Top five Cyber Threat Intel stories of the week: 02/06 to 02/10/2023

James Beal
Hunter Strategy
Published Feb 10, 2023 (6 min read)

Top 5 general threat intelligence stories of the week. This is from TLP white/open-source websites, so please feel free to share and enjoy reading about these events. Please reach out if you have any questions! Thank you!

General Worldwide activity:

1st: Tackling the New Cyber Insurance Requirements: Can Your Organization Comply?

Overview: With cyberattacks around the world escalating rapidly, insurance companies are ramping up the requirements to qualify for a cyber insurance policy. Ransomware attacks were up 80% last year, prompting underwriters to put in place a number of new provisions designed to prevent ransomware and stem the record number of claims. Among these are a mandate to enforce multi-factor authentication (MFA) across all admin access in a network environment as well as protect all privileged accounts, specifically machine-to-machine connections known as service accounts. But identifying MFA and privileged account protection gaps within an environment can be extremely challenging for organizations, as there is no utility among the most commonly used security and identity products that can actually provide this visibility.

Breakdown: With all the ransomware activity over the last few years and the massive dollar amounts attached to those attacks, an expansion of the requirements to acquire cyber insurance is a no-brainer. From discussions I have had with other infosec pros, the applications for cyber insurance have gone from a couple of pages of basic questions to massive documents upwards of 75-80 pages requesting intricate details of IT/security programs and every control put in place, all to give the insurance provider some protection. Insurance companies hate to pay out claims, retain top legal teams, and are happy to spend money to save money by denying payouts if they can find a reason to do so after an attack has happened. IT and infosec professionals need to stay on top of changes in the cyber insurance industry: their teams will be involved when a breach occurs, and not knowing the policy's requirements and exclusions up front can make it a very painful process to get help with recovery and to be made whole again down the road.

2nd: Malicious Google ads sneak AWS phishing sites into search results

Overview: A new phishing campaign targeting Amazon Web Services (AWS) logins is abusing Google ads to sneak phishing sites into Google Search to steal your login credentials. The campaign was discovered by Sentinel Labs, whose analysts observed the malicious search results on January 30, 2023. The bad ads ranked second when searching for “aws,” right behind Amazon’s own promoted search result. The malicious Google ads take the victim to a blogger website (“us1-eat-a-w-s.blogspot[.]com”) under the attackers’ control, which is a copy of a legitimate vegan food blog. The site uses ‘window.location.replace’ to automatically redirect the victim to a new website that hosts the fake AWS login page, made to appear authentic.

Breakdown: We have seen these attacks develop over the last couple of months, from poisoned open-source software repos to Google Ads serving up malware in many different forms. This is the latest in that line of attacks, with a good technical breakdown of the process the attackers used to ensnare victims: a paid search ad, a throwaway Blogger site as the first hop (a copy of a legitimate vegan food blog, so the ad's visible destination looks harmless), and a client-side JavaScript redirect via window.location.replace to the credential-harvesting page. The report contains both TTPs and IOCs you can use for tailored threat hunting in your environment if you think you have seen anomalous activity on your network lately that might match this campaign.
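To turn those IOCs into an actual hunt, here is an added example (not code from Sentinel Labs or from the write-up above) that scans web proxy logs for the redirect chain described in the story: a request to the blogspot domain named in the report, a request whose Referer is that domain, and any same-client request within a few seconds of such a hit to a non-Amazon host that looks like an AWS sign-in page. The only indicator taken from the story is the blogspot domain; the log format, the client addresses, the `aws-console-signin.example` landing host (the story does not name the second-stage domain, so a placeholder is used) and the allowlist of legitimate AWS hosts are all assumptions made for this example.

```python
"""Hunt for the AWS malvertising redirect chain in web proxy logs.

Added illustration for this post; not code from Sentinel Labs or BleepingComputer.
The only IOC taken from the story is the blogspot domain. The log format, the
client addresses, the landing host and the allowlist are constructed assumptions.
"""
import re
from urllib.parse import urlparse

# Defanged, as published in the story. Add the rest of the report's IOCs here.
IOCS_DEFANGED = ["us1-eat-a-w-s.blogspot[.]com"]

# Assumption: hosts where an AWS login page is expected. Any other host serving
# something that looks like an AWS sign-in right after an IOC hit is suspect.
LEGIT_AWS_SUFFIXES = ("amazon.com", "amazonaws.com")
LOOKALIKE = re.compile(r"aws|amazon|signin|console", re.IGNORECASE)

# Constructed sample: epoch client method url status referer ('-' when absent)
SAMPLE_LOG = """\
1675123400 10.0.0.5 GET https://www.google.com/search?q=aws 200 -
1675123402 10.0.0.5 GET https://us1-eat-a-w-s.blogspot.com/ 200 https://www.google.com/
1675123403 10.0.0.5 GET https://aws-console-signin.example/login 200 https://us1-eat-a-w-s.blogspot.com/
1675123500 10.0.0.7 GET https://console.aws.amazon.com/console/home 200 https://www.google.com/
1675123600 10.0.0.9 GET https://us1-eat-a-w-s.blogspot.com/ 200 -
1675123700 10.0.0.9 GET https://www.example.org/ 200 -
"""


def refang(ioc):
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def host_matches(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def _host(url):
    return (urlparse(url).hostname or "").lower()


def parse_log(text):
    """Parse the constructed six-column proxy log format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, client, method, url, status, referer = line.split()
        events.append({
            "ts": int(ts), "client": client, "method": method, "url": url,
            "host": _host(url),
            "referer_host": _host(referer) if referer != "-" else "",
        })
    return events


def hunt(events, iocs, window_s=10):
    """Return (reason, client, url) findings for IOC hits, IOC referers, and
    same-client requests within window_s seconds after a hit to a non-Amazon
    host whose URL looks like an AWS sign-in page (the second redirect hop)."""
    domains = [refang(i) for i in iocs]
    findings = []
    for e in events:
        if any(host_matches(e["host"], d) for d in domains):
            findings.append(("ioc_request", e["client"], e["url"]))
        if any(host_matches(e["referer_host"], d) for d in domains):
            findings.append(("ioc_referer", e["client"], e["url"]))
    hits = [e for e in events if any(host_matches(e["host"], d) for d in domains)]
    for h in hits:
        for f in events:
            in_window = f["client"] == h["client"] and h["ts"] < f["ts"] <= h["ts"] + window_s
            legit = any(host_matches(f["host"], s) for s in LEGIT_AWS_SUFFIXES)
            if in_window and not legit and LOOKALIKE.search(f["url"]):
                findings.append(("lookalike_after_ioc", f["client"], f["url"]))
    return findings


if __name__ == "__main__":
    for reason, client, url in hunt(parse_log(SAMPLE_LOG), IOCS_DEFANGED):
        print(f"{reason:22} {client:10} {url}")
```

The follow-on check is the useful part: an IOC list goes stale as soon as the actor registers a new Blogger page, but the shape of the chain (search ad, throwaway blog, immediate hop to a look-alike login host) survives, so the window-based heuristic keeps finding the pattern after the specific domain is gone. Tune `window_s` and the allowlist to your environment.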

3rd: U.K. and U.S. Sanction 7 Russians for TrickBot, Ryuk, and Conti Ransomware Attacks

Overview: In a first-of-its-kind coordinated action, the U.K. and U.S. governments on Thursday levied sanctions against seven Russian nationals for their affiliation to the TrickBot, Ryuk, and Conti cybercrime operation. The individuals designated under sanctions are Vitaly Kovalev (aka Alex Konor, Bentley, or Bergen), Maksim Mikhailov (aka Baget), Valentin Karyagin (aka Globus), Mikhail Iskritskiy (aka Tropa), Dmitry Pleshevskiy (aka Iseldor), Ivan Vakhromeyev (aka Mushroom), and Valery Sedletski (aka Strix). “Current members of the TrickBot group are associated with Russian Intelligence Services,” the U.S. Treasury Department noted. “The TrickBot group’s preparations in 2020 aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services.”

Breakdown: Sanctions are a useful tool for countries that want to bring historical and ongoing attacker activity to light, provided they can get far enough into attribution to pin the activity on specific individuals. In most cases these sanctions will never lead to an actual arrest, because certain countries do not follow through even when handed the evidence, or simply choose to ignore it. The real usefulness is to put both the specific individuals (by burning them publicly) and the countries supporting them on notice that someone else knows what they are doing, and to destroy any assumed anonymity. The information released, because it is backed by nation states, can also contain a wealth of interesting details for anyone in infosec interested in how nation-state-level/APT groups function on a daily basis.

4th: NIST Picks IoT Standard for Small Electronics Cybersecurity

Overview: After a search that took several years, the National Institute of Standards and Technology (NIST) has chosen Ascon to be the standard to protect data generated by exploding ranks of lightweight electronics that make up the Internet of Things (IoT). NIST will publish the full standard later in 2023, the organization says. The Ascon group of algorithms can provide protection under the electronic constraints of small technology like medical devices, stress detectors on roads and bridges, and keyless entry fobs for cars, according to NIST. “The world is moving toward using small devices for lots of tasks ranging from sensing to identification to machine control, and because these small devices have limited resources, they need security that has a compact implementation,” NIST computer scientist Kerry McKay said in the announcement of the selection. “These algorithms should cover most devices that have these sorts of resource constraints.”

Breakdown: Because many IoT devices are cheap to purchase and are made as cheaply as possible in the largest possible quantities, security is often barely an afterthought in the design and production process, if it is considered at all. With the explosion of IoT devices in general, and their growing use in Operational Technology programs as much as in traditional IT because of low cost and the push to "connect everything to the internet for remote monitoring", real IoT security standards, and taking the security of these devices seriously, are extremely important. They are also past due, by several years. As with cloud security, the traditional perimeter mindset of protecting what sits inside the network fails when more and more systems are no longer contained within the walls of the company office.
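NIST's pick is worth seeing in code, because the point of a lightweight cipher is that the whole authenticated-encryption scheme fits on a page. Below is an added example written for this post from the Ascon v1.2 specification (the Ascon-128 variant: 128-bit key and nonce, 64-bit rate, 12 rounds for initialization and finalization, 6 per data block); it is not the Ascon team's reference code, and since NIST had not yet published the standard when this story ran, it makes no claim about the final standardized parameter encoding. The key/nonce values in the demo are the specification's known-answer-test inputs, not values to deploy, and as with any nonce-based AEAD a nonce must never be reused under the same key.

```python
"""Ascon-128 AEAD (Ascon v1.2 parameters) written from the specification as an
added illustration for this post. Not the Ascon team's reference code and not
the text of NIST's final standard. Key and nonce are 16 bytes each."""
import hmac

MASK64 = (1 << 64) - 1
IV = 0x80400C0600000000          # encodes k=128, r=64, a=12, b=6 per the spec
A_ROUNDS, B_ROUNDS = 12, 6


def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def permutation(S, rounds):
    """Apply the Ascon permutation p^rounds in place to the 5 x 64-bit state."""
    for r in range(12 - rounds, 12):
        S[2] ^= 0xF0 - r * 0x10 + r                 # round constant
        S[0] ^= S[4]; S[4] ^= S[3]; S[2] ^= S[1]    # bitsliced 5-bit S-box
        T = [(~S[i] & MASK64) & S[(i + 1) % 5] for i in range(5)]
        for i in range(5):
            S[i] ^= T[(i + 1) % 5]
        S[1] ^= S[0]; S[0] ^= S[4]; S[3] ^= S[2]; S[2] ^= MASK64
        S[0] ^= rotr(S[0], 19) ^ rotr(S[0], 28)     # linear diffusion layer
        S[1] ^= rotr(S[1], 61) ^ rotr(S[1], 39)
        S[2] ^= rotr(S[2], 1) ^ rotr(S[2], 6)
        S[3] ^= rotr(S[3], 10) ^ rotr(S[3], 17)
        S[4] ^= rotr(S[4], 7) ^ rotr(S[4], 41)


def _word(b):
    return int.from_bytes(b, "big")


def _initialize(key, nonce):
    k0, k1 = _word(key[:8]), _word(key[8:])
    S = [IV, k0, k1, _word(nonce[:8]), _word(nonce[8:])]
    permutation(S, A_ROUNDS)
    S[3] ^= k0; S[4] ^= k1
    return S


def _absorb_ad(S, ad):
    if ad:
        padded = ad + b"\x80" + b"\x00" * (7 - len(ad) % 8)
        for i in range(0, len(padded), 8):
            S[0] ^= _word(padded[i:i + 8])
            permutation(S, B_ROUNDS)
    S[4] ^= 1   # domain separation between the AD and plaintext phases


def _finalize(S, key):
    k0, k1 = _word(key[:8]), _word(key[8:])
    S[1] ^= k0; S[2] ^= k1
    permutation(S, A_ROUNDS)
    return (S[3] ^ k0).to_bytes(8, "big") + (S[4] ^ k1).to_bytes(8, "big")


def ascon128_encrypt(key, nonce, ad, pt):
    """Return ciphertext || 16-byte tag. The nonce must be unique per key."""
    assert len(key) == 16 and len(nonce) == 16
    S = _initialize(key, nonce)
    _absorb_ad(S, ad)
    padded = pt + b"\x80" + b"\x00" * (7 - len(pt) % 8)
    ct = b""
    for i in range(0, len(padded), 8):
        S[0] ^= _word(padded[i:i + 8])
        ct += S[0].to_bytes(8, "big")
        if i + 8 < len(padded):                     # no permutation after the last block
            permutation(S, B_ROUNDS)
    return ct[:len(pt)] + _finalize(S, key)


def ascon128_decrypt(key, nonce, ad, ct_and_tag):
    """Return the plaintext, or None if the tag fails (never release unverified data)."""
    assert len(key) == 16 and len(nonce) == 16
    if len(ct_and_tag) < 16:
        return None
    ct, tag = ct_and_tag[:-16], ct_and_tag[-16:]
    S = _initialize(key, nonce)
    _absorb_ad(S, ad)
    pt = b""
    full = len(ct) // 8
    for i in range(full):
        c = _word(ct[8 * i:8 * i + 8])
        pt += (S[0] ^ c).to_bytes(8, "big")
        S[0] = c
        permutation(S, B_ROUNDS)
    last = ct[8 * full:]
    n = len(last)
    c = _word(last + b"\x00" * (8 - n))
    pt += (S[0] ^ c).to_bytes(8, "big")[:n]
    # Rebuild the state the encryptor had: ciphertext bytes on top, 0x80 pad bit after them
    S[0] = c ^ (S[0] & (MASK64 >> (8 * n))) ^ (0x80 << (8 * (7 - n)))
    if not hmac.compare_digest(tag, _finalize(S, key)):
        return None
    return pt


if __name__ == "__main__":
    key = nonce = bytes(range(16))   # the spec's KAT inputs; never reuse a nonce in practice
    print(ascon128_encrypt(key, nonce, b"", b"").hex())
```

Two things in this listing are the reason a constrained device can afford it: the state is five machine words and the S-box is a handful of AND/XOR/NOT operations, so there is no table to keep in flash and no data-dependent lookup to leak timing. Note also that decryption only returns plaintext after the tag verifies, using a constant-time comparison; a lightweight implementation that streams unverified plaintext out to save RAM throws away the integrity guarantee the scheme exists to provide.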

5th: 3 Overlooked Cybersecurity Breaches

Overview: Here are three of the worst breaches, attacker tactics and techniques of 2022, and the security controls that can provide effective, enterprise security protection for them.

Breakdown: It is always a good idea at the start of a new year to look back at activity from the previous year, once more details on the real causes and effects are available for review. This article does a good job of discussing 2022 activity that may not have been as hyped in the news but can still teach us a lot about general protective measures that would benefit everyone.

Contact Us

contact@hunterstrategy.net

James Beal
Hunter Strategy

Cyber Threat Intelligence Engineer - Focused on simplifying the evolving threat landscape and creating tangible alerts to help TRIAGE events.