Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

When you let go of that trapeze, you really want your teammates to be ready to catch you. Send us a cybersecurity-related caption to describe the above scene and our favorite will win its wordsmith a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the Nov. 27, 2024 deadline:

• Email \[email protected\] with the subject line "Edge November Toon."

• Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)

**Last Month's Winner**

Shout out — and a $25 Amazon gift card — to Joseph Ayella, a recurring winner, for sending us the winning caption for last month's "And For My Next Trick..." cartoon.

"I call this trick the woman-in-the-middle attack."

Some noteworthy contenders included: "All we could get was half a FTE for security assessments," "And with this SIEM solution, we could cut a half of our SOC analysts," and "I'm glad he's not the hacker." A big thank you to all who participated.

**About the Author**

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Edge Toon: Aerialist's Choice

Explore the features of the NAKIVO MSP backup solution. Choose the best MSP backup software to protect client…

Explore the features of the NAKIVO MSP backup solution. Choose the best MSP backup software to protect client data across multiple platforms efficiently. 

****The NAKIVO Backup Solution for MSPs: Data Protection for VMware, Microsoft 365, Proxmox and More** **

The growing demand for reliable data backup among individuals and organizations is simultaneously an opportunity and a challenge for managed service providers (MSPs). On one hand, finding the best MSP backup solution for multiple IT platforms can help expand the client base and increase revenue. On the other hand, the need to protect several environments can complicate management and impact the service quality.

MSPs need a comprehensive set of data protection functions with convenient management capabilities for multiple environments including VMware, Microsoft 365 and Proxmox. The NAKIVO backup solution for MSPs provides up-to-date functionality, extended compatibility, streamlined management, ultimate scalability, and flexible licensing.

****NAKIVO: The Best MSP Backup and Recovery Solution** **

The NAKIVO backup solution for MSP allows you to deliver robust data protection services, including backup-as-a-service (BaaS) and disaster-recovery-as-a-service (DraaS), for client infrastructures of any type, size and complexity. The features developed specifically for managed service providers enable seamless data protection and convenient management. Download the Free Trial and get 15 days to try the solution without feature or capacity limitations.

****MSP Backup and Recovery for VMware Environments****

NAKIVO backup solution for MSP enables you to provide efficient managed online backup services for VMware workloads. You can store backups of VMware VMs and data locally or send them offsite to Amazon S3, Wasabi, Azure Blob, Backblaze B2 or any other S3-compatible storage. NAS and tape destinations are also available.

The most noteworthy features are: 

*   Native integration with VMware’s Changed Block Tracking (CBT) for incremental backups.
*   Flash VM Boot – boot VMware virtual machines to original or custom hosts directly from backups for instant recovery.
*   Replication from backup – perform incremental replication from backups to offload production environments.
*   Real-Time ReplicationBETA – create exact copies of VMs and continuously update them to ensure near-instant RPOs.
*   Automated Failover – configure failover to replicas and launch presets once an incident occurs, achieving near-zero RTOs.
*   Physical-to-virtual recovery (P2V) – restore Windows and Linux machines as VMware vSphere VMs.
*   Cross-platform recovery – recover Hyper-V VMs as VMware workloads and vice versa. 

Use the NAKIVO Backup solution for MSPs to enable reliable backup and swift, flexible recovery of client VMware infrastructures, VMs and data items. 

****Microsoft 365 Data Protection: Backup as a Service for Office 365****

NAKIVO provides SaaS backup functionality to protect Microsoft 365 data. The solution enables: 

*   Backups of Microsoft 365 data, including Exchange Online, OneDrive for Business, SharePoint Online and Microsoft Teams.
*   Onsite Microsoft 365 backup storage for data availability and resilience to cyber threats.
*   Using Microsoft’s native change tracking technology for Exchange Online and Teams to accelerate backup workflows and optimize storage space usage.
*   Fast granular recovery – near-instant recovery of the required items without restoring an entire user account.
*   Retention flexibility – custom retention policies with recovery points rotated daily, weekly, monthly or yearly to store data for as long as you need

NAKIVO Backup solution for MSPs makes data protection in Microsoft 365 straightforward, ensuring SaaS data availability, business continuity and compliance for your clients.

****Proxmox Backup and Recovery: A New Frontier for MSPs****

With the latest update, NAKIVO’s backup as a service solution now supports agent-based backup and recovery for Proxmox VE. The available Proxmox data protection functionality includes the following: 

*   Fast, incremental and app-aware backups of Proxmox VMs.
*   Backup data tiering with multiple destinations including onsite, offsite, public cloud, NAS, deduplication appliances or tape storage.
*   Immutable storage, data encryption, role-based access control and two-factor authentication to protect Proxmox backup data from ransomware and unauthorized access.
*   Full VM recovery or granular recovery of individual files, folders and app objects to original or custom locations.

NAKIVO Backup for MSPs allows you to offer your clients several backups as a service benefit such as affordability and delegated administration combined with the free Proxmox hypervisor. This brings enhanced data availability and infrastructure resilience while maintaining the initial cost-efficiency of systems for clients.

****NAKIVO Backup Solution for MSPs: Versatility Across Environments****

With the NAKIVO solution, you can deliver managed backup as a service for physical, virtual, cloud, SaaS and hybrid environments, including:   

*   NAS
*   File shares
*   Proxmox VE
*   Nutanix AHV
*   Oracle RMAN
*   Microsoft Hyper-V
*   AWS EC2 instances
*   VMware vSphere and Cloud Director
*   Windows and Linux physical servers and workstations 

The wide range of supported environments allows you to easily and quickly cater to the unique needs of every client. With a single MSP backup solution to serve all clients, you can minimize management overhead, increase productivity and scale your business with ease. 

****Ransomware Protection and Advanced Security for MSPs****

Reliable solutions that offer backup and disaster recovery as a service should prioritize threat protection over prevention, enabling clients to restore data even in worst-case scenarios. The NAKIVO solution provides:

*   Immutable storage – enables immutability for local and cloud repositories to protect backup data from change or deletion by ransomware.
*   Malware scan – check your backups before recovery to ensure they don’t contain malware.
*   AES-256 encryption – enables encryption for backup data both during transfer and retention to prevent third-party access. 
*   Role-based access control (RBAC) – limit backup and recovery operations to specific users and ensure authorized access to data protection activities.
*   Direct Connect – connect to clients’ remote resources via a secure port channel without the need to establish and maintain a VPN.

With the NAKIVO backup solution for MSPs, you can ensure client data availability and recoverability when other cybersecurity measures fail. 

****Ease of Management and Automation for MSPs****

Streamlining management and workflow automation are key to efficient MSP backup and recovery. The solution from NAKIVO includes:

*   Multi-tenant mode – create isolated environments for up to 100 clients (tenants) with a single solution deployment.
*   Tenant resource allocation – flexibly allocate VMs, hosts, clusters, backup repositories and other resources in your infrastructure to tenants.
*   MSP Console – uses a unified and intuitive web interface to manage remote client environments from a single panel.
*   Self-service portal – allows clients to manage their own data protection activities.
*   Automation and scheduling – schedule custom backup and recovery workflows from the centralized panel to avoid overlaps and resource bottlenecks.
*   Policy-based data protection – set up policy rules to automatically back up or replicate machines that match the criteria you define.
*   Backup verification – receive verification reports or OS screenshots to verify that backups are recoverable. 
*   Site Recovery – create presets to automate and orchestrate complex disaster recovery sequences and restore entire environments in just a few clicks.
*   Non-disruptive DR testing – run disaster recovery tests by schedule or on demand without disrupting production networks.

Use the advanced management, automation and scheduling capabilities of the NAKIVO solution to adjust to every client’s needs. Ensure data security in the most dynamic and ramified environments.

****MSP Backup Pricing and Cost Efficiency****

NAKIVO offers convenient licensing for managed service providers. This means:

*   5 editions with different feature sets – pick the edition that suits your offering.
*   Perpetual or subscription-based license – choose the one that maximizes your profits.
*   Per-workload pricing – ensure there are no upfront fees or extra costs for unused capacity.
*   Monthly and annual subscription – pay monthly for added flexibility or annually for sizable discounts and additional savings.
*   24/7 vendor support – get in touch with NAKIVO experts whenever you need to guarantee service quality and meet SLAs. 
*   MSP Partner Program – receive certification, training and free marketing support from NAKIVO. 

You can leverage these benefits to increase your business efficiency and win more clients. Provide quality services at affordable costs to boost your revenue.

****Conclusion****

The NAKIVO solution enables efficient MSP backup and recovery for VMware, Microsoft 365, Proxmox VE and other platforms. Install the Free Trial to test the solution’s data protection management, recovery and cybersecurity capabilities in your environment. With NAKIVO, you can provide the best MSP backup solution, meet client needs, cut costs by up to 50%, increase productivity and grow your profit.  

1.  **How To Create a Complete GitHub Backup**
2.  **Recover Lost Data with Mac Data Recovery Software**
3.  **How to Recover Illustrator Files on Windows and Mac**
4.  **Microsoft Planner Backup – Restore: Guide to Data Protection**
5.  **Insights on Google Cloud Backup & Disaster Recovery Service**

NAKIVO Backup for MSP: Best Backup Solution for MSPs

The sophisticated Chinese cyberattacks of today rest on important groundwork laid during the pandemic and before.

Source: Cinematic via Alamy Stock Photo

Chinese threat actors are operating at a higher level today than ever before, thanks to years of trial-and-error-style attacks against mass numbers of edge devices.

Networking devices are a known favorite of China's advanced persistent threats (APT), and why wouldn't they be? Sitting on the outer banks of an enterprise network, they not only allow threat actors a way in, they also double as useful nodes for botnets. They offer opportunities for lateral movement, they often store sensitive data, and network defenders have a harder time seeing into and securing them than they do other kinds of network computers. 

Over time, Chinese APTs have been improving on their edge attack capabilities. Since 2018, Sophos has traced a distinct evolution in tactics: from naive, low-level attacks came more sophisticated campaigns against massive numbers of devices, followed by a period of more targeted attacks against specific organizations.

**The First Salvo in a Long Cyber War**

On Dec. 4, 2018, Sophos analysts discovered a suspicious device running network scans against Cyberoam, a Sophos subsidiary based in India. In some ways the attack was run of the mill, using commodity malware and common living-off-the-land (LotL) tactics.

Other evidence, though, suggested that this was something different. For example, the attacker utilized a novel technique to pivot from on-premises devices to the cloud, via an overly permissive identity and access management (IAM) configuration to the Amazon Web Services Systems Manager (AWS SM).

Related:Dark Reading News Desk Live From Black Hat USA 2024

"AWS SM was quite a new technology, and it was quite a subtle misconfiguration," Sophos chief information security officer (CISO) Ross McKerchar recalls. "That was one of the first indicators that we were up against an interesting adversary." 

Later, the attackers deployed a novel rootkit called Cloud Snooper. Cloud Snooper was so stealthy that two third-party consultancies missed it in their analysis, before Sophos eventually picked up on its presence.

The goal of the attack, it seemed, was to collect information useful for future attacks against edge devices. It was a harbinger of what was to come.

**A Five-Year Evolution in Chinese TTPs**

Chinese cyber threats blossomed from roughly 2020 to 2022, as attackers focused on identifying and breaching edge devices en masse.

It worked thanks to the large quantity of devices in the wild that have Internet-facing portals. Typically, these interfaces are designed for internal use. With COVID-19, though, more and more companies were allowing employees to connect from the open Web. This provided a window for hackers with the right kind of credentials or vulnerabilities to get in.

Related:The Overlooked Importance of Identifying Riskiest Users

It helped, too, that around that same time — July 2021 — China's Cyberspace Administration passed the Regulations on the Management of Network Product Security Vulnerability Information rules. These mandates forced cybersecurity researchers to report vulnerabilities to the country's Ministry of Industry and Information Technology (MIIT) before disclosing to any other parties. "It was designed to co-opt the whole country — private citizens included — into being assets for PRC objectives," McKerchar says. Sophos argues with medium confidence that two notable campaigns during this period were facilitated by vulnerabilities responsibly disclosed by researchers at universities in the Chinese city of Chengdu.

Chinese APTs weren't only interested in using compromised devices to attack the companies from whence they came. With varying degrees of success, they would often try to incorporate the devices into broader operational relay box networks (ORBs). These ORBs, in turn, offered higher-level threat actors more sophisticated infrastructure from which to launch more advanced attacks and hide any trace of their origin.

Related:FBI, Partners Disrupt RedLine, Meta Stealer Operations

**What's Happening Now**

After this noisy period, around the middle of 2022, Chinese APTs shifted yet again. Ever since, they've been focused on much more deliberate and targeted attacks against organizations of high value: government agencies, military contractors, research and development firms, critical infrastructure providers, and the like.

These attacks follow no single pattern, involving known and zero-day vulnerabilities, userl and and UEFI bootkits, and whatever other elements pair with active, hands-on-keyboard-type attacks. They almost certainly wouldn't be as sophisticated as they are, though, without all of the years of trial and error that occurred before. Evidence to that is just how effective these threat actors are at overcoming cybersecurity defenses. In recent years, they've demonstrated an ability to sabotage hotfixes for vulnerable devices, and block evidence of their activity from reaching Sophos analysts.

"There's a clear arc of moving to stealthier and stealthier persistence in the activity that we've uncovered," McKerchar says.

He explains how "the first malware, whilst it was bespoke for our devices, it wasn't really trying to hide. They were just banking on nobody looking. In the second wave of attacks they learned a bunch of lessons, remarkably quickly. The malware wasn't explicitly trying to hide, it was just smaller, and naturally able to blend in a bit more. Then after that, they started kind of pulling out more interesting tactics: Trojan class files, memory-resident malware, rootkits, bootkits."

He concludes, "It'd be hard to speculate on what's next, except \[that\] they're going to be improving again."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Chinese APTs Cash In on Years of Edge Device Attacks

Cybersecurity researchers have flagged a "massive" campaign that targets exposed Git configurations to siphon credentials, clone private repositories, and even extract cloud credentials from the source code.
The activity, codenamed EMERALDWHALE, is estimated to have collected over 10,000 private repositories and stored in an Amazon S3 storage bucket belonging to a prior victim. The bucket,

Vulnerability / Cloud Security

Cybersecurity researchers have flagged a "massive" campaign that targets exposed Git configurations to siphon credentials, clone private repositories, and even extract cloud credentials from the source code.

The activity, codenamed **EMERALDWHALE**, is estimated to have collected over 10,000 private repositories and stored in an Amazon S3 storage bucket belonging to a prior victim. The bucket, consisting of no less than 15,000 stolen credentials, has since been taken down by Amazon.

"The stolen credentials belong to Cloud Service Providers (CSPs), Email providers, and other services," Sysdig said in a report. "Phishing and spam seem to be the primary goal of stealing the credentials."

The multi-faceted criminal operation, while not sophisticated, has been found to leverage an arsenal of private tools to steal credentials as well as scrape Git config files, Laravel .env files, and raw web data. It has not been attributed to any known threat actor or group.

Targeting servers with exposed Git repository configuration files using broad IP address ranges, the toolset adopted by EMERALDWHALE allows for the discovery of relevant hosts and credential extraction and validation.

These stolen tokens are subsequently used to clone public and private repositories and grab more credentials embedded in the source code. The captured information is finally uploaded to the S3 bucket.

Two prominent programs the threat actor uses to realize its goals are MZR V2 and Seyzo-v2, which are sold on underground marketplaces and are capable of accepting a list of IP addresses as inputs for scanning and exploitation of exposed Git repositories.

These lists are typically compiled using legitimate search engines like Google Dorks and Shodan and scanning utilities such as MASSCAN.

What's more, Sysdig's analysis found that a list comprising more than 67,000 URLs with the path "/.git/config" exposed is being offered for sale via Telegram for $100, signaling that there exists a market for Git configuration files.

"EMERALDWHALE, in addition to targeting Git configuration files, also targeted exposed Laravel environment files," Sysdig researcher Miguel Hernández said. "The .env files contain a wealth of credentials, including cloud service providers and databases."

"The underground market for credentials is booming, especially for cloud services. This attack shows that secret management alone is not enough to secure an environment."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Massive Git Config Breach Exposes 15,000 Credentials; 10,000 Private Repos Cloned

The Russian-backed group is using a novel access vector to harvest victim data and compromise devices in a large-scale intelligence-gathering operation.

Source: Funtap via Shutterstock

"Midnight Blizzard," a threat group linked to Russia's foreign intelligence service, is stoking more concern than usual for both its sheer scope and its use of a new tactic for harvesting information and gaining control of victim systems.

Microsoft this week said its threat intelligence group observed Midnight Blizzard actors sending out thousands of spear-phishing emails to targeted individuals at more than 100 organizations worldwide since Oct. 22.

**Large-Scale Campaign**

Besides its wide scope, the campaign is noteworthy for Midnight Blizzard's use of a digitally signed Remote Desktop Protocol (RDP) configuration file in its spear-phishing emails. The RDP file connects to a server controlled by a threat actor; when the file is opened, it allows the attacker to harvest user credentials and detailed system information to aid further exploit activity.

"The emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services (AWS), and the concept of zero trust," Microsoft said on its threat intelligence group blog this week. "Microsoft has observed this campaign targeting governmental agencies, higher education, defense, and non-governmental organizations in dozens of countries, but particularly in the UK, Europe, Australia, and Japan."

Midnight Blizzard — aka Cozy Bear, APT29, and UNC2452 — has been the proverbial thorn in the side of security organizations for some years now. The group's many victims include SolarWinds, Microsoft, HPE, multiple US federal government agencies, and diplomatic entities worldwide. Its well-documented tactics, techniques, and procedures (TTPs) include using spear phishing, stolen credentials, and supply chain attacks for initial access. Midnight Blizzard actors have also targeted vulnerabilities in widely used networking and collaboration technologies such as those from Fortinet, Pulse Secure, Citrix, and Zimbra to gain an initial toehold on a target network.

**Bidirectional Connection**

The RDP file in the Microsoft, AWS, and zero-trust themed emails in Midnight Blizzard's latest campaign allows the attacker to establish a quick, bidirectional connection with a compromised device. The threat actor is using it to harvest a range of information including user credentials, files, and directories on the victim system and connected network drives; information from connected smart cards and other peripherals; Web authentication credentials; and clipboard data. The RDF file is signed with a LetsEncrypt certificate to lend it an air of legitimacy. "This access could enable the threat actor to install malware on the target's local drive(s) and mapped network share(s), particularly in AutoStart folders, or install additional tools such as remote access Trojans (RATs) to maintain access when the RDP session is closed," Microsoft cautioned.

Stephen Kowski, field CTO at SlashNext, says Midnight Blizzard's use of signed RDP files in its current campaign is significant. Signed RDP files can bypass traditional security controls since they appear to come from a legitimate source, he points out.

"This technique is particularly cunning because RDP files are commonly used in business environments, making them less likely to raise immediate suspicion, while the legitimate signature helps evade standard malware detection systems," he says. He advocates that organizations scan all email attachments in real time, with a particular focus on RDP files and other seemingly legitimate Microsoft-related content. "The use of legitimately signed files creates a significant blind spot for conventional security tools that rely heavily on signature-based detection or reputation scoring," Kowski advises.

**Mitigating the Threat**

Microsoft has released a list of indicators of compromise for the new Midnight Blizzard campaign, including email sender domains, RDP files, and RDP remote computer domains. It has recommended that security teams review their organizational email security settings and antivirus and anti-phishing measures; turn on Safe Links and Safe Attachments settings in Office 365; and enable measures for quarantining sent email if needed. Other recommendations include using firewalls to block RDP connections, implementing multifactor authentication, and strengthening endpoint security configurations.

Venky Raju, field CTO at ColorTokens, says the campaign is a reminder why organizations need to maintain a tight rein over the use of Microsoft's remote desktop. While it can be useful to share devices, folders, and clipboard content over an RDP session, it gives attackers a way into a user's device. "Signing the RDP configuration file may prevent email security systems from classifying the email as having a suspicious link or attachment. It may also reduce the warnings presented by the RDP client," he points out.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'Midnight Blizzard' Targets Networks With Signed RDP Files

A malvertising campaign is exploiting Meta’s platform to spread SYS01 infostealer, targeting men 45+ via fake ads for…

A malvertising campaign is exploiting Meta’s platform to spread SYS01 infostealer, targeting men 45+ via fake ads for popular software. The malware steals Facebook credentials, hijacks accounts espicially those administrating business pages, and spreads further attacks globally.

A new malvertising campaign is exploiting Meta’s advertising platform to spread the **SYS01 infostealer**, a cybersecurity threat known to Meta and particularly Facebook users for stealing their personal information.

What makes this attack targeted is that millions of users globally, specifically men aged 45 and above, are potential victims of this ongoing attack, which cleverly disguises itself as advertisements for popular software, games, and online services.

This campaign, first detected in September 2024, stands out due to its impersonation tactics and popular brands that it exploits. Instead of focusing on a single lure, the attackers mimic a broad range of trusted brands, including productivity tools like Office 365, creative software like Canva and Adobe Photoshop, VPN services like ExpressVPN, streaming platforms like Netflix, messaging apps like Telegram, and even popular video games like Super Mario Bros Wonder.

****How the Attack Works:****

According to Bitdefender’s **blog post** shared with Hackread.com ahead of publishing on Wednesday, the malicious ads often lead to MediaFire links offering direct downloads of seemingly legitimate software. These downloads, packaged as zip archives, contain a malicious Electron application.

Once executed, this application drops and **runs the SYS01 infostealer**, often while displaying a decoy app that mimics the advertised software. This deceptive tactic makes it difficult for victims to realize they’ve been compromised.

For your information, an Electron application is a type of desktop app built with web technologies like HTML, CSS, and JavaScript. Electron is an open-source framework developed by GitHub that allows developers to create cross-platform applications that run on Windows, macOS, and Linux, all from a single codebase.

In this attack however, behind the scenes, the Electron app uses obfuscated Javascript code and a standalone 7zip executable to extract a password-protected archive containing the core malware components. This archive includes PHP scripts responsible for **installing the infostealer** and establishing persistence on the victim’s system. The malware also incorporates anti-sandbox checks to evade detection by security researchers.

****Stealing Data and Hijacking Accounts:****

The primary goal of the SYS01 infostealer is to harvest Facebook credentials, particularly those associated with business accounts. These compromised accounts are then used to further attacks/scams.

What’s worse, the attack also leverages the advertising capabilities of hijacked accounts, allowing attackers to create **new malicious ads** that appear more legitimate and easily bypass security filters. This creates a self-sustaining cycle where stolen accounts are used to spread the malware even further. The stolen credentials are also likely sold on underground marketplaces, further enriching the criminals.

Fake Netflix, Super Mario Bros. Wonder, and other malicious ads are currently being used in the campaign (Via Bitdefender)

****Global Reach and Protection****

While the campaign has a global reach, impacting users in the EU, North America, Australia, and Asia, Bitdefender could not verify the full extent of its impact, especially outside the EU, which remains unclear due to limited data transparency.

Nevertheless, if you are on Facebook—especially if you run a business page—you must watch out for SYS01 Infostealer and **similar threats**. While using common sense is essential, here are some vital steps you should take:

1.  **Monitor your accounts:** Regularly check your Facebook and other social media accounts for suspicious activity. Report any unauthorized access immediately and change your passwords.
2.  **Be wary of ads:** Exercise caution when clicking on ads, especially those offering free downloads or deals that seem too good to be true. Verify the source before downloading any software.
3.  **Stick to official sources:** Download software directly from official websites or trusted app stores. Avoid third-party platforms and file-sharing services.
4.  **Use strong security software:** Install reputable security software and keep it updated. Choose a solution that offers real-time protection and advanced threat detection.
5.  **Enable two-factor authentication (2FA):** Activate 2FA on your Facebook and other important online accounts for added security.

1.  **Fake GTA VI Beta Download Spreads Malware**
2.  **ALPHV Ransomware Uses Google Ads to Target Victims**
3.  **Fake WhatsApp clone steals crypto on Android and Windows**
4.  **Facebook, Meta, Apple, Amazon Most Impersonated in Scams**
5.  **Fake ChatGPT and Facebook Ads Used in DNS Investment Scam**

Fake Meta Ads Hijacking Facebook Accounts to Spread SYS01 Infostealer

PRESS RELEASE

LONDON, Oct. 28, 2024 /PRNewswire/ -- VIPRE Security Group, a global leader and award-winning cybersecurity, privacy, and data protection company, has released its Q3 2024 Email Threat Trends Report, shedding light on the evolving cybersecurity landscape. This comprehensive analysis of real-world data reveals the sophisticated strategies and techniques employed by cybercriminals, with a particular persistent focus on the highly lucrative tactic of business email compromise (BEC). VIPRE processed 1.8 billion emails globally, of which 208 million were malicious.

BEC impersonation weaponisation  

In this third quarter of 2024, cybercriminals intensified their efforts to exploit organisational vulnerabilities through employee deception. BEC scams surged, accounting for 58% of phishing attempts. Notably, 89% of these BEC attacks involved impersonation of authority figures, including CEOs, senior executives, and IT staff, underscoring the sophisticated tactics employed by malicious actors.

BEC aims for the manufacturing sector 

The manufacturing sector saw a significant rise in BEC attacks, potentially driven by financial fraud. These incidents increased from just 2% in Q1 to 10% in Q3 this year. This rise may be attributed to the industry's widespread use of mobile sign-ins at various worksites. Employees accessing systems "on the go", often under pressure to meet production deadlines, are more susceptible to phishing attempts.

Subtler tactics are a larger threat

Email threats in Q3 were dominated by scams (34%), commercial spam (30%), and phishing (20%). These email threats overshadowed ransomware and malware combined, which comprised less than 20% of all email attacks. Interestingly, despite their lower prevalence, ransomware and malware continue to receive disproportionate attention from the cybersecurity industry.

Sneakier attachments 

To counter advancing email security solutions, criminals are deploying increasingly more intricate methods to bypass defenses. Attackers are employing sneakier techniques such as disguising malicious attachments as voicemail recordings or critical security updates to lure unsuspecting users into downloading them.

Additionally, Microsoft PDFs and .DOCX files remain the most common forms of malicious attachments. In Q3 2024, 2.18 million emails were detected containing harmful attachments, marking a 30% increase from the previous quarter's 21% attachment-based attacks.

Phishing links and compromised websites

Cybercriminals continue to favour the URL redirection technique, a tactic that typically proves effective at evading security controls. This deceptive ploy utilises a "clean" URL within the body of the email, which then redirects unsuspecting users to a malicious one once inside. In Q3 2024, URL redirection accounted for 52% of such attacks, leading victims to meticulously crafted fraudulent websites designed to appear authentic, and gain trust.

Malspam pendulum swing from malicious links to attachments

When it comes to malspam, there is a pendulum swing from a preference for malicious links to attachments. During Q3, malspam efforts were centered on malicious attachments (64%), while only 36% employed a link. The attachment formats used were predominantly LNK, ZIP, and DOCX. Only a quarter ago, links were the tool of choice by a factor of nearly nine-to-one (86% links to 14%).

The 'Malware Family of the Quarter' goes to Redline

Redline is the top malspam family of Q3 2024, a spot it has maintained since the corresponding quarter in 2023. RedLine is designed to steal sensitive information from web browsers, such as credentials and payment data. Typically distributed via phishing emails or malicious websites, it sends stolen data to a command-and-control server controlled by the attacker. It can completely take over a compromised machine and uses multiple infiltration methods.

"The findings of this report yet again illustrate the sophistication of criminal tactics. BEC email and phishing attacks are becoming more targeted and convincing," Usman Choudhary, CPTO, VIPRE Security Group, says. "Additionally, malware distribution through malicious spam campaigns continues to pose a serious threat to organisations. These findings stress the critical need for robust cybersecurity measures and ongoing employee education to combat these evolving threats, especially as bad actors gear up for the upcoming holiday season – Black Friday, Thanksgiving, Christmas, and New Year."

To read the full report, click here: VIPRE's Email Threat Trends Report: Q3 2024. 

VIPRE leverages its vast understanding of email security to equip businesses with the information they need to protect themselves. This report is based on proprietary intelligence gleaned from round-the-clock vigilance of the cybersecurity landscape.

About VIPRE Security Group

VIPRE Security Group, part of Ziff Davis, Inc., is a leading provider of internet security solutions purpose-built to protect businesses, solution providers, and home users from costly and malicious cyber threats. With over 25 years of industry expertise, VIPRE is one of the world's largest threat intelligence clouds, delivering exceptional protection against today's most aggressive online threats. Our award-winning software portfolio includes next-generation antivirus endpoint cloud solutions, advanced email security products, along with threat intelligence for real-time malware analysis, and security awareness training for compliance and risk management. VIPRE solutions deliver easy-to-use, comprehensive layered defense through cloud-based and server security, with mobile interfaces that enable instant threat response. VIPRE is a proud Advanced Technology Partner of Amazon Web Services operating globally across North America and Europe.

Business Email Compromise (BEC) Impersonation: The Weapon of Choice of Cybercriminals

Russian state-sponsored hackers Cozy Bear are targeting over 100 organizations globally with a new phishing campaign. This sophisticated…

Russian state-sponsored hackers Cozy Bear are targeting over 100 organizations globally with a new phishing campaign. This sophisticated attack uses signed RDP files disguised as legitimate documents to gain remote access and steal sensitive data. Learn how to protect yourself and your organization from this threat.

Microsoft has revealed that the Russian state-sponsored threat actor Cozy Bear (or APT29, UNC2452, and Midnight Blizzard) has launched a new phishing campaign targeting over 100 organizations worldwide, especially Ukraine, the United States and Europe.

The campaign, active since October 22, 2024, involves highly targeted emails designed to trick users into opening malicious files, ultimately granting the attackers access to sensitive information.

The attackers are mainly focusing on organizations in critical sectors such as government, defence, academia, and non-governmental organizations. This aligns with Cozy Bear’s previous pattern of targeting entities holding valuable intelligence.

****What’s new this time?****

Cozy Bear is using a never-before-seen approach involving signed Remote Desktop Protocol (RDP) configuration files. These apparently harmless files are sent as attachments in phishing emails, often disguised with lures related to Microsoft, Amazon Web Services (AWS), and the concept of Zero Trust. The emails are composed with sophistication, even impersonating Microsoft employees to enhance their credibility.

****How does it work?****

According to Microsoft’s blog post shared with Hackread.com ahead of publishing, when a user opens the malicious RDP file, a connection is established to a server controlled by Cozy Bear.

This connection grants the attackers access to a wide range of resources on the victim’s device, including files, connected peripherals, clipboard data, and even authentication features. This access can be exploited to install malware, steal sensitive data, and maintain persistent access even after the RDP session is closed.

****What’s at risk?****

The potential consequences of a successful attack are significant. Cozy Bear could gain access to confidential government information, intellectual property, and sensitive data belonging to various organizations. The compromised devices could also be used as launchpads for further attacks, potentially spreading the infection to other connected systems.

Patrick Harr, CEO of Pleasanton, Calif.-based SlashNext Email Security+, commented on the recent developments, warning organizations about the increasing sophistication of phishing attacks.

_“_This attack once again highlights that phishing continues to be the most dangerous threat to your organization which is why companies must not only continuously train their users, they must also employ AI detection and phishing sandboxes for malicious links and files directly in their email, collaboration and messaging apps,_“_ Patrick advised.

_“_These new sophisticated attacks, many of them AI-generated, evade current secure email gateways (SEGs) and even Microsoft Defender for Office. The only way organizations can defend themselves is by using AI to prevent these attacks before successful breaches._“_

Microsoft, along with CERT-UA and Amazon, has confirmed the ongoing campaign and is working to notify affected customers. Cybersecurity experts urge organizations and individuals to be alert, especially when dealing with emails containing attachments or requests for remote access.

Additionally, enabling multi-factor authentication, using phishing-resistant authentication methods, and educating users about these phishing techniques are important steps in mitigating this attack.

1.  TeamViewer Confirms Breach by Midnight Blizzard
2.  Midnight Blizzard Hacked UK Home Office via Microsoft
3.  Midnight Blizzard Hackers Hit MS Teams in Precision Attack
4.  Iranian Hackers Hit Microsoft 365 Users with MFA Push Bombing
5.  Russian Malware Attack Hits Ukrainian Military Recruits via Telegram

Russian Cozy Bear Hackers Phish Critical Sectors with Microsoft, AWS Lures

Find the best VPN for streaming with essential features like high-speed servers, strong encryption, streaming optimization, and broad…

Find the best VPN for streaming with essential features like high-speed servers, strong encryption, streaming optimization, and broad device compatibility. Enjoy seamless access to geo-restricted content securely.

Some geo-restricted content can only be unlocked and streamed using a Virtual Private Network (VPN). A VPN for streaming services allows you to watch content seamlessly while protecting your online identity.

With so many VPNs available, not all perform equally, making it challenging to find the best VPNs without interruptions. In this article, we’ll break down essential features to consider when selecting the top VPNs for streaming.

**Server Locations and Coverage**

An important feature in a streaming VPN is server locations and coverage, which determine the content you can access. Choose a VPN with a wide range of high-speed servers to prevent connectivity issues. A strong network spread across multiple countries will allow access to geo-restricted content. Look for VPN providers that frequently update servers, as this indicates a commitment to maintaining quality.

**Speed and Bandwidth**

To support HD streaming, ensure your VPN offers speeds of at least 100 Mbps, with no bandwidth limits or throttling. A VPN optimized for streaming should minimize buffering and reduce latency for smoother content loading.

****Encryption and Security****

When choosing a VPN for streaming, prioritize strong encryption and security. Look for AES-256 encryption or higher, and support for OpenVPN, IKEv2, and WireGuard protocols. The VPN should also include DNS leak protection to keep your IP address secure. If the VPN connection drops, an automatic internet disconnect feature ensures data remains private. These protections ensure that your data will not be exposed to third parties.

****Streaming Optimization****

Streaming optimization is key. The VPN should be optimized for high-speed, low-latency streaming, with custom protocols tailored to this purpose. Look for features that automatically select the best server for streaming, reducing buffering and enhancing speed.

****Device Compatibility****

Your VPN should support all the devices you plan to connect, including Windows, macOS, iOS, Android, and Linux. Look for compatibility with smart TVs (such as Samsung TV, Android TV, and Apple TV) and gaming consoles (PlayStation, Xbox, Nintendo Switch). It should also work with popular streaming platforms like Roku, Chromecast, and Amazon Fire TV. Browser extensions for Chrome, Firefox, and Safari add versatility, making it easier to stream across multiple devices.

****Simultaneous Connections****

Choose a VPN that supports at least five simultaneous connections. This feature lets you connect multiple devices without altering individual settings, which is convenient for families or business use. Check the VPN documentation for setup guides and confirm compatibility with less common devices like Linux and Chromebook. Additionally, look for split tunneling to configure specific device connections.

****Customer Support****

Reliable customer support is essential when using a VPN for streaming. Quick access to assistance for any issues or questions is critical. Look for providers that offer guides, FAQs, and tutorials for self-help, and a prompt email response time (ideally within 3 hours). Social media support is a plus. Effective customer support indicates a provider’s commitment to user satisfaction and technical support.

****Pricing and Payment Options****

Consider affordability and payment flexibility. Some VPNs offer discounts for long-term plans, free trials, money-back guarantees, and even cryptocurrency options. Make sure you’re getting value for your investment and review refund policies carefully. Look out for hidden fees or sudden price hikes, and ensure pricing transparency before subscribing.

****Logging Policy****

Opt for a VPN with a strict no-logs policy. It should avoid storing IP addresses, tracking online activities, or saving connection metadata. This policy helps ensure your privacy, reduces data breach risks, and underscores the VPN’s commitment to protecting client data.

****Compatibility with Popular Streaming Services****

Ensure the VPN is compatible with major streaming platforms you want to access, such as Netflix, Disney+, Hulu, Amazon Prime Video, HBO Max, and BBC iPlayer. Compatibility with these services ensures a smooth streaming experience and value for your subscription.

****Conclusion****

When selecting a VPN for streaming, consider these key features to make an informed choice. Look for speed, encryption, extensive server locations, streaming optimization, and privacy protections. Ensure the VPN provider doesn’t store user data and that its pricing, support, and device compatibility meet your expectations. Taking these steps will give you the best streaming experience while maintaining your online privacy.

1.  **Everything you need to know about VPN tracking**
2.  **Almost Every Major Free VPN Service is a Glorified Data Farm**
3.  **Surfshark VPN Data Breach Awareness with See-Through Toilet**
4.  **ASUS and NordVPN Partner to Integrate VPN Service into Routers**
5.  **Google Launches Verification Badges for Security Tested VPN Apps**

Top VPN Features to Consider When Choosing the Right Streaming Service

Cybersecurity news can sometimes feel like a never-ending horror movie, can't it? Just when you think the villains are locked up, a new threat emerges from the shadows.
This week is no exception, with tales of exploited flaws, international espionage, and AI shenanigans that could make your head spin. But don't worry, we're here to break it all down in plain English and arm you with the

Cyber Security / Hacking News

Cybersecurity news can sometimes feel like a never-ending horror movie, can't it? Just when you think the villains are locked up, a new threat emerges from the shadows.

This week is no exception, with tales of exploited flaws, international espionage, and AI shenanigans that could make your head spin. But don't worry, we're here to break it all down in plain English and arm you with the knowledge you need to stay safe.

So grab your popcorn (and maybe a firewall), and let's dive into the latest cybersecurity drama!

**⚡ Threat of the Week**

**Critical Fortinet Flaw Comes Under Exploitation:** Fortinet revealed that a critical security flaw impacting FortiManager (CVE-2024-47575, CVSS score: 9.8), which allows for unauthenticated remote code execution, has come under active exploitation in the wild. Exactly who is behind it is currently not known. Google-owned Mandiant is tracking the activity under the name UNC5820.

 **🚢🔐 Kubernetes Security for Dummies**

How to implement a container security solution and **Kubernetes Security best practices** all rolled into one. This guide includes everything essential to know about building a strong security foundation and running a well-protected operating system.

Get the Guide**️🔥 Trending CVEs**

CVE-2024-41992, CVE-2024-20481, CVE-2024-20412, CVE-2024-20424, CVE-2024-20329, CVE-2024-38094, CVE-2024-8260, CVE-2024-38812, CVE-2024-9537, CVE-2024-48904

**🔔 Top News**

*   **Severe Cryptographic Flaws in 5 Cloud Storage Providers:** Cybersecurity researchers have discovered severe cryptographic issues in end-to-end encrypted (E2EE) cloud storage platforms Sync, pCloud, Icedrive, Seafile, and Tresorit that could be exploited to inject files, tamper with file data, and even gain direct access to plaintext. The attacks, however, hinge on an attacker gaining access to a server in order to pull them off.
*   **Lazarus Exploits Chrome Flaw:** The North Korean threat actor known as Lazarus Group has been attributed to the zero-day exploitation of a now-patched security flaw in Google Chrome (CVE-2024-4947) to seize control of infected devices. The vulnerability was addressed by Google in mid-May 2024. The campaign, which is said to have commenced in February 2024, involved tricking users into visiting a website advertising a multiplayer online battle arena (MOBA) tank game, but incorporated malicious JavaScript to trigger the exploit and grant attackers remote access to the machines. The website was also used to deliver a fully-functional game, but packed in code to deliver additional payloads. In May 2024, Microsoft attributed the activity to a cluster it tracks as Moonstone Sleet.
*   **AWS Cloud Development Kit (CDK) Account Takeover Flaw Fixed:** A now-patched security flaw impacting Amazon Web Services (AWS) Cloud Development Kit (CDK) could have allowed an attacker to gain administrative access to a target AWS account, resulting in a full account takeover. Following responsible disclosure on June 27, 2024, the issue was addressed by Amazon in CDK version 2.149.0 released in July 2024.
*   **SEC Fines 4 Companies for Misleading SolarWinds Disclosures:** The U.S. Securities and Exchange Commission (SEC) charged four public companies, Avaya, Check Point, Mimecast, and Unisys, for making "materially misleading disclosures" related to the large-scale cyber attack that stemmed from the hack of SolarWinds in 2020. The federal agency accused the companies of downplaying the severity of the breach in their public statements.
*   **4 REvil Members Sentenced in Russia:** Four members of the now-defunct REvil ransomware operation, Artem Zaets, Alexei Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov, have been sentenced to several years in prison in Russia. They were originally arrested in January 2022 following a law enforcement operation by Russian authorities.

**📰 Around the Cyber World**

*   **Delta Air Lines Sues CrowdStrike for July Outage:** Delta Air Lines filed a lawsuit against CrowdStrike in the U.S. state of Georgia, accusing the cybersecurity vendor of breach of contract and negligence after a major outage in July caused 7,000 flight cancellations, disrupted travel plans of 1.3 million customers, and cost the carrier over $500 million. "CrowdStrike caused a global catastrophe because it cut corners, took shortcuts, and circumvented the very testing and certification processes it advertised, for its own benefit and profit," it said. "If CrowdStrike had tested the Faulty Update on even one computer before deployment, the computer would have crashed." CrowdStrike said "Delta's claims are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure."
*   **Meta Announces Secure Way to Store WhatsApp Contacts:** Meta has announced a new encrypted storage system for WhatsApp contacts called Identity Proof Linked Storage (IPLS), allowing users to create and save contacts along with their usernames directly within the messaging platform by leveraging key transparency and hardware security module (HSM). Until now, WhatsApp relied on a phone's contact book for syncing purposes. NCC Group, which carried out a security assessment of the new framework and uncovered 13 issues, said IPLS "aims to store a WhatsApp user's in-app contacts on WhatsApp servers in a privacy-friendly way" and that "WhatsApp servers do not have visibility into the content of a user's contact metadata." All the identified shortcomings have been fully fixed as of September 2024.
*   **CISA, FBI Investigating Salt Typhoon Attacks:** The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said the U.S. government is investigating "the unauthorized access to commercial telecommunications infrastructure" by threat actors linked to China. The development comes amid reports that the Salt Typhoon hacking group broke into the networks of AT&T, Verizon, and Lumen. The affected companies have been notified after the "malicious activity" was identified, CISA said. The breadth of the campaign and the nature of information compromised, if any, is unclear. Multiple reports from The New York Times, The Wall Street Journal, Reuters, Associated Press, and CBS News have claimed that Salt Typhoon used their access to telecommunications giants to tap into phones or networks used by Democratic and Republican presidential campaigns.
*   **Fraudulent IT Worker Scheme Becomes a Bigger Problem:** While North Korea has been in the news recently for its attempts to gain employment at Western companies, and even demanding ransom in some cases, a new report from identity security company HYPR shows that the employee fraud scheme isn't just limited to the country. The company said it recently offered a contract to a software engineer claiming to be from Eastern Europe. But subsequent onboarding and video verification process raised a number of red flags about their true identity and location, prompting the unnamed individual to pursue another opportunity. There is currently no evidence tying the fraudulent hire to North Korea, and it's not clear what they were after. "Implement a multi-factor verification process to tie real world identity to the digital identity during the provisioning process," HYPR said. "Video-based verification is a critical identity control, and not just at onboarding."
*   **Novel Attacks on AI Tools:** Researchers have uncovered a way to manipulate digital watermarks generated by AWS Bedrock Titan Image Generator, making it possible for threat actors to not only apply watermarks to any image, but also remove watermarks from images generated by the tool. The issue has been patched by AWS as of September 13, 2024. The development follows the discovery of prompt injection flaws in Google Gemini for Workspace, allowing the AI assistant to produce misleading or unintended responses, and even distribute malicious documents and emails to target accounts when users ask for content related to their email messages or document summaries. New research has also found a form of LLM hijacking attack wherein threat actors are capitalizing on exposed AWS credentials to interact with large language models (LLMs) available on Bedrock, in one instance using them to fuel a Sexual Roleplaying chat application that jailbreaks the AI model to "accept and respond with content that would normally be blocked" by it. Earlier this year, Sysdig detailed a similar campaign called LLMjacking that employs stolen cloud credentials to target LLM services with the goal of selling the access to other threat actors. But in an interesting twist, attackers are now also attempting to use the stolen cloud credentials to enable the models, instead of just abusing those that were already available.

**🔥 Resources & Insights****🎥 Infosec Expert Webinar**

**Master Data Security in the Cloud with DSPM**: Struggling to keep up with data security in the cloud? Don't let your sensitive data become a liability. Join our webinar and learn how Global-e, a leading e-commerce enabler, dramatically improved their data security posture with DSPM. CISO Benny Bloch reveals their journey, including the challenges, mistakes, and critical lessons learned. Get actionable insights on implementing DSPM, reducing risk, and optimizing cloud costs. Register now and gain a competitive edge in today's data-driven world.

**🛡️Ask the Expert**

**Q:** What is the most overlooked vulnerability in enterprise systems that attackers tend to exploit?

**A:** The most overlooked vulnerabilities in enterprise systems often lie in IAM misconfigurations like over-permissioned accounts, lax API security, unmanaged shadow IT, and poorly secured cloud federations. Tools like Azure PIM or SailPoint help enforce least privilege by managing access reviews, while Kong or Auth0 secure APIs through token rotation and WAF monitoring. Shadow IT risks can be reduced with Cisco Umbrella for app discovery, and Netskope CASB for enforcing access control. To secure federations, use Prisma Cloud or Orca to scan settings and tighten configurations, while Cisco Duo enables adaptive MFA for stronger authentication. Finally, safeguard service accounts with automated credential management through HashiCorp Vault or AWS Secrets Manager, ensuring secure, just-in-time access.

**🔒 Tip of the Week**

**Level Up Your DNS Security:** While most people focus on securing their devices and networks, the Domain Name System (DNS)—which translates human-readable domain names (like example.com) into machine-readable IP addresses—is often overlooked. Imagine the internet as a vast library and DNS as its card catalog; to find the book (website) you want, you need the right card (address). But if someone tampered with the catalog, you could be misled to fake websites to steal your information. To enhance DNS security, use a privacy-focused resolver that doesn't track your searches (a private catalog), block malicious sites using a "hosts" file (rip out the cards for dangerous books), and employ a browser extension with DNS filtering (hire a librarian to keep an eye out). Additionally, enable DNSSEC to verify the authenticity of DNS records (verify the card's authenticity) and encrypt your DNS requests using DoH or DoT (whisper your requests so no one else can hear).

**Conclusion**

And there you have it – another week's worth of cybersecurity challenges to ponder. Remember, in this digital age, vigilance is key. Stay informed, stay alert, and stay safe in the ever-evolving cyber world. We'll be back next Monday with more news and insights to help you navigate the digital landscape.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#amazon