The FBI recently released a PIN (Private Industry Notification) in order to “highlight emerging ransomware trends,” in this case “dual ransomware attacks,” a type of attack that targets the same organization twice with two different types of ransomware, resulting in a significantly more encrypted system for the victims. A dual ransomware attack is classified by the FBI as an attack “against the same victim occurring within 10 days, or less, of each other,” most of which “occurred within 48 hours of each other.”
What is a Dual Ransomware Attack?
In these attacks, the FBI warned, “cyber threat actors deployed two different ransomware variants against victim companies from the following variants: AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal. Variants were deployed in various combinations.” Typical ransomware attacks have a simpler timeline, one that begins with an initial intrusion, escalation, encryption, and then a pay-day. This new ransomware trend, labeled as a “dual ransomware attack,” results in higher layers of encryption, causing the timeline to become initial intrusion, escalation, encryption, further encryption, and then, because of the two different deployed ransomware variants, two pay-days. “Second ransomware attacks against an already compromised system could significantly harm victim entities,” the PIN points out, reiterating the threat that a second layer encryption attack could have on a company.
Dual Ransomware Mitigation Recommendations
The FBI has created a set of recommendations for all network defenders in order to fortify organizations against the rising menace of dual ransomware attacks. Central to these guidelines is establishing strong liaisons with regional FBI Field Offices for identifying vulnerabilities and mitigating threats.
Offline Data Backups: Maintaining regular, encrypted, and immutable offline backups to ensure data integrity and availability during cyber incidents.
Vendor Security Review: Rigorous security assessment of third-party vendors and monitoring connections for suspicious activities.
Enhanced Access Management: Adherence to National Institute of Standards and Technology (NIST) standards for password policies, coupled with phishing-resistant multifactor authentication.
Network Segmentation: Implementing network segmentation to curb ransomware spread and control traffic flows between subnetworks.
Proactive Monitoring: Employing network monitoring tools and Endpoint Detection and Response (EDR) tools for identifying abnormal activities and potential ransomware traversal.
Timely Patching: Ensuring all systems are updated to the latest security patches to minimize exposure to cyber threats.
By embracing these measures, organizations can significantly bolster their defense mechanisms, making it exceedingly challenging for cyber adversaries to exploit system and network vulnerabilities.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities are critical to reducing the outside attack surface. Netizen’s Security Operations Center (SOC) has compiled five vulnerabilities from September that should be immediately patched or addressed if present in your environment. Detailed writeups below:
CVE-2023-41993
This vulnerability, rated at a critical NIST CVSSv3 score of 9.8/10, pertains to the handling of web content in Safari, iOS, iPadOS, and macOS Sonoma. Processing web content posed a risk of arbitrary code execution, a concern that Apple addressed through enhanced checks. The issue is resolved in Safari 17, iOS 16.7, iPadOS 16.7, and macOS Sonoma 14. Notably, there have been reports of active exploitation targeting iOS versions prior to 16.7.
CVE-2023-38205
Adobe ColdFusion versions 2018u18 and earlier, 2021u8 and earlier, and 2023u2 and earlier are affected by an Improper Access Control vulnerability. This vulnerability, rated at a high NIST CVSSv3 score of 7.5/10, could potentially lead to a Security feature bypass, allowing attackers to access the administration CFM and CFC endpoints. Importantly, exploitation of this issue does not necessitate user interaction.
CVE-2023-5174
This critical vulnerability exclusively impacts Firefox on Windows under non-standard configurations, such as ‘runas.’ With a NIST CVSSv3 score of 9.8/10, it stems from a situation where Windows fails to duplicate a handle during process creation, inadvertently leading to a use-after-free scenario. It’s essential to note that this bug does not affect other operating systems. This vulnerability can result in a potentially exploitable crash. It is relevant to Firefox versions less than 118, Firefox ESR versions less than 115.3, and Thunderbird versions less than 115.3.
CVE-2023-4760
In Eclipse RAP versions from 3.0.0 to 3.25.0, a critical vulnerability exists that permits Remote Code Execution on Windows when utilizing the FileUpload component. This vulnerability is attributed to an insecure extraction of file names within the FileUploadProcessor.stripFileName(String name) method. When a forward slash (/) is detected in the path, everything preceding it is removed, but potentially present backslashes () are retained. This flaw allows for the upload and execution of malicious files, posing a significant threat. An illustrative example is the upload of a file with the name /….\webapps\shell.war, which under Windows is saved as ….\webapps\shell.war in the webapps directory and can subsequently be executed. The NIST CVSSv3 score for this vulnerability is 9.8/10.
CVE-2023-2262
A critical vulnerability with a NIST CVSSv3 score of 9.8/10 exists in Rockwell Automation select 1756-EN* communication devices. This vulnerability is characterized by a buffer overflow, which, if exploited, could enable a threat actor to perform remote code execution. To exploit this vulnerability, a maliciously crafted CIP request must be sent to the device. The consequences of this vulnerability are severe, as successful exploitation could result in unauthorized access, control, or manipulation of these industrial devices, potentially leading to operational disruptions and damage.
Conclusion:
In conclusion, software vulnerabilities are a common nuisance to IT and security teams everywhere. Organizations that prioritize the remediation and patching of these vulnerabilities will drastically reduce their attack surface and ensure no doors into their environment are left unlocked.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
Deceptive Cyberattack Strikes GitHub’s Software Supply Chain via Impersonation of Dependabot
Chinese State-Sponsored Cyber Espionage Campaign Targets South Korean Organizations Over Multiple Years
How can Netizen help?
Phish Tale of the Week
Often times phishing campaigns, created by malicious actors, target users by utilizing social engineering. For example, in this email, the actors are appearing as LastPass, the password manager company, and informing you that action needs to be taken on your account in order to avoid deactivation, in this case updating personal information. The email explains that “LastPass” takes our security very personally, so we should confirm our information in order to maintain full access to our account. It seems both urgent and genuine, so why shouldn’t we click the “Confirm My Information” button? Luckily, there’s plenty of reasons that point to this being a phishing scam.
Here’s how we can tell not to click on this link:
The first red flag in this message is the senders’ addresses. Always thoroughly inspect the sender’s address to ensure it’s from a trusted sender. In this case, the actors neglected to spoof their email address, and a simple look at the sender’s address makes it very apparent that the email is not from LastPass. In the future, review the sender’s address thoroughly to see if the email could be coming from a threat actor.
The second warning signs in this email is the messaging. This message tries to create a sense of urgency by using different phrases in bold like “Warning” and “To avoid the deactivation” Phishing scams commonly attempt to create a sense of urgency in their emails in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the messaging of all emails in your inbox before clicking on a link in your email.
The final warning sign for this email is the lack of legitimate LastPass information. Fortune 500 companies and similar organizations standardize all email communications with customers. Support links, addresses, acceptable use policies, and other information is always provided at the bottom of each email, along with options to unsubscribe or change messaging preferences. While this specific email includes a small footer at the bottom, a quick investigation proves that it’s just for show. This email lacks all of the parts of a credible LastPass email and can be immediately detected as a phishing attempt.
General Recommendations:
A phishing email will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via email.
Scrutinize your emails before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
Verify that the sender is actually from the company sending the message.
Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
Do not give out personal or company information over the internet.
Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.
Cybersecurity Brief
In this week’s Cybersecurity Brief:
Deceptive Cyberattack Strikes GitHub’s Software Supply Chain via Impersonation of Dependabot
In a recent cyberattack targeting software supply chains, hackers successfully inserted malicious code updates into hundreds of GitHub repositories by exploiting stolen passcodes to commit unauthorized changes. They cleverly used the name of a well-known tool, Dependabot, to deceive developers into accepting these tainted updates.
The attackers exploited stolen personal access tokens (PATs), which are security credentials used to authenticate code updates, to push code changes into the GitHub repositories. They employed a known technique to impersonate the contributor’s identity, making it appear as if Dependabot had made the changes. This tactic added malicious code to the end of JavaScript files, enabling it to load and execute code from the attacker’s site.
This deception technique, involving the impersonation of Dependabot, is a new twist in the realm of software supply chain attacks and could easily mislead unsuspecting developers, according to Guy Nachshon, a security researcher at Checkmarx.
“The attacker plants code changes to appear as if they were made by Dependabot — so the victim won’t deep dive into the code changes,” he says. “This is a software supply chain attack and the first time we’ve witnessed such a deception technique with the impersonation of Dependabot.”
This incident is the latest in a series of attacks targeting developers and the GitHub platform itself, aiming to inject malicious code into the software supply chain. For instance, in previous incidents, attackers stole code from Dropbox’s GitHub repositories by tricking a developer into divulging their credentials and two-factor authentication code on a phishing site. Another attacker created a malicious Python package that masqueraded as a software development kit for a popular security client.
It’s essential to note that these types of attacks are not exclusive to GitHub, as various threat actors have attempted to exploit impersonation tactics to manipulate users into trusting a fraudulent code commit, often coupled with stolen PATs. GitHub emphasizes that its systems were not compromised in this attack, and there’s no evidence to suggest that GitHub users are at risk. Nevertheless, malicious actors continue to seek opportunities to compromise personal data and sensitive information wherever they can find it.
Dependabot, a tool purchased by GitHub in 2019, automates regular software and security checks for projects hosted on the GitHub platform. Attackers could have submitted their malicious code under any name, but by masquerading as Dependabot, they gained a level of trust among developers. Nicolas Danjon, a security researcher at GitGuardian, highlights this point: “Dependabot is an automated process that will add some merge requests to your projects to update your dependencies. As a developer, if you see a request that comes from Dependabot, you’re not even going to check the code — you just accept it because you trust the source.”
However, it’s important to stress that the actual code submission is made possible by the theft of PATs. Without these stolen credentials, the threat would be significantly diminished, according to Checkmarx’s Nachshon. Developers are urged to secure their accounts and adopt the principle of least privilege by using fine-grained tokens instead of classic tokens.
To safeguard software development pipelines against attacks, developers should prioritize enhancing security measures. This includes ensuring that the theft of a single credential cannot lead to code compromise. GitHub has already taken steps in this direction by scanning all public repositories for developer secrets like passwords and security tokens and mandating two-factor authentication for all developer accounts.
The impersonation attack underscores the importance of not relying solely on project attributes, such as the number of developers and commits, to determine project trustworthiness. In 2022, researchers demonstrated that some of the signals and metadata used for assessing a software project’s trustworthiness could be forged, potentially deceiving developers into downloading malicious code.
To enhance security, organizations should not only protect their development secrets but also employ honey tokens, a deception defense strategy that scatters fake credentials throughout developers’ environments. This helps detect when attackers attempt to use invalid identities. Additionally, developers should thoroughly analyze the code from the packages they use to check for any signs of malicious code infiltrating the supply chain.
Checkmarx’s Nachshon also recommends that GitHub allows every user to access their security access logs, a feature currently limited to enterprise users. This would empower users to monitor and track their security activities more effectively, potentially identifying suspicious activities or unauthorized access more promptly.
Chinese State-Sponsored Cyber Espionage Campaign Targets South Korean Organizations Over Multiple Years
A sustained and extensive cyber espionage campaign, believed to be orchestrated by Chinese state-sponsored actors, has come to light. This ongoing campaign, referred to as TAG-74 by Recorded Future’s Insikt Group, has been identified as a significant threat to a range of entities in South Korea, including academic institutions, political bodies, and government organizations. The adversaries behind TAG-74 have strong links to Chinese military intelligence, making their activities of concern to academic, aerospace and defense, government, military, and political entities in South Korea, Japan, and Russia.
This targeted cyber campaign has a specific focus on South Korean academic institutions, aligning with China’s broader objectives of intellectual property theft and expanding its influence. Additionally, it is motivated by strategic considerations, including China’s relations with the United States.
The attackers employ social engineering tactics, using Microsoft Compiled HTML Help (CHM) files as lures to deliver a custom variant of an open-source Visual Basic Script backdoor named ReVBShell. Subsequently, this backdoor serves as the entry point for deploying the Bisonal remote access trojan. ReVBShell is designed to go dormant for specific periods, as dictated by commands from a remote server, with the ability to modify these time intervals. Furthermore, it employs Base64 encoding to obfuscate its command-and-control (C2) communications.
The usage of ReVBShell has been associated with two other Chinese-linked clusters, known as Tick and Tonto Team. AhnLab Security Emergency Response Center (ASEC) also reported an identical infection sequence involving Tonto Team in April 2023. Bisonal, the remote access trojan employed in this campaign, is a versatile threat capable of gathering information about processes and files, executing commands and files, terminating processes, downloading and uploading files, and deleting files on disk. The connections between TAG-74 and other Chinese threat groups, particularly Tick, underscore the prevalent sharing of tools and techniques among these actors.
Recorded Future notes that the TAG-74 campaign reflects a long-term strategy aimed at collecting intelligence from South Korean targets. Given the group’s sustained focus on South Korean entities over many years and its likely affiliation with the Northern Theater Command, it is anticipated that TAG-74 will continue to remain highly active in gathering intelligence from strategic targets within South Korea, as well as in Japan and Russia.
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
The list of export-restricted military documents leaked by players of the popular free-to-play game War Thunder just got longer. The flight manual for the F-117 Nighthawk, a stealth aircraft manufactured by Lockheed Martin, was posted on the War Thunder official site forum, a place for community discussion about various War Thunder related topics like in-game strategy, proposed game changes, and, over the past few years, occasionally classified military documents. The leaked flight manual included lots of information about F-117 flight sensor locations, firing angles, and many other intricacies.
A Consistent Issue
Oddly enough, this isn’t the first time War Thunder forum moderators have had to remove forum posts on the basis of them including military-classified content. On the topic of the F-117 flight manual leak, the head of PR for War Thunder’s developer Gaijin Entertainment, Konstantin Govorun, confirmed that their “moderators quickly nuked the post, deleted the files and banned the user. This is probably 12th time this happens.”
The History of War Thunder Leaks
The first leak relating to War Thunder and classified military documents, according to Wikipedia, was of the Challenger 2 tank and its armor structure. Following classified documents leaked by users consisted of specifications of many different tanks, fighter jets, and helicopters, most of which had the export-restricted classification level. In each case, posts containing the sensitive information were deleted and users were subsequently warned. Many of the leaks weren’t intended to be malicious, either. Most of them were posted in order to settle arguments about in-game content, a sort of “I-told-you-so” card that’s been pulled several times based on the numerous incidents.
The Leclerc Leaks
In the example of the document leak involving the French Leclerc tank, from October 2021, the documents were posted on the forum in order to resolve an argument about turret rotation speed.
The (blurred) Leclerc documents posted in the War Thunder ForumThe (blurred) argument about turret rotation speed that spawned the leak
The poster of the documents claimed to a crew member on the Leclerc S2, which at the time was fielded by the French Army. The post itself was removed within a few hours in accordance with Gaijins strict moderation policy. In response to the recent leaks, a spokesperson for the US Air Force stated that the government “has urged companies to avoid allowing the distribution of information that is detrimental to public safety and national security.” The number of times that the leaks have occurred points to a larger issue here, and could be happening for a number of reasons, but the biggest takeaway from this ongoing issue is that it’s absolutely necessary to check if a document is classified or export restricted before sharing it with others.
FAQ on War Thunder Leaked Military Documents
What is the War Thunder military documents leak?
The War Thunder military documents leak refers to incidents where classified or export-restricted military documents have been posted on the War Thunder official forum. These leaks typically involve sensitive information about military vehicles and equipment used in the game.
How many times have military documents been leaked on the War Thunder forum?
As of the latest incident involving the F-117 Nighthawk flight manual, this marks the twelfth time classified or export-restricted military documents have been leaked on the War Thunder forum.
What types of documents have been leaked?
The leaks have included various classified or export-restricted military documents, such as:
Challenger 2 Tank Armor Structure
Leclerc Tank Turret Rotation Speed
Specifications of Various Tanks
Fighter Jet Manuals
Helicopter Specifications
F-117 Nighthawk Flight Manual
What was included in the most recent leak of the F-117 Nighthawk?
The leaked flight manual for the F-117 Nighthawk included detailed information about the aircraft’s flight sensor locations, firing angles, and other critical operational intricacies.
Why do these leaks keep happening?
Many of these leaks occur because players are trying to win arguments or validate their points about in-game content by using real-world classified information. While these actions are not typically malicious, they nonetheless pose significant security risks.
How does War Thunder handle these leaks?
War Thunder’s developer, Gaijin Entertainment, has a strict moderation policy. When a leak occurs, the moderators quickly remove the post, delete the files, and ban the user who posted the classified information.
What is the stance of the US government regarding these leaks?
In response to these leaks, a spokesperson for the US Air Force has stated that the government urges companies to avoid the distribution of information that could compromise public safety and national security.
What was the first instance of a classified document leak on the War Thunder forum?
The first known instance of a classified document leak on the War Thunder forum was related to the Challenger 2 tank and its armor structure.
What happened in the Leclerc tank document leak?
In October 2021, documents about the French Leclerc tank were posted on the forum to resolve an argument about turret rotation speed. The poster claimed to be a crew member on the Leclerc S2, which was fielded by the French Army at that time. The post was removed within a few hours due to Gaijin’s strict moderation policies.
How can companies avoid such leaks?
It is crucial for individuals and companies to ensure that any documents being shared are not classified or export-restricted. Proper training and awareness about the importance of safeguarding sensitive information can help prevent such leaks.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
38 Terabytes. That’s the amount of storage it takes to store 7600 hours of HD video, enough to watch for 316 days without repeating anything.
It’s also the amount of private company data that Microsoft AI researchers accidentally exposed, including over 30,000 internal Teams messages, according to cloud security company Wiz.
The Microsoft Azure Leak
A Microsoft-owned GitHub repository, named robust-models-transfer, was set up by Microsoft’s AI research devision, and was intended for use in AI image recognition. In the repository, users were instructed to download AI models from an Azure storage link. What Microsoft wasn’t aware of, however, was that the Azure URL shared in the repository granted root access to the entire Azure storage account. This mistake, according to Wiz, was a result of a misconfigured SAS (Shared Access Signature) Token, which can allow users to easily share permissions through simply sending a link to a collaborator. However, instead of the typical read-only permissions, according to Wiz, the token “was configured to grant permissions on the entire storage account, exposing additional private data by mistake.”
Just a few of the confidential files released through the data leak, from Wiz
According to Wiz, the Azure token allowed full access to the storage account for 3 years before the token was invalidated manually on June 24, 2023. Microsoft completed their investigation into the data leak on August 16, 2023, and “no customer data was exposed, and no other internal services were put at risk because of this issue,” the Microsoft Security Response Center reported.
How to Prevent Azure Data Leaks
Wiz recommends that users stray away from using SAS entirely due to the concerns about their management and trackability. “There isn’t any official way to keep track of these tokens within Azure, nor to monitor their issuance, which makes it difficult to know how many tokens have been issued and are in active use.” It’s recommended that users take several steps in order to prevent similar leaks, including:
Consider utilizing Service SAS tokens with Stored Access Policies for external sharing.
For time-limited sharing needs, opt for User Delegation SAS tokens.
Establish separate storage accounts dedicated to external sharing to limit the potential impact of over-privileged tokens to external data only.
Use a CSPM solution to enforce and monitor SAS token access policies across your organization.
To eliminate SAS tokens entirely, disable SAS access for each storage account separately.
Block access to the “list storage account keys” operation in Azure to prevent unauthorized access to account keys.
Rotate the account keys periodically to invalidate pre-existing SAS tokens.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
On September 12, Microsoft released new information about threat actors Storm-0324, a group that gains initial access to systems through email-based phishing and then distributes access to other malicious groups. The transfer of access typically leads to ransomware deployment, making Storm-0324 essentially a middle-man group for system intrusion, one that specializes in initial system penetration. According to Microsoft’s insights, Storm-0324 is associated with various malware strains, including JSSLoader, which facilitates access for ransomware-as-a-service actors like Sangria Tempest (also known as ELBRUS, Carbon Spider, FIN7). In the past, Storm-0324 has been linked to the distribution of malware such as Gozi infostealer and Nymaim downloader and locker.
An example of a typical Storm-0324 attack timeline, from Microsoft Security
Storm-0324’s Expansive Phishing Resume
One of the prime characteristics of Storm-0324 that makes them stand out as threat actors is their ability to craft malicious email chains. They utilize traffic distribution systems (TDS) like BlackTDS and Keitaro in order to tailor user traffic, evading detection by certain security solutions. These emails often appear as legitimate services like DocuSign and Quickbooks, baiting users to click on links that lead to SharePoint-hosted files containing malicious JavaScript. The infection chain that follows typically involves the delivery of a first-stage payload through various file formats, including Microsoft Office documents, Windows Script Files (WSF), and VBScript. According to Microsoft, these payloads have included malware like Nymaim, Gozi, Trickbot, Gootkit, Dridex, Sage ransomware, GandCrab ransomware, and IcedID.
An example of a Storm-0324 phishing email from Microsoft Security
Since 2019, however, Storm-0324 has predominantly been distributing JSSLoader, which ultimately hands off access to prominent ransomware actor Sangria Tempest. This handoff begins with phishing emails referencing invoices or payments, leading victims to a SharePoint site hosting a ZIP archive. Once the JavaScript within this archive is executed, a JSSLoader variant DLL is dropped, followed by additional Sangria Tempest tooling.
New Teams Phish and Microsoft’s Response
In recent developments, Storm-0324 has started using phishing lures sent over Microsoft Teams, leveraging a tool called TeamsPhisher to target users. Microsoft has taken proactive measures to combat these threats, suspending accounts and tenants associated with fraudulent activities. To lessen the impact of this new campaign, they have “rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams, to emphasize the externality of a user and their email address so Teams users can better exercise caution by not interacting with unknown or malicious senders,” in essence making it clearer to Teams users when they chat with people outsize of their organization. In addition to these enhancements, they also implemented “new restrictions on the creation of domains within tenants and improved notifications to tenant admins when new domains are created within their tenant,” which will assist in the prevention of impersonation tactics utilized in social engineering.
Microsoft recommends defenders to start implementing steps to prevent Storm-0324 attacks including:
Deploy authentication methods that are resilient to phishing attacks, safeguarding user credentials.
Require phishing-resistant authentication for employees and external users accessing critical applications, enhancing security.
Train users about social engineering and credential phishing threats, emphasizing caution with unsolicited messages and MFA code sharing.
Utilize Safe Links in Microsoft Defender for Office 365 to verify URLs and neutralize malicious links.
Activate ZAP in Microsoft Office 365 to quarantine and neutralize threats post-delivery.
Limit the use of domain-wide, administrator-level service accounts, reducing the risk of unauthorized access and malware installation.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
Constantly, we hear that new, emerging technologies pose the greatest threats to our cybersecurity. The fear of the unknown drives organizations to enhance their security measures, aiming to prepare for complex attacks by various threat actor groups. Countless news reports highlight new technologies and innovations in the realm of cybersecurity, all aimed at discovering, tracking, and patching vulnerabilities that could potentially be exploited. While digital vulnerabilities are crucial to consider, it’s essential to recognize that the most obvious vulnerability is quite literally right in front of our faces.
Social Engineering and MGM’s Compromisation
MGM is currently reeling from an extremely detrimental cyberattack, an attack that has shut down the company website, crucial systems that keep the hotels operating efficiently, and slot machines, not to mention the MGM Rewards App. “How could one gain access to such a large system and exploit it so efficiently?”, one might ask. According to Scattered Spider, the subgroup of ALPHV behind the attack, MGM was compromised by using social engineering. The hackers allegedly found an employee on LinkedIn and called the organization’s help desk to access their account. All it took was a quick Google search and a quick conversation with the help desk, who was fooled into believing the person calling was just an employee having trouble accessing their company account. The reason for the intrusion wasn’t within MGM systems being insecure, but in fact human error.
Why is Human Error Such a Risk?
Social engineering, like the method employed by Scattered Spider, is a prime example of how cybercriminals exploit human error to gain unauthorized access to sensitive systems. Phishing, another common technique, preys on the human tendency to trust and respond to seemingly legitimate messages or requests. These tactics are often the most significant threats faced by companies because they target vulnerabilities at the core of cybersecurity, rather than exploiting computer systems directly. In social engineering attacks, instead of preying on vulnerable computer systems, threat actors prey upon human nature, for example in the MGM attack’s case relying on the human nature to be understanding overriding protocol that would prevent ALPHV from gaining access to their system.
Types of Attacks that Exploit Human Error
Social engineering attacks come in various forms, from impersonating trusted colleagues or vendors to using psychological manipulation to extract sensitive information. In many cases, these attacks don’t require advanced technical skills or complex hacking tools; they rely on the art of deception and the willingness of individuals to assist what appears to be a legitimate request. All it takes is one unsuspecting employee to fall victim to a social engineering attack for cybercriminals to gain a foothold within an organization.
Some types of social engineering attacks from malicious actors that rely on human error include:
Pretexting: Pretexting involves creating a fabricated scenario or pretext to obtain information from individuals. Attackers often pose as someone trustworthy, such as a co-worker, customer, or even a government official. By building a credible backstory, they convince the target to share sensitive information or perform certain actions. For example, an attacker might impersonate a company executive and request financial data from an employee, exploiting their trust in the executive’s authority.
Phishing: Phishing attacks, as mentioned earlier, use deceptive emails, messages, or websites to trick recipients into revealing personal information, login credentials, or financial details. These messages can appear highly convincing, often mimicking reputable organizations, banks, or government agencies. Threat actors create a sense of urgency or fear to manipulate recipients into taking immediate action, such as clicking on a malicious link or downloading a harmful attachment.
Baiting: Baiting attacks entice victims by offering something appealing, like free software, music downloads, or other enticing digital content. The attacker typically disguises malicious code within the enticing offer. When victims download the bait content, they unknowingly infect their systems with malware, giving attackers access to sensitive information and/or control over the compromised device.
Tailgating and Piggybacking: Physical security is just as vital as digital security. In these types of attacks, individuals gain unauthorized access to secure areas by exploiting trust or exploiting the kindness of others. Tailgating involves an attacker closely following an authorized person into a restricted area, while piggybacking occurs when an attacker convinces someone to hold a door open for them. Both methods capitalize on the human tendency to be polite and helpful.
Quid Pro Quo: In quid pro quo attacks, attackers offer something in exchange for information or access. For instance, they might pose as IT support and promise to fix a non-existent issue on a victim’s computer. In return, they request the victim’s login credentials or other confidential information. This type of social engineering leverages the victim’s desire for immediate help or gain.
Conclusion
The recent MGM cyberattack is only one example in a relentless slew of social engineering attacks that aim to exploit the ever-so vulnerable human nature. Social engineering and phishing attacks, which manipulate individuals rather than computer systems, will continue to pose substantial risks to organizations, which is why it’s incredibly necessary for organizations to provide proper cybersecurity training to employees. All it takes is one small foothold: a click on a phishing link, a held-open door for an attacker to enter the building, or secure information given from an IT help desk to a threat actor pretending to be an employee.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
MGM Resorts is currently scrambling to recover from a powerful ransomware attack that happened last Monday, causing a substantial amount of network systems to go down. Company websites as well as many crucial systems are currently offline, including the MGM app, which facilitates reservations, acts as a digital key to unlock rooms, and allows users to pay for food. MGM made an announcement on X acknowledging the attack at 11:30 AM Monday.
The question arises: how could such a complex system have been compromised so easily? According to malware archive vx-underground on X, ALPHV was able to gain access to the MGM systems by socially engineering an IT helpdesk employee they found on LinkedIn. “A company valued at $33,900,000,000 was defeated by a 10-minute conversation,” vx-underground said in their tweet from Tuesday night.
All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk.
A company valued at $33,900,000,000 was defeated by a 10-minute conversation.
Vx-underground goes on to further suggest that MGM Grand will not meet ALPHV’s demands, commenting: “In our opinion, MGM will not pay,” meaning that the issue could last a while, at least until MGM takes action to replace compromised systems. The ransomware attack has also caused substantial delay in helping customers, as shown by this video from Tuesday at MGM Bellagio.
Ryan McConechy, CTO of Barrier Networks, said it’s often typical for organizations with systems as large and as complicated as MGM’s to shut down in order to prevent further enumeration. “Until MGM provides more information, it’s not clear the exact reason why they decided to take this action…maybe to prevent active attackers pivoting or malware spreading…but it is a very costly move,” McConechy stated. “For every minute the gaming floor was down, MGM was losing money. Likewise, with reservations and their websites still being down, the company continues to suffer massive financial losses,” he explained. As of Wednesday, the MGM website is still unavailable, as well as many slot machines in various MGM casinos.
BlackCat, alternatively referred to as ALPHV, emerged onto the ransomware scene in November 2021. Specifically, BlackCat operates as a ransomware-as-a-service (RaaS) entity and ranks among the most sophisticated RaaS ventures to date. BlackCat ransomware is meticulously engineered to resist removal efforts and may make attempts to incapacitate antivirus software or other protective measures. Additionally, it can tamper with system files and configurations to establish a persistent presence and complicate the recovery process after an attack. The culprits behind BlackCat ransomware demand payment, typically in the form of cryptocurrency like Bitcoin, in exchange for the decryption key. Victims may also encounter a message on their screens containing instructions on how to fulfill the ransom payment and obtain the decryption key.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
Apple has just rolled out a crucial security update for iPhones and iPads in response to the discovery of newly identified vulnerabilities CVE-2023-41064 and CVE-2023-41061 in their system software. These vulnerabilities, also known as “BLASTPASS,” were found by researchers at the University of Toronto’s Citizen Lab, who revealed that the flaw was actively being exploited to distribute Pegasus, a commercial spyware developed by the Israeli company NSO Group. BLASTPASS is a serious duo of vulnerabilities, specifically because of their clickless nature: they only require a user to load an image or attachment in order to be exploited.
CVE-2023-41064 is a buffer overflow issue fixed in macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1, and CVE-2023-41061 is a validation issue fixed in watchOS 9.6.2, iOS 16.6.1 and iPadOS 16.6.1. Both vulnerabilities, when exploited, result in remote code execution. Neither of the vulnerabilities have CVSS scores at this time. Citizen Lab strongly advises all users to take immediate action and update their devices.
How To Install the Update:
Access Your Settings: Open the Settings app on your iPhone or iPad.
Navigate to General: Within Settings, select “General.”
Find Software Update: Scroll down and tap on “Software Update.”
Install iOS 16.6.1: You should see the iOS 16.6.1 software update listed. Tap it to begin the installation.
If you don’t immediately spot the update, follow these steps:
Check Your iOS Version: Return to the General page and tap “About” to confirm your iOS version. If it’s 16.6.1, you already have the update installed.
Update Older Versions: If your device is still running 16.6 or an earlier version, repeat the previous steps.
Restart Your Phone: If you still don’t see the update, try restarting your phone.
Verify Internet Connection: Double-check your internet connection to ensure it’s stable. Then, wait a bit and try checking for the update again.
It is absolutely necessary to update your IOS devices as soon as possible in order to negate the effects of the BLASTPASS vulnerabilities.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
With the popularization of generative AI tools like ChatGPT, information has become increasingly easy to retrieve. Ask it anything, and ChatGPT will respond to the best of its ability, modifying itself to your prompt’s specifications as best it can. The more detailed the prompt, the more specific of a response you can get from an LLM (large language model) like ChatGPT. Naturally, the bot has filtrations as well. “OpenAI employs a response filtration system to filter out inappropriate, biased, or harmful content generated by the model,” was ChatGPT’s response when asked about the content filtration system. What’s been discovered, though, particularly through online communities utilizing ChatGPT for entertainment purposes, is that with a specific set of instructions a prompter is able to exploit the chatbot, “jailbreaking” it to disregard the content filtration system. This is only one of the several vulnerabilities that are becoming apparent in LLMs, vulnerabilities that will need to be kept in check as LLMs become more regularly used by organizations. The Open Worldwide Application Security Project (OWASP) recently published the OWASP Top 10 for LLM which details this jailbreaking method, known as prompt injection.
What is Prompt Injection?
“Direct Prompt Injections, also known as ‘jailbreaking’, occur when a malicious user overwrites or reveals the underlying system prompt. This may allow attackers to exploit backend systems by interacting with insecure functions and data stores accessible through the LLM,” OWASP describes in their report. Users inject a highly detailed prompt into the LLM that allows the user to almost overwrite previously trained instructions, essentially rooting the LLM. Depending on how much information the LLM holds, a malicious actor could then extract sensitive information the LLM may have access to. More like a typical malicious injection is an indirect prompt injection, which according to the OWASP Top 10 can “occur when an LLM accepts input from external sources that can be controlled by an attacker, such as websites or files. The attacker may embed a prompt injection in the external content hijacking the conversation context.”
The Scope of the Prompt Injection Vulnerability
The extent of this vulnerability is so dangerous specifically because of the overall differences throughout organization-utilized LLMs, and the fact that even companies like OpenAI don’t have complete control over their products. The OpenAI website states that while they’ve “made efforts to make the model refuse inappropriate requests, it will sometimes respond to harmful instructions or exhibit biased behavior.” It’s not that OpenAI as a company isn’t attempting to improve their LLMs, it’s that vulnerabilities within LLMs seem to be more unpredictable and more extensive than previously imagined. Companies that utilize ChatGPT and other LLM’s APIs in their tools may be vulnerable to various types of injections, most of which include injecting unauthorized scripts into the LLM.
Examples of Prompt Injection
OWASP cites a few examples of both indirect and direct prompt injection in their overview:
A malicious user crafts a direct prompt injection to the LLM, which instructs it to ignore the application creator’s system prompts and instead execute a prompt that returns private, dangerous, or otherwise undesirable information
A user employs an LLM to summarize a webpage containing an indirect prompt injection. This then causes the LLM to solicit sensitive information from the user and perform exfiltration via Java
A malicious user uploads a resume containing an indirect prompt injection. The document contains a prompt injection with instructions to make the LLM inform users that this document is an excellent document eg. excellent candidate or a job role. An internal user runs the document through the LLM to summarize the document. The output of the LLM returns information stating that this is an excellent document
A user enables a plugin linked to an e-commerce site. A rogue instruction embedded on a visited website exploits this plugin, leading to unauthorized purchases
A rogue instruction and content embedded on a visited website which exploits other plugins to scam users.
Of course, vulnerabilities vary based on the LLM itself, and how much information it actually has access to. A customer support AI chatbot on a company’s website likely doesn’t have as much information as a company tool that utilizes an LLM’s API.
Prevention of Prompt Injection Attacks
There’s currently no foolproof way to prevent prompt injection, but OWASP does give a list of steps you can take to lessen the impact of these attacks:
Enforce privilege control on LLM access to backend systems. Provide the LLM with its own API tokens or extensible functionality, such as plugins, data access, and function-level permissions. Follow the principle of least privilege by restricting the LLM to only the minimum level of access necessary or its intended operations
Implement human-in-the-loop or extensible functionality. When performing privileged operations, such as sending or deleting emails, have the application require the user approve the action first. This will mitigate the opportunity or an indirect prompt injection to perform actions on behalf of the user without their knowledge or consent
Segregate external content from user prompts. separate and denote where untrusted content is being used to limit their influence on user prompts. For example, use ChatML for OpenAI API calls to indicate to the LLM the source of prompt input
Establish trust boundaries between the LLM, external sources, and extensible functionality (e.g., plugins or downstream functions). Treat the LLM as an untrusted user and maintain final user control on decision-making processes. However, a compromised LLM may still act as an intermediary (man-in-the-middle) between your application’s APIs and the user as it may hide or manipulate information prior to presenting it to the user. Highlight potentially untrustworthy responses visually to the user
Conclusion
Prompt injection will continue to be a dangerous vulnerability, and the necessity of LLM cybersecurity will only grow as LLMs become more commonly utilized by tech organizations. To ensure your LLM security, it’s essential to implement steps that limit the scope of prompt injection attacks and remain informed about new LLM vulnerabilities. While generative AI is incredibly powerful and a great tool for organizations, utilizing APIs from LLMs comes with a risk, so it’s important to make educated decisions while implementing it into your organization.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
Netizen Blog and News 
You must be logged in to post a comment.