Exploring Information Security


November 2024 Cybersecurity Awareness Newsletter

This is a newsletter I share internally as part of our internal security awareness program. Feel free to take it and use it in your organization. Created with help from ChatGPT.

Fake Job Applications Deliver Dangerous Malware 

Summary: A spear-phishing campaign has been targeting HR professionals with malicious job applications. Attackers use fake resumes containing More_eggs malware, a backdoor designed to steal credentials. This malware, part of a Malware-as-a-Service (MaaS) platform operated by the Golden Chickens group, can be used by multiple threat actors. The attack chain involves malicious Windows shortcut (LNK) files that initiate the infection upon execution, allowing attackers to perform reconnaissance and drop additional payloads. 

Key Insight: Be cautious when handling job applications, especially those involving downloadable files from unknown sources. 

For further details, read the full article on The Hacker News
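
One way to put the "be cautious with downloadable files" advice into a concrete screening step, as an added example that is not from the newsletter or the article it summarizes: a Python screener for an HR mailbox that recognizes a Windows shortcut by the fixed 20-byte ShellLink header (HeaderSize 0x4C plus the LinkCLSID) rather than by its extension, so a shortcut renamed to look like a PDF resume is still caught, and that also looks inside zip archives. The attachment names and contents are constructed for the demonstration; the header bytes are the standard shortcut signature.

```python
import io
import zipfile

# Every Windows shortcut (.lnk) opens with the same 20 bytes: HeaderSize
# 0x0000004C as a little-endian DWORD, then the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")

MAX_ARCHIVE_DEPTH = 2  # stop recursing into archives nested deeper than this


def is_lnk(data: bytes) -> bool:
    """True when the bytes start with the ShellLink header, whatever the file is named."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def screen_attachment(name: str, data: bytes, depth: int = 0) -> list:
    """Return a list of findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    if name.lower().endswith(".lnk"):
        findings.append(f"{name}: .lnk extension")
    if is_lnk(data):
        findings.append(f"{name}: ShellLink header")
    # Applications often arrive as archives, so screen the members of a zip as well.
    if data[:2] == b"PK":
        if depth >= MAX_ARCHIVE_DEPTH:
            findings.append(f"{name}: archive nested too deeply, not inspected")
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    findings.extend(
                        screen_attachment(f"{name}/{member}", archive.read(member), depth + 1)
                    )
        except zipfile.BadZipFile:
            findings.append(f"{name}: unreadable zip archive")
    return findings


def screen_message(attachments: dict) -> list:
    """Screen every attachment of one message; attachments maps filename -> bytes."""
    findings = []
    for name, data in attachments.items():
        findings.extend(screen_attachment(name, data))
    return findings


def build_sample_message() -> dict:
    """Constructed sample attachments for a pretend job application e-mail (hypothetical data)."""
    harmless_pdf = b"%PDF-1.4\n% placeholder resume, not a real document\n"
    renamed_shortcut = LNK_MAGIC + b"\x00" * 40  # shortcut header hidden behind a .pdf name
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("Resume_J_Doe.pdf.lnk", LNK_MAGIC + b"\x00" * 40)
        zf.writestr("cover_letter.txt", b"Dear hiring manager,\n")
    return {
        "resume.pdf": harmless_pdf,
        "portfolio.pdf": renamed_shortcut,
        "application.zip": archive.getvalue(),
    }


if __name__ == "__main__":
    for finding in screen_message(build_sample_message()):
        print("FLAG", finding)
```

Checking the header instead of the name matters because a mail gateway that only blocks `*.lnk` by extension never sees the renamed shortcut; the sample run flags `portfolio.pdf` and the shortcut inside the zip while leaving the genuine PDF and the text file alone.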

Data Privacy Risks in Connected Cars 

Modern connected vehicles collect vast amounts of data, including driving habits, location, and even biometric information like voice commands. A recent analysis by CHOICE reveals that many popular car brands share this data with third-party companies, raising privacy concerns. Brands like Kia, Hyundai, and Tesla collect and share voice and video data, while others gather driving behaviors. This highlights the importance of understanding your car’s data collection practices and opting out where possible. 

Further reading: CHOICE - Connected Cars Tracking Your Data

North Korean Hackers Targeting Job Seekers 

A new campaign by North Korean hackers is targeting job seekers, particularly in the tech industry, according to a recent report. Hackers impersonate recruiters on platforms like LinkedIn, luring individuals into downloading malware disguised as video conferencing tools. The malware is designed to steal cryptocurrency and sensitive corporate data, posing risks to both individuals and organizations. Job seekers should remain cautious when interacting with unsolicited offers and recruiters. 

Further reading: KnowBe4 - North Korean Hackers

Election Season and Cybersecurity Concerns 

As the 2024 election season progresses, a recent Malwarebytes survey reveals that 74% of respondents consider it a risky time for personal information. Fears of scams, privacy breaches, and cyber interference are high, with 52% of people expressing concern about falling prey to scams through political ads. Many are taking precautions, such as using two-factor authentication and password managers, to secure their data. 

Key Insights: 

  • 74% view election season as risky for personal data. 

  • 52% fear scams via political ads. 

  • Increased adoption of security practices like two-factor authentication. 

Further reading: Malwarebytes - Election Season Raises Fears

North Korean IT Worker Incident Highlights Hiring Risks 

A recent cyberattack on a company underscores the dangers of unknowingly hiring North Korean operatives. The organization accidentally hired a North Korean IT worker who accessed sensitive data and demanded a ransom. This highlights the need for stringent vetting in remote hiring practices, especially as North Korea increasingly infiltrates global companies. 

Recommended Protections: 

  • Implement strict identity verification for remote workers. 

  • Conduct thorough background checks with global databases. 

  • Regularly monitor employee network activity for unusual behavior. 

Further reading: GBHackers - North Korean IT Worker Incident

Mobile-First Cyber Attacks on the Rise 

Cyber attackers are increasingly adopting a "mobile-first" strategy, as highlighted by a new report from Zimperium. With 83% of phishing sites now targeting mobile devices and a 13% rise in mobile malware, employees’ personal devices pose a growing risk to organizations. As more employees use their smartphones for work-related tasks, organizations need to bolster mobile security and educate employees on safe practices through security awareness training. 

Further reading: KnowBe4 - Mobile-First Attack Strategy

Microsoft Spoofing Threats on the Rise 

A recent report from Harmony Email & Collaboration highlights over 5,000 fake Microsoft emails targeting organizations within a single month. These emails, often impersonating legitimate administrators, use sophisticated obfuscation techniques, making them difficult for users to detect. The risks include account takeovers, ransomware, and data theft.

Further reading: Check Point Blog

New VPN Credential Attack Uses Sophisticated Social Engineering 

A recent attack uncovered by security researchers targets organizations using VPNs through a combination of social engineering, fake login sites, and phone calls. Attackers impersonate a helpdesk, direct users to a spoofed VPN login page, and steal credentials. They also prompt users for multi-factor authentication (MFA) codes to gain access to corporate networks. This attack highlights the importance of user vigilance and strong security training. 

Attack Chain: 

  • Impersonation of helpdesk. 

  • Directs victim to fake VPN login page. 

  • Steals credentials and MFA codes. 

Further reading: KnowBe4 - New VPN Credential Attack

Operation Kaerb Takedown 

Operation Kaerb successfully dismantled iServer, a Phishing-as-a-Service platform responsible for facilitating mobile credential theft targeting nearly half a million victims. iServer enabled low-skilled criminals to unlock stolen phones by phishing for user credentials. This takedown is a reminder of the evolving tactics cybercriminals use and underscores the importance of staying vigilant against mobile-focused phishing attacks. 

Further Reading: Operation Kaerb on KnowBe4

Sextortion Scams on the Rise 

Our team has recently been targeted by sextortion scams, where attackers use publicly available information to create threatening messages designed to elicit fear and urgency. These scams often appear more credible by including personal details. If you receive such a message, avoid engagement or payment—report it to our security team immediately by using the suspicious email button in Outlook. 

Further Reading: KnowBe4 Article on Sextortion Scams

Update: Q3 2024 Brand Phishing Trends 

Check Point Research’s Q3 2024 report reveals that Microsoft continues as the most impersonated brand in phishing attacks, accounting for 61% of brand phishing attempts. Apple (12%) and Google (7%) follow, with new additions Alibaba and Adobe rounding out the top 10. These attacks commonly target the technology, social media, and banking sectors, as cybercriminals exploit brand familiarity to deceive users and capture credentials or payment information. Notably, new phishing sites targeting WhatsApp and Alibaba highlight the evolving strategies of threat actors seeking to exploit user trust. 

Key Insights: 

  • Microsoft Dominance: Microsoft phishing attempts made up 61% of brand impersonation attacks, with Apple and Google also highly targeted. 

  • Sector Focus: Technology and social networks were the most impersonated sectors, followed by banking. 

  • Evolving Phishing Tactics: Phishing websites like whatsapp-io.com and alibabashopvip.com show attackers adapting to impersonate new brands. 

Further Reading: Check Point’s Q3 2024 Brand Phishing Report.
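
The "evolving phishing tactics" point above can be turned into a check that runs over sender addresses and links before a user ever sees them. This is an added example, not code from the newsletter or from Check Point's report: a Python lookalike-domain detector that takes a bare domain, an e-mail address or a URL, extracts the registrable domain, and flags it when a brand name is embedded in an unrelated domain (the `whatsapp-io.com` and `alibabashopvip.com` pattern the report names), spelled with common confusable characters, or used as a subdomain of an unrelated domain. The brand allowlist and the confusable table are assumptions for the demonstration, and the sample inputs other than the two domains from the report are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumed allowlist: the brands the report names, with illustrative domains
# they genuinely use. A production list would be maintained, not hard-coded.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "live.com", "outlook.com"},
    "apple": {"apple.com", "icloud.com"},
    "google": {"google.com", "gmail.com"},
    "whatsapp": {"whatsapp.com"},
    "alibaba": {"alibaba.com", "aliexpress.com"},
    "adobe": {"adobe.com"},
}
LEGITIMATE = set().union(*BRAND_DOMAINS.values())

# Character swaps commonly used to imitate a brand name (rn for m, 0 for o, ...).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def host_from(value: str) -> str:
    """Accept a bare domain, an e-mail address or a URL and return the host part."""
    if "://" in value:
        return urlsplit(value).hostname or ""
    if "@" in value:
        return value.rsplit("@", 1)[1]
    return value


def registrable_domain(host: str) -> str:
    """Last two labels of the host (naive: no public-suffix list, so co.uk-style suffixes are not handled)."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    """Undo common confusable substitutions so 'rnicr0soft' reads as 'microsoft'."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def check_lookalike(value: str) -> Optional[dict]:
    """Return a finding when the domain imitates a known brand, or None when it is clean."""
    host = host_from(value).lower().rstrip(".").split(":")[0]
    domain = registrable_domain(host)
    if domain in LEGITIMATE:
        return None  # the brand's own domain, including any of its subdomains
    registrable_label = domain.split(".")[0]
    subdomain_labels = host.split(".")[:-2]
    for brand in BRAND_DOMAINS:
        if brand in registrable_label:
            reason = "brand name embedded in an unrelated registrable domain"
        elif brand in normalize(registrable_label):
            reason = "confusable spelling of the brand name"
        elif any(brand in normalize(label) for label in subdomain_labels):
            reason = "brand name used as a subdomain of an unrelated domain"
        else:
            continue
        return {"input": value, "domain": domain, "brand": brand, "reason": reason}
    return None


# Constructed sample: the two sites the report names, invented lookalikes, and clean senders.
SAMPLE_INPUTS = [
    "whatsapp-io.com",
    "alibabashopvip.com",
    "https://login.rnicrosoft.com/auth",
    "alerts@microsoft.com.account-verify.net",
    "noreply@outlook.com",
    "https://www.apple.com/support",
    "news@example.org",
]


def triage(values) -> list:
    """Run the check over a batch and keep only the findings."""
    return [f for f in (check_lookalike(v) for v in values) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_INPUTS):
        print(f"{finding['input']} -> {finding['brand']}: {finding['reason']}")
```

The registrable-domain step is what makes the subdomain rule work: `microsoft.com.account-verify.net` is owned by whoever registered `account-verify.net`, so the familiar prefix carries no trust. A real deployment would replace the naive two-label rule with a public-suffix list and keep the allowlist current.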

North Korean Cybercriminal Infiltrates UK Company 

A UK-based organization recently suffered a breach after inadvertently hiring a North Korean cybercriminal posing as a remote IT worker. Once hired, the attacker used insider access to extract sensitive information and eventually demanded a ransom for its non-disclosure. This case highlights the importance of strict hiring processes for remote roles and enhanced security practices. 

Key Insights: 

  • Vetting Remote Employees: Conduct rigorous background checks to confirm credentials. 

  • Data Security: Monitor access and behavior for early threat detection. 

  • Remote Work Risks: Be mindful of cyber threats exploiting virtual roles. 

Further Reading: KnowBe4 Article; KnowBe4 10 Hiring Updates

North Korean Threat Actors Pose as Recruiters to Target Job Seekers 

Palo Alto Networks' Unit 42 recently uncovered a campaign in which North Korean threat actors pose as recruiters to lure tech job seekers into downloading malware disguised as legitimate communication tools. Known as the "Contagious Interview" campaign, this operation involves malware variants like BeaverTail and InvisibleFerret, which are capable of stealing credentials, exfiltrating sensitive files, and targeting cryptocurrency wallets. Victims are approached on professional platforms like LinkedIn, and then directed to install fake interview applications that serve as a conduit for malware. 

Key Insights: 

  • Sophisticated Impersonation Tactics: Attackers convincingly impersonate recruiters and use realistic job offers to build trust with targets. 

  • Multifunctional Malware: The malware used can harvest browser passwords, access cryptocurrency wallets, and install backdoors, enhancing its threat potential. 

  • Organizational Risk: Beyond individual targets, successful infections on company devices can lead to broader data breaches within organizations. 

As remote work and digital hiring continue to rise, it’s critical to validate the legitimacy of recruiters and avoid downloading unverified software for job interviews. 

Further Reading: Unit 42 Report on North Korean Recruitment Tactics

Pig Butchering Scams Target Job Seekers 

Proofpoint has identified a new twist in cryptocurrency fraud, known as "Pig Butchering," targeting job seekers. Scammers posing as recruiters lure victims into fake job roles, eventually guiding them to invest in fraudulent cryptocurrency platforms. Victims see initial "profits" to build trust, but ultimately lose their entire investment. These scams often begin on social media, moving to platforms like WhatsApp or Telegram for further manipulation. 

Further Reading: Proofpoint Article

Foreign Disinformation on U.S. Hurricanes 

Recent intelligence shows that operatives from Russia, China, and Cuba have spread false information about U.S. hurricanes to deepen political divides. AI-generated images and misleading posts claimed federal relief was denied or funds were diverted to foreign conflicts, aiming to erode trust in U.S. disaster response. Be cautious of divisive narratives or unverified disaster images on social media, as they may be part of coordinated disinformation efforts. 

Further Reading: NBC News Article

Social Engineering Exploits Valid Accounts 

Recent incidents highlight how threat actors are compromising legitimate accounts through social engineering tactics. By manipulating individuals into divulging sensitive information or performing specific actions, attackers gain unauthorized access to systems and data. This method often involves impersonating trusted entities or creating convincing scenarios to deceive targets. 

Key Insights: 

  • Impersonation Tactics: Attackers frequently pose as IT support or company executives to extract credentials. 

  • Phishing Campaigns: Sophisticated emails and messages are crafted to appear authentic, luring recipients into providing access details. 

  • Insider Threats: Compromised accounts can be used to launch further attacks within an organization, making detection challenging. 

Further Reading: KnowBe4 Article on Social Engineering Exploits

Major Data Breach at Change Healthcare Affects 100 Million Americans 

In February 2024, Change Healthcare, a leading U.S. healthcare technology company, experienced a significant ransomware attack that compromised the personal, financial, and medical information of approximately 100 million individuals. The breach disrupted healthcare services nationwide, highlighting vulnerabilities in the sector's cybersecurity defenses. 

Key Insights: 

  • Scope of Breach: The attack exposed sensitive data, including medical records, billing information, and personal identifiers such as Social Security numbers and driver's license details. 

  • Financial Impact: UnitedHealth Group, Change Healthcare's parent company, reported direct breach response costs of $1.521 billion and total cyberattack impacts of $2.457 billion. 

  • Ransom Payment: The company paid a $22 million ransom to the BlackCat ransomware group in an attempt to secure the stolen data. 

Further Reading: Change Healthcare Breach Hits 100M Americans – Krebs on Security

Student Loan Phishing Scams Targeting Millions 

Cybercriminals are exploiting confusion around student loan forgiveness with a surge in phishing emails targeting millions of Americans. These emails use advanced techniques to look legitimate and bypass email filters, making them harder to detect. 

What You Can Do to Stay Safe: 

  • Watch for Red Flags: Be cautious with emails related to student loans, especially those asking for immediate action or personal information. Verify any claims by contacting your loan service provider directly. 

  • Check the Source: Always look closely at the sender’s email address. Official communication will come from verified addresses, not random or suspicious-looking senders. 

  • Enable Multi-Factor Authentication (MFA): Use MFA on your financial accounts for extra security, making it harder for attackers to gain access if they obtain your credentials. 

  • Be Prepared: Know how to report a suspicious email in your email system, and don’t hesitate to delete anything that seems off. 

Further Reading: Check Point Blog