This strategic partnership highlights the importance of breach prevention and creating a proactive security culture.

Today, ThreatBlockr, the autonomous cyber intelligence and active threat defense platform, and Engaged Security Partners, a firm specializing in human error prevention, have announced a partnership focusing on “left of boom” protection to bring enhanced breach prevention to customers. Engaged Security Partners uses ThreatBlockr’s platform for threat intelligence management and integration into the network. Together, Engaged Security Partners’ customers will benefit from blocking malicious traffic and reducing human error, turning employees into threat hunters and creating a strong first and last line of defense.

“We have been seeking a partner who prioritizes breach prevention, and since ThreatBlockr is the only solution that makes threat intelligence actionable with its patented technology and sits ‘left of boom,’ this is a natural partnership,” said Chad Earwood, CEO of Engaged Security Partners. “With over 95% of breaches caused by human error, which threat actors rely on to carry out attacks, it’s essential to stop threats before they hit the network. We are thrilled to partner with ThreatBlockr and leverage their innovative solution to create a proactive security environment.”

“The best way to eliminate human error is to eliminate bad traffic,” said Brian McMahon, CEO of ThreatBlockr. “We are excited to work with Engaged Security Partners to provide our proactive solution to their customers and continue to monitor, manage and block every threat.”

This partnership comes on the heels of a series of updates to the ThreatBlockr platform, including list consolidation, simplified policy configuration, easier protection of networks and ports, improvements to management systems and simplified access controls. These new enhancements, combined with Engaged Security Partners' innovative Security Intel Filtering (SIFT) service, will provide customers with a unique opportunity to take control of their security and understand the risks their company is facing.

**About ThreatBlockr**

ThreatBlockr is the only active defense cybersecurity platform that fully automates the enforcement, deployment, and analysis of cyber intelligence at a massive scale. As the foundational layer of an active defense strategy, ThreatBlockr’s patented solution blocks known threats from ever reaching customers’ networks. ThreatBlockr utilizes immense volumes of cyber intelligence from over 50 renowned security vendors to provide unparalleled visibility over the threat landscape resulting in a more efficient and effective security posture. Security teams at companies of all sizes use ThreatBlockr to deploy active security, gain real-time network visibility into threats and policy violations, ensure their network is protected, and reduce manual work. Block. Every.Threat. at threatblockr.com.

**About Engaged Security Partners**

Engaged Security Partners is an MSSP focused specifically on preventing human errors in cybersecurity, both technical and non-technical. ESP’s fully-managed solutions reduce noise for technical teams and transform security behavior of all employees to significantly reduce the risk of human errors. ESP serves as a first line of defense and the foundational layer of a proactive security culture for end-customers and partners.

ThreatBlockr Announces Partnership With Engaged Security Partners

IceFire has changed up its OS target in recent cyberattacks, emblematic of ransomware actors increasingly targeting Linux enterprise networks, despite the extra work involved.

In recent weeks, hackers have been deploying the "IceFire" ransomware against Linux enterprise networks, a noted shift for what was once a Windows-only malware.

A report from SentinelOne published today suggests that this may represent a budding trend. Ransomware actors have been targeting Linux systems more than ever in cyberattacks in recent weeks and months, notable not least because "in comparison to Windows, Linux is more difficult to deploy ransomware against, particularly at scale," Alex Delamotte, security researcher at SentinelOne, tells Dark Reading.

But why, if Linux makes their job more difficult, would ransomware actors be moving increasingly toward it?

**The IceFire M.O.**

IceFire, first discovered last March, is standard-fare ransomware aligned with other "'big-game hunting' (BGH) ransomware families," Delamotte wrote. BGH ransomware is characterized by "double extortion, targeting large enterprises, using numerous persistence mechanisms, and evading analysis by deleting log files."

But where IceFire was once an exclusively Windows-based malware, its recent attacks have taken place against Linux-based enterprise networks.

The attack flow is straightforward. Having breached a target network, the IceFire attackers steal copies of any valuable or otherwise interesting data on target machines. Only then comes the encryption. What IceFire primarily looks for are user and shared directories, as these are important yet "unprotected parts of the file system that do not require elevated privileges to write or modify," Delamotte explained.

The attackers are careful, though. "IceFire ransomware doesn't encrypt all files on Linux: It avoids encrypting certain paths, so that critical parts of the system are not encrypted and remain operational."

IceFire tags encrypted files with an ".ifire" extension, as many IT admin have since discovered for themselves. It also automatically drops a no-frills ransom note — "All your important files have been encrypted. Any attempts to restore your files...." The note includes a unique hardcoded username and password the victim can use to log into the attackers' Tor-based ransom payment portal. Once the job is complete, IceFire deletes itself.

Source: SentinelOne

**How IceFire Is Changing**

Most of these details have remained consistent since IceFire's first entry onto the scene. However, some important details have changed in recent weeks, including the victimology.

Where IceFire was once primarily used in campaigns against the healthcare, education, and technology sectors, recent attacks have focused around entertainment and media organizations, primarily in Middle Eastern countries — Iran, Pakistan, Turkey, the United Arab Emirates, and so on.

Other changes to IceFire's M.O. derive from its operating system shift towards Linux. For example, SentinelOne has noted in the past that cyberattackers would distribute IceFire via phishing and spear-phishing emails, then use third-party, pen-test tools like Metasploit and Cobalt Strike to help it spread.

But "many Linux systems are servers," Delamotte points out, "so typical infection vectors like phishing or drive-by download are less effective." So instead, recent IceFire attacks have exploited CVE-2022-47986 — a critical remote code execution (RCE) vulnerability in the IBM Aspera data transfer service, with a CVSS rating of 9.8.

**Why Hackers Are Targeting Linux**

Delamotte posits a few reasons for why more ransomware actors are choosing Linux as of late. For one thing, she says, "Linux-based systems are frequently utilized in enterprise settings to perform crucial tasks such as hosting databases, Web servers, and other mission-critical applications. Consequently, these systems are often more valuable targets for ransomware actors due to the possibility of a larger payout resulting from a successful attack, compared to a typical Windows user."

A second factor, she guesses, "is that some ransomware actors may perceive Linux as an unexploited market that could yield a higher return on investment."

Finally, "the prevalence of containerization and virtualization technologies in enterprise environments has expanded the potential attack surface for ransomware actors," she says. Many of these technologies are Linux-based, so "as ransomware groups exhaust the supply of 'low-hanging fruit,' they will likely prioritize these higher effort targets."

Whatever the primary motive, if more threat actors follow in this same path, enterprises running Linux-based systems need to be ready.

Defending against ransomware requires "a multi-faceted approach," Delamotte says, prioritizing visibility, education, insurance, multi-layered security, and patching, all at once.

"By taking a proactive approach to cybersecurity," she says, "enterprises can increase their chances of successfully defending against ransomware attacks."

IceFire Ransomware Portends a Broader Shift From Windows to Linux

AT&T is notifying customers of a Customer Proprietary Network Information compromise, exposing years-old upgrade details.

A compromise of an unnamed marketing vendor used by AT&T has exposed data associated with nearly 9 million wireless telecom accounts.

The breached data did not contain payment information, account passwords, Social Security numbers, or other personally identifiable information, AT&T said in a statement provided to Dark Reading. Instead, the cyberattack allowed unauthorized access to information used to determine eligibility it said, characterizing the data as years old. 

The mobile carrier is notifying affected customers, it said. According to notification letter in an AT&T Community forum.

"We recently determined that an unauthorized person breached a vendor's system and gained access to your Customer Proprietary Network Information (CPNI)," the data breach notification letter in the AT&T community forum read. "In our industry, CPNI is information related to the telecommunications services you purchase from us, such as the number of lines on your account or the wireless plan to which you are subscribed."

It added, "​We have notified federal law enforcement about the unauthorized access of your CPNI as required by the Federal Communications Commission. Our report to law enforcement does not contain specific information about your account, only that the unauthorized access occurred.​"

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

AT&T Vendor Breach Exposes Data on 9M Wireless Accounts

The threat actor who posted the data for sale has claimed credit for multiple other breaches, including one at grocery platform Weee! that exposed data on more than 1.1 million customers.

Hundreds of US lawmakers and their families are at risk of identity theft, financial scams, and potentially even physical threats after a known info-theft threat actor called IntelBroker made House of Representatives members' personally identifiable information (PII) available for sale on the "Breached" criminal forum.

The information, confirmed as being obtained via a breach at health insurance marketplace DC Health Link, includes names, Social Security numbers, birth dates, addresses, and other sensitive identifying information. The data on the House members was part of a larger data set of PII belonging to more than 170,000 individuals enrolled with DC Health Link that the threat actor put up for sale this week.

**DC Health Link: A Significant Breach**

In a March 8 email to members of the House and their staff, US House Chief Administrative Officer Catherine Szpindor said the attack on DC Health Link does not appear to have specifically targeted US lawmakers. But the breach was significant and potentially exposed PII on thousands of people enrolled with DC Health Link.

"The FBI also informed us that they were able to purchase this PII, along with other enrollee information, on the Dark Web," Speaker of the House Kevin McCarthy (R-Calif.) and House Minority Leader Hakeem Jeffries (D-N.Y.) said in a joint letter to the executive director at DC Health Link on March 8. The letter sought specifics from the health exchange on the breach, including details on the full scope of the attack and DC Health Link's plans to notify affected individuals and offer credit monitoring services for them.

Despite the letter, details of the intrusion at DC Health Link are not yet available. The organization, governed by an executive board appointed by the DC mayor, did not immediately respond to a request for comment on the incident.

A report in BleepingComputer this week first identified the threat actor as the appropriately named IntelBroker, after the cybercriminals put the stolen data up for sale on March 6. According to the underground forum ad, the data set is available for "an undisclosed amount in Monero cryptocurrency." Interested parties are asked to contact the sellers via a middleman for details.

**IntelBroker's Resume of Previous Breaches**

This is not the first big heist for the group: A threat actor, using the same moniker in February, had claimed credit for a breach at Weee!, an Asian and Hispanic food delivery service. IntelBroker later leaked some 1.1 million unique email addresses and detailed information on over 11.3 million orders placed via the service. 

Security vendor BitDefender, which covered the incident in its blog at the time, published an ad that IntelBroker placed on BreachedForums that showed the attacker boasting about obtaining full names, email addresses, phone number, and even order notes which included apartment and building access codes.

Meanwhile, Chris Strand, chief risk and compliance officer at Cybersixgill says his company has been tracking IntelBroker since 2022 and is about to release a report on the actor. "IntelBroker is a highly active Breached member with an 9/10 reputation score, who claimed in the past to be the developer of Endurance ransomware," Strand says.

IntelBroker's use of Breached to sell the health exchange PII, instead of a dedicated leak site or a Telegram channel, is consistent with the threat actor's previous tactics. It suggests either a lack of resources or inexperience on the individual's part, Strand says. 

"In addition to IntelBroker's presence on Breached, the threat actor has maintained a public GitHub repository titled Endurance-Wiper," he tells Dark Reading.

In November, IntelBroker claimed that it used Endurance to steal data from high level US government agencies, Strand notes. The threat actor has in total made some 13 claims about breaching top US government agencies, likely to attract customers to a ransomware-as-a-service (RaaS) program. Other organizations that IntelBroker claims to have broken into include Volvo, cult footwear maker Dr. Martens, and an Indonesian subsidiary of The Body Shop.

"Our intelligence analysts have been tracking IntelBroker since 2022, and we have been collecting intel attributed to that threat actor since then, as well as associated threats that have been related or attributed to IntelBroker," Strand says.

**Is House Members' PII a National Security Threat?**

Justin Fier, senior vice president of red team operations at Darktrace, says the threat actor's reason for putting the data up for sale appears to be purely financially motivated rather than political. And given the high profile of the victims, IntelBroker may find that the attention the breach is garnering will increase the value of the stolen data (or bring more heat than it would like).

The buyers might be another story. Given the availability of physical addresses and electronic contact information, the kinds of potential follow-on attacks are myriad, ranging from social engineering for identity theft or espionage, to physical targeting, meaning that interested parties could run the gamut in terms of motivation.

"The amount tells you a great deal about who they may be thinking of in terms of buyers," he says. If all that the threat actor ends up asking is a couple of thousand dollars, they are likely to be a smaller criminal enterprise. But "you start talking millions, they are clearly then catering to nation-state buyers," he says.

Fier assesses that the data that the threat actor stole on US House members as potentially posing a national security issue. "We shouldn't only think external nation-states that might want to purchase this," Fier says. "Who is to say that other political parties and/or activists couldn't weaponize it?"

US Lawmakers Face Cyberattacks, Potential Physical Harm After DC Health Link Breach

Much like a hostage's proof-of-life video, the ransomware gang offers the film as verification that it has the goods, and asks $1 million for the data.

A ransomware gang, dubbed Medusa, has publicly released a roughly one-hour-long video containing stolen data from the Minneapolis Public School (MPS) District — with a demand of $1 million in payment in exchange for the data's deletion.

The video, shared on the American video-sharing platform Vimeo, came after Medusa listed the school district as one of its victims on its proprietary Tor data leak site. The ransomware gang provided a deadline of March 17 for the payment to be made, though it said it was willing to accept equal amounts of payment for the same data from additional buyers in the meantime. 

The video was first brought to the world's attention by Brett Callow, threat analyst at Emisoft, who, back in September, also shared screen captures of threats from the Vice ransomware gang threatening to leak data from the Los Angeles Unified School District (LAUSD).

"Medusa has uploaded a ~51 minute video to Vimeo which shows screenshots of the data they claim to have stolen from #MPS. It's the first time recall seeing this particular tactic. #ransomware," Callow posted in a tweet, alongside a screen capture of the Vimeo leak.

Though an MPS systems notice stated that the ransom has not yet been paid, and that there's no "evidence that any data accessed has been used to commit fraud," concerns about the level of cybersecurity regarding personal identifiable information (PII) of students in K-12 school districts abound, as attacks on student data continue to be ongoing. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Medusa Gang Video Shows Minneapolis School District's Ransomed Data

Unmanaged devices pose a significant challenge and risk for many organizations. Here are the five reasons you should care about unmanaged devices and assets.

Unmanaged devices pose a significant challenge for many organizations. These devices can be anything connected to a network but not actively managed by IT or security. These assets usually aren't captured in an asset inventory and can take many forms, such as shadow IT, rogue assets, and orphaned assets. Because security teams struggle to discover them, these devices fly under the radar and create potential footholds into a network.

What could happen if these devices are left unmanaged? Let's take a look at five reasons why you should care about unmanaged devices.

**Reason 1: Unmanaged devices are often the first foothold for attackers.**

Attackers often scan the network for any outliers: machines that have lower patch levels, unusual services running on ports, and unique pieces of software not found on the rest of the network. These outliers are great entry points for an attack because they tend to be more easily exploitable, are less likely to have security controls, and if orphaned, don't have anybody managing them. Identifying unmanaged devices to either update or decommission them is a great way to reduce your attack surface and mitigate risk.

**Reason 2: Unmanaged devices hinder incident investigations.**

Analysts in a security operations center (SOC) need to quickly and efficiently work through alerts. There was a case where an analyst received an alert that an internal IP address was communicating with a known-bad IP, notably the command-and-control (C2) server. However, the SIEM and CMDB didn't have any record of the IP on the network, nor did the vulnerability management or endpoint detection and response (EDR) consoles. The device turned out to be an IP camera that had been compromised by malware because it was using default credentials. With an asset inventory that tracks Internet of Things (IoT) devices, the analyst would have quickly resolved this incident. They could have also found other devices that share the same make and model to see if they were using default credentials.

**Reason 3: Accidental network bridges bypass firewalls.**

In another case, a critical manufacturing line was shut down due to ransomware. Investigations showed that a rogue device had bridged from the IT to the OT network, enabling attackers to bypass a firewall that had been put in place to segment the networks. The security team lacked visibility into network bridges of unmanaged devices, which is why the issue wasn't identified ahead of time.

**Reason 4: Rogue devices complicate governance of security controls.**

Proper governance dictates that every device has security controls. It's impossible to figure out coverage gaps without knowing all of the devices on the network. To zero in on your gaps, you need to start with a full asset inventory. Then, you can overlay data from security controls and look for gaps in the inventory. Some common things to look for are Windows machines missing CrowdStrike (or EDR agents).

**Reason 5: End-of-life devices are potentially vulnerable.**

Manufacturers often no longer provide functional and security fixes for these end-of-life (EOL) devices, making them much riskier and more difficult to secure if something goes wrong. If unmanaged devices are not inventoried, security teams are unable to get ahead of potential risks and issues. In addition, finance teams benefit from knowing which devices are fully depreciated and when a new budget is required to replace them.

**Solving for Unmanaged Devices**

Solving for unmanaged devices starts with a full asset inventory that delivers in-depth details about every asset on your network, including managed and unmanaged ones. Full asset inventory requires active, unauthenticated discovery, which doesn't assume any prior knowledge of network-connected devices, such as credentials to authenticate into devices and endpoints. Instead, it focuses on discovery capabilities that are research-driven to find and surface every network-connected asset, whether managed or unmanaged. This approach can be complemented through integrations with cloud, virtualization, and security infrastructure to provide full visibility into IT, OT, cloud, and remote devices.

Getting a handle on unmanaged assets is critical for any security program, and with a solution built around active, unauthenticated discovery, finding your unmanaged assets will finally be possible.

    

**About the Author**

Chris Kirsch started his career at an InfoSec startup in Germany and has since worked for PGP, nCipher, Rapid7, and Veracode. He has a passion for OSINT and social engineering. In 2017, he earned the Black Badge for winning the Social Engineering Capture the Flag competition at DEF CON, the world's largest hacker conference. Currently, Chris is the CEO of runZero (www.runzero.com), a cyber-asset management company he co-founded with Metasploit creator HD Moore.

5 Reasons You Should Care About Unmanaged Assets

More than five out of every 1,000 commits to GitHub included a software secret, half again the rate in 2021, putting applications and businesses at risk.

The rate at which developers leaked critical software secrets, such as passwords and API keys, jumped by half to reach 5.5 out of every 1,000 commits to GitHub repositories.

That's according to a report published by secrets-management firm GitGuardian this week. Though the percentage seems small, overall, the firm detected at least 10 million instances of secrets leaking to a public repository, accounting for more than 3 million unique secrets in total, the company stated in its "2022 State of Secrets Sprawl" report. 

While generic passwords accounted for the majority (56%) of secrets, more than a third (38%) involved a high-entropy secret that includes API keys, random number generator seeds, and other sensitive strings.

As more companies move their application infrastructure and operations to the cloud, API keys, credentials, and other software secrets have become critical to the security of their business. When those secrets leak, the results can be devastating, or at the very least, expensive.

"Secrets are the crown jewels of any business or organization — they really can grant access into all of your systems and infrastructure," says Mackenzie Jackson, security and developer advocate at GitGuardian. "The risk can be anything, from complete system takeovers, to small data exposures, or various other things."

    

Environment files (env) typically contain the most sensitive data. Source: GitGuardian

"Millions of such keys accumulate every year, not only in public spaces, such as code-sharing platforms, but especially in closed spaces such as private repositories or corporate IT assets," GitGuardian stated in its "2022 State of Secrets Sprawl" report.

And even those private spaces can be vulnerable. In January, for instance, collaboration and messaging platform Slack warned users that a "limited number of Slack employee tokens" had been stolen by a threat actor, who then downloaded private code repositories. Last May, cloud application platform provider Heroku, a subsidiary of Salesforce, acknowledged that an attacker had stolen a database of hashed and salted password after gaining access to the OAuth tokens used to integrate with GitHub.

**Infrastructure — as ... Whoops!**

Part of the reason for the increase in leaking secrets is because infrastructure-as-code (IaC) has become much more popular. IaC is the managing and provisioning of infrastructure through code instead of through manual processes, and in 2022, the number of IaC-related files and artifacts pushed to GitHub repositories increased by 28%. The vast majority (83%) of files consisting of configuration files for Docker, Kubernetes, or Terraform, according to GitGuardian.

IaC allows developers to specify the configuration of the infrastructure used by their application, including servers, databases, and software-defined networking. To control all those components, secrets are often necessary, Jackson says.

"The attack surface keeps expanding," he says. "Infrastructure-as-code has become this new thing and it's exploded with popularity, and infrastructure needs secrets, so infrastructure-as-code \[files\] often contains secrets."

In addition, three filetypes commonly used as caches for sensitive application information — .env, .key, and .pem — are considered the most sensitive, defined as having the most secrets per file. Developers should almost always avoid publishing those files to a public repository, Jackson says.

"If one of these files is in your Git repository, then you know you have holes in your security," he says. "Even if the file doesn't contain secrets, they just should never be there. You should have prevention in place to make sure that they're not there and alerting in place to know when they are there."

For that reason, companies should continuously scan systems and files for secrets, gaining visibility and ability to block potential dangerous files, Jackson adds.

"You want to scan all of your infrastructure to make sure you have visibility" he says. "And then the next steps include implementing tools to check engineers and developers ... to detect any secrets when they slip out."

Inside Threat: Developers Leaked 10M Credentials, Passwords in 2022

With more than 700,000 cybersecurity jobs available, now is a good time to consider a career change.

We've been battling the cybersecurity talent shortage for more than a decade, yet the problem seems to be getting worse, rather than better. According to CyberSeek, right now, there are almost 755,800 cybersecurity job openings in the US alone.

Over the past year, there's been a lot written about how companies are trying to close this gap by considering candidates with nontraditional backgrounds — including people looking to make a career change. While it's encouraging that someone may want to jump into cybersecurity, actually understanding how to make such a move can be difficult.

Let's face it: Making a career change is scary. It's completely unfamiliar territory. How do you even begin a career in cybersecurity? What steps are required? Do you need certifications before applying to a position? Do you need a degree? These are all real and relevant questions, and there hasn't been much guidance on how aspiring cybersecurity professionals can go about making a switch.

**Practical Steps**

With both a bachelor's and a master's degree in elementary education and teaching, I recently went through this process and had to find my own way, with very little outside help. So, it has become a passion of mine to help others in a similar position — no one should have to go this road alone.

Here are five practical steps for pursuing a new career in cybersecurity.

1.  **Reflect on the reasons you want to get into cybersecurity:** Don't make the career change because the grass seems greener or the pay seems higher. Really take the time to understand why this change resonates with your personal core value system. The old adage "If you love what you do, you will never work a day in your life" is applicable here. Make sure you're getting into cybersecurity for the right reasons.
2.  **Research different cybersecurity career paths to determine which you're most passionate about:** The job possibilities in cybersecurity are endless. If you want a technical role, applicable positions include designer/architect, defender, hacker, responder, auditor, and manager. If a less technical position is more up your alley, consider getting into education and training, conducting risk assessments, getting into marketing or HR, or becoming a salesperson. Whichever direction you choose to take, make sure your core cyber pathway aligns with your persona.
3.  **Look at your own job board:** Once you know which cybersecurity path you want to explore, look at your current company's job board to see which positions are open and if any of your skills are transferable. Don't worry if you don't have all the job qualifications listed — certain expertise and experience you do have could outweigh what you don't. For example, common "soft skills" required for many jobs across industries — such as being a life-long learner, a problem solver, or an effective communicator — now are essential to cyber roles and as equally valued as technical skills.
4.  **Network:** If you need to look outside your company for a cybersecurity role, think about who you know who could make a connection on your behalf. Joining industry and local cybersecurity groups is a great way to network. Women in CyberSecurity (WiCyS), which has a mission to "recruit, retain and advance women in cybersecurity," is an example of one such organization committed to networking and support.
5.  **Leverage the resources available to you to gain cybersecurity experience:** For example, (ISC)2 offers a free Certified in Cybersecurity Certification to help individuals kick-start their career. (I took this exam myself and found it very helpful and relevant.) Don't worry too much about overloading on certifications upfront, though. These can come down the road, if you decide to specialize in a certain area.

**A Note to Hiring Managers**

Entry-level cybersecurity job descriptions are deterring career changers (and recent graduates) from applying to open positions — and this in and of itself is contributing to the talent shortage.

Often, the requirements within entry-level job posts are unrealistic. For example, many require a Certified Information Systems Security Professional (CISSP), which can be attained only after five years of experience. How can an entry-level candidate already have five years under their belt? They can't. Cybersecurity professionals do not need a college degree to be successful. Post-secondary vocational schools, online training courses, and even self-learning can give candidates the skills they need to succeed.

We need to reset expectations, and the best way to do this is by having cybersecurity teams in need of new employees work directly with hiring managers to fix the disconnect between job descriptions and the actual qualifications needed to be successful in an entry-level cybersecurity role.

**It's All About Support**

Just as cybercriminals band together to go after victims, we in the cybersecurity industry need to collaborate too — not only to defend against bad actors but to help each other succeed. When security teams are fully staffed, companies' defenses against cybercriminals will be stronger. And we can help fill these open positions by supporting people who want to jump into cybersecurity, providing the resources they need to be successful, and helping to correct hiring managers' misperceptions of entry-level job qualifications. When we come together as an industry, we can truly make great strides to overcome the cybersecurity talent shortage.

How to Jump-Start Your Cybersecurity Career

A top Iranian, state-sponsored threat is a spear-phishing campaign that uses a fake Twitter persona to target women interested in Iranian political affairs and human rights.

A well-known Iranian threat group, Cobalt Illusion, has been linked to a spear-phishing campaign that is using the protests surrounding the death of Mahsa Amini in Iran as a lure.

Amini was a 22-year-old Iranian woman who was allegedly beaten to death by Iranian police for not wearing her hijab in accordance with government regulations. Her death set off a series of protests, particularly by women, who used them to publicly defy the same rules for which Amini was arrested.

Researchers from Secureworks identified the campaign, which targets such female protestors, political activists, and human rights researchers using a fake Twitter account. Someone using the name Sara Shokouhi, with a Twitter handle @SaShokouhi, reaches out to victims purportedly on behalf of US think tank Atlantic Council. In reality, Sara is a creation of the Cobalt Illusion advanced persistent threat (APT), aka Charming Kitten, APT42, Phosphorous, TA453, and Yellow Garuda.

"The threat actors create a fake person and use it to build rapport with targets before attempting to phish credentials or deploy malware to the target's device," said Secureworks CTU Rafe Pilling, principal researcher and Iran thematic lead, in a press statement. "Having a convincing persona is an important part of this tactic."

A cluster of activity reported on Twitter Feb. 24 spurred investigation into possible malicious cyber activity, with a number of women actively involved in Middle East political affairs and human rights reporting contact from the individual, researchers revealed in a blog post published today. What they discovered is that the @SaShokouhi Twitter account, in operation since October, has been tweeting or engaging in posts supportive of the Mahsa Amini protest in Iran to appear "sympathetic to protesters' interests and demands and create an illusion of shared interests," the Secureworks Counter Threat Unit (CTU) research team wrote in the post.

**Finding Common Ground**

Cobalt Illusion appears to have used the protests as a way to find common ground with targets, the researchers said. Included in some of the posts made by @SaShokouhi were "cynical use of distressing content such as images of dead children, physical abuse suffered by protesters, anti-Iranian government commentary, and anti-Iranian symbolism," the researchers wrote.

The researchers ultimately found that attackers created the Sara Shokouhi persona using stolen images from an Instagram account belonging to a psychologist and tarot card reader based in Russia, Pilling said. The APT also set up a fake Instagram account using the photos, @sarashokouhii.

The tactics used in the campaign are typical of the Cobalt Illusion APT, which is associated with Iran's Revolutionary Guard Corps (IRC) and has been active since about 2014.

"Phishing and bulk data collection are core tactics of Cobalt Illusion," Pilling said. "We've seen this happen in several guises in recent years."

Indeed, the group is known for using social media platforms to target academics, journalists, human rights defenders, political activists, intergovernmental organizations (IGOs), and nongovernmental organizations (NGOs) that focus on Iran. Their modus operandi is to set up trusted relationships through these platforms and then use phishing campaigns to steal credentials for systems they wish to access for cyber-espionage purposes, the researchers said.

Cobalt Illusion uses the information stolen through this activity in various ways, including to inform Iranian military and security operations of activity by persons of interest, which not only could lead to their surveillance, but even their arrest, detention, or targeted killing, Pilling said.

**Impersonating a Think Tank**

In the recent campaign observed by Secureworks, the SaShokouhi persona courted victims by claiming to work with Holly Dagres, a senior fellow at the Atlantic Council. In a tweet — a screenshot of which researchers included in their post — Dagres herself denied working with Shokouhi, indicating that the persona is not legitimate.

The link to Atlantic Council also is a giveaway that Cobalt Illusion is involved, the researchers said. That's because in previous activity confirmed by the Computer Emergency Response Team in Farsi (CERTFA) in September, the APT impersonated an Atlantic Council employee, they said. CERTFA is comprised of cybersecurity experts in Iran's digital security space.

"In that campaign, the group attempted to engage targets in video calls and delivered phishing links via the chat function at an appropriate point in the conversation," CTU researchers wrote.

CERTFA Lab has published a set of phishing indicators related to the campaign, which align with past Cobalt Illusion activity. Researchers recommended that organizations that could be targeted use available controls to review the IP addresses associated with the campaign and restrict access to them, being wary of the likelihood of their containing malicious content before opening them in a browser.

As always, when it comes to phishing, organizations should use industry-proven and reliable email-scanning technology to delete malicious messages before they reach employees, as well as train employees how to spot hallmarks of phishing activity to avoid engaging and thus risking compromise of sensitive data and systems, the researchers said.

Iranian APT Targets Female Activists With Mahsa Amini Protest Lures

Users should patch an unauthenticated remote code execution bug impacting FortiOS and FortiProxy administrative interfaces ASAP, Fortinet says.

Fortinet is warning users to patch a critical remote code execution (RCE) vulnerability in the FortiOS operating system, and in the FortiProxy secure Web gateway. 

An alert this week from FortiGuard Labs said a heap buffer underflow bug in the administrative interface could allow an unauthenticated, remote cyberattacker to execute code on a device running the platforms. The vulnerability could also allow a threat actor to perform a denial-of-service (DoS) attack on the GUI of devices running the vulnerable code, Fortinet added.

Fortinet has issued a security update for FortiOS and FortiProxy interfaces, and noted that no exploitation has been detected yet. 

"Fortinet is not aware of any instance where this vulnerability was exploited in the wild," the alert explained. "We continuously review and test the security of our products, and this vulnerability was internally discovered within that frame."

This is the latest bug to come to light in the popular security appliance vendor's gear. Just late last month, Fortinet urged FortiNAC users to update their systems against a flaw that allowed unauthenticated attackers to write arbitrary system files.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading