• A well-known bot often used for cyber-attacks, the Qakbot
• The First responder Word

FOCUS TECH

QAKBOT

Initially designed to steal banking credentials, Qakbot has evolved into a more versatile malware with multiple uses like stealing data or using it as a trojan to enter within an IT system. Besides, it is highly modulable, which allows actor to add new functionalities easily. Over time, its capabilities have expanded to target various types of sensitive information. This increasingly widespread threat now affects a broader range of victims and industries, especially in European countries, and is used by well-known actors such as black basta ransomware group.

To protect against Qakbot, it’s important to take a proactive approach to security. Implementing various measures can help defend against this threat:

• Consider utilizing an EDR system within your organization to ensure constant monitoring and prompt responses to cyberattacks
• Monitor IoCs, verify child processes with Sigma rules and restrict admin access
• Train users to recognize phishing emails and avoid clicking on suspicious links or opening attachments from unknown senders, as it is a common infection way. It is also recommended to train on specific personalized modules as the phishing techniques get more and more sophisticated
• Implement strong, unique passwords for all accounts, and use MFA for all privileged accesses (mail, VPN, cloud…)
• Regularly update operating systems and software to patch vulnerabilities that could be exploited by Qakbot to spread from a post to another for example.

While no single solution can guarantee complete protection from Qakbot, combining these strategies will significantly reduce the risk of infection and help maintain a secure environment.

CERT-W: FROM THE FRONT LINE

THE FIRST RESPONDER WORD

SEE YOU NEXT MONTH!!

Cet article CYB Watch – April 2023 est apparu en premier sur RiskInsight.

CHATGPT

What opportunities for the underground world of cybercrime ?

Need a refresh about ChatGPT?

Figure 1 – Screenshot from ChatGPT when prompted “Introduce ChatGPT in a funny way and at the first person”

Unless living under a rock, you have heard about the incredibly notorious AI powered chatbot developed by OpenAI: Chat GPT, a tool that relies on the Generative Pre-trained Transformer architecture. But just in case, you must know that ChatGPT has been trained on a vast amount of data from the Internet and is able to understand human speech and interact with users. Chat GPT has not finished to be talked about: on March 14^th 2023, Open AI has announced the arrival of Chat GPT 4.0[i].

The growing popularity and potential future applications of ChatGPT have also caught the attention of cybercriminals. Nord VPN’s examination of Dark Web posts from January 13th to February 13th revealed a significant increase in Darkweb forum threads discussing ChatGPT, jumping from 37 to 91 in just a month. The main topics of these threads included:

• Breaking ChatGPT
• Using ChatGPT to create Dark Web Marketplace scripts
• A new ChatGPT Trojan Binder
• ChatGPT as a phishing tool with answers indistinguishable from humans
• ChatGPT trojan
• ChatGPT jailbreak 2.0
• Progression of ChatGPT malware

Figure 2 – Screenshot from CheckPoint: Cybercriminal is using ChatGPT to improve Infostealer’s code

These threads give a first interesting overview of all the rogue usage that can involves ChatGPT or be carried out via the chatbot. Another key security concern could also be included in this list when thinking about ChatGPT’s limitations in terms of cybersecurity, which is the risk of personal and/or corporate data leak, that could lead to identity theft, fraud, or other malicious uses.

What are the plausible cybercriminal use cases?

 Figure 3 – Screenshot of a ChatGPT answer when prompted “Talk at the first person about possible cybercriminal usage of ChatGPT”

Use Case #1 – Support malware creation and kill chain attack

ChatGPT is designed to decline inappropriate requests but there are ways to bypass its restrictions and generate malicious code. For example, instead of directly requesting a ransomware script, users can describe step-by-step functions needed for such a script, ultimately receiving functional parts of malicious code.

Figure 4 – Screenshot of a ChatGPT answer to the request “Write me a function named “find_files” in Python that searches all files that end up with “txt, pdf, docx, ppt, xlsm” starting from the root directory and that return all paths of files that match with the criteria”.

It has been proven possible to use ChatGPT to insert harmful code into a commonly used computer program and create programs that constantly change their appearance, making them harder for security software to detect and block and to obtain an entire process of an artificial intelligence-driven cyberattack, starting with targeted phishing emails and ending with gaining unauthorized access to someone’s computer.

Figure 5 – Screenshot from CheckPoint: Example of the ability to create a malware code without anti-abuse restrictions in a Telegram bot utilizing the OpenAI API

However, as highlighted by NCSC and Kaspersky, using ChatGPT for creating malware is not that reliable, due to potential errors and logical loopholes in the generated code, and even if it provides a certain level of support, the tool doesn’t currently reach the level of cyber professional.

Use Case #2 – Discover and exploit vulnerabilities

When it comes to code vulnerabilities, ChatGPT raises several challenges in terms of detection and exploitation.

In terms of detection, ChatGPT is currently able to detect vulnerabilities in any piece of code submitted if properly prompted to do so, but it can also debug code. For example, when a computer security researcher asked ChatGPT to solve a capture-the-flag challenge, it successfully detected a buffer overflow vulnerability and wrote code to exploit it, with only a minor error that was later corrected.

In terms of exploitation, the risks posed by ChatGPT, and more generally Large Language Models (LLMs) can be used to produce malicious code or exploits despite restrictions, as they can be bypassed. Additionally, LLMs may generate vulnerable and misaligned code, and while future models will be trained to produce more secure code, it’s not the case yet. Moreover, some security researchers remain skeptical about AI’s ability to create modern exploits that require new techniques.

Use Case #3 – Create persuasive content for phishing and scam operations

Creating persuasive text is a major strength of GPT-3.5/ChatGPT, and GPT-4 performs even better in this area. Consequently, it’s highly probable that automated spear phishing attacks using chatbots already exist. Crafting targeted phishing messages for individual victims is more resource-intensive, which is why this technique is typically reserved for specific attacks.

Figure 6 – Screenshot from chatGPT, pishing mail generation

ChatGPT has the potential to significantly change this dynamic, as it allows cybercriminals to produce personalized and compelling messages for each target. To include all necessary components, however, the chatbot requires detailed instructions.

A notable advantage of ChatGPT is its capability to interact and create content in multiple languages, complete with reliable translation. In the past, this was a key way to identify scams and phishing attempts. While some methods are being developed to detect content created by ChatGPT, they haven’t yet proven entirely effective.

This poses a significant risk to all companies, as it makes their employees more susceptible to such attacks and may expose their resources if passwords are stolen in this manner. As mentioned earlier, it is essential to raise awareness about this issue while also strengthening authentication methods, such as implementing two-factor authentication as a potential solution.

Interestingly, other uses have been made of ChatGPT notoriety to develop scams without using the tool itself, such as phishing mails/Scams in order to push towards the purchase of a (fake) ChatGPT subscription and to provide personal data details

Use Case #4 Exploit companies’ data

ChatGPT has been trained on a massive amount of internet data, including personal sites and media content, meaning that it may have access to personal data that is currently hard to remove or control, as no “right to be forgotten” measures exist to date. Consequently, ChatGPT’s compliance with regulations like GDPR is under debate. GPT-4 can manage basic tasks related to personal and geographic information, such as identifying locations connected to phone numbers or educational institutions. By combining these capabilities, GPT-4 could be used to identify individuals when paired with external data.

Another significant concern is the sensitive information users might provide through prompts. Users could inadvertently share confidential information when seeking assistance or using the chatbot for tasks, like reviewing and enhancing a draft contract. This information may appear in future responses to other users’ prompts. They might not only find their confidential documents or research leaked on such platforms due to employees’ inattention, but also reveal information about their system or employees which will be used by hacker to facilitate an intrusion. The primary course of action should be to increase awareness on this subject by providing formation and explanation or to restrict access to the website in the sensitive domains until there is a better comprehension of how data is utilized.

Not only the real ChatGPT can be used for this objective, but the creation of other chatbots using the same model as ChatGPT but configured to trick victims into disclosing sensitive information or downloading malware has also been observed.

Use Case #5 Disinformation campaigns

ChatGPT can be used to quickly write very convincing articles and speeches based on fake news. The American startup Newsguard has conducted an experience on ChatGPT to demonstrate its disinformation potential: on 100 fake information submitted to ChatGPT, the tool has produced fake detailed articles, essays and TV scripts for 80 of them, including significant topics such as Covid-19 and Ukraine[ii].

As highlighted (again) by the war between Ukraine and Russia, the crucial role of information and disinformation through cyber channels, can have significant consequences.

Use Case #6 Create darknet marketplace

Cybercriminals have also been observed using ChatGPT to support the creation of DarkWeb marketplaces. ChekPoint has illustrated this phenomenon with some examples[iii]:

• A cybercriminal post on a Darkweb forum showing how to code with ChatGPT a DarkWeb Market script that does not rely on Python or Java Script, using third-party API to get up-to-date cryptocurrency (Monero, Bitcoin and Etherium) prices as part of the Dark Web market payment system.
• Dark web discussions threads linked to fraudulent usage of ChatGPT, such as how to generate an e-book or a short chapter using ChatGPT and then sell its content online.

Figure 2 – Screenshot from CheckPoint: Multiple threads in the underground forums on how to use ChatGPT for fraud activity

What are the key take aways?

Even if ChatGPT tends to lack of the necessary level of features, it can still be a useful tool to facilitate cyberattacks. Even if it is an obvious support tool mostly for script kiddies and unexperimented actors, ChatGPT – as any AI tool – can be a facilitator for any type of hackers, either to completely conceive a malware, to accelerate malicious actions such as phishing or to increase the sophistication level of cyberattacks.

With the release of GPT-4, OpenAI has made efforts to counter inappropriate requests, however ChatGPT  still raise serious security issues and challenges for business security. It is important to keep in mind that the malicious use cases detailed in the previous section are only hypothetical scenarios: malicious use of ChatGPT has already been observed and it is essential to convey strong cybersecurity messages on the topic:

• Don’t include sensitive info in queries to #ChatGPT : Avoid personal/sensitive information sharing while using ChatGPT
• Stay informed and vigilant: AI-related topics are evolving quickly, it is central to stay put regarding tools evolution (e.g. release of Chat GPT 4.0), and new security topics that can emerged over time
• Scams and phishing are likely to become more and more realistic in their crafting: continue raising awareness about this risk and train yourself and your ecosystem
• Basic cybersecurity practices are still true: have a regular vulnerability management, set up doble authentication, train your teams and raise awareness…
• ChatGPT opening the door to the possibility of creating realistic fake content, it is central to stay informed about tooling initiatives aiming at detecting machine-written text such as GPT Zero, a tool developed by Princeton student (Note: OpenAI is also working on a tool to detect machine-written text, but is for now far from being perfect since it detect machine-written text only one in four times)

Reading of the Month

CERT-EU : RUSSIA’S WAR ON UKRAINE: ONE YEAR OF CYBER OPERATIONS

https://cert.europa.eu/static/MEMO/2023/TLP-CLEAR-CERT-EU-1YUA-CyberOps.pdf

[i] https://cdn.openai.com/papers/gpt-4.pd

[ii] https://www.newsguardtech.com/misinformation-monitor/jan-2023/

[iii] https://research.checkpoint.com/2023/opwnai-cybercriminals-starting-to-use-chatgpt/

Cet article CDT Watch – March 2023 est apparu en premier sur RiskInsight.

BLINDSIDE

Facing the EDR behavioral supervision, attackers develop techniques for successful attacks by staying under the radars. One of these techniques is called Blindside. This technique works on many EDRs relying on a hook and was revealed by Cymulate. 

According to Cymulate, the author of Blindside, the technique is not immune to detection. Some mitigations can be implemented such as:

• Monitor the use of the SetThreadContext function: the function context can inform on breakpoint setting (write inside debug address registers)
• Monitor the presence of suspicious debug functions
• Edit EDR settings for checking debug registers

It remains difficult to bypass EDR solutions as their detection methods vary between vendors. Nevertheless, it is important to remember that it is possible and that the security should not rely solely on the solution.

CERT-W: FROM THE FRONT LINE

THE FIRST RESPONDER WORD

READING OF THE MONTH

SOPHOS: MATURING CRIMINAL MARKETPLACES PRESENT NEW CHALLENGES TO DEFENDERS

Maturing criminal marketplaces present new challenges to defenders, Sophos 2023 Threat Report

VULNERABILITY OF THE MONTH

PROXYNOTSHELL: WHEN APPLYING MITIGATIONS KEEPS YOU VULNERABLE

CVE-2022-41040 & CVE-2022-41082

Published by NVD: 02/10/2022

Products: Microsoft Exchange server

Versions: on-site/on premise 2013, 2016 and 2019

Score: 8.8 HIGH

Context   PoC

Microsoft Exchange is a mailbox server exclusively running on the Windows operating système.

In September 2022, a vulnerability to compromise the underlying Exchange server was discovered. It was named ProxyNotShell after its similarities with the ProxyShell vulnerability. To exploit ProxyNotShell, attackers need to have an authentified access to the Microsoft Echange server. The exploitation of the vulnerability allows attacker to deploy a webshell on the targeted server, giving them an initial access.

Around November, a number of mitigations (Hotfix) were released awaiting for a patch. As a result, some 60 000 servers worldwide still are vulnerables since the few mitigations rules can be bypassed by attackers.

According to CrowdStrike, Play ransomware group, which has been active since last June, took advantage of this in using a new exploit to bypass the URL rewrite mitigations for the Autodiscover endpoint. Early December the managed cloud hosting services company Rackspace technology complies to having been attacked after a successful exploit of the vulnerability in Microsoft Exchange Server.

The Microsoft Exchange server should have at least the KB5019758 patch. If not, the main action to perform is to immediately install the updates on the vulnerable servers. If some factors make the installation impossible, it is adviced to disable OWA until it can be applied. In addition, it is strongly recommended to disable remote PowerShell for non-admin users and use EDR tools to detect if web services are spawning PowerShell processes.

SEE YOU NEXT MONTH!!

Cet article CDT Watch – January 2023 est apparu en premier sur RiskInsight.

BRING YOUR OWN VULNERABLE KERNEL DRIVER (BYOVKD)

Facing the EDR behavioral supervision, attacker develops techniques for successful attacks by staying under the radars. One of these techniques is called BYOVKD: Bring Your Own Vulnerable Kernel Driver.

Even if it does not raise an alert on the EDR console, the Defense team must be vigilant to any telemetry that would indicate the loading of an unusual driver on assets. Furthermore, prevention mechanisms exist for this type of case, some examples below:

• Block abuse of exploited vulnerable signed drivers
• Driver block rules

CERT-W: FROM THE FRONT LINE

THE FIRST RESPONDER WORD

READING OF THE MONTH

EMOTET

What is Emotet 2022?

Emotet is a Malware-as-a-Service (MaaS) relying on a botnet network which appeared in 2014. It was originally designed as a banking Trojan aiming to steal sensitive information related to bank accounts. In 2021, police forces arrested several people belonging to Emotet organization, which then reappeared with new features in 2022. The group behind Emotet seems to be opportunist and most of its victims are from US, UK, Japan, Germany, Italy, Spain, France, and Brazil.

Why is it dangerous?

Emotet is a polymorphic malware whose code changes over time. Among the numerous new features of the 2022 version, searchers from the DFIR Report have identified an ability to bypass anti-malware detection. To do that, Emotet 2022 uses a 64 bits base code and various signatures to avoid pattern recognition. The malware is also able to keep itself up to date once downloaded by using Command & Control servers, which send it updates the same as an Operating System. The MaaS is also able to release IcedID, which are modular banking Trojans able to drop other malwares. Doing so, Emotet helped to distribute ransomwares for impact, Cobalt Strike for initial access, XMRig for stealing wallet data…

How does Emotet 2022 initial infection work?

Using a phishing email with a malicious Office attachment, Emotet exploits a 2017 Microsoft vulnerability which allows remote code execution on vulnerable devices (CVE 2017-11882) to compromise its first victim.

Once downloaded in memory, the malware executes a sequence of legitimate Windows commands to perform a recognition of its environment, then spreads in the local network and steals information.

Emotet spreads through spam emails. According to Deep Instinct, 45% of them are containing malicious Office attachment such as Spreadsheets or scripts in most of the cases. As those emails traduce the object and attachments names in the target’s local language and come from known senders, the phishing looks particularly realistic.

Comprehensive look of EMOTET fall 2022

Why is this new version of the MaaS particularly tricky?

Emotet 2022 can identify whether it’s downloaded into a sandbox environment, or a device connected to a network. In the first configuration it won’t activate itself, but in the second it will rely on a password dictionary to spread thanks to brute-force.  Moreover, the November 2022 Excel files generally enclosed contains macros which no longer needs a user click to be authorized. The victim is only asked two things: copying the files into the Microsoft Office Template zone, which requires administrator privileges. Opening the file in this location will execute the macros without any warnings.

How to protect from Emotet 2022?

Since Emotet 2022 uses malicious spam and phishing is the most used technique for initial access, we highly advice you to consider these measures:

• Provide your company a solution against phishing.
• Launch an awareness campaign for employees and stakeholders.
• Provide you company an Endpoint Detection and Response which complete the anti-virus by performing behavioural analysis, which helps visualize the virus kill chain to identify the action levers.

Give a local administrator account to an employee only in case of specific need.

VULNERABILITY OF THE MONTH

DEBIAN-SPECIFIC REDIS SERVER LUA SANDBOX ESCAPE VULNERABILITY – CVE-2022-0543

Published by NVD: 18/02/2022

Products: Redis server for Debian and Debian-derived Linux distributions

Versions: less and equal to 5:5.0.14-1+deb10u2, 5:6.0.16-1+deb11u2, 5:7.0.5-1, 5:7.0.7-1

Score: 10 CRITICAL

Context  PoC

Redis is an opensource NoSQL database management system. Redis includes an embedded Lua scripting engine, it allows client to run scripts. By design, the Lua engine must be sandboxed: it means that packages and APIs available are limited in an execution context. Redis clients are not allowed to execute arbitrary code on the Redis server.

In some Debian and Debian-derived Linux packages, the Lua environment is not sufficiently regulated because the Lua Library is provided as a dynamic library. It can allow attackers to access arbitrary Lua functionalities and results in a Lua Sandbox escape.

Early December, reports indicate that attackers are exploiting this vulnerability to deploy a new backdoor malware dubbed Redigo on Redis Server. The malware communicates with a server of command and control using port 6379 which is a legitimate port used by Redis for communication between client and server: the Redis server joins a botnet network.

According to Aqua, the malware has some functions specially written to the Redis server which may imply that the group behind this desired to build an adjusted attack that would target Redis servers.

A successful attack implies that attacker could execute arbitrary commands and access to sensitive information.

A group of attackers is behind the Redigo malware which is an emerging threat. Furthermore, the exploit of the CVE-2022-0543 is public and is used in the wild to deploy the malware. Vulnerable Redis Server must be patched and up to date.

SEE YOU NEXT MONTH!!

Cet article CDT Watch – December 2022 est apparu en premier sur RiskInsight.

What are the supply chain threats?

What’s a picture of the current situation?

Since 2019, there has been a growing focus on third-party attacks. With good reason: CyberArck estimates in a study from 2022 that 71% of organizations suffered a successful

software supply chain-related attack that resulted in data loss or asset compromise. According to Argon Security – recently acquired by Aqua Security – published the latest edition of its annual Software Supply Chain Security Review this week. The Software Supply Chain Security Review from Argon’s report that software supply chain attacks grew by more than 300% in 2021 compared to 2020.

In terms of maturity, in 2022: a survey of 1,000 CIOs found that 82% said their organization is vulnerable to cyber-attacks targeting software supply chains (Venafi). From our own Cyberbenchmark, we can see that 50% of our interviewee don’t control their security requirements with their third party and 15% conduct audits on their most critical suppliers in 2022.

What kind of attacks are we talking about? 

Attacks on the supply chain are related to threats around third parties. ENISA defines this type of attack as follows: “ A supply chain attack is a combination of at least two attacks. The first attack is on a supplier that is then used to attack the target to gain access to its assets. The target can be the final customer or another supplier. Therefore, for an attack to be classified as a supply chain one, both the supplier and the customer have to be targets.”

As a reminder the supply chain involves a wide range of resources (hardware and software), storage (cloud or local), distribution mechanisms (web applications, online stores), and management software

• Indirect or bounce attack: An attack on one or more intermediate information systems. The attacker uses the supplier as an entry vector to retrieve the information needed to access the final target.
• Supply chain attack: the attacker relies on a software production chain to infect a legitimate program and distribute it to third parties.

Why is it serious?

First because these attacks are complicated to detect: originally used for espionage, these are attacks where the attacker aims to remain discreet until the attack is launched. Second because it is a one-to-many kind of attack. A small change in software source code can affect the entire supply chain (plus, the chains are increasingly interconnected). The most known example is Kaseya and its 800 and 1,500 total businesses affected victims. Thirdly, many enterprises don’t have enough visibility on their ecosystem to anticipate or even detect the flaws in their IS. As we have seen, the security maturity in this field is currently quite low.

There are some aggravating factors:

• The cyber criminal’s ecosystem has matured and industrialized, allowing more sophisticated attacks to target matured victims. ​They can therefore afford this kind of sophisticated attack which used to take time, financial investment, and expertise…
• Expansion of the attack surface: The IS ecosystem is increasingly large, and increasingly interconnected, and more and more third parties are involved. They have potentially less control of the IS and less visibility, therefore potentially less control of the security of all these third parties, particularly in IAM management: who has very privileged access rights to its IS…
• The risk is to give access to third parties who can represent entry points for attackers: to one’s IS and to one’s sensitive data since one shares them with third parties
• In 2021, in an analysis conducted with 1200 CISOs (in America, Europe and Singapore), about 38% of respondents said that they had no way of knowing when or whether an issue arises with a third-party supplier’s cybersecurity (in 2020, it was 31%) (BlueVoyant66)
• Github estimates that there is 203 dependencies on an average software project in 2022.  If a popular app includes one compromised dependency, every business that downloads from the vendor is compromised as well, so the number of victims can grow exponentially.

Examples of attacks

• Compromise intermediate elements of the supply chain​ (i.e. source code tools) ​

Midstream attacks target intermediate elements such as software development tools, manipulating the build process of the artifact​

• Ex: SolarWinds
• Compromise upstream software ​(i.e. compromising the source code)​

Infects a system that is ‘upstream’ of users, for example through a malicious update, which then infects all ‘downstream’ users who download it. ​

• One of the biggest was the compromise of CCleaner 2017 update  with 2.3 million users impacted

• Compromise project interdependencies​

Compromise third-party components, such as an open-source package​

Dependencies confusion: the attackers provide a fake “new” upgrade of a software’s project needed component for the targeted software to automatically download it and implement it in the project. ​

• Ex: Apple, Microsoft, Uber, Paypal (BugBounty 2020)

Within these strategies, one of the most impactful methods is to target the CI/CD pipeline. If the infrastructure is not secured enough and there is a poor access management (our audit teams often see this), it can be easily targeted. Once compromised, the attacker has access to a part of the critical ‘linfra, to the source code of the application and the infrastructure and can generally do what he wants

The impacts are high:

• Attackers have access to critical IT infrastructure, development processes, source code, libraries, and applications: ​
• Modify the code or inject malicious code during the build process and alter the application ​
• Deploy malware via the orchestrator directly on production environments

CERT-W: FROM THE FRONT LINE

The First Responder Word

READING OF THE MONTH

ENISA

This is the tenth edition of the ENISA Threat Landscape (ETL) report, an annual report on the status of the cybersecurity threat landscape. It identifies the top threats, major trends observed with respect to threats, threat actors and attack techniques, as well as impact and motivation analysis.

Link to the report

SEE YOU NEXT MONTH!!

Cet article CDT Watch – November 2022 est apparu en premier sur RiskInsight.

Bumblebee

SOURCES :

Bumblebee is still transforming, Proofpoint

[1] https://www.malware-traffic-analysis.net/2022/index.html

[2]https://isc.sans.edu/forums/diary/How+the+Contact+Forms+campaign+tricks+people/28142/

CERT-W: FROM THE FRONT LINE

The First Responder Word

Reading Of The Month

We recommend the article of Robert Lemos, a darkreading contributing writer about firms which suffers identity-related breaches.

80% of firms suffered identity-related breaches in last 12 months, Robert Lemos

SEE YOU NEXT MONTH!!

Cet article CDT Watch – June 2022 est apparu en premier sur RiskInsight.

The marketplaces of stolen data

Which type of data are sold?

The different platforms of marketplaces sell different types of data. While some platforms are really focused on selling one specific “product” (eg. hacking forums where Initial Access to companies is sold, as well as auction sites to sell stolen data eg. REvil and its auction site back in 2020), other platforms thrive with a very wide panel of goods, ranging from various weapons to “fullz” (full data about people: Social Security numbers, Bank account numbers, ID,…) without forgetting per-install malware service and financial information about a company. Overall, personal data is one of the most common types one can find on these marketplaces, as well as organization initial access, and non-financial or financial accounts/credentials.

When it comes to prices, whereas the number and variety of data items sold are increasing, the prices are declining as the market grows.

The price of an Initial Access depends on its quality, but it ranges from a couple of hundred USD for a small company to hundreds of thousands of dollars for the bigger ones. The average price is $7,100 in 2021. Patricia Ruffio listed here the prices found per type of data, from credit card data with account balance up to 5K ($120) to social media account ($65 for a gmail account), going through PayPal account logins ($150 for 50 accounts) and European Passport ($3,800). In comparison, DDOSing an unprotected website for a month now costs $850 on average and installing malware on a thousand devices ranges from $45 to $5500 depending on its quality and success rate.

Last but not least, some ransomware groups such as BlackByte go as far as selling stolen data on dedicated auction sites, not only as a means of pressure on victim companies, but also as a very juicy second revenue stream, with starting bids reaching up to $500,000.

What’s the selling process?

Besides a classical strategy of competitivity between the different marketplaces, based on discounts or fidelity points, the platforms are fighting over a security aspect in order to gain the buyer’s trust.

With the growth of marketplaces comes a strong trend for the sellers to strengthen their client’s trust. Taking advantage of legal uncertainty, these websites or events like the Evolution Marketplace exit scam with over $12 million in Bitcoin have greatly tarnished their reputation and taken its toll on customer and vendor trust.

As a result, along with the numerous DDOS protection, layers marketplaces now hide behind to prevent attacks from rivals, the quality of vendors and their items is now more thoroughly assessed and monitored. Direct scams are supposedly prevented by using the marketplace platform as an intermediate deposit for payment so that a client may be refunded in case of deception by the vendor. All transactions are currently mainly in Bitcoin and Monero for anonymity purposes.  Some auction and IAB platforms even sometimes use mandatory referral systems to shield themselves from outsiders & untrustworthy members.

Consequently, dark web marketplaces seem more reliable and stolen data is more prone to be sold quickly.

Once sold, what are the stolen data used for?

The financial reason is undoubtedly the main aspect for many actors in the market: most of these data can be used directly for blackmail of course, or to launch another cyberattack with a bigger impact…and more gains. It can be “standard” attacks such as personal data simply used as a basis for phishing operations and for compromising, for example, bank accounts, or it can be larger attacks. In fact, the average ransom paid by companies rose up to $541k according to the 2022 Unit 42 Ransomware Threat Report, highlighting the high profitability of simple ransom and blackmail with the stolen data. While not as straightforward, leveraging stolen Social Security Numbers, IDs, Credit cards are other ways to generate profit or to gain access to companies using identity theft.

However, stolen data may be used for more varied purposes. Corporate espionage is one of them: should a competitor be informed of a potential data leak, and what prevents it from looking at your deepest hidden secrets? It can also be a political matter: for example when Lockbit2.0 hits the French ministry of Justice, the main concerns shift to who laid their hands on such potentially sensitive pieces of information and what their intentions are. Another example of societal impact would be the data breach of Pfizer/BioNTech vaccines data in 2020, which led to attackers modifying the stolen data on the vaccine and publishing them with the headline “Vaccines are malicious”.

What are the impacts on my organization?

As mentioned, the collected data such as initial access can be the essential vector to compromise an organization’s SI and lead to even more impacting attacks. Besides, the main victim’s perimeter is not the only one compromised: the whole ecosystem of partners, clients, and providers… can be affected. If the ransomware is the first type of attack coming to mind after a data breach, one should not underestimate the impacts of identity impersonation and fraud, targeted DDoS…

As it has often been proven and discussed these last years, the financial impact of such compromission can be colossal and even led organizations to their end. Besides, the cost of the attack itself is not the only one to be taken into account. Other components must be considered: loss of customer’s trust, loss due to potential system’s unavailability, cost of intervention from experts to investigate, but also cost of new customer acquisition to win back those that have been lost. Just as an example, Equifax announced that the data breach it faced in 2017 cost around $1.5 billion dollars if not more.

The financial and reputational impacts are intrinsically linked. Indeed, upon facing a data breach, a company is very likely to get customer or partner disengagement. According to a report from IBM, the lost business contributes to 38% of data breach costs. Companies also handle PII (Personally Identifiable Information) which, if stolen, can lead to additional legal costs, class-action settlements, or fines from public institutions.

The total cost of a data breach could be deadly for some companies and must be acknowledged. Equifax spent several million in fines and settlements after dealing with its massive data breach in 2017.

Last but not least, the social and political aspects must not be neglected. Last year, the Labour Party suffered a data breach through a ransomware attack on a third-party supplier. This kind of attack can lead to disinformation campaigns or even interferences in the election process.

In order to prevent a data breach, beyond cybersecurity basic actions, companies must enhance their maturity level when it comes to data security. Evaluating the value of the data is one of the key: the more attractive the data is, the greater chance an attacker will try to steal it. Storage and network security, Identity and Access Management, Cyber Resilience are some of the topics to be addressed at first. On top of this, companies should also focus on creating a strong watch on cybersecurity events and implement, even small, Cyber Threat Intelligence programs. Looking at the cybercrime ecosystem as well as spotting potential attack vectors and modus operandi is never a bad idea to anticipate a cyberattack.

CERT-W: FROM THE FRONT LINE

The First Responder Word

Reading Of The Month

We recommend the Citalid overview of the

Russio-Ukrainien conflit’s cyber aspect

(click on the picture)

SEE YOU NEXT MONTH!!

Cet article CDT Watch – May 2022 est apparu en premier sur RiskInsight.

Overview

Spring is a lightweight opensource application framework for Java. It allows for easy development and testing of Java applications.
Spring is used to create Java enterprise applications. It provides means to build applications and supports different scenarios.
A new vulnerability was found in Spring Core leading to a Remote Code Execution.

On March 31st, a CVE was released: Spring4Shell (CVE-2022-22965)

Exploitability

Prerequisites

/ JDK9.0 or higher

/ Spring Framework 5.3.0 to 5.3.17 or 5.2.0 to 5.2.19 & older versions

/ Apache Tomcat as the servlet container

/ Spring-webmvc or spring-webflux dependency

/ Packaged as a traditional WAR

Risks 

Once all prerequisites are met, the Spring4Shell exploit allows for unauthenticated Remote Code Execution on the vulnerable host. This initial access may lead to further harmful infection steps by attackers.

A list of applications and vendors that have published a statement indicating if their product was affected is available:

https://www.kb.cert.org/vuls/id/970766

Difficulty

Many researchers are still sceptical as to how achievable this exploit is. It is now clear that due to the heavy prerequisites of the exploit, it should occur in fewer cases than the Log4Shell exploit. However, once the prerequisites are met, exploiting the vulnerability is pretty straightforward and has fewer constraints than Log4Shell (egress traffic is not needed).

Real-world examples

Some real-world examples meet the prerequisites. Some researchers have found that the Handling Form submission sample code provided by Spring in one of their tutorials is vulnerable to the Spring4Shell exploit.

Mitigations

Main recommendation: Update applications to Spring Framework 5.3.18 or 5.2.20 if possible

Manual workaround:

This section is applicable only if it is not possible to update the applications as mentioned above.

A temporary fix may be manually applied to mitigate the possibility of the Spring4Shell exploit: the following class must be created under the project package of the application system. After making sure the class is loaded by Spring, the project must be recompiled. This workaround only works against exploits known at this time, it’s effectiveness may not be guaranteed in the long term.

Good practice:

Point of attention:

The Spring4Shell exploit only provides command execution on the vulnerable host: it allows for initial access on a server exposed to the Internet. Commands will be executed in the context of the running application. A healthy, up-to-date infrastructure, as well as a good application of the least privilege principle, may greatly mitigate Spring4Shell’s impact.

Cet article Identity card of the Spring4Shell vulnerability by CERT-W est apparu en premier sur RiskInsight.

Conti Kill Chain

SOURCES :

CERT-W: FROM THE FRONT LINE

The First Responder Word

READING OF THE MONTH

We recommend the interview of Pompompurin, a cyber activist who’s work ranges from leaking the data of thousands of WeLeakInfo Users to abusing the FBI’s Servers to send thousands of false emails.

The interview by Data Knight

Cet article CDT Watch – March 2022 est apparu en premier sur RiskInsight.

THE RISE OF INITIAL ACCESS BROKERS

As seen in the underground economy edition, the cybercriminal economy relies on the professionalization and specialization of its system. Among the main actors of this ecosystem, such as the Bullet Proof Hoster or the RaaS, the Initial Access Brokers (IAB) have become more and more crucial these last years. 

What is the IAB’s role in the underground economy?  

They are providers of victims’ access. They scan the web for vulnerabilities, send phishing e-mails or try to use brute force to get hold of the passwords of company employees, or even create persistent access in the victim’s network. Those ready-made ‘access’ are sold on the dark market: depending on its level of quality, prices can range from $1K to $100K. The average selling price of initial access to a network is $7,100. Price is based on the organization’s revenue, type of access sold, and number of devices accessible. For example, Access to an Australian company with 500 million USD in revenue that enables an attacker with “admin” level of privileges has been offered for 12 BTC, and access to a Mexican government body for 100,000 USD. 

The market of corporate initial access grew by almost 16% in H2 2020–H1 2021, from $6,189,388 to $7,165,387. The number of offers to sell access to companies almost tripled over the review period: from 362 to 1,099.  The geography of initial access brokers’ operations has also expanded: if the US-based companies are the most popular victims (30% in 2021), the European companies access sold was multiplied by three between 2019 and 2021. French companies were the most popular lot for sellers of access to compromised networks – they accounted for 20% of all victim companies in 2021 in Europe, followed by the UK (18%). 

Finding and selecting access opportunities represent an essential but very time-consuming piece of the current “ransomware business model”. By monetizing this activity, the IABs are offering a huge advantage of time and energy for the buyers, who can select from a menu of options, picking victims based on their revenue, country, and sector, as well as the type of remote access being offered. 

What kind of access are we talking about? 

One of the main trends of the IAB market is the diversification of access Grows. If RDP and VPN are still the most common offer, new attack vectors such as access to VMWare’s ESXi servers have become quite popular. 

According to several types of research, the kind of access mostly sold are   

• Active Directory credentials: domain administrator access is one of the most valuable access since it allows the attacker to distribute malware all over the network immediately.  
• Initial Network Access (RDP, VPN, SSH): : is one the most common access sold since it is a very popular protocol among remote workers to access their corporate resources. One of the methods used by the IAB is to launch massive scans for RDP servers all around the internet and try to brute force it. 
• Web shell access: some IABs set up web shells on compromised web servers and sell access to it. 
• Admin account on CMS (WordPress, PHP): they provide access to web hosting content (including payment solutions and credit card details)  
• Admin account on virtualization machines and root access on Linux servers: the sale of root access to VMware ESXi increased significantly and some attacker’s group contains code that specifically targets those systems. 
• Remote Monitoring and Management access: offer elevated permissions into several machines of the network, making it interesting data for IABs to sell. 

According to the IAB, the services can include more stolen data, such as information on the financial health of the targeted victim, to help the attacker set the highest realistic price for the ransom.  

What does that mean for me? 

The rise of the IABs activity is, among other things, a direct consequence of the mass shift to remote work and an increase of exposed remote services, (RDP, SSH…) and of the adoption of cloud applications increase. As seen; the main kinds of access sold relies on several vulnerabilities that can be corrected with standard cybersecurity measures: utilize strong passwords, enable 2FA when possible, admins and user awareness, frequent account review… 

Besides, the IABs have become a keystone of the current cybercriminal system. Which means they are an interesting indicator to look at to monitor the criminal activity and the risk to become a target. Especially in the case of a mature actor, setting up monitoring programs across surface-, deep-, and dark-web forums and marketplaces, to detect IABs offering can provide relevant information to prioritize defense actions and prepare against potential attacks.

CERT-W: FROM THE FRONT LINE

The First Responder Word

READING OF THE MONTH

We recommend the Cisco Almanac for 2022:  

“2022 Cybersecurity Almanac: 100 Facts, Figures, Predictions and Statistics” 

2022 Cybersecurity Almanac 

 

UPDATE ON THE UK NATIONAL CYBER STRATEGY

The UK’s National Cyber Strategy transmits a more ‘proactive’ stance to cyber power with a commitment to a ‘whole of society’ approach. The new strategy is supported by £2.6 billion investment seeing a 26.9% percent increase in comparison to previous strategy.

It is structured in five pillars: UK Cyber Ecosystem, Cyber Resilience, Technology advantage, Global leadership and finally Countering threats with 53 action plans. The plans aim to improve intel sharing platforms to truly ‘defend as one’ with a new Govt Cyber Coordination Centre (GCCC). Supporting industrial partners and strengthening business regulations through govt levers and enhance the nation’s cyber structure and skills.

Access the summary from the UK office here!

SEE YOU NEXT MONTH!!

Cet article CDT Watch – February 2022 est apparu en premier sur RiskInsight.

SysJoker: Windows Version

To produce this tech focus, we used data from:

New SysJoker Backdoor Targets Windows, Linux, and macOS – Intezer

CERT-W: FROM THE FRONT LINE

The First Responder Word

Reading Of The Month

To learn more about the main trends anticipated by Sophos for cybersecurity in 2022, it is here:

Interrelated threats target an interdependent world, Sophos

Cet article CDT Watch – January 2022 est apparu en premier sur RiskInsight.

CERT-W: FROM THE FRONT LINE

The First Responder Word

For more information for vulnerability detection and remediation, contact Wavestone CERT-W!

Reading Of The Month

To learn more about the evolution of cybercrime, we recommend reading the Internet Organized Crime Threat Assessment 2021 of Europol. This report focuses on changes and developments of cybercrime threats during the last 12 months.

Internet Organized Crime Threat Assessment 2021, Europol

Cet article CDT Watch – December 2021 est apparu en premier sur RiskInsight.

File Obfuscation

Discover Cobalt Strike capabilities with the technical zoom of the month:

To learn more about the given malwares:

Cobalt Strike Training videos

CERT-W: FROM THE FRONT LINE

The First Responder Word

We recommend the 2021 Benchmark on cybersecurity incidents which reviews the interventions of the CERT-W carried out between September 2020 and October 2021. This Benchmark provides keys to understanding the security issues and a snapshot of current cybersecurity threats in France.

CERT-W’s 2021 Benchmark on cybersecurity incidents

Reading Of The Month

To learn more about Conti, one of the most dangerous Ransomware, we recommend reading the Conti Ransomware Group In-Depth Analysis of Prodaft. According to Prodaft, this report will show you how the gang works with details obtained by their team who accessed Conti’s infrastructure.

Conti Ransomware Group In-Depth Analysis by Prodaft

Cet article CDT Watch – November 2021 est apparu en premier sur RiskInsight.

DECRYPTION

The underground economy of the ransomware

In recent years the products of the underground economy have evolved quickly. Cyber criminals now offer services for others to purchase, the most popular being: Ransomware-as-a-service (RaaS).

Let’s pretend you are a hacker aiming to launch a successful ransomware attack. Only, you are quite new to the business. What do you think you need? A very sophisticated level of coding and development skills? Not anymore. The whole underground economy of RaaS can provide you with every necessary element to conduct your attack, from the access credentials to the mixers helping you to launder your gains.

What do I need for my ransomware attack?

Need #1 – Enter my target’s network. In order to do so, you need to acquire access to the victim’s network: your first providers are the initial access brokers (IABs) or botmasters.

They are specialized in vulnerability exploit. They identify the flaws through massive phishing campaigns and/or scans and then access the system. Once inside, they set up remote persistent access to the target’s network. The botmasters then sell you the access: depending on its level of quality, prices can range from $1K to $100K (seen for a Mexican government body). The average price for network access in 2020 was $5,400. The botmaster’s services also include information on the financial health of the targeted victim, to help the attacker set the highest realistic price for the ransom

Need #2 – Anonymous infrastructure to host my hacking tools and store my data. The second actor of the chain is the bulletproof hoster, providing you with infrastructure-as-a-service, including anonymization services. The subscription can go from $5 per month to any price.

Need #3 – A ransomware to encrypt my victim’s files!

Now the main part: where can you find a ransomware? The most popular way is to subscribe to a RaaS platforms, offering 4 main services:

• Provide necessary information: potential victims, their financial status, security level…
• The ransomware: the malicious code and a tool kit to facilitate the attack
• Negotiation service (including support to collect the ransom)
• Money laundering service

Other services are offered, according to what you are ready to pay. Here is an example of different price subscriptions and services on a RaaS platform. It can go from $100 to $84,000 (Maze).

Where is the money going?

Need #4 – Clean my money! Once the attack is successful, the people in charge of the money laundering and money mules take the stage.

After a payment to the perpetrator’s wallet is made, money is then dispersed and mixed across numerous wallets, to provide anonymity. This bitcoin mixing through multiple other wallets makes the payment tracing quite difficult. In the Colonial Pipeline case, the wallet received the 75 BTC from them, mixed with 57 payments from 21 different wallets. However, this case has proven that the tracing is not insurmountable. No matter how many times the bitcoins are moved, ultimately it has to go through cryptocurrency trading platforms (such as BTC-E) and be cashed out at exchange points.

Recently, the situation involves global anti-money laundering (AML) regulators armed with blockchain sleuthing tools to trace and screen transactions, making the cash-out process harder to go unnoticed. To face this upgrade, cybercriminals can use a system described as “The Treasure Man”. You can find and hire them on darknet marketplaces (such as Hydra). They will cash-out your gains and hide them – physically – for you to pick up. “They bury it underground or hide it behind a bush, and they will tell you the coordinates. There is a whole profession” (Elliptic) 

Who are the people behind the RaaS platforms?

RaaS platforms are based on very organized and structured groups such as SMEs. REvil (one of the biggest RaaS) indicated having a team of 10 developers and systems admins, besides their project managers. To recruit the best experts, the platform’s leaders choose their employees after a challenging recruitment process. The candidates prove themselves through job interviews, hacking exercises and agree to an “ethical charter”. You can read here the undercover investigation of journalists who followed the process to be hired as hackers by a RaaS.

The subscribers or affiliates of a RaaS platform (in this story, that’s you) are “only” in charge of the intrusion, the data collect and the ransomware deployment on the victim network. The affiliates usually pocket between 60 and 80 % of the ransom, with the rest going into the operators’ coffers. The RaaS platform of Netwalker requires 20% of the ransom, but other groups can ask 70%. REvil recently announced being paid at least 100,000,000$ per year. 

No honor among thieves?

If the RaaS market is a very well-organized business model, it still is the underground economy we are talking about. It’s not because you are a potential RaaS client, that you are in a safe place.

The two years of research on the darknet of Håkon Melanda have shown that most of the RaaS items sold on the darknet markets are frauds, where the buyers either get rubbish or ransomware that redirects the whole payment somewhere else than the buyer’s wallet. If the authentic RaaS vendors are indeed taking the lion’s share in terms of gains, the others are not doing bad either by targeting naive cybercriminals. 

If the RaaS distribution process significantly facilitated the ransomware attack for more people, it does not mean it is accessible to every internet user. Not only employees of a RaaS platform need to have a strong resume to be hired, but the affiliates too have to prove their skills before being allowed to subscribe to a RaaS service. Well-established RaaS groups such as NetWalker are known to be rather picky and carefully check any new affiliate with interviews and a short trial period. The basic requirement for an affiliate candidate is – at least – to demonstrate experience in carrying out network intrusions and lateral movement.

Conclusion: The Circle of money

This very well-organized and profitable economic system yearns for one thing: to be even more profitable, like any business. To hire better experts, with better tools and launch more sophisticated attacks to collect more money. How can they develop themselves? Through the ransom paid by previous attacks. According to Ondrej Krehel studies, most of the largest ransomware gangs were launched with seed money from previous operations such as Darkside with Zloader. Moreover, as groups sought to diversify with new operations, members adopted a sort of venture capital structure, in which one team provides funds to help another build the infrastructure and tools needed to start its operations. The more ransom that is sent to the system, the more experts will be attracted by this profitable business, the more investors will fund it.

Besides, once a ransom is paid, the payer is identified as a “good client” by the market. Cybereasons studies indicated that 80% of organizations that paid the ransom after a ransomware attack were hit again. When a victim pays a ransom, it does not guarantee recovery of their system, but it is for sure the best way to fund a future attack, more sophisticated, against themselves.

CERT-W: FROM THE FRONT LINE

The CTI Word

FOCUS TECH

File Obfuscation

To learn more about the given malwares:

Reading Of The Month

Instead of a report, we recommend for the reading of the summer the interview of BlackMatter, who has his heart set on explaining how there are taking the best from REvil and DarkSide, their business model and their guidelines of victims’ target.

Cet article Newsletter CERT-W, from the front line – Summer 2021 est apparu en premier sur RiskInsight.

DECRYPTION

CYBER CRIMINAL NETWORK DISMANTELING

The last 6 months, large-scale coordinated international actions have dismantled several of the biggest cybercriminal networks such as Emotet, Netwalker, Egregor or even Cl0p. Let’s have a closer look at some of them.

What is Emotet?

Emotet was originally a banking trojan, stealing emails and contact list, retrieving passwords on navigators and systems, spreading within the infected network. In 2019, Emotet lost its banking module and became a dropper of malwares. The trojan used a botnet of 1.6 million machines  to realize phishing campaign and install itself on victims’ machines.

Why is Emotet called the “king of malware”?

At the end of 2020, Emotet was identified as one of the most dangerous malwares. Additionally, being a dropper as well as a botnet, Emotet also served as a front door to many other malwares. It was used to drop malicious payloads directly onto the victims’ assets: for example, TrickBot was dropped onto the targeted machine which in turn, would drop Ryuk or Conti ransomware. According to Checkpoint Research, Emotet was at the top of the Global Threat Index in October 2020 and was linked to a wave of ransomware attacks. According to CISA, the U.S. Cybersecurity & Infrastructure Security Agency, Emotet infections cost is estimated at $1 million per incident.

Main TA542’s customer base, “The Malware As a Service EMOTET”, ANSSI 2021

During several months, Europol used the help of Eurojust, France, Germany, United States of America and announced their successful dismantle of the Emotet network in January 2021.

Does this dismantling mean the end of the malware?

The end of one botnet actually led to the rise of several others, such as TrickBot, which even though existed since 2016, replaced Emotet as one of the most well-established MaaS (Malware as a Service) not long after the events on January.

This turn of events might not be so surprising, as threat actors often pivot and change their tools along the way, whether by choice or by necessity as it was the case here. Taking one malware down would only force them to use another one. Yet, what is interesting is that TrickBot also suffered a dismantlement of its own, back in October 2020. In an attempt to disrupt one of the most used distributors of ransomware, Microsoft joined forces with other security teams to take down TrickBot servers. As you may have noticed, this was months before law-enforcement took down Emotet, and now TrickBot or other versions of this malware, still lives on. These actions only disrupted TrickBot activities for a few days, before going back to what it was and even overtaking Emotet dominance.

Moreover, TrickBot seems to be somehow connected to the Bazar malware (BazarLoader and BazarBackdoor), as some part of its infrastructure is shared with TrickBot and both show code similarities. This new toolset is now the most seen malware used to deploy Ryuk ransomware instead of the previous Emotet-TrickBot-Ryuk or TrickBot-Ryuk chain of infection. These changes might have to do with the previously mentioned dismantlements, or due to a new collaboration between threat actors.

What about the people behind these groups?

More recently, on June 4th, Alla Witte was charged on multiple counts for participating in TrickBot criminal activities. Is this arrest, serving as a warning with several hundreds of years of prison if convicted, going to change cybercriminals’ operations? A few months before that, the Ukrainian authorities cooperated with the French law enforcement to conduct an arrest against Egregor members, while a Canadian tied to Netwalker ransomware was charged by the police for distributing the malware. Last year was also marked by several other arrests of cybercriminals around the world. For instance, the arrest of members of the Infinity Black website selling user credentials, lead to the end of the website and the group altogether. On the other hand, the arrests mentioned regarding Netwalker and Egregor seem to concern ransomware affiliates. And as the operators are still free and collaborate with other affiliates, their ransomware continues being deployed around the world. Alla Witte’s case is different since she is suspected to be a malware developer for the TrickBot Group. While her possible conviction might slightly disrupt TrickBot, it seems like their operations still go on, as according to the any.run website and its malware trend tracker, the trojan was last seen on June 16th, 2021. Last but not least, some mid-tier members of the Cl0p gang may have been arrested mid-June in Ukraine even though it seems no core actor behind Cl0p were apprehended.

What could be the long-term consequences of these takedown for the cybercriminal activities?

It’s still early to draw meaningful conclusions on the consequences for cybercriminal activities with the recent arrests. Yesterday, June 16th, at the Geneva summit, U.S. President Joe Biden met with Russian President Vladimir Putin. One of the hot topics of discussions was the ransomware attacks on U.S. entities from Russian soil. Biden warned Putin that United States would not tolerate any other cyber-attacks, especially on 16 critical sectors. The G7 and the NATO also stated that in order not to consider cyber-attacks as armed attacks, Russia should try to identify and disrupt ransomware organizations within its borders.

Even with the arrests of criminal gang members and cybersecurity talks at the presidential levels, some experts say there would be no or little impact on ransomware groups that will still operate with impunity. The near future will give hints about the possible evolution of the cyber-attacks landscape. On one hand, the rising of a broader international collaboration against cyber-criminal gangs which could lead to less opportunistic and lucrative attacks. On the other hand, growing tensions between two blocks: U.S.-Europe and Russia-China with possible sanctions from either side and more cyber espionage, supply-chain or state-sponsored attacks.

CERT-W: FROM THE FRONT LINE

The First Responder Word

FOCUS TECH

Phishing

Think like a cybercriminal and understand how a spear phishing campaign is built to avoid them!

The technical zoom of the month:

To learn more about this:

Reading Of The Month

We recommend the short report “APT trends report Q1 2021”, which reviews the highlight events and findings observed by the Global Research and Analysis Team at Kaspersky during the Q1 2021 around the world.

Cet article Newsletter CERT-W, from the front line – June 2021 est apparu en premier sur RiskInsight.

Cet article CERT-W Newsletter February 2021 est apparu en premier sur RiskInsight.