, impacting businesses, emergency services, and government operations.
Manipulation of Communications: The group could inject false information into the communication system, manipulate messages, or redirect communications to unauthorized entities, undermining the integrity of telecom networks.

Escalation of Cybersecurity Threats

This breach highlights vulnerabilities within the telecommunications infrastructure, which could inspire further cyberattacks. Other threat actors might exploit similar weaknesses, leading to:

Copycat Attacks: Other state-sponsored groups or cybercriminals may attempt to replicate or build upon Salt Typhoon's methods, targeting the same or other telecom providers with different attack vectors.
Increased Cybercrime: Hackers might use access to telecom networks to launch further cyberattacks, such as distributed denial-of-service (DDoS) attacks, ransomware campaigns, or data exfiltration operations.

Diplomatic and Geopolitical Fallout

If it is conclusively proven that Salt Typhoon is backed by the Chinese government, this breach could have far-reaching diplomatic consequences:

Strained Relations: The U.S. government could take retaliatory actions, including sanctions or other diplomatic measures, further exacerbating tensions between the U.S. and China.
International Repercussions: Other countries, particularly U.S. allies, may also reconsider their engagement with Chinese telecom equipment providers, leading to a shift in global trade and technology alliances.

Government Response: A Wake-up Call for Telecoms

In response to this alarming breach, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued joint guidance urging telecom companies to enhance their security measures. Their recommendations include adopting stronger data encryption, centralizing security systems, and establishing continuous threat monitoring to prevent future attacks.

Source: FBI and DHS Issue Cybersecurity Alert on Telecom Sector - CISA

The FCC’s Role: Proposing New Rules to Strengthen Telecom Security

To address the growing cybersecurity risks, the Federal Communications Commission (FCC) has proposed new rules requiring telecom companies to submit annual certifications attesting to their compliance with updated security protocols. The FCC’s proposals aim to ensure telecom firms take proactive steps to defend against cyber threats. Penalties for non-compliance could follow, emphasizing the importance of safeguarding communication channels.

Sources: FCC Proposes New Cybersecurity Rules for Telecoms - DarkReading; FCC to Demand Telcos Improve Security - Seriously Risky Business

Federal Government Calls for Immediate Action

U.S. Senators have expressed grave concern over the scale of the Salt Typhoon attack. Senator Ben Ray Lujan described the breach as "possibly the largest telecommunications hack in American history," calling for swift government action to improve security within the telecom sector.

Source: Senators Warn the Pentagon: Get a Handle on China's Telecom Hacking - Wired

Encrypted Communication Platforms: A Safer Alternative for Users

As an additional safeguard, individuals are encouraged to use encrypted messaging platforms such as WhatsApp or Signal. These platforms offer a higher level of security compared to traditional SMS, providing a more secure means of communication in the wake of these breaches.

Source: FBI Warns iPhone and Android Users: Stop Sending Texts - Forbes

The Response from China: Denial of Involvement

Despite mounting evidence of Salt Typhoon’s activities, the Chinese government has denied any involvement in the cyberattacks. They label the allegations as disinformation, rejecting any claims of their participation in the hacking group’s operations.

Source: White House says at least 8 US telecom firms, dozens of nations impacted by China hacking campaign - AP News

Conclusion: The Urgency for Change

The Salt Typhoon cyberattack has exposed critical vulnerabilities in U.S. telecommunications infrastructure. With federal agencies and lawmakers calling for immediate action, it is essential that telecom providers take comprehensive measures to protect sensitive communications and prevent future breaches. As the government and telecom companies work toward stronger security practices, it’s clear that the stakes have never been higher.

What Individuals Can Do

While the breach highlights systemic issues within telecom security, individuals can also take steps to protect their personal information and mitigate the impact of such cyberattacks. Using encrypted communication platforms like Signal or WhatsApp for sensitive conversations can provide an added layer of protection against potential surveillance or interception. Additionally, individuals should move away from SMS or text based authentication into accounts. This isn’t always possible but more and more services are offering app based authentication such as Google Authenticator, DUO, or a similar mobile application. By taking these precautions, individuals can reduce their personal exposure to cyber threats and enhance their overall online security.

Sources:

Created with help from ChatGPT

Avoiding Legal Landmines in Incident Response: A Practical Guide for Security Teams

December 10, 2024

The information provided in this blog post does not, and is not intended to, constitute legal advice; rather, the ensuing conversation is for general informational purposes only.

In today’s cybersecurity landscape, responding swiftly and effectively to security incidents is critical. However, navigating the legal implications during an incident is equally vital to protect an organization from further liabilities. This guide covers essential strategies for avoiding the most common legal pitfalls in incident response (IR), based on insights from my recent podcast episode with cybersecurity attorney Thomas Ritter Exploring Legal Landmines in Incident Response.

Use Careful Terminology: “Incident” vs. “Breach”

When a security event occurs, the language you use to describe it can have significant legal implications. Terms like “breach” have specific legal definitions that can trigger mandatory notification requirements or other regulatory obligations. As a best practice, use neutral terms like “incident” until the situation is fully assessed by legal counsel.

Tip: Train your teams on preferred terminology and involve legal early in the process to make sure everyone understands when and how to escalate terms like “breach.”

Establish Attorney-Client Privilege Early

Engaging external counsel immediately after a security incident helps protect sensitive communications and investigative findings under attorney-client privilege. This protection is crucial should your organization face litigation, as it limits the exposure of certain communications during the discovery process.

Tip: Collaborate with your legal team to establish protocols for involving external counsel, even for minor incidents, to ensure privilege is in place if needed.

Refine Your Communication Strategy

Transparency is key during incident response, but be cautious with internal and external communications, especially in the early stages. Avoid speculative statements and keep communications brief until forensic findings provide a clearer picture.

Tip: Work with your legal and PR teams to develop standardized communications templates for different scenarios, ensuring clarity and consistency without compromising on accuracy.

Define Roles and Responsibilities in Your IR Plan

Many incident response plans (IRPs) lack a clear delineation of responsibilities, particularly regarding who determines when an incident becomes a breach. Ideally, legal counsel—preferably external—should make this determination to preserve objectivity and privilege.

Tip: Review your IRP to ensure that roles and escalation points are well defined, with legal counsel involved at key decision points.

Handle Ransomware Negotiations Carefully

Ransomware incidents often involve complex decisions about whether to engage with or pay threat actors. Professional negotiators can play a valuable role here, as they are well-versed in handling threat actor communications and negotiating terms without compromising your organization’s legal standing.

Tip: Always hire professionals for ransomware negotiations. Amateur negotiators risk mishandling sensitive communications, which can exacerbate both financial and reputational damage.

Prepare for Possible Class Action Litigation

In the event of a data breach, it’s increasingly common for affected parties to file class action lawsuits. Many legal teams recommend proactive measures to limit liability, such as documented protocols that show your team acted swiftly and responsibly during the incident.

Tip: Ensure your IR documentation is thorough and compliant with industry standards, as this can provide valuable evidence should litigation arise.

Use Tabletop Exercises to Strengthen Incident Preparedness

Incident response tabletop exercises, especially those involving executive teams, help prepare your organization to navigate both operational and legal complexities in a crisis. In addition to familiarizing staff with the IRP, tabletop exercises offer an opportunity to practice coordination with legal counsel, PR, and executive stakeholders.

Tip: Schedule annual or biannual tabletop exercises that simulate high-stakes incidents, like ransomware attacks, to ensure all teams are familiar with legal protocols.

Conclusion: A Proactive Legal Strategy in Incident Response

Responding to a security incident without considering legal implications can expose your organization to additional risks. By carefully navigating language, establishing attorney-client privilege, and preparing staff with tabletop exercises, your organization can avoid many of the legal pitfalls associated with incident response. Whether preparing for regulatory inquiries or class action lawsuits, these best practices can help your organization respond to incidents effectively and with minimized legal exposure.

December 2024 - Healthcare Executive Leadership Cybersecurity Newsletter

December 9, 2024

These are the stories I shared internally with my leadership. Feel free to take and use for your own leadership. Created with help from ChatGPT.

New Professional Liability Insurance for CISOs

In response to the increasing legal scrutiny faced by Chief Information Security Officers (CISOs), Crum & Forster has introduced a professional liability insurance policy tailored specifically for these executives. Traditionally, directors and officers (D&O) liability policies have not encompassed CISOs, leaving them vulnerable to personal financial risks in the event of cybersecurity incidents.

Key Features of the Policy:

Comprehensive Coverage: Protects against claims of negligence or inadequate work arising from cybersecurity services.

Flexible Acquisition: Available for purchase by organizations on behalf of their CISOs or directly by the CISOs themselves.

Extended Protection: Covers consulting activities for the organization and its subsidiaries, as well as external engagements, including pro bono IT security work.

Further Reading: CyberScoop Article

Bipartisan Effort to Enhance Healthcare Cybersecurity

On November 22, 2024, Senators Bill Cassidy (R-LA), Mark Warner (D-VA), John Cornyn (R-TX), and Maggie Hassan (D-NH) introduced the Health Care Cybersecurity and Resiliency Act of 2024. This bipartisan legislation aims to bolster cybersecurity measures within the healthcare sector, addressing the increasing threats to patient data and healthcare operations.

Help Center

Key Provisions:

Grant Funding: Allocates resources to healthcare entities for enhancing cyberattack prevention and response capabilities.

Training Initiatives: Provides cybersecurity best practices training to healthcare institutions.

Support for Rural Providers: Offers tailored guidance to rural health clinics on breach prevention and resilience strategies.

Interagency Coordination: Improves collaboration between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) for effective cyberattack responses.

Regulatory Modernization: Updates Health Insurance Portability and Accountability Act (HIPAA) regulations to incorporate current cybersecurity best practices.

Incident Response Planning: Mandates the development and implementation of a cybersecurity incident response plan by the HHS Secretary.

Implications for Healthcare Organizations: This legislation underscores the critical need for robust cybersecurity frameworks within healthcare institutions. Executive leaders should proactively assess their organization's cybersecurity posture, ensuring alignment with emerging standards and readiness to leverage potential federal support. Embracing these initiatives will not only protect sensitive patient information but also enhance operational resilience against cyber threats.

Further Reading: Senate HELP Committee Press Release

December 2024 - Security Awareness Newsletter

December 6, 2024

This is a security awareness focused newsletter that I share internally. Feel free to grab and use for your own internal security awareness program.

Copyright Infringement Phishing Scams Targeting Facebook Business Users

Cybercriminals are targeting Facebook business and advertising account users, especially in regions like Taiwan, with phishing emails that falsely claim copyright infringement. These emails urge recipients to download a file (disguised as a PDF), which actually installs information-stealing malware on the victim’s device. This tactic aims to harvest sensitive information from users who trust the email’s legal-sounding message.

Key Points:

Target Audience: Facebook business and advertising account users.

Phishing Tactic: Emails posing as copyright infringement notices.

Malware Delivery: Malicious files masquerading as PDFs that contain infostealers.

Further Reading: Cisco Talos Report on Copyright Infringement Phishing Lure

Beware of 'Phish 'n' Ships': Fake Online Stores Stealing Your Money and Data

Cybercriminals are increasingly creating fraudulent online shops that mimic legitimate retailers to deceive consumers into providing payment information and personal data. These fake websites often offer enticing deals on popular products, luring unsuspecting shoppers into making purchases. Once payment details are entered, the scammers steal the information, leading to financial loss and potential identity theft.

How to Protect Yourself:

Verify Website Authenticity: Before making a purchase, ensure the website is legitimate by checking the URL for misspellings or unusual domain extensions.

Look for Secure Connections: Ensure the website uses HTTPS, indicating a secure connection.

Research the Seller: Look for reviews and ratings from other customers to confirm the retailer's credibility.

Be Cautious of Unrealistic Deals: If an offer seems too good to be true, it likely is.

Further Reading: Human Security

Beware of DocuSign-Inspired Invoice Scams

Cybercriminals are leveraging DocuSign’s Envelopes API to distribute highly realistic fake invoices impersonating trusted brands like Norton and PayPal. These malicious emails come from legitimate DocuSign domains, bypassing security filters and appearing authentic. Attackers aim to have recipients e-sign the document, which can authorize unauthorized payments.

What You Can Do:

Always verify invoice details directly with the company rather than clicking links within emails.

Look out for unexpected requests, even from trusted services.

Educate your team about this tactic and report suspicious invoices immediately.

Further Reading: Bleeping Computer

Mobile Ad Data Enables Widespread Surveillance

Recent investigations reveal that commercial services are exploiting mobile advertising data to track individuals' daily movements without their consent. By collecting data from widely-used mobile apps and websites, these services can monitor personal locations, posing significant privacy risks.

Protect Your Privacy:

Limit App Permissions: Only grant apps the permissions they genuinely need.

Review Privacy Settings: Regularly check and adjust your device's privacy settings to control data sharing.

Stay Informed: Be aware of how your data is collected and used by the apps and services you utilize.

Further Reading: Krebs on Security

Phishing Scams Targeting Booking.com Users

Recent reports highlight a surge in phishing attacks exploiting Booking.com accounts. Cybercriminals are compromising hotel partner accounts to access customer booking details, subsequently sending fraudulent messages that appear legitimate. These messages often request additional information or payments, aiming to deceive users into providing sensitive data or transferring funds.

Protect Yourself:

Verify Communications: Always confirm the authenticity of messages by contacting the hotel or Booking.com directly through official channels.

Avoid Unsolicited Links: Do not click on links or download attachments from unexpected emails or messages.

Enable Two-Factor Authentication (2FA): Activate 2FA on your Booking.com account to add an extra layer of security.

Further Reading: Krebs on Security

North Korean IT Workers Infiltrating Western Companies

Recent investigations have uncovered a concerning trend: North Korean IT professionals are securing remote positions in Western companies, including those in the United States, by using stolen identities and sophisticated social engineering tactics. This strategy enables them to bypass international sanctions and funnel earnings back to North Korea, potentially funding illicit activities.

Key Insights:

Identity Theft: These individuals often use stolen or fabricated identities to pose as qualified candidates from various countries.

Advanced Techniques: They employ generative AI tools to craft convincing resumes and perform well in interviews, making detection challenging.

Financial Implications: Earnings from these positions are redirected to support North Korea's sanctioned programs, including its weapons development initiatives.

Further Reading: Zscaler Security Research

Surge in Eventbrite-Based Phishing Attacks

Recent analyses by Perception Point have identified a significant increase in phishing campaigns exploiting Eventbrite's scheduling platform. Between July and October 2024, these attacks escalated by 900%, with cybercriminals sending deceptive emails from 'noreply[@]events[.]eventbrite[.]com' to distribute malicious content.

Key Insights:

Legitimate Appearance: Utilizing Eventbrite's legitimate email domain allows attackers to bypass standard security filters, making the phishing emails appear authentic to recipients.

Malicious Payloads: The emails often contain links or attachments designed to harvest credentials or deploy malware upon interaction.

Targeted Entities: While the attacks are widespread, they predominantly focus on organizations that frequently use event management platforms, increasing the likelihood of successful exploitation.

Further Reading: KnowBe4 Blog

Phishing Campaign Impersonates OpenAI to Steal Financial Information

Cybercriminals are currently conducting a phishing campaign that impersonates OpenAI to deceive users into providing their financial details. The fraudulent emails inform recipients that their ChatGPT subscription payment has been declined, prompting them to click a link to update their payment method.

Key Insights:

Deceptive Tactics: The emails are designed to appear legitimate, leveraging OpenAI's branding to gain user trust.

Malicious Links: Clicking the provided link directs users to a fake payment page intended to capture sensitive financial information.

Widespread Targeting: This campaign is part of a broader trend where attackers exploit the popularity of AI tools to launch phishing attacks.

Further Reading: KnowBe4 Blog

Corrupted Word Documents in Novel Phishing Campaign

A newly identified phishing campaign exploits Microsoft's Word file recovery feature by using intentionally corrupted Word documents as email attachments. These documents evade detection by security solutions due to their damaged state, but Word can still recover and open them.

Key Insights:

The Lure: Emails impersonate payroll and HR departments, with themes like employee bonuses and benefits. The attachments appear as corrupted files but can be repaired by Word.

Malicious QR Codes: Upon recovery, the documents prompt users to scan a QR code branded with company logos. Scanning leads to phishing sites designed to steal Microsoft login credentials.

Detection Challenges: Most attachments used in this campaign avoid detection on platforms like VirusTotal, as they contain no active malicious code, just deceptive QR codes.

Attack Effectiveness: By exploiting overlooked document recovery mechanisms, this method bypasses traditional email security filters, increasing the likelihood of reaching victims.

Further Reading: BleepingComputer Article

Cybercriminals Exploit Search Engine Results to Promote Phishing Pages

Cybercriminals are increasingly employing search engine poisoning to elevate malicious phishing sites in search results, deceiving users into divulging sensitive information. Researchers at Malwarebytes discovered that a search for "KeyBank login" on Bing displayed a counterfeit KeyBank login page above the official site.

Key Insights:

Manipulated Search Results: Attackers optimize malicious sites to appear prominently in search results, making them seem legitimate and increasing the likelihood of user interaction.

Phishing Tactics: These fraudulent pages mimic authentic login portals, aiming to harvest users' credentials and personal data.

Broader Implications: This tactic, known as SEO poisoning, extends beyond banking sites, potentially affecting various sectors and services.

Further Reading: KnowBe4 Blog

Attackers Exploit Corrupted Files to Evade Detection

Cybersecurity researchers have identified a novel phishing campaign that utilizes intentionally corrupted Microsoft Office documents and ZIP archives to bypass email security measures. These corrupted files evade antivirus scans and email filters, yet can be opened by users through built-in recovery features in applications like Microsoft Word and WinRAR.

Key Insights:

Evasion Techniques: The corrupted state of these attachments prevents security tools from properly scanning them, allowing malicious emails to reach users' inboxes undetected.

User Interaction: When users attempt to open these corrupted files, applications prompt them to recover the content, leading to the display of malicious elements such as QR codes.

Malicious Outcomes: Scanning the embedded QR codes can redirect users to phishing websites designed to steal credentials or deploy malware.

This tactic highlights the continuous evolution of phishing strategies aimed at circumventing security defenses and exploiting user trust in application recovery features.

Further Reading: The Hacker News

December 2024 - Threat Intelligence Newsletter

December 5, 2024

This is a monthly newsletter that I share internally with our Cybersecurity team. Feel free to take and use for your own team. Created with the help of ChatGPT.

Google’s New SAIF Risk Assessment Tool for AI Security

Google has introduced the Secure AI Framework (SAIF) Risk Assessment tool to help organizations proactively identify and mitigate security risks in their AI systems. This interactive tool assesses key areas such as training data integrity, access controls, and defenses against adversarial inputs. Upon completion, organizations receive a tailored report outlining specific vulnerabilities and recommended mitigation strategies, reinforcing the need for robust security measures as AI systems become more prevalent.

Further Reading: Google Blog on SAIF Risk Assessment

Session Cookie Theft Bypasses MFA Protections

The FBI has issued a warning about cybercriminals exploiting stolen session cookies to hijack email accounts, effectively bypassing Multi-Factor Authentication (MFA) safeguards. These "Remember-Me" cookies, typically valid for 30 days, store session IDs that authenticate users without repeated logins. If intercepted, attackers can impersonate users, gaining unauthorized access to email accounts and sensitive information.

Mitigation Strategies:

Monitor Account Activity: Stay vigilant for unfamiliar login attempts or unauthorized changes.

Implement Robust Security Measures: Utilize endpoint protection solutions to detect and prevent malware that could steal session cookies.

Further Reading: Malwarebytes

Sophos Reports Sophisticated China-Based Threats Targeting Network Perimeters

Sophos recently uncovered a five-year cyber espionage campaign by China-based groups, including APT31 and APT41, that targeted network edge devices like firewalls. These attackers used zero-day vulnerabilities and custom malware to infiltrate and persist within critical infrastructure across the Indo-Pacific region, including energy suppliers, government agencies, and telecommunications. Advanced tactics include stealth operations, sabotaging firewall telemetry, and deploying an early version of a UEFI bootkit on firewall devices.

Key Insights:

Critical Infrastructure Targeting: Attackers focused on high-value assets, compromising essential services.

Advanced Persistence Tactics: Use of rootkits and stealth malware for long-term access.

Importance of Edge Device Security: Firewalls and perimeter defenses remain primary entry points for these threats.

Further Reading: Sophos News

Preparing for Emerging AI Risks

The latest Unit 42 Threat Frontier report highlights the evolving risks associated with generative AI (GenAI) in cybersecurity. As threat actors increasingly explore AI tools to enhance attack methods, traditional defenses like Zero Trust architectures remain essential, but additional AI-focused defenses are becoming critical. The report also emphasizes the growing issue of "Shadow AI," or the unauthorized use of AI tools within organizations, which poses unique security challenges.

Key Insights:

Shadow AI Risk: Unauthorized use of AI tools within organizations increases security vulnerabilities.

AI-Specific Defenses: Integrating AI-focused security measures early in development is essential for robust protection.

Continued Importance of Traditional Defenses: Zero Trust and other established architectures are still effective but need AI-specific adaptations.

Further Reading: Unit 42 - Palo Alto Networks

Extortion Actor's EDR Bypass Attempt Unveiled

Unit 42 recently investigated an extortion incident where threat actors attempted to bypass Endpoint Detection and Response (EDR) systems using a tool named "disabler.exe." This tool, derived from the publicly available EDRSandBlast, aimed to unhook EDR hooks in both user-mode libraries and kernel-mode, facilitating unauthorized access. The attackers utilized rogue systems with outdated Cortex XDR agents to test their methods, inadvertently exposing their toolkit and operations. This exposure allowed Unit 42 to trace the tool's sale on cybercrime forums and identify one of the threat actors involved.

Unit 42

Key Insights:

Advanced Evasion Techniques: Attackers are employing sophisticated tools to disable security mechanisms, highlighting the need for robust and up-to-date EDR solutions.

Operational Exposure: Testing malicious tools in uncontrolled environments can inadvertently reveal threat actor methodologies and identities.

Community Vigilance: Monitoring cybercrime forums and sharing intelligence are crucial for preempting and mitigating such threats.

Further Reading: Unit 42 - Palo Alto Networks

Surge in Fake Emergency Data Requests

The FBI has issued a warning to U.S. organizations about a rise in fraudulent emergency data requests (EDRs) by cybercriminals. These malicious actors compromise government email accounts to impersonate law enforcement, exploiting the urgency of EDRs to obtain sensitive user information from service providers without legal oversight.

Key Insights:

Tactics: Cybercriminals gain access to official email accounts, enabling them to submit convincing EDRs to companies, thereby bypassing standard legal procedures.

Motivations: The harvested data is often used for further criminal activities, including identity theft, financial fraud, and targeted cyberattacks.

Indicators of Compromise: Unusual or unexpected data requests, especially those marked as urgent, should be scrutinized for authenticity.

Recommendations:

Verification Protocols: Implement strict verification processes for all data requests, including direct confirmation with the requesting agency through known contact points.

Employee Training: Educate staff on the prevalence of fake EDRs and establish clear procedures for handling such requests.

Monitoring and Reporting: Continuously monitor for suspicious data requests and report any fraudulent attempts to the appropriate authorities.

Staying vigilant against these deceptive tactics is crucial to safeguarding sensitive information and maintaining trust with users.

Further Reading: SecurityWeek

The Credential Abuse Cycle

Recent analyses have highlighted the escalating threat of credential abuse, where cybercriminals exploit stolen usernames and passwords to infiltrate networks and access sensitive data. This cycle comprises three key stages: theft, trade, and exploitation.

Key Insights:

Credential Theft: Attackers acquire credentials through data breaches, malware (notably infostealers), and social engineering.

Underground Trading: Stolen credentials are sold on cybercriminal forums, specialized marketplaces, and messaging platforms like Telegram.

Exploitation: With these credentials, threat actors conduct account takeovers, credential stuffing, and valid account abuse, leading to data breaches and financial losses.

Further Reading: ReliaQuest Blog

Rise in SVG-Based Phishing Attacks

Cybercriminals are increasingly utilizing Scalable Vector Graphics (SVG) files in phishing emails to bypass security filters and deliver malicious content. Unlike traditional image formats, SVG files can contain embedded scripts, allowing attackers to execute malicious code when the file is opened.

Key Insights:

Evasion Techniques: SVG files are often overlooked by email security systems, enabling malicious payloads to reach recipients undetected.

Embedded Malware: Attackers embed JavaScript within SVG files to initiate redirects to phishing sites or to download malware onto the victim's device.

Increased Prevalence: There is a notable uptick in phishing campaigns leveraging SVG attachments, highlighting the need for heightened vigilance.

Further Reading: Bleeping Computer

2024 CWE Top 25 Most Dangerous Software Weaknesses Released

The Common Weakness Enumeration (CWE) has published its 2024 list of the Top 25 Most Dangerous Software Weaknesses. This annual compilation identifies the most prevalent and critical vulnerabilities that can lead to severe security breaches, including system takeovers, data theft, and application disruptions.

Key Highlights:

Top Vulnerabilities: The list features critical weaknesses such as Cross-Site Scripting (CWE-79), Out-of-Bounds Write (CWE-787), and SQL Injection (CWE-89).

Data Insights: The 2024 list is based on an analysis of 31,770 CVE Records, providing a comprehensive overview of current software security challenges.

Resource for Mitigation: The CWE Top 25 serves as a valuable resource for developers and security professionals to prioritize mitigation efforts and enhance software security practices.

Further Reading: CWE Top 25 Most Dangerous Software Weaknesses

Analysis of CISA's 2023 Top Exploited Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has released its 2023 report on the most routinely exploited vulnerabilities, providing critical insights into the threat landscape. An in-depth analysis by VulnCheck offers additional perspectives on these vulnerabilities, emphasizing their exploitation patterns and associated threat actors.

Key Insights:

Exploit Availability: Out of the 15 vulnerabilities highlighted, 14 have eight or more publicly available proof-of-concept (POC) exploits, indicating a high risk of exploitation.

Weaponized Exploits: Thirteen vulnerabilities have weaponized exploits, with five being weaponized before any public evidence of exploitation emerged.

Threat Actor Activity: Sixty named threat actors are linked to 13 of these vulnerabilities. Notably, North Korea's Silent Chollima group targeted nine of the listed vulnerabilities.

Detection Coverage: VulnCheck provides Initial Access artifacts for 12 of the 15 vulnerabilities, aiding defenders in identifying and mitigating potential threats.

Further Reading: VulnCheck Blog

Surge in Eventbrite-Based Phishing Attacks

Key Insights:

Legitimate Appearance: Utilizing Eventbrite's legitimate email domain allows attackers to bypass standard security filters, making the phishing emails appear authentic to recipients.

Malicious Payloads: The emails often contain links or attachments designed to harvest credentials or deploy malware upon interaction.

Targeted Entities: While the attacks are widespread, they predominantly focus on organizations that frequently use event management platforms, increasing the likelihood of successful exploitation.

Further Reading: KnowBe4 Blog

Large-Scale Phishing Campaign Deploys Rhadamanthys Stealer v0.7

Check Point Research has identified a significant phishing operation utilizing the latest version of the Rhadamanthys Stealer, known as Rhadamanthys.07. This campaign, dubbed "CopyRh(ight)adamantys," impersonates legitimate companies to distribute malware under the guise of copyright infringement notices.

Checkpoint Blog

Key Insights:

Phishing Tactics: Attackers send emails from Gmail accounts, alleging copyright violations on the recipient's social media pages, prompting them to download a file that initiates the malware infection.

Global Reach: The campaign targets individuals and organizations across multiple continents, with approximately 70% of impersonated companies belonging to the entertainment, media, technology, and software sectors.

Malware Capabilities: Rhadamanthys.07 includes features such as AI-powered optical character recognition (OCR) modules, enhancing its ability to extract data from infected machines.

Further Reading: Check Point Blog

Corrupted Word Documents in Novel Phishing Campaign

Key Insights:

The Lure: Emails impersonate payroll and HR departments, with themes like employee bonuses and benefits. The attachments appear as corrupted files but can be repaired by Word.

Malicious QR Codes: Upon recovery, the documents prompt users to scan a QR code branded with company logos. Scanning leads to phishing sites designed to steal Microsoft login credentials.

Detection Challenges: Most attachments used in this campaign avoid detection on platforms like VirusTotal, as they contain no active malicious code, just deceptive QR codes.

Attack Effectiveness: By exploiting overlooked document recovery mechanisms, this method bypasses traditional email security filters, increasing the likelihood of reaching victims.

Further Reading: BleepingComputer Article

Surge in Infostealer Malware Exploiting Innovative Attack Vectors

In October 2024, Check Point Research identified a significant increase in infostealer malware activity, with cybercriminals employing advanced tactics to infiltrate systems and exfiltrate sensitive data.

Key Insights:

Prevalent Malware Families: The top threats included FakeUpdates, impacting 6% of organizations worldwide, followed by Androxgh0st at 5%, and AgentTesla at 4%.

Innovative Attack Vectors: Threat actors are leveraging sophisticated methods, such as malicious advertisements in search results—a tactic known as "malvertising"—to distribute infostealers. This approach enhances the legitimacy of malicious links, increasing the likelihood of user engagement.

Global Impact: The widespread distribution of these malware families underscores the necessity for organizations to adopt proactive and adaptive security measures to counter evolving cyber threats.

Further Reading: Check Point Blog

Attackers Exploit Corrupted Files to Evade Detection

Key Insights:

Evasion Techniques: The corrupted state of these attachments prevents security tools from properly scanning them, allowing malicious emails to reach users' inboxes undetected.

User Interaction: When users attempt to open these corrupted files, applications prompt them to recover the content, leading to the display of malicious elements such as QR codes.

Malicious Outcomes: Scanning the embedded QR codes can redirect users to phishing websites designed to steal credentials or deploy malware.

This tactic highlights the continuous evolution of phishing strategies aimed at circumventing security defenses and exploiting user trust in application recovery features.

Further Reading: The Hacker News

Key Takeaways from NIST SP 800-50r1 – Building a Cybersecurity and Privacy Learning Program

December 2, 2024

In September 2024, the National Institute of Standards and Technology (NIST) released the updated Special Publication (SP) 800-50r1, "Building a Cybersecurity and Privacy Learning Program." This is an update to the 2003 NIST Special Publication (SP) 800-50, Building an Information Technology Security Awareness and Training Program. I hadn’t realized that there was a NIST publication on building a security awareness program. It’s good to see an update after 21 years! Here's a look at the key insights and recommendations from the updated publication. This was written with the help of ChatGPT.

Understanding THE Cybersecurity and Privacy Learning Program (CPLP)

Name Change! The document introduces the Cybersecurity and Privacy Learning Program (CPLP) as an overarching framework that includes awareness campaigns, role-based training, and workforce education initiatives. Aimed at fostering a culture of security and privacy, the CPLP is a strategic effort to manage risks and comply with federal regulations, such as FISMA. With privacy becoming a much bigger topic in the last 10 years, rolling it into an cybersecurity awareness program makes sense. This could cross multiple teams depending on how an organization is setup.

CPLP emphasizes awareness and education, incorporating role-specific training alongside general awareness activities, and focuses on encouraging behavior change to reduce risks and foster a culture of security. Continuous improvement is integral, with metrics and evaluations used to adapt programs to evolving needs.

The CPLP Life Cycle

NIST defines a four-phase life cycle for managing CPLPs: Plan and Strategy; Analysis and Design; Development and Implementation; and Assessment and Improvement. These phases involve developing a strategic vision that aligns learning objectives with organizational goals, identifying learning needs and creating tailored program designs, building or procuring learning materials and deploying the program, and measuring effectiveness while refining strategies based on outcomes. This iterative approach ensures that the CPLP remains dynamic and aligned with organizational needs.

Leadership and Organizational Roles

The success of a CPLP hinges on active involvement across all levels of the organization. Senior leadership plays a crucial role in providing strategic direction and resources, while CPLP managers oversee program design, delivery, and metrics. System users, on the other hand, are responsible for adhering to policies and participating in required training. Leadership participation, such as senior leaders engaging in training themselves, reinforces the importance of the program. Leadership buy-in is the first step to getting any sort of program off the ground. Heavily regulated industries are easier to get buy-in for than others.

Metrics and Measurements

Effective CPLPs rely on a mix of quantitative and qualitative metrics to evaluate success. Quantitative metrics include training completion rates, reductions in incidents, and compliance statistics, while qualitative metrics involve employee feedback, focus group discussions, and behavioral observations. NIST emphasizes using these metrics not just for compliance but to drive meaningful behavior change and demonstrate return on investment.

This section was helpful for thinking about what sort of metrics to have. One of the examples brought up is click rate which is a highly volatile statistic. A better statistic is report rate which is a positive behavior an organization wants to encourage within their population. The document doesn’t define what an organization should have for metrics but instead provides guidance.

Integrating Privacy into Cybersecurity Training

One of the standout updates in SP 800-50r1 is the seamless integration of privacy training into cybersecurity programs. It highlights the interconnected nature of these disciplines and the need for training to address both cybersecurity incidents and privacy risks, such as data re-identification or misuse. Teaching employees about privacy risks enables them to recognize potential problems and implement procedures that minimize such risks.

This is big within healthcare. Reports like the Verizon Data Breach Investigation Report show that the healthcare industry has higher internal threat actors due to mistakes and errors with handling information. This can lead to huge privacy implications for the organization.

Tailored Training for Diverse Audiences

CPLPs should be segmented to address specific needs. General users benefit from training on fundamental security practices, such as phishing awareness, while privileged access holders require advanced training on managing sensitive systems. Those in specialized roles undergo deeper training specific to their risks and responsibilities. Tailoring training ensures that it remains relevant and impactful for all user groups.

Easy to suggest much harder to do. A good starting point is what’s mentioned in the publication: all users; privileged access account holders; new employees; and staff with cybersecurity and privacy responsibilities. Tailored training should be broken down further into departments such as service desk and finance but this is a good starting point.

Focusing on Improvement Without Punishment

One of the critical takeaways from NIST SP 800-50r1 is the emphasis on using cybersecurity exercises, such as phishing tests, as opportunities for learning and improvement rather than punishment. The publication highlights the importance of informing employees that these exercises are conducted randomly and that the results will guide future learning activities. Such exercises should not be punitive, nor should employees be singled out for their responses. By framing these activities as learning opportunities, organizations can gather valuable data on vulnerabilities while fostering a supportive environment that encourages employee growth and engagement with cybersecurity practices.

A Culture of Learning

At its core, SP 800-50r1 promotes a culture of continuous learning and adaptation. From onboarding new employees to advanced training for cybersecurity professionals, the document underscores the importance of embedding cybersecurity and privacy awareness into organizational DNA. By viewing cybersecurity and privacy learning as an evolving process, organizations can be prepared for emerging risks and technologies.

Conclusion

NIST SP 800-50r1 offers a robust roadmap for organizations looking to strengthen their cybersecurity and privacy posture. For organizations aiming to enhance their cybersecurity and privacy programs, reading SP 800-50r1 is a great starting point. A focus on building culture and rewarding people will help change behavior and reduce the human element in incidents.

Explore the full NIST SP 800-50r1 publication here.

The 12 Scams of The Holiday Seasons: How to Stay Safe This Holiday Season

November 26, 2024

I wrote this for a security awareness program with help from ChatGPT. Feel free to grab and share within your own organizations.

The Better Business Bureau (BBB) has long been a trusted resource for protecting consumers and promoting trustworthy business practices. Their mission to provide valuable insights and tools to stay vigilant against fraud is especially critical during the holidays. This year, the BBB has compiled a list of the "12 Scams of Christmas" to help ensure your festive season remains joyful and scam-free.

Here’s a quick overview of these scams and how to protect yourself:

Fake Social Media Ads: Beware of deals that are too good to be true—they may lead to counterfeit or undelivered goods.
Gift Exchange Scams: Pyramid schemes disguised as “fun” gift exchanges often harvest personal information.
Holiday Apps: Some seemingly festive apps collect data or install malware on your device.
Fake Toll Texts: Scammers target holiday travelers with bogus unpaid toll notifications.
“Free” Gift Cards: Phishing emails offering gift cards often aim to steal sensitive data.
Seasonal Job Scams: Fake job listings trick job seekers into providing personal or financial details.
Impostor Scams: Fraudsters pose as customer service reps or mimic legitimate websites.
Fake Charities: Scammers take advantage of the season’s generosity with fraudulent donation appeals.
Phishing Shipping Notifications: Fake alerts about undelivered packages are phishing attempts.
Advent Calendar Scams: Low-quality or nonexistent calendars sold by untrustworthy vendors.
Shady Pop-Up Shops: Temporary retailers that vanish with your money or sell counterfeit goods.
Too-Good-To-Be-True Travel Deals: Unrealistically low offers designed to scam travelers.

How to Stay Safe:

Be skeptical of deals that sound too good to be true.
Verify sellers, charities, and offers through trusted sources.
Avoid clicking on unsolicited links or emails.

The BBB offers a wealth of information to help you navigate the holiday season safely. For the full list of scams and detailed safety tips, visit their 12 Scams of Christmas page.

This holiday season let’s protect our wallets and our personal information while spreading cheer and generosity. A little awareness can go a long way in keeping the holidays merry and bright!