FBI: US Defense Industry Organizations Targeted with USB-Based Ransomware Attacks

Using mailed out “BadUSB” drives as the initial attack vector, cybercriminals are attempting to infiltrate sensitive networks and infect them with BlackMatter or REvil ransomware strains.

The FBI recently released a notice about cybercriminal group FIN7, according to a Bleeping Computer article, warning defense contractors to be wary of USB drives being sent through the mail. According to the notice, FIN7 is impersonating Amazon and the Department of Health & Human Services (depending on the target victim) in an effort to get them to plug in the USB drive.

The USB drives are ‘BadUSB’ or ‘Bad Beetle USB’ devices with the LilyGO logo, and are commonly available for sale on the Internet. The drives register with the victim computer as a keyboard and inject keystrokes that pull down a wealth of hacker tools, including Metasploit, Cobalt Strike, Carbanak malware, the Griffon backdoor, and PowerShell scripts.

The goal of these drives is to infect networks with either BlackMatter or REvil ransomware.

This is a real-world form of targeted attack that uses the same social engineering we commonly see in phishing attacks. Users who undergo continual Security Awareness Training already know they should not plug in unknown USB drives – especially those sent unsolicited.

These attacks could just as easily be turned into an access-for-sale attack, given the amount of control the attackers have over the compromised endpoint. Be on guard.

READ MORE

Half of All Organizations Hit by Ransomware Experience Productivity Loss

According to new data, ransomware is expected to be a larger and more likely threat in the next year, so the impacts victims feel today are a clear impetus for improved cybersecurity.

According to new data from Bitglass in their 2022 Ransomware & Malware Report, you should expect ransomware to be a continually growing problem. A majority of organizations (88%) see it as a moderate to extreme threat, with 75% of orgs believing that it will be a larger threat to organizations in the next 12 months.

The impacts felt by ransomware victims tell the story of why cybersecurity measures need to be stepped up (no matter your current level of protection):

  • Over half (52%) of organizations experienced a loss in productivity
  • 38% had some degree of system downtime
  • 27% suffered a loss in revenue
  • 23% suffered data loss
  • 17% had negative publicity
  • 15% experienced damage to their reputation

According to the report, the initial attack vectors are areas where security can be shored up easily:

  • 61% of attacks involved phishing emails
  • 47% involved email attachments
  • 38% involved malicious or compromised websites

Now, 82% of organizations in this report already have some form of anti-malware/endpoint protection in place. So, what’s the answer?

It’s found by looking at the attack vectors: every one of them needs the user to participate in the attack. Putting users through Security Awareness Training is a proven way to reduce that attack surface. By teaching users not to engage with attachments and links from unsolicited emails – and giving them real-world examples of current campaigns – it’s possible to elevate their understanding of attacks so they can avoid becoming the next victim.

READ MORE

A Cyberespionage Group Uses Social Engineering

A sophisticated China-aligned threat actor is using social engineering to carry out cyberespionage and financially motivated attacks, according to researchers at Trend Micro.

“Since mid-2021, we have been investigating a rather elusive threat actor called Earth Lusca that targets organizations globally via a campaign that uses traditional social engineering techniques such as spear phishing and watering holes,” the researchers write. “The group’s primary motivation seems to be cyberespionage: the list of its victims includes high value targets such as government and educational institutions, religious movements, pro-democracy and human rights organizations in Hong Kong, Covid-19 research organizations, and the media, among others. However, the threat actor also seems to be financially motivated, as it also took aim at gambling and cryptocurrency companies.”

The threat actor used spear phishing, watering-hole sites, and website vulnerabilities to compromise its victims.

“The group has three primary attack vectors, two of which involve social engineering,” the researchers write. “The social engineering techniques can be broken down into spear phishing emails and watering hole websites. Our telemetry data shows Earth Lusca sending spear phishing emails containing malicious links to one of their targets — a media company. These links contain files that are disguised either as documents that would be of interest to the potential target, or as opinion forms allegedly coming from another media organization. The user eventually downloads an archive file containing either a malicious LNK file or an executable — eventually leading to a Cobalt Strike loader.”
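The delivery chain quoted above (link, then archive, then a shortcut or executable inside it) is something a mail gateway or attachment sandbox can check for mechanically. The following is an added example written for this page; it is not Trend Micro's code, nor anything from the campaign. It opens a ZIP attachment, recurses into nested ZIPs, and flags Windows shortcuts and executables by content (the LNK and PE magic bytes) as well as by extension, so a shortcut renamed to `.pdf` is still caught. The sample archive it builds is constructed in memory for the demonstration and contains no real lure.

```python
"""Flag e-mail attachments that are archives wrapping a shortcut or executable.

Added example, not Trend Micro's code or the threat actor's tooling. It models
the delivery chain described in the text (link -> archive -> .lnk or executable)
as a gateway check: open each ZIP, walk its members (recursing into nested
ZIPs), and flag Windows shortcuts (.lnk), executables, and files whose
extension lies about their type (an LNK or PE header behind a .pdf name).
"""
import io
import zipfile

# File types that should never arrive inside an "opinion form" or "document" archive.
RISKY_EXTENSIONS = {".lnk", ".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                    ".js", ".jse", ".vbs", ".hta", ".msi", ".dll"}

# Magic bytes: Windows shell link header (size 0x4C + CLSID prefix) and PE "MZ".
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"
MZ_MAGIC = b"MZ"


def _ext(name):
    """Return the lower-cased last extension of a member path, or '' if none."""
    base = name.rsplit("/", 1)[-1]
    return ("." + base.rsplit(".", 1)[-1].lower()) if "." in base else ""


def classify_member(name, head):
    """Return a list of reasons a member is suspicious (empty if none).

    `head` holds the first bytes of the member, so detection is by content
    as well as by name.
    """
    reasons = []
    ext = _ext(name)
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"risky extension {ext}")
    if head.startswith(LNK_MAGIC):
        reasons.append("Windows shortcut (LNK) content")
    if head.startswith(MZ_MAGIC):
        reasons.append("PE executable content")
    # Double extensions such as "report.pdf.exe" are a classic disguise.
    stem = name.rsplit("/", 1)[-1].rsplit(".", 1)[0].lower()
    if "." in stem and ext in RISKY_EXTENSIONS:
        reasons.append("double extension")
    return reasons


def scan_archive(data, depth=0, prefix=""):
    """Walk a ZIP given as bytes; return [(member_path, [reasons]), ...] for flagged members."""
    findings = []
    if depth > 3:  # cap nesting so a deliberately deep archive cannot stall the scanner
        return [(prefix + "<nested-too-deep>", ["nesting depth exceeded"])]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a ZIP: nothing for this check to say
    for info in zf.infolist():
        if info.is_dir():
            continue
        path = prefix + info.filename
        with zf.open(info) as fh:
            head = fh.read(64)
        if head.startswith(b"PK\x03\x04"):  # nested archive: recurse into it
            with zf.open(info) as fh:
                findings.extend(scan_archive(fh.read(), depth + 1, path + "!/"))
            continue
        reasons = classify_member(path, head)
        if reasons:
            findings.append((path, reasons))
    return findings


def build_sample_archive():
    """Constructed sample resembling the lure described in the text (not a real artifact)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Opinion_Form.pdf.lnk", LNK_MAGIC + b"\x00" * 56)  # shortcut lure
        z.writestr("readme.txt", b"Please fill in the attached form.")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Interview_Questions.docx.exe", MZ_MAGIC + b"\x90" * 62)
        z.writestr("Survey.pdf", LNK_MAGIC + b"\x00" * 56)  # LNK hiding behind .pdf
        z.writestr("notes.txt", b"plain text, should not be flagged")
        z.writestr("forms.zip", inner.getvalue())  # nested archive
    return outer.getvalue()


if __name__ == "__main__":
    for path, reasons in scan_archive(build_sample_archive()):
        print(f"{path}: {', '.join(reasons)}")
```

Content-based detection matters more than the extension list: the text describes archives where the payload is disguised as a document, and a `.pdf` member that begins with the LNK header is exactly the case the name check alone would miss.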

The threat actor used watering-hole sites to target victims who are interested in certain topics.

“In addition to spear phishing emails, Earth Lusca also made use of watering hole websites — they either compromised websites of their targets or set up fake web pages copied from legitimate websites and then injected malicious JavaScript code inside them,” Trend Micro says. “Links to these websites are then sent to their victims (although we were not able to definitively pinpoint how this was done).”

New-school security awareness training can enable your employees to avoid falling for targeted social engineering attacks.

READ MORE

North Korean Cryptocurrency Theft Relies on Social Engineering

A North Korean threat actor being called “BlueNoroff,” a subunit of Pyongyang’s Lazarus Group, has been targeting cryptocurrency startups with financially motivated attacks, researchers at Kaspersky have found. The campaign, “SnatchCrypto,” is using malicious documents to gain access to internal communications, then using social engineering to manipulate employees.

“If there’s one thing BlueNoroff has been very good at, it’s the abuse of trust,” Kaspersky says. “Be it an internal bank server communicating with SWIFT infrastructure to issue fraudulent transactions, cryptocurrency exchange software installing an update with a backdoor to compromise its own user, or other means. Throughout its SnatchCrypto campaign, BlueNoroff abused trust in business communications: both internal chats between colleagues and interaction with external entities.”

This campaign is targeting small- to medium-sized cryptocurrency companies, as the attackers know that these companies often lack the resources to defend against sophisticated attacks.

“According to our research this year, we have seen BlueNoroff operators stalking and studying successful cryptocurrency startups,” the researchers write. “The goal of the infiltration team is to build a map of interactions between individuals and understand possible topics of interest. This lets them mount high-quality social engineering attacks that look like totally normal interactions. A document sent from one colleague to another on a topic, which is currently being discussed, is unlikely to trigger any suspicion. BlueNoroff compromises companies through precise identification of the necessary people and the topics they are discussing at a given time.”

Seongsu Park, a senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT), said that companies of all sizes need to be aware of these types of attacks.

“As attackers continuously come up with a lot of new ways to trick and abuse, even small businesses should educate their employees on basic cybersecurity practices,” Seongsu Park said. “It is especially essential if the company works with crypto wallets. There is nothing wrong with using cryptocurrency services and extensions, but note that it is also an attractive target for APT and cybercriminals alike. Therefore, this sector needs to be well protected.”

New-school security awareness training can give your organization an essential layer of defense by enabling your employees to thwart social engineering attacks.

READ MORE

“Information Disorder”: Giving a Name to One of the Most Impactful Parts of Phishing Scams

At the core of every phishing scam is a combination of a bunch of lies and (sometimes) a few truths. A new focus on better defining the misuse of information provides insight into why phishing works.

We’ve long known that phishing scams are all based on the sender pretending they are someone they’re not, asking for something they don’t need, sent to someone they don’t know. Add in spear phishing and some of the “truths” begin to show up – seemingly legitimate requests being appropriately made of the right person within an organization. Add in BEC attacks and you might even see the “truth” of the phishing email coming from the sender’s actual email account.

In the world of phishing, this misuse of information is what makes these attacks so effective. But it’s tough to defend against something that is more a concept than a defined thing. So, I was glad to see that the Council of Europe has provided some definitions around what they call “Information Disorder”. There are three types of information disorder, two of which apply to cyberattacks:

  • Mis-information – when false information is shared, but no harm is meant.
  • Dis-information – when false information is knowingly shared to cause harm.
  • Mal-information – when genuine information is shared to cause harm, often by moving information designed to stay private into the public sphere.

In phishing, we see LOTS of disinformation: the sender’s identity, email address, company, purpose for the email, and need for a response are all examples. In ransomware campaigns that involve a data extortion component (which most do today), we see the use of malinformation, where stolen data is posted to a publicly-accessible site.

The EU’s DisinfoLab even raises the red flag, citing disinformation as a cybersecurity threat. They point out the context established by the information disorder is a primary factor in users falling for phishing attacks.

Individuals and users within organizations need to become well-educated on how the basic factors of an email we assume to be true (e.g., sender, company, purpose, etc.) should remain under scrutiny – especially in cases when the email is unsolicited. Organizations can put employees through continual Security Awareness Training as an effective way to educate them on what to look for and how to spot a scam a mile away, helping to elevate vigilance and lower the risk of successful attack.

READ MORE

It’s a Fact: Cyberattacks Continue Because Your Users Forget

The weakest part of your cybersecurity can be identified by looking at how cyberattacks take place, and how well your defenses stand up. But did you know the answer comes from the year 1885?

While cybersecurity is a constantly moving target, there are some constraints put on threat actors that keep their methods and tactics within a realm of possible actions. For example, they need to work within the confines of the operating systems used by the victim organization – which only have so many ways to be exploited. The same is true for users; with 85% of breaches involving a human element, cybercriminals use a combination of urgency and credibility to convince the potential victim to engage with the threat actor’s malicious content. And while new phishing themes are constantly being created to align with current events, the tactics feel very much the same; it’s pretty much always click the link, open the attachment, or reply to the email.

So, if it’s really as simple as making sure users don’t interact with malicious email content, why are cyberattacks continuing to flourish? Part of the answer lies with organizations that don’t enlist their users to play a role in protecting the organization. If users are not educated with Security Awareness Training to be mindful of malicious content in their Inbox, they are likely to interact with and fall for phishing attacks.

But just putting users through this kind of training a few times a year isn’t enough.

The core of the problem is that people forget what they’ve learned. Back in 1885, German psychologist Hermann Ebbinghaus hypothesized that memory retention declines over a very short period of time – something now known as the Forgetting Curve. In as little as 20 minutes, 40% of what’s been learned has already been forgotten.

[Image: forgetting curve chart. Source: The Forgetting Curve]

He found that repetition in learning over a period of time (in most cases, repetitions were measured in days) actually increases the percentage of knowledge retained. You can see below the impact on the percentage of information retained when the information is re-reviewed over time.

[Image: forgetting curve with spaced repetitions. Source: The Forgetting Curve]

Applying this to cybersecurity, it becomes clear that a) even if users are put through some form of training, they will forget most or all of what they’ve learned (and will click the malicious link sometime in the future), and b) it takes continual Security Awareness Training to ensure users retain best practices, good cyber hygiene, and a vigilant state of mind when interacting with unsolicited (and potentially malicious) email content.

READ MORE

Fifty FIFA eSports Accounts Were Hacked Via Social Engineering

Video game maker Electronic Arts (EA) has stated that around fifty high-profile accounts for the soccer game FIFA 22 were hacked after attackers manipulated the company’s customer service employees.

“Over the last few weeks we’ve been made aware of reports that high-profile player accounts are being targeted for takeover,” the company said. “Through our initial investigation we can confirm that a number of accounts have been compromised via phishing techniques. Utilizing threats and other ‘social engineering’ methods, individuals acting maliciously were able to exploit human error within our customer experience team and bypass two-factor authentication to gain access to player accounts.”

Some of the hacked accounts belonged to real soccer/football players and professional video game streamers. EA is still working to restore accounts to their rightful owners.

“At this time, we estimate that less than 50 accounts have been taken over using this method,” EA said. “We are currently working to identify rightful account owners to restore access to their accounts, and the content within, and players affected should expect a response from our team shortly. Our investigation is ongoing as we thoroughly examine every claim of a suspicious email change request and report of a compromised account.”

EA notes that “[t]here is always a human factor to account security,” and the company is taking the following steps to mitigate these attacks in the future:

“All EA Advisors and individuals who assist with service of EA Accounts are receiving individualized re-training and additional team training, with a specific emphasis on account security practices and the phishing techniques used in this particular instance.

“We are implementing additional steps to the account ownership verification process, such as mandatory managerial approval for all email change requests.

“Our customer experience software will be updated to better identify suspicious activity, flag at-risk accounts, and further limit the potential for human error in the account update process.”

New-school security awareness training can enable your employees to thwart phishing and other social engineering attacks.

READ MORE

Payment Fraud Moves to the Real World with Fake QR Codes on Parking Meters

Scammers are using professional-looking stickers to send drivers to an alternate payment site that collects credit card details, in the perfect situation where victims would be none the wiser.

This is a pretty slick scam – you park your car, don’t have enough change, see the “Pay Here” QR code, scan it, and are taken to a friendly-looking parking payment website. You’d obviously pay without hesitation. But according to Austin Police, this parking meter scam popped up beginning in December and appears to be continuing its paces.

[Image: Austin Police Department tweet warning about fraudulent QR code stickers on parking meters. Source: Austin Police Department]

In one way, this is the ultimate impersonation scam – the scammer gets the legitimacy bump from the parking meter itself! The closest we have to this in the world of cyberattacks is when vendor email compromise takes place and a malicious email is sent from the hijacked account.

What’s also concerning about this kind of scam is that scams are moving from online into the real world. You could see this happening, for example, outside a major department store with a sign promoting a giveaway using a QR code pointing to a brand-impersonated site.

But, because these scams tie back to online habits, the good news is proper Security Awareness Training can be put into practice, teaching users to always be mindful and vigilant whenever payments, credentials, or personal details are involved online.

READ MORE

U.S. Government Warns of More Cyberattacks Targeting Critical Infrastructure

A new joint cybersecurity advisory from CISA, the FBI, and the NSA cautions organizations against Russian-based attacks and provides mitigations to be implemented.

It’s one thing to see an advisory that simply says “hey, we’re seeing a bunch more attacks.” But when you also see 8 pages of recommended security measures and a statement encouraging “the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness and to conduct proactive threat hunting”, you know they know something you don’t.

This is exactly what is in yesterday’s cybersecurity advisory entitled “Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure”.

While the advisory isn’t focused on a specific threat, it does begin with some general statements of what’s been observed:

Historically, Russian state-sponsored advanced persistent threat (APT) actors have used common but effective tactics—including spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security—to gain initial access to target networks.

Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware. The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments—including cloud environments—by using legitimate credentials.

Even if you’re not a “critical infrastructure” organization, this advisory is solid reading. It offers real-world examples of Russia-based attacks, vulnerabilities used, observed tactics and techniques mapped to the MITRE ATT&CK Framework, and practical guidance to shore up your Detection, Incident Response, and Mitigation efforts.

In general, the advisory makes the following high-level recommendations:

  • Be prepared – this includes minimizing security gaps and creating a detailed incident response plan
  • Enhance your organization’s cyber posture – this includes implementing best practices across identity and access management, protective controls, as well as vulnerability and configuration management
  • Increase organizational vigilance – this includes staying updated on threats and ensuring users are educated through continual Security Awareness Training

READ MORE

Business Email Compromise Attack Leads to Millions in Non-Profit Loss

A business email compromise attack at Illinois’s Office of the Special Deputy Receiver led to a loss of $6.85 million, Ray Long at the Chicago Tribune reports. Long describes the Office as “a nonprofit that works with the director of the Illinois Department of Insurance and exists largely to protect creditors and policyholders of financially troubled or insolvent insurance companies.”

The office’s former Chief Financial Officer, Douglas Harrell, provided the Tribune with details of the attack, explaining that $2.8 million was recovered.

“While state officials were saying little about the cyberattack, the office’s former chief financial officer, Douglas Harrell, told the Tribune that his email was hijacked by hackers who then directed others how to invest money with what appeared to be approval of his superiors,” Long writes. “Harrell said a quick call to bank officials blocked a significant amount of the $6.85 million from being lost before all transactions became final. The agency learned of the breach July 15 and contacted the Pritzker administration and the Illinois State Police, Harrell said.”

Harrell told the Tribune that the attackers had lurked within his email account for two to three weeks before impersonating him to authorize the fraudulent transactions. He also noted that the attack was particularly effective since he and his co-workers were working remotely.

“What’s really a shame is criminals just taking advantage of COVID,” Harrell said. “Without a cybersecurity expert at our shop…we weren’t prepared. We just didn’t know how to protect ourselves properly from cyber hackers….It’s just fraud through and through.”

Long notes that cybercriminals often target state and local governments because these entities have less funding than Federal agencies or large corporations. New-school security awareness training can familiarize your employees with these tactics so they can recognize and thwart BEC attacks and other forms of social engineering.

GovTech has the story.

READ MORE