PRESS RELEASE

TAMPA BAY, Fla., Dec. 3, 2024 /PRNewswire/ -- KnowBe4, the world-renowned cybersecurity platform that comprehensively addresses human risk management, today released its Q3 2024 Phishing Report. This quarter's findings reveal the most frequently clicked email subjects in simulated phishing tests, demonstrating the continued efficacy of HR and IT-related phishing attempts.

KnowBe4's Q3 2024 Phishing Report reveals that HR and IT-related phishing emails claim a significant 48.6% share of top-clicked phishing types globally. Despite evolving techniques by bad actors, phishing emails remain among the most prevalent tools for executing cyberattacks. KnowBe4's 2024 Phishing by Industry Benchmarking Report reveals that about one in three users is susceptible to interacting with malicious links or fraudulent requests. Exploiting this vulnerability, cybercriminals craft deceptively authentic phishing emails that align with current trends, exploiting human emotions to invoke urgency and trick recipients into clicking malicious links or opening harmful attachments.

The report spotlights the ongoing threat posed by email-embedded phishing links, which continue to be the top attack vector of choice. These malicious links, PDF attachments and spoofed domains, when interacted with, often result in disastrous cyberattacks, including ransomware attacks and business email compromise. The report also reveals a surge in phishing campaigns leveraging QR codes. Popular QR code phishing subjects include HR reminders for policy reviews, DocuSign emails to sign an urgent document, and Zoom meeting invitations. These messages, often masquerading as communication from HR, colleagues or external vendors, pose substantial risks as they can easily be replicated by malicious actors.

"Our latest phishing report underscores the evolving sophistication of phishing tactics, with cybercriminals increasingly exploiting the trust employees place in internal communications," said Stu Sjouwerman, CEO of KnowBe4. "The prevalence of HR and IT-themed phishing attempts, coupled with emerging techniques like QR code integration, presents a complex threat landscape. These tactics are particularly deceptive as they leverage the perceived legitimacy of trusted sources, often prompting hasty actions before verification. In this rapidly changing environment, a well-trained workforce and a robust security culture are not just beneficial—they are essential. By prioritizing human risk management, organizations can effectively build a formidable defense against avoidable cyberthreats."

To download a copy of the Q3 2024 KnowBe4 Phishing Report infographic, visit here.

About KnowBe4 

KnowBe4 empowers workforces to make smarter security decisions every day. Trusted by over 70,000 organizations worldwide, KnowBe4 helps to strengthen security culture and manage human risk. KnowBe4 offers a comprehensive AI-driven 'best-of-suite' platform for Human Risk Management, creating an adaptive defense layer that fortifies user behavior against the latest cybersecurity threats. The HRM+ platform includes modules for awareness & compliance training, cloud email security, real-time coaching, crowdsourced anti-phishing, AI Defense Agents, and more. As the only global security platform of its kind, KnowBe4 utilizes personalized and relevant cybersecurity protection content, tools and techniques to mobilize workforces to transform from the largest attack surface to an organization's biggest asset.

You May Also Like

KnowBe4 Releases the Latest Phishing Trends in Q3 2024 Phishing Report

A change in ownership and what it means for our readers.

Source: Informa TechTarget

Dear Reader,

Today, Informa Tech, the company behind Dark Reading, is combining with TechTarget's technology websites and Industry Dive's award-winning industry publications to create a new company: Informa TechTarget.

Our editorial footprint is greatly expanding. The combined Informa TechTarget newsroom features many of the most trusted publications in B2B media, over 300 world-class business journalists, and in-depth coverage across 30+ technology segments and 45+ industry verticals. In 2025 alone, we expect to produce over 60,000 stories that provide essential information for our readers across many markets. 

For more information, you can read the company's press release and check out our combined portfolio of publications.

Our commitment to you remains the same here at Dark Reading. Our group of highly experienced cybersecurity journalists will continue to independently report on the most notable developments, innovations, and disruptions in our industry. Whether navigating new technologies, cyber threats and vulnerabilities, regulations, or market dynamics, you need insight you can trust to make smart decisions and navigate the evolving cybersecurity business landscape. Readers who come to Dark Reading can expect reliable industry information they can't get anywhere else. 

Thank you for reading — and stay tuned for more vital coverage and resources as we continue to grow.

Kelly Jackson Higgins

Editor-in-Chief, Dark Reading

**About the Author**

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Note From the Editor-in-Chief

Cisco encourages users to update to an unaffected version of its Adaptive Security Appliance (ASA) software since there are no workarounds for the 2014 vulnerability.

Source: Kristoffer Tripplaar via Alamy Stock Photo

NEWS BRIEF

Cisco is warning customers of a security vulnerability impacting its Adaptive Security Appliance (ASA) that is actively being exploited by threat actors.

The bug, tracked as CVE-2014-2120 and a decade old, involves insufficient input validation in ASA's WebVPN login page, through which an unauthenticated remote attacker could enact a cross-site scripting (XSS) attack.

In 2014, Cisco noted that "the vulnerability is due to insufficient input validation of a parameter," adding that an attacker could exploit the vulnerability by convincing the user to click on a malicious link.

Cisco now reports it became aware of in-the-wild exploitation attempts in November 2024 and recommends that customers upgrade to a fixed software release to mitigate the vulnerability. There are no workarounds for this flaw.

"Exploiting decade-old vulnerabilities like the ASA WebVPN bug underscores a persistent challenge in cybersecurity, that legacy vulnerabilities often remain unaddressed due to the sheer volume of security issues organizations face today," Meny Har, CEO and co-founder of Opus Security, said in an emailed statement to Dark Reading. "Without effective prioritization frameworks, critical vulnerabilities can slip through the cracks."

Decade-Old Cisco Vulnerability Under Active Exploit

Too much access and privilege, plus a host of unsafe cyber practices, plague most workplaces, and the introduction of tools like GenAI will only make things worse.

Source: Yuri Arcurs via Alamy Stock Photo

NEWS BRIEF

A survey of more than 14,000 employees across a variety of industries shows that employee behaviors when it comes to sensitive data often put organizations at risk.

The findings show that 80% of those surveyed access workplace applications from personal devices that lack necessary security controls. In addition, privileged access extends beyond IT admins, and 40% of respondents habitually download customer data. A third of respondents are able to alter sensitive data without controls, and roughly 30% can approve large financial transactions on their own.

In addition to this, the CyberArk study found that employees often practice bad cybersecurity habits. About half (49%) of respondents admitted to reusing the same login credentials for multiple work applications, while 36% use the same credentials for both work and personal applications; about 65% copped to bypassing cybersecurity policies for personal ease. All of these practices heighten the risk of organizations falling victim to leaks and data breaches.

The security firm warned that such behaviors will only continue with the growing use of on-the-rise tools, such as artificial intelligence, which are increasingly being introduced into the workplace. Roughly 72% of employees use AI tools, which can pose a threat when sensitive data is inputted into them — a likely scenario as 38% of employees only sometimes, if ever, adhere to guidelines dictating the handling of sensitive data when it comes to AI.

Cyber-Unsafe Employees Increasingly Put Orgs at Risk

A novel backdoor malware and a loader that customizes payload names for each victim have been added to the threat group's cybercriminal tool set.

Source: Photo Spirit via Shutterstock

A known threat actor in the malware-as-a-service (MaaS) business known as "Venom Spider" continues to expand capabilities for cybercriminals who use its platform, with a novel backdoor and loader detected in two separate attacks in a recent two-month period.

Researchers at Zscaler ThreatLabz uncovered campaigns between August and October of this year that leveraged a backdoor called called RevC2, as well as a loader called Venom Loader, in attacks that use known MaaS tools from Venom Spider (aka Golden Chickens), according to a blog post published Dec. 2.

RevC2 uses WebSockets to communicate with its command-and-control (C2) server and can steal cookies and passwords, proxy network traffic, and enable remote code execution (RCE). Venom Loader meanwhile uses the victim's computer name to encode payloads, thus customizing them for each victim as an extra personalization tactic.

Venom Spider is a threat actor known for offering various MaaS tools such as VenomLNK, TerraLoader, TerraStealer, and TerraCryptor that are widely used by groups such as FIN6 and Cobalt for cyberattacks. In fact, FIN6 was seen leveraging Venom Spider's MaaS platform in October, in a spear-phishing campaign spreading a novel backdoor dubbed "more\_eggs" capable of executing secondary malware payloads.

Related:Ransomware's Grip on Healthcare

**Even "More\_Eggs"**

That platform apparently has been enhanced yet again, this time with two new malware families observed in recent phishing campaigns. RevC2, observed by researchers in a campaign that occurred from August to September, used an API documentation lure to deliver the novel payload.

The attack began with with a VenomLNK file that contains an obfuscated batch (BAT) script that when executed downloads a PNG image from the website hxxp://gdrive\[.\]rest:8080/api/API.png. The PNG image aims to lure the victim with a document that is titled "APFX Media API Documentation."

Upon execution, RevC2 used two checks for specific system criteria and then executed only if they both pass, to ensure it's launched as part of an attack chain, and not in analysis environments such as sandboxes.

Once launched, the backdoor's capabilities include the ability to: communicate with the C2 using a C++ library called "websocketpp"; steal passwords and cookies from Chromium browsers; take screenshots of the victim's system; proxy network data using the SOCK5 protocol; and execute commands as a different user using the stolen credentials.

A second campaign occurring between September and October used a cryptocurrency lure to deliver Venom Loader, which in turn spread a JavaScript backdoor providing RCE capabilities that the researchers dubbed "More\_eggs lite." The malware is so-named because it has fewer capabilities than the previously discovered "more\_eggs," ThreatLabz security researcher Muhammed Irfan V A noted in the post.

Related:2 UK Hospitals Targeted in Separate Cyberattacks

"Although it is a JS backdoor delivered via VenomLNK, the variant only includes the capability to perform RCE," he wrote.

One notable feature of Venom Loader is that the DLL file it used in the observed campaign is custom built for each victim and is used to load the next stage, according to ThreatLabz.

The loader is downloaded from :hxxp://170.75.168\[.\]151/%computername%/aaa, "where the  %computername% value is an environment variable which contains the computer name of the system," Irfan V A wrote.

Venom Loader then uses %computername% as the hardcoded XOR key to encode its stages of attack, which in this case executes the More\_eggs lite backdoor for attackers to carry out RCE.

**MaaS Capabilities Expected to Expand**

ThreatLabz believes that the new malware included in Venom Spider's MaaS platform "are early versions, and expect more features and anti-analysis techniques to be added in the future," Irfan V A wrote.

Zscaler detected the malware using both a sandbox and its cloud security platform, which detected the following threat-name indictors related to the campaign: LNK.Downloader.VenomLNK; Win32.Backdoor.RevC2; and Win32.Downloader.VenomLoader.

Related:Incident Response Playbooks: Are You Prepared?

Zscaler also is providing a Python script that emulates RevC2's WebSocket server on its GitHub repository as well as included a long list of indicators of compromise (IoCs) in the blog post so defenders can check their respective organization's systems for evidence of the malware.         

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Venom Spider Spins Web of New Malware for MaaS Platform

Until C-level executives fully understand potential threats and implement effective mitigation strategies, healthcare organizations will remain vulnerable and at risk of disruption.

Source: Olekcii Mach via Alamy Stock Photo

COMMENTARY

Ransomware attacks keep increasing day to day, and healthcare systems are one of the prime targets. Despite ongoing efforts to patch vulnerabilities, the problem persists. Patching, long considered a cornerstone of cybersecurity defense, is no longer enough. The consequences of the attack for healthcare organizations go far beyond reputational and financial damage — they are a matter of patients' lives.

The reason is that all healthcare organizations are treasures of highly critical information: Medical records, personal information, and financial details all command a high price in the black market. What's more important, healthcare services cannot afford any downtime, and because these systems need to be online and working at all times, victims usually pay the ransom.

The growing sophistication of ransomware, combined with the complex IT environments in healthcare, means that traditional defenses like patching fall short. Meanwhile, attackers are finding a way to expose the open gaps that patching alone cannot close, even with regular updates.

**The Patching Problem**

Many believe patching is a line of defense that stops ransomware in its tracks, but patching has gradually reached its threshold of limitations. Most healthcare IT systems are amalgamating old legacy technology, critical life-supporting medical devices, and modern infrastructure, making it very difficult to implement patching. For instance, most medical devices run operating systems that are no longer supported by vendors. Patching is very risk-prone and might involve downtime, which affects patient service.

Patching covers only the known vulnerabilities. On the other side, ransomware attackers are increasingly leveraging zero-day vulnerabilities, those that have not yet been discovered, or do not have any patch available for them. Even fully patched systems can be vulnerable to such an attack, leaving the organization at risk for ransomware.

Then, we need to think about a lateral movement problem. Once inside a network, ransomware can easily cross over into unpatched or misconfigured systems. One more factor in the case of ransomware attacks is that there are no more single-entry points; the attackers simply use stolen credentials and/or unprotected routes of access to move across the network, infecting multiple systems and amplifying resultant damage.

**Expanding the Scope of Defense**

With such challenges, health organizations really do need to rethink their approach toward ransomware defense; patching, though necessary, represents only one piece of a much larger jigsaw puzzle.

The first recommended strategy is implementing advanced threat protection (ATP) solutions to provide an extra layer of security. These utilities use artificial intelligence and machine learning to detect suspicious activities and block ransomware before they actually cause serious damage. Instead of waiting for a patch that will fix a vulnerability, ATP systems can detect emergent threats in real-time, offering a proactive approach to defense.

Segmentation of a network can prevent ransomware from spreading; this is where healthcare organizations isolate the network into smaller segments. This is important, as once a part of the network is compromised, then the rest of it will always be safe. This is a very crucial tactic in containing ransomware and limiting its damage.

Phishing remains one of the most common methods for deploying ransomware, and healthcare staff are often targeted. Training employees to recognize phishing attempts, combined with multifactor authentication (MFA), adds an essential layer of protection. Even if attackers manage to steal credentials, MFA can stop them from gaining access to critical systems.

Incident response planning is also essential. Organizations need to be prepared for the worst-case scenario. Regularly updated backups, stored separately from the main network, are important for recovery after an attack. These backups ensure that healthcare services can be restored without paying a ransom. These plans should be tested periodically to make sure they work when needed most.

**Healthcare Can't Afford to Ignore the Need for a Broader Defense**

Ransomware is not just a technical issue; it's most definitely a business problem that no healthcare organization can afford to dismiss. Recent high-profile attacks have proved how vulnerable the providers of healthcare are; while patching remains an essential process, it only forms one part of the much larger total solution.

Security in healthcare must go beyond patching and involve a more strategic approach. This can be shown by the ever-increasing pressure placed by regulatory bodies, such as DHHS, to even further restrict cybersecurity guidelines for providers. Patch management falls under compliance, but it seems obvious that a more encompassing proactive approach to security must be enacted if patient data and operations are to be secured.

Healthcare leaders need to take this into consideration and invest a larger focus on enterprise-wide risk management. Until C-level executives fully understand potential threats and implement effective mitigation strategies, healthcare organizations will remain vulnerable and at risk of disruption.

**About the Author**

Lead Security Engineer, C4HCO

Claudio Gallo is a lead security engineer of the Colorado Marketplace Exchange, dedicated to protecting critical information in the healthcare and insurance industries. With expertise in application security, cloud architecture, and compliance, Claudio designs innovative strategies to safeguard sensitive data and ensure trust in important services. Passionate about making a meaningful difference, he is equally committed to mentoring aspiring professionals in the information security industry, sharing knowledge, and fostering the next generation of cybersecurity talent.

Ransomware's Grip on Healthcare

Websites these days know everything about you — even some details you might not realize. Hackers can take advantage of that with a sharp-toothed attack that exploits Europe's GDPR-mandated data portability rules.

Source: Design Pics Inc Alamy Stock Photo

Researchers are warning that an otherwise positive European data regulation has introduced massive risks to individuals and the companies they work for.

Ever since the passage of the General Data Protection Regulation (GDPR), Internet users in Europe — and in many places around the world following suit — have been able to download the entirety of the data that websites save about them. Besides the obvious benefits to privacy and transparency, the idea was portability: Anyone could take the data one site possessed about them and transfer it to another.

In a new blog post, CyberArk highlights a theoretical yet severe cost to this new right to data portability. Before the rule, everyone's most sensitive data was protected behind brick walls at ultrasecure data centers. Now that users can retrieve that data via a cloud-based mechanism, hackers can access their accounts and steal it all. Considering the extent of the data that websites collect about us today, the possibilities for malfeasance are endless.

"It's my legal right, and it's perfectly fine that I'm capable \[of seeing\] what information is being kept about me," says Lior Yakim, threat researcher at CyberArk Labs, who dubs the attack "White FAANG," since the vulnerable data could be exported from services provided by major tech companies like Facebook, Amazon, Apple, Netflix, and Google (FAANG).

Related:'Bootkitty' First Bootloader to Take Aim at Linux

However, he warns, "Because it's so easy to get all of that highly intrusive information — together with the fact that people use the same devices for corporate and personal purposes — there's a major risk."

**The Data Sites Have on You**

Companies hoard gobs of sensitive information, especially the largest technology companies most central to our online lives. They possess everything from our most sensitive personally identifying information (PII) to the long histories of our online activity. But even the most jaded Internet users might be surprised just how deep this hole goes.

Meta, for example, records not only your documented Facebook activity, but also plenty of undocumented data, like what posts you viewed, and exactly how long you viewed them.

Google, likewise, saves not only your entire search history, but even searches you typed but didn't ultimately execute.

GDPR's well-intentioned data portability regulations forced companies to make all of this information exportable at the click of a button, in a machine-readable format. And what's stopping a hacker in possession of your account from doing just that? "The most common protection is, indeed, multifactor authentication (MFA). But as we know, MFA can be bypassed," Yakim notes.

Related:China's Cyber Offensives Built in Lockstep With Private Firms, Academia

**The Risks to Individuals and Corporations**

With export data, there is no limit to what an attacker can do. They can use your Google search history to blackmail you, your GPS data from Meta to find where you live, and your Apple calendar history to know where you've been and where you'll be, to say nothing of the endless possibilities for cyberattacks.

Beyond all that, there's the risk to employers. Individual accounts can house all kinds of data that pertains to, or can otherwise be used to attack the companies they work for.

Again, the scenarios are limitless. With an Apple export, for example, a hacker could take the MAC address associated with an employee's unpatched AirPods, spoof a Bluetooth connection, exploit CVE-2024-27867 to gain access to them, then listen in on corporate meetings. Or, Yakim suggests, they can leverage information like the operating system version of the employee's mobile phone. "If I know, for example, that the mobile device of the employee is not up to date, I can search for specific, known vulnerabilities in order to target this employee," he says.

And there are far simpler, more present dangers than that. CyberArk surveyed 14,000 employees, finding that around 63% use personal accounts on their work computers, and 80% access work applications from their personal computers. Thanks to this comingling, work passwords tend to end up stored in far less secure personal accounts, from which they can be exported. This was how Cisco got breached in 2022, and Okta in 2023, a case that affected every one of its customers as well.

Related:VISO TRUST Secures $24M to Accelerate Innovation in AI-Powered Third-Party Risk Management

To prevent that from happening, employees need to draw a clear line in the sand between their business and pleasure online. "Personal accounts are less secure than corporate accounts," Yakim says. "That's the message that we're trying to deliver here."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'White FAANG' Data Export Attack: A Gold Mine for PII Threats

Though it's still just a proof of concept, the malware is functional and can evade the Secure Boot process on devices from multiple vendors.

Source: Alexander56891 via Shutterstock

Researchers have spotted what they believe is the first ever malware capable of infecting the boot process of Linux systems.

"Bootkitty" is proof-of-concept code that students in Korea developed for a cybersecurity training program they're involved in. Though still somewhat unfinished, the bootkit is fully functional and even includes an exploit for one of several so-called LogoFAIL vulnerabilities in the Unified Extensible Firmware Interface (UEFI) ecosystem that Binarly Research uncovered in November 2023.

**A Novel Proof-of-Concept**

Bootkits operate at the firmware level and execute before the operating system loads, allowing them to bypass the Secure Boot process for protecting systems from malware during startup. Such malware can persist through system reboots, operating system reinstallation, and even physical replacement of certain parts, like hard drives.

Researchers at ESET who analyzed Bootkitty after finding a sample on VirusTotal just last month described it as the first UEFI bootkit for Linux they have come across. That's significant because, until now, bootkits — the most notorious of which includes BlackLotus and FinSpy — have been Windows-specific.

"\[Bootkitty's\] main goal is to disable the kernel's signature verification feature and to preload two as yet unknown ELF binaries via the Linux init process (which is the first process executed by the Linux kernel during system startup)," ESET researchers Martin Smolar and Peter Strycek wrote.

Binarly, which also analyzed Bootkitty, found the malware to contain an exploit for CVE-2023-40238, one of several image parsing LogoFAIL vulnerabilities in UEFI that the company reported last year. The Bootkitty exploit leverages shellcode embedded within bitmap image (BMP) files to bypass Secure Boot and get the OS to trust the malware, Binarly said. The vendor identified Linux systems from multiple vendors as being vulnerable to the exploit, including those from Lenovo, Fujitsu, HP, and Acer.

"While this appears to be a proof-of-concept rather than an active threat, Bootkitty signals a major shift as attackers expand bootkit attacks beyond the Windows ecosystem," Binarly wrote. "The operating system bootloaders present a vast attack surface that is often overlooked by defenders, and the constant growth in complexity only makes it worse."

The UEFI — and prior to that the BIOS ecosystem — has been a popular target for attackers in recent years because of how malware operating at that level can remain virtually undetectable on compromised systems. But concerns over UEFI security really came to a head with the discovery of BlackLotus, the first malware to bypass Secure Boot protections even on fully patched Windows systems.

The malware took advantage of two vulnerabilities in the UEFI Secure Boot process, CVE-2022-2189, also known as Baton Drop, and CVE-2023-24932, to install itself in a virtually undetectable and unremovable manner. The relatively easy availability of the malware and Microsoft's struggles in addressing it, prompted a call from the US Cybersecurity and Infrastructure Security Agency (CISA) for improved UEFI protections.

"Based on recent incident responses to UEFI malware such as BlackLotus, the cybersecurity community and UEFI developers appear to still be in learning mode," CISA noted at the time. "In particular, UEFI secure boot developers haven't all implemented public key infrastructure (PKI) practices that enable patch distribution."

**Functional Bootkit**

ESET found Bootkitty to contain capabilities for modifying, in memory, functions that normally verify the integrity of the GRand Unified Bootloader (GRUB), which is responsible for loading the Linux kernel during startup. However, the specific functions that Bootkitty attempts to modify in memory are supported only on a relatively small number of Linux devices, suggesting the malware is more proof of concept than an active threat. Bolstering that theory is the presence of several unused artifacts in the code, including two functions for printing ASCII art and text during execution, ESET said.

The Korean students who developed the bootkit informed ESET after the security vendor published its analysis. ESET quoted the students as saying they had created the malware in an effort to spread awareness about the potential for bootkits becoming available for Linux systems. Details of the malware were only supposed to have become available as part of a future conference presentation. However, a few samples of the bootkit ended up being uploaded to VirusTotal, they noted.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'Bootkitty' First Bootloader to Take Aim at Linux

Chalk up another win for global cooperation among law enforcement, this time targeting seven types of cyber fraud, including voice phishing and business email compromise.

Source: Olena Bartienieva via Alamy Stock Photo

Following a global five-month operation involving law enforcement from 40 countries and regions, more than 5,500 financial crime suspects have been arrested and more than $400 million in virtual assets seized.

Operation HAECHI V spanned from July to November of this year and targeted seven types of cyber frauds: voice phishing, romance scams, online sextortion, investment fraud, illegal online gambling, business email compromise fraud, and e-commerce fraud.

As part of the operation, authorities from Korea and Beijing dismantled a voice-phishing syndicate responsible for $1.1 billion in losses, affecting more than 1,900 victims. 

During the length of the operation, Interpol also issued a Purple Notice related to cryptocurrency fraud practices involving stablecoin; Purple Notices are used to seek or provide information about operating methods as well as how suspected criminals conceal themselves. Interpol also alerted countries to the "USDT Token Approval Scam," in which threat actors access and control their victims' cryptocurrency wallets as part of Operation HECHI V.

"The effects of cyber-enabled crime can be devastating — people losing their life savings, businesses crippled, and trust in digital and financial systems undermined," Interpol Secretary General Valdecy Urquiza said. "The borderless nature of cybercrime means international police cooperation is essential, and the success of this operation supported by Interpol shows what results can be achieved when countries work together."

**About the Author**

Interpol Cyber-Fraud Action Nets More Than 5K Arrests

AWS Security Incident Response will help security teams defend their organizations from account takeovers, breaches, ransomware attacks, and other types of security threats.

Source: Leo Wolfert via Adobe Stock Photo

Amazon Web Services (AWS) has launched a new incident response service to help security teams respond to threats faster and reduce the time it takes for organizations to recover from attacks.

AWS Security Incident Response, unveiled ahead of the company's re:Invent 2024 conference in Las Vegas this week, relies on machine learning to automatically triage and analyze security signals from Amazon GuardDuty and other supported third-party threat detection tools available through the AWS Security Hub cloud security posture management service.

The new service will help security teams investigate incidents, coordinate responses across multiple stakeholders, manage permissions across environments, and document actions taken and decisions made. The automated triage feature filters security alerts based on customer-specific information to identify incidents that require immediate attention.

"Security teams often face an overwhelming number of daily alerts, leading to potential misplaced priorities of resources and reduced effectiveness," wrote Betty Zheng, senior developer advocate at AWS, in a blog post announcing AWS Security Incident Response. "Manual investigation of findings strains resources and may cause customers to overlook critical security alerts."

The service offers preconfigured notification rules and permission settings. It can also be configured to execute containment actions, leading to faster incident response times and potentially reduced impact of security incidents, Zheng wrote. The service will create security cases for alerts that cannot be automatically resolved. For high-priority threats, the service connects to the AWS Customer Incident Response Team (CIRT), which provides support 24 hours a day, seven days a week.

The service provides self-service investigation tools, as well as capabilities such as secure data transfer (to share logs and other forensics data), messaging and video conference scheduling (to communicate with key stakeholders and investigators), and automated case history tracking and reporting. Security teams can either handle incidents independently or collaborate with third-party security vendors, based on their needs and requirements.

Security teams can monitor, measure, and improve their incident response performance over time via a service dashboard that displays critical metrics, such as mean-time-to-resolution (MTTR), number of cases addressed within a specific time period, and number of triaged findings.

AWS Security Incident Response is now available in 12 AWS Regions globally: US East (N. Virginia, Ohio), US West (Oregon), Asia Pacific (Seoul, Singapore, Sydney, Tokyo), Canada (Central), and Europe (Frankfurt, Ireland, London, Stockholm). Interested organizations can enable it via the AWS management console and service-specific APIs. For the service to be able to monitor and analyze security alerts, administrators need to enable the proactive response feature to create service-level permissions. Once done, the alerts are automatically sorted and remediated using service automation and customer-specific data, including common IP addresses, AWS Identity and Access Management (IAM) principals, and other relevant attributes. 

"To experience the full service, we recommend activating Amazon GuardDuty and AWS Security Hub as well," AWS said in its post.

Source

DARKReading