Google Workspace's team is seeing a spike in phishing and spam hitting Gmail — up 10% in just the last two weeks.

'Tis the season for cybercrime and scams: Just ask Google.

As we move into the holiday season, the cloud giant is already spotting and stopping 10% more spam and phishing messages than usual: It blocked more than 231 billion spam and phishing emails in just the past two weeks. On average, Google says it catches and stops around 15 billion of these sketchy emails in Gmail per day, accounting for 99.9% of all spam, phishing, and malware-laden messages in the service.

Google Workspace Trust & Safety manager Nelson Bradley warned in a Nov. 22 blog post of five main themes and types of email scams to watch out for: gift cards and giveaways; phony charity lures; demographic-targeting; false subscription renewals; and cryptocurrency scams.

Nelson recommends users take time to think over an email before responding, as well as spot-check the information in the email, and, of course, not respond with any personal information or payment. 

"No reputable person or agency will ever demand payment or your personal information on the spot," he wrote.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Blocks 231B Spam, Phishing Emails in Past 2 Weeks

Cybercrime continues to evolve — and shows no signs of slowing down.

Tech companies have created the tools we use to build and run businesses, process consumer transactions, communicate with one another, and organize our personal and professional lives. Technology has shaped the modern world as we know it — and our reliance on tech continues to grow.

The tech industry's importance has not been lost on cybercriminals and nation-state groups, who target tech companies for a variety of reasons: to fulfill strategic, military, and economic goals; to access sensitive corporate data they can hold for ransom or sell on the Dark Web; to compromise supply chains; and much more.

Tech companies are no strangers to cybercrime — they've long been targets of adversary activity — but in the past year, these attacks have rapidly increased. Technology was the most targeted vertical for cyber intrusions between July 2021 and June 2022, according to CrowdStrike threat data. This made tech the most popular sector for threat actors during a year when CrowdStrike threat hunters recorded more than 77,000 potential intrusions, or approximately one potential intrusion every seven minutes.

If this sounds familiar, it's probably because you've seen this threat activity in the news — data breaches affecting the technology industry have dominated headlines in 2022. Tech companies of all sizes should be concerned about the potential for adversary activity, because they're often trying to steal data. Let's take a closer look at the threats that tech companies should be most worried about, what those adversary tactics look like, and how to stop them.

**How Today's Adversaries Target Tech Companies**

Enterprises, small to midsize businesses (SMBs), and startups alike must be aware of the threats they face and how to defend against them.

Adversaries are increasingly moving away from malware in an effort to evade detection: CrowdStrike threat data shows malware-free activity accounted for 71% of all detections between July 2021 and June 2022. This shift is partially related to attackers increasingly abusing valid credentials to gain access and maintain persistence (i.e., establish long-term access to systems despite disruptions such as restarts or changed credentials) in IT environments. However, there is another factor: the rate at which new vulnerabilities are being disclosed and the speed with which adversaries can operationalize exploits.

The number of zero-days and newly disclosed vulnerabilities continues to rise year-over-year. CrowdStrike threat data shows more than 20,000 new vulnerabilities reported in 2021 — more than any previous year — and more than 10,000 were reported by the start of June 2022. This is a clear indication this trend is not slowing down.

A closer look at tactics, techniques, and procedures (TTPs) used during intrusions reveals common patterns in adversary activity. When a vulnerability is successfully exploited, it's routinely followed by the deployment of Web shells (i.e., malicious scripts that enable adversaries to compromise Web servers and launch additional attacks).

**What Can Tech Companies Do to Stop Breaches?**

The technology industry is challenged to maintain a strong defense against a constantly evolving threat landscape. Today's attackers are changing their TTPs to be more subtle, to evade detection, and to cause more damage. It's up to defenders to protect the workloads, identities, and data their business relies on.

There is no one-size-fits-all model for how cybercriminals conduct their attacks, nor is there a single silver bullet for tech companies to defend themselves against every intrusion. However, a closer look at intrusion activity reveals critical areas of focus for IT and security teams. Below are key recommendations:

*   **Get back to basics:** It is paramount that tech companies have the basics of security hygiene in place. This includes deploying a strong patch management program, and ensuring robust user account control and privileged access management to mitigate the effects of compromised credentials.
*   **Routinely audit remote access services:** Adversaries will leverage any pre-existing remote access tooling at their disposal or attempt to install legitimate remote access software in the hope that it evades any automated detections. Regular audits should check to see if the tool is authorized and if the activity falls within an expected timeframe, such as within business hours. Connections made from the same user account to multiple hosts in a short timeframe may be a sign that an adversary has compromised credentials.
*   **Proactively hunt for threats:** Once an adversary breaches a tech company's defenses, it can be tough to detect them as they quietly collect data, look for sensitive information, or steal credentials. This is where threat hunting comes in. By proactively looking for adversaries in their environment, tech companies can detect attacks earlier and strengthen their security posture.
*   **Prioritize identity protection:** Adversaries are increasingly targeting credentials to breach tech companies. Any user, whether they're an employee, third-party vendor, or customer, can unknowingly be compromised and provide an attack path for adversaries. Tech companies must authenticate every identity and authorize each request to prevent cyberattacks, like a supply chain attack, ransomware attack, or data breach.
*   **Don't forget about threat prevention:** For tech companies, threat prevention tools can block cyber threats before they penetrate an environment or before they do damage. Detection and prevention go hand in hand. In order to prevent cyber threats, they must be detected in real-time. The bigger the IT environment, the greater the need for tools that can help with threat detection and prevention.

The evolution of cybercrime and nation-state activity shows no signs of slowing down. Tech companies must strengthen their defenses and understand an adversary's techniques in order to protect their workloads, identities, and data, and keep their organizations running.

How Tech Companies Can Slow Down Spike in Breaches

**Tuesday, November 22 —** As the cyber skills gap widens to record new levels, disruptive cybersecurity training and upskilling platform, **Hack The Box** (HTB), has announced its **annual global University ‘Capture the Flag’ (CTF) competition** that will take place from **December 2-4, 2022**.

This year’s event, which is **open to students and academics at higher education institutions worldwide**, is designed to inspire and prepare a new generation of security professionals to join the fight against cybercrime, at a time when they are most needed with the global talent shortage standing at 3.4 million. 

**With attacks spiking 28% in the last quarter of 2022** alone, and cybercrime predicted to cost the global economy **$10.5 trillion** **by 2025**, students taking part will learn only the latest practical hacking skills needed to combat the ever-growing and evolving volume of sophisticated threats. Higher education professionals will also be introduced to innovative and effective new methods of gamified and hands-on teaching.

HTB’s University CTF will see students across the globe face **over 20 sophisticated cyber challenges**, testing their skills in Cloud, Crypto, Pwn, Web, Forensics and more. This year’s challenges replicate the latest attack scenarios and cybercriminal techniques, helping to ensure students of all levels are prepared for a career in modern day cybersecurity.

This year’s CTF aims to shine a light on cyberbullying and create an inclusive space where students all over the world can gain access to the latest skills and networks but also learn in an interactive**, enjoyable and safe environment**. Titled **‘Supernatural Hacks’** this year’s CTF focuses on helping students to interact safely online and build their digital citizenship, all whilst teams work together in a fictional wizarding world to defeat cybers darkest villains. Proceeds from the competition are being donated to Cybersmile, a multi-award- winning nonprofit organisation committed to digital wellbeing and tackling all forms of abuse and bullying online.

**Haris Pylarinos, CEO and co-founder of Hack The Box**, says: _“Universities are the breeding ground for the next generation of cyber professionals, and its critical students have experience tackling real world threats. The massive rise in the volume and sophistication of cyberattacks, means demand for new skills is booming and the old ways are no longer working.”_

_“CTFs are a highly effective way to learn hands-on cyber skills through fun, gamified content. We’re seeing students join to not only sharpen their skills but also network with like-minded peers looking to enter a career in cyber. The competition is also an opportunity for academics and universities to learn new teaching methods that promote a ‘hacking mindset’ approach, needed to match the current threat landscape.”_

**Haris continues** “_The game has changed in cyber. Arbitrary degree and qualification hiring criteria needs to be phased out and businesses must prioritise practical-based skills and training experience. This will help cut the red tape holding back an untapped pool of highly skilled cyber talent waiting in the wings._

_Meanwhile, for younger generations increasingly looking for professions with purpose, hacking presents not only lucrative career prospects but an opportunity to do meaningful work stopping cybercriminal online - protecting businesses, governments, hospitals, schools and individuals from dangerous real-life threats. We’re excited to continue preparing the hackers of the future.”_

Last year’s University CTF winners included players from some of the biggest universities and schools in the world, **University of Warwick**, **Hasso-Plattner Institute** and **42 Paris**. With more students looking to upskill themselves than ever, HTB University CTF has also seen a **191% increase in participatio**n from 2021 to 2021, with 2022 set to see record levels of participants.

Teams, consisting of 1- 20 players, can enter the CTF from anywhere. All skill levels are welcome with challenge categories ranging from ‘Beginner to Hard’. The CTF style will be Jeopardy and FullPwn. As well as cash, swag prizes, and certificates of attendance can be earned for taking part

Hack The Box’s University CTF is sponsored by EY.

**Registration closes on** **November 30. Sign up** **here.**

Hack The Box Launches Annual University CTF to Inspire Next Generation of Security Professionals

Safe shopping guidance coupled with new CISO tool to help safeguard personal data and corporate networks.

SANTA CLARA, Calif., November 21, 2022 — CybeReady, provider of the world’s fastest security awareness solution, today announced five easy security tips to help holiday shoppers safely navigate Black Friday and Cyber Monday as holiday sales put employee data and corporate networks at risk. Coinciding with Black Friday, the company is also releasing its enhanced CISO Toolkit to provide complimentary tools with guidance on safe online shopping to help CISOs defend employee desktops, laptops, mobile devices, and connected corporate networks.

According to the FBI, “Every year, thousands of people become victims of holiday scams. Scammers can rob you of hard-earned money, personal information, and, at the very least, a festive mood.”

Shopping scams are notoriously active during Black Friday and Cyber Monday as millions of shoppers use their PC, laptop, or mobile device to scan for deals and make purchases. This presents a considerable risk to organizations with a large number of employees working remotely. These scams often focus on obtaining the victim’s financial information with methods that include phishing scams, advertising lures, push notification lures, and payment traps.

Black Friday and Cyber Monday phishing emails tend to showcase amazing deals. Oftentimes these offers use emotional tactics to lure consumers into clicking offers that don’t really exist. Consumers expect deals, so phishing emails on Black Friday focus on deals more than any other type of scam. Advertising lures entice the user to enter a fake website and provide credit card information. Payment traps force the user to submit their credit card information rather than using a digital wallet or payment service, allowing the capture of this sensitive payment information. Other factors weaken the buyer’s judgment, making the situation even more dangerous as limited-time deals make it difficult to dig into the details, and unknown senders frequently text and email the buyer, adding to the distraction.

So, when this unique shopping season arrives, it is critical to be hyper-aware of the increasing risks to personal finances and employer networks. In response, CybeReady is offering the following guidelines to help reduce the chance of a scam or other sinister attack achieving success:

**Before Shopping**:

1.  Always enter the URL for a merchant’s website yourself. Do not use a link from an ad or email. Use the brand’s official shopping application on your smartphone.

**While Shopping**:

1.  Check for the lock symbol next to a website’s URL to ensure it is a secure site.
2.  Use a third-party payment method that does not transmit credit card information to the seller (like PayPal or Venmo), or use a disposable card.

**After Shopping**:

1.  Visit the merchant’s website to see sales updates. Do not click links in emails or texts claiming to provide order updates.
2.  Keep an eye on your financial account for any unanticipated transactions.

Because some employees will inevitably use their corporate connected PCs, laptops and mobile devices to take advantage of short-term shopping specials, CISOs are also advised to implement additional safeguards during this time period. To assist security leaders, CybeReady is releasing its enhanced CISO Toolkit for the holidays, which provides complimentary tools to help communicate relevant security information to employees – quickly and effectively. Download the free CISO Toolkit here.

The enhanced toolkit provides an overview of security guidelines, policies and tips, offering easy-to-understand information to help avoid cybersecurity traps with guidance on:

1.  Holiday Shopping Security
2.  Zoom Security
3.  Online Privacy
4.  Password Security
5.  Fake News and Rumors
6.  Remote Work
7.  COVID-19-related Phishing Emails
8.  Security in Times of Crisis
9.  Sextortion - what employees need to know
10.  Tips for Worry-Free Vacations

“It is important to realize how good deals for employees can become a bad ordeal for your organization,” said CyberReady CEO, Eitan Fogel. “During the Holiday Season employees may be easily distracted and hackers are very aware of this, resulting in a significant increase in cyberattacks as the holidays approach. In response, it must be an all-hands effort to ensure security is a top priority.”

**Resources****:**  

CybeReady Case Studies - https://cybeready.com/resource-center/case-studies

CybeReady White Papers - https://cybeready.com/resource-center/white-papers

The Ultimate Guide of Security Awareness Training - https://cybeready.com/complete-guide-cyber-awareness

**About CybeReady**  
CybeReady offers the world’s fastest security training platform, that evolves your organization from security awareness to cyber readiness. CybeReady’s solution autonomously engages more employees, more effectively, frequently, and easily. Infused with training expertise and powered by machine learning, CybeReady’s adaptive, easy-to-digest security training content program guarantees to reduce your high-risk employee group by 80%. CybeReady’s fully-managed solution has been deployed by hundreds of enterprises worldwide, including the City & County of San Francisco, SodaStream, ING, StitchFix, Teva Pharmaceuticals, Avid Technology, and others, CybeReady is fully-managed, making it the security awareness training solution with the lowest total cost of ownership (TCO) available today. Founded in 2015, CybeReady is headquartered in Tel Aviv, Israel, with offices in the Silicon Valley. For more information, please visit www.cybeready.com.

CybeReady Releases Five Easy Tips to Shop Safely During Black Friday

Industry experts to share insights into how FIDO and related technologies can bring password-less authentication to IoT.

**MOUNTAIN VIEW, Calif., Nov. 22, 2022 /PRNewswire/ —** The FIDO Alliance today announces its latest Authenticate Virtual Summit: Securely Onboarding All the Things: The FIDO Fit in IoT, sponsored by Daon and Nok Nok. Responding to rising industry demand for more insight into the role of FIDO and passwordless technology in IoT, the free event will offer attendees expert perspectives and education from leading industry organizations and solution providers on strengthening authentication in IoT. The program will take place virtually on December 7 2022, from 8:00am - 12:00pm PT, and will be made available to registrants on-demand following the event.

Lack of IoT security standards and outdated processes, such as shipping with default password credentials and manual onboarding, leave devices and the networks they operate on open to large-scale attacks. As the IoT market continues to grow, projected to surpass the $1 trillion mark in 2022, the FIDO Alliance formed the IoT Technical Working Group to address these challenges – aiming to provide a comprehensive authentication framework for IoT devices relying on passwordless authentication.

Launched in 2021, the FIDO Device Onboard (FDO) specification is the working group's first output: an open IoT standard which enables devices to simply and securely onboard to cloud and on-premise management platforms. The upcoming virtual summit will delve into this specification and FIDO's role in IoT with speakers from Intel, Qualcomm, FIDO Alliance and more:

*   Introduction: The FIDO Fit in IoT
*   Introduction to FIDO Device Onboard
*   FIDO Device Onboard: Technical Deep Dive
*   FDO Demo
*   FDO Case Study
*   FDO Certification 101

Register for the event here.

**Sponsorship Opportunities**

The Authenticate 2022 Virtual Summit series is accepting applications for sponsorship, offering a number of lead generation and brand visibility opportunities. Visit the Authenticate sponsorship page for more information or contact \[email protected\].

**About the FIDO Alliance**

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

FIDO Alliance Announces Authenticate Virtual Summit Focused on Securing IoT

**US DEPARTMENT OF JUSTICE, NOV. 21 —** Two Estonian citizens were arrested in Tallinn, Estonia, yesterday on an 18-count indictment for their alleged involvement in a $575 million cryptocurrency fraud and money laundering conspiracy.

The indictment was returned by a grand jury in the Western District of Washington on Oct. 27 and unsealed today.

According to court documents, Sergei Potapenko and Ivan Turõgin, both 37, allegedly defrauded hundreds of thousands of victims through a multi-faceted scheme. They induced victims to enter into fraudulent equipment rental contracts with the defendants’ cryptocurrency mining service called HashFlare. They also caused victims to invest in a virtual currency bank called Polybius Bank. In reality, Polybius was never actually a bank, and never paid out the promised dividends. Victims paid more than $575 million to Potapenko and Turõgin’s companies. Potapenko and Turõgin then used shell companies to launder the fraud proceeds and to purchase real estate and luxury cars.

“New technology has made it easier for bad actors to take advantage of innocent victims – both in the U.S. and abroad – in increasingly complex scams,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division. “The department is committed to preventing the public from losing more of their hard-earned money to these scams and will not allow these defendants, or others like them, to keep the fruits of their crimes.”

“The size and scope of the alleged scheme is truly astounding. These defendants capitalized on both the allure of cryptocurrency, and the mystery surrounding cryptocurrency mining, to commit an enormous Ponzi scheme,” said U.S. Attorney Nick Brown for the Western District of Washington. “They lured investors with false representations and then paid early investors off with money from those who invested later. They tried to hide their ill-gotten gain in Estonian properties, luxury cars, and bank accounts and virtual currency wallets around the world. U.S. and Estonian authorities are working to seize and restrain these assets and take the profit out of these crimes.”

"The FBI is committed to pursuing subjects across international boundaries who are utilizing increasingly complex schemes to defraud investors,” said Assistant Director Luis Quesada of the FBI’s Criminal Investigative Division. “Victims in the U.S. and abroad invested into what they believed were sophisticated virtual asset ventures, but it was all part of a fraudulent scheme and thousands of victims were harmed as a result. The FBI thanks our national and international partners for their efforts throughout the investigation to help bring justice for the victims.”

According to the indictment, Potapenko and Turõgin claimed that HashFlare was a massive cryptocurrency mining operation. Cryptocurrency mining is the process of using computers to generate cryptocurrency, such as Bitcoin, for profit. Potapenk and Turõgin offered contracts which, for a fee, purported to allow customers to rent a percentage of HashFlare’s mining operations in exchange for the virtual currency produced by their portion of the operation. HashFlare’s website enabled customers to see the amount of virtual currency their mining activity had supposedly generated. Customers from around the world, including western Washington, entered into more than $550 million worth of HashFlare contracts between 2015 and 2019.

According to the indictment, these contracts were fraudulent. HashFlare allegedly did not have the virtual currency mining equipment it claimed to have. HashFlare’s equipment allegedly performed Bitcoin mining at a rate of less than one percent of the computing power it purported to have. When investors asked to withdraw their mining proceeds, Potapenko and Turõgin were not able to pay the mined currency as promised. Instead, they either resisted making the payments, or paid off the investors using virtual currency the defendants had purchased on the open market—not currency they had mined. HashFlare closed its operations in 2019.

In May 2017, Potapenko and Turõgin offered investments in a company called Polybius, which they promised would form a bank specializing in virtual currency. They promised to pay investors dividends from Polybius’s profits. The men raised at least $25 million in this scheme and transferred most of the money to other bank accounts and virtual currency wallets they controlled. Polybius never formed a bank or paid any dividends.

The indictment also charges Potapenko and Turõgin with conspiring to launder their criminal proceeds by using shell companies and phony contracts and invoices. The money laundering conspiracy allegedly involved at least 75 real properties, six luxury vehicles, cryptocurrency wallets, and thousands of cryptocurrency mining machines.

Potapenko and Turõgin are both charged with conspiracy to commit wire fraud, 16 counts of wire fraud, and one count of conspiracy to commit money laundering. If convicted, Potapenko and Turõgin each face a maximum penalty of 20 years in prison. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

The FBI is investigating the case.

The United States thanks the Cybercrime Bureau of the National Criminal Police of the Estonian Police and Border Guard for its support with this investigation. The U.S. Department of Justice’s Office of International Affairs provided extensive assistance to the investigation.

This investigation and today’s arrest demonstrate the great coordination and cooperation between U.S. and Estonian law enforcement. Estonia has been a crucial ally to disrupt this cyber-enabled crime, and the United States thanks the Estonians for their continued assistance and coordination.

Trial Attorneys Adrienne E. Rosen and Olivia Zhu of the Criminal Division’s Money Laundering and Asset Recovery Section and Assistant U.S. Attorneys Seth Wilkinson and Jehiel I. Baer for the Western District of Washington are prosecuting the case.

Individuals who believe they may have been a victim in this case should visit www.fbi.gov/hashflare for more information.

_An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law._

Two Estonian Citizens Arrested in $575 Million Cryptocurrency Fraud and Money Laundering Scheme

In the cybersecurity world, augmenting the human touch with artificial intelligence has produced extremely positive results.

From robotic assembly lines to self-driving cars, automated processes powered by artificial intelligence (AI) are reshaping society in significant ways. But AI can't do everything on its own — in fact, many organizations are beginning to recognize that automation often functions best when it works hand in hand with a human operator. Likewise, humans can often operate more efficiently and effectively when they receive a helping hand from well-trained AI. Cybersecurity — particularly identity security — is a perfect example of a field where augmenting the human touch with AI has produced extremely positive results.

**Automation Is No Longer Optional**

Consider the volume of identities that exist in today's environments. Users, devices, applications, servers, cloud services, databases, DevOps containers, and countless other entities (both real and virtual) now have identities that need to be managed. In addition, modern employees utilize a wide range of technologies and data in order to be productive in enterprise environments. Together, those two dynamics create a challenge for identity security — at today's scale, understanding which identities need access to what systems has moved well beyond human capacity.

This is important because cybercriminals are targeting identities with increased frequency. The most recent "Verizon Data Breach Investigations Report" (DBIR) indicated that credential data is now used in nearly 50% of breaches, and stolen credentials are one of the most common ways attackers are able to compromise identities. Attackers use a variety of methods to obtain those credentials, but social engineering is perhaps the most popular. People make mistakes, and attackers have gotten very good at identifying ways to trick people into making them. This is a major part of what makes today's attackers so difficult to stop: Human beings are often the weak point, and human beings cannot be patched. Designing a preventative solution that stops 100% of attacks simply isn't possible.

**Shifting the Focus to Containment**

This isn't to say that preventative measures like employee education, multifactor authentication, and frequent password changes aren't important — they are. But they also aren't enough. Eventually, a determined attacker will find a vulnerable identity to compromise, and the organization will need to know what systems it had access to and whether those privileges exceeded its actual needs. If an accountant has their user identity compromised, that is a problem — but it is a problem that should be limited to the accounting department. But in an organization where overprovisioning is common, an attacker who compromises a single identity might have access to any number of systems. This problem is more common than you might think — when an organization has tens of thousands of identities to manage, ensuring that each one has privileges that line up with its essential functions is difficult.

At least, it used to be. Applied to identity security, AI-based technologies have made it possible to not only help enterprises manage identity permissions at scale, but evolve identity security decisions over time to ensure those decisions match the shifting needs and dynamics of the business. AI can be trained to identify patterns that normal, human users would never notice. For example, they might look for permissions that are rarely used and recommend that they be revoked — after all, if they aren't being used, why risk allowing an attacker to exploit them? These tools can be trained to identify when access to certain data is frequently requested by the same type of user. They can then flag that information to an IT team member, who can judge whether additional permissions are warranted.

By identifying these patterns, AI-based identity tools can help to establish more appropriate permissions for identities across the organization, while also providing IT staff with the information they need to make informed decisions as circumstances change. By eliminating extraneous, unnecessary permissions, AI tools ensure that compromising a single identity will not grant an attacker free reign throughout the entire system. They also mean that, far from impeding productivity, the IT team can enhance it. By quickly identifying when it is safe and appropriate to grant additional permissions, they can make sure all identities under management have access to the technology and data they need, when they need it. None of this would be possible without human beings and AI working hand in hand.

**AI-Driven Identity Security Is the Future**

Gone are the days when managing identities and their permissions could be accomplished manually — today, ensuring that each identity has the right level of access can only be accomplished with significant help from artificial intelligence-based technology. By augmenting the human touch with AI, organizations can combine the speed and accuracy of automation with the contextual judgment of human decision-making. Together, they can help organizations more effectively manage their identities and entitlements while significantly limiting the impact of any potential attack.

**About the Author**

    

Grady Summers has a variety of technology and leadership positions spanning over 20 years and now serves as the Executive Vice President of Product at SailPoint. Grady is responsible for driving SailPoint's technology road map and solution strategy, ensuring strong and consistent execution across SailPoint's identity portfolio.

Identity Security Needs Humans and AI Working Hand in Hand

Luna Moth is relying solely on call-back phishing, as well as legitimate tools, to steal data and extract ransoms from victims of all stripes in an expanding cyberattack effort.

Researchers have spotted a threat actor that has managed to extort hundreds of thousands of dollars over the last few months from mostly small and midsize businesses — without using any encryption tools or malware.

Instead, the attacker — dubbed Luna Moth (aka the "Silent" ransomware group) has been using an array of legitimate tools and a technique dubbed "call-back phishing." The tactic is to steal sensitive data from victim organizations and use it as leverage to extort money from them.

**Targeted Attacks**

Most of the attacks so far have targeted smaller organizations in the legal industry; more recently, though, the adversary has begun going after larger companies in the retail sector as well, researchers from Palo Alto Network's Unit 42 said in a report Monday. The evolution of the attacks suggests the threat actor has become more efficient with its tactics and now presents a danger to businesses of all sizes, the security vendor warned.

"We are seeing this tactic successfully targeting all sizes of businesses — from large retailers to small/medium sized legal organization" says Kristopher Russo, senior threat researcher with Unit 42 at Palo Alto Networks. "Because social engineering targets individuals, the size of the company does not offer much protection."

Call-back phishing is a tactic that security researchers first observed the Conti ransomware group using more than a year ago in a campaign to install BazarLoader malware on victim systems.

**Call-Back Phishing**

The scam starts with an adversary sending a phishing email to a specific, targeted individual at a victim organization. The phishing email is custom made for the recipient, originates from a legitimate email service, and involves some kind of a lure to get the user to initiate a phone call with the attacker.

In the Luna Moth incidents that Unit 42 researchers observed, the phishing email contains an invoice — in the form of a PDF file — for a subscription service in the recipient's name. The attackers inform the victim the subscription will soon become active and get billed to the credit card number on file. The email provides a phone number to a purported call center — or sometimes multiple numbers — that users can call if they had questions about the invoice. Some of the invoices have logos of a well-known company on top of the page.

"This invoice even includes a unique tracking number used by the call center," Russo says. "So, when the victim calls the number to dispute the invoice, they look like a legitimate business."

The attackers then convince users who called to initiate a remote session with them using the Zoho Assist remote support tool. Once the victim is connected to the remote session, the attacker takes control of the victim's keyboard and mouse, enables access to the clipboard, and blanks out the user's screen, Unit 42 said.

After the attackers have accomplished that, their next step has been to install the legitimate Syncro remote support software for maintaining persistence on the victim's machine. They have also deployed other legit tools such as Rclone or WinSCP to steal data from it. Security tools rarely flag these products as suspicious because administrators have legitimate use cases for them in an environment.

In early attacks, the adversary installed multiple remote monitoring and management tools such as Atera and Splashtop on victim systems, but lately they appear to have whittled down their toolkit, Unit 42 said.

If a victim does not have administrative rights on their system, the attacker eschews any attempt to maintain persistence on it and instead goes straight to stealing data by leveraging WinSCP Portable.

"In cases where the attacker established persistence, exfiltration occurred hours to weeks after initial contact. Otherwise, the attacker only exfiltrated what they could during the call," Unit 42 said in its report.

**Applying the Most Pressure**

The Luna Moth group has typically gone after data that, when leveraged, will apply the most pressure to the victim, Russo says. In targeting legal firms, the attacker appeared to have a good knowledge of the industry, knowing the kind of data that would likely cause the most harm in the wrong hands.

"In the cases that Unit 42 investigated, they targeted sensitive and confidential data of the law firm's clients," Russo explains. "The attacker reviewed the data they stole and included a sample of the most damaging data they stole in the extortion email."

In many attacks, the adversary called out the victim's largest clients by name and threatened to contact them if the victim organization did not pay the demanded ransom — which typically has ranged from 2 to 78 Bitcoin.

In the cases Unit 42 has investigated, the attackers did not move laterally once they had gained access to a victim's machine. "However, they do continue to monitor the compromised computer if the victim has admin credentials — even going so far as to call and taunt the victims if they detect remediation efforts," Russo says.

Sygnia, one of the first to report on Luna Moth's activities, described the group as likely surfacing in March. The security vendor said it had observed the threat actor using commercially available remote access tools such as Atera, Splashtop, and Syncro, as well as AnyDesk for persistence. Sygnia said its researchers had also observed the threat actor using other legitimate tools such as SoftPerfect network scanner for reconnaissance and SharpShares for network enumeration. The attacker's tactic has been to store the tools on compromised systems with names that spoof legitimate binaries, Sygnia said.

"The threat actor in this campaign specifically seeks to minimize their digital footprint to evade most technical security control," Russo says.

Because they have been relying entirely on social engineering and legitimate tools in the campaign, the attacks leave very few artifacts, Unit 42 said. Thus, "we recommend that organizations of all sizes conduct security awareness training for employees" to protect against the new threat, Russo says.

Luna Moth's Novel, Malware-Free Extortion Campaign Takes Flight

The popular pen-testing tool is often cracked and repurposed by threat actors. Google now has a plan to address that.

Cobalt Strike, a popular red-team tool for detecting software vulnerabilities, has been repurposed by cyberattackers so frequently that publisher Fortra instituted a system for vetting potential buyers. In response, malicious actors have switched to using cracked versions of the software distributed online like any other hacker tool. Google's Cloud Security team has now come up with a way to counteract these shady uses while not interfering with legitimate ones: version detection.

Threat actors have easy access to Cobalt Strike through pirating, but these illegitimate versions usually cannot be updated, wrote Greg Sinclair, security engineer for cloud threat intelligence at Google. That provides Google researchers with a way to spot potentially malicious use by identifying the version of the software being used and flagging anything earlier than the current version.

To identify the version, Google researchers analyzed the Cobalt Strike JAR files from the past 10 years and generated signatures for the various components — 165 in all. Then the team bundled the signatures into a VirusTotal collection and released them as open source YARA rules on GitHub.

"Since many threat actors rely on cracked versions of Cobalt Strike to advance their cyberattacks, we hope that by disrupting its use we can help protect organizations, their employees, and their customers around the globe," Sinclair wrote.

Earlier in November, Google Cloud Threat Intelligence released on GitHub a similar set of signatures to detect Sliver, as Bleeping Computer pointed out. The command-and-control framework has been supplanting Cobalt Strike as the repurposed security tool of choice by some threat actors.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Releases YARA Rules to Disrupt Cobalt Strike Abuse

Analysts see an uptick in token theft from authenticated users, allowing threat actors to bypass MFA protections.

Threat actors are stealing authentication tokens already verified by multifactor authentication (MFA) to breach organizations' systems. 

A new alert from Microsoft Detection and Response Team (DART), said token theft for MFA bypass is particularly dangerous because it requires little technical expertise to pull off, it's tough to detect, and most organizations haven't considered token theft as part of their incident response plan. And as employees increasingly access systems through personal devices, security controls are weaker and malicious activity is hidden from the security team's view. 

Full visibility into devices reduces token theft risk, but DART concedes that's difficult with so many unmanaged devices accessing the network. For unmanaged devices, they recommend conditional access policies and strong controls. 

"As far as mitigations go, publicly available open-source tools for exploiting token theft already exist, and commodity credential theft malware has already been adapted to include this technique in their arsenal," DART added in its blog post about the MFA workaround. "Detecting token theft can be difficult without the proper safeguards and visibility into authentication endpoints."   

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading