Research

Security and Technology news from various third party sources. All attribution remains the property of the original authors

137 Topics 137 Posts
  • 0 Votes
    1 Posts
    23 Views
    CerberusC

    Being part of the Adversary Services team at IBM, it is important to keep your skills up to date and learn new things constantly. macOS security was one field where I decided to put more effort this year to further improve my exploitation and operation skills in macOS environments. During my research, I decided to […]

    The post Exploiting GOG Galaxy XPC service for privilege escalation in macOS appeared first on Security Intelligence.

    https://securityintelligence.com/posts/exploiting-gog-galaxy-xpc-service-privilege-escalation-macos/

  • 0 Votes
    1 Posts
    16 Views
    CerberusC

    With the increased regulation surrounding cyberattacks, more and more executives are seeing these attacks for what they are – serious threats to business operations, profitability and business survivability. But what about the Board of Directors? Are they getting all the information they need? Are they aware of your organization’s cybersecurity initiatives? Do they understand why […]

    The post Empowering cybersecurity leadership: Strategies for effective Board engagement appeared first on Security Intelligence.

    https://securityintelligence.com/posts/empowering-cybersecurity-leadership-strategies-for-effective-board-engagement/

  • 0 Votes
    1 Posts
    31 Views
    CerberusC

    Attackers seem to innovate nearly as fast as technology develops. Day by day, both technology and threats surge forward. Now, as we enter the AI era, machines not only mimic human behavior but also permeate nearly every facet of our lives. Yet, despite the mounting anxiety about AI’s implications, the full extent of its potential […]

    The post AI vs. human deceit: Unravelling the new age of phishing tactics appeared first on Security Intelligence.

    https://securityintelligence.com/posts/ai-vs-human-deceit-unravelling-new-age-phishing-tactics/

  • 0 Votes
    1 Posts
    27 Views
    CerberusC

    Last month Microsoft patched a vulnerability in the Microsoft Kernel Streaming Server, a Windows kernel component used in the virtualization and sharing of camera devices. The vulnerability, CVE-2023-36802, allows a local attacker to escalate privileges to SYSTEM. This blog post details my process of exploring a new attack surface in the Windows kernel, finding a […]

    The post Critically Close to Zero(Day): Exploiting Microsoft Kernel Streaming Service appeared first on Security Intelligence.

    https://securityintelligence.com/posts/critically-close-to-zero-day-exploiting-microsoft-kernel-streaming-service/

  • 0 Votes
    1 Posts
    30 Views
    CerberusC

    This post was made possible through the contributions of Bastien Lardy and Ruben Castillo. In September of 2023, X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials. The […]

    The post X-Force uncovers global NetScaler Gateway credential harvesting campaign appeared first on Security Intelligence.

    https://securityintelligence.com/posts/x-force-uncovers-global-netscaler-gateway-credential-harvesting-campaign/

  • 0 Votes
    1 Posts
    26 Views
    CerberusC

    Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations. Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still […]

    The post “Authorized” to break in: Adversaries use valid credentials to compromise cloud environments appeared first on Security Intelligence.

    https://securityintelligence.com/adversaries-use-valid-credentials-compromise-cloud-environments/

  • 0 Votes
    1 Posts
    24 Views
    CerberusC

    IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. […]

    The post Email campaigns leverage updated DBatLoader to deliver RATs, stealers appeared first on Security Intelligence.

    https://securityintelligence.com/posts/email-campaigns-leverage-updated-dbatloader-deliver-rats-stealers/

  • 0 Votes
    1 Posts
    31 Views
    CerberusC

    IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian […]

    The post New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware appeared first on Security Intelligence.

    https://securityintelligence.com/posts/new-hive0117-phishing-campaign-imitates-conscription-summons-deliver-darkwatchman-malware/

  • 0 Votes
    1 Posts
    37 Views
    CerberusC

    How AI can help defenders scale detection guidance for enterprise software tools. If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response […]

    The post X-Force releases detection & response framework for managed file transfer software appeared first on Security Intelligence.

    https://securityintelligence.com/posts/x-force-releases-detection-response-framework-managed-file-transfer-software/

  • 0 Votes
    1 Posts
    26 Views
    CerberusC

    Over the course of my career, I’ve had the privileged opportunity to peek behind the veil of some of the largest organizations in the world. In my experience, most industry verticals rely on enterprise Windows networks. In fact, I can count on one hand the number of times I have seen a decentralized zero-trust network, […]

    The post Databases beware: Abusing Microsoft SQL Server with SQLRecon appeared first on Security Intelligence.

    https://securityintelligence.com/posts/databases-beware-abusing-microsoft-sql-server-with-sqlrecon/

  • 0 Votes
    1 Posts
    29 Views
    CerberusC

    Today defenders are dealing with both a threat landscape that’s constantly changing and attacks that have stood the test of time. Innovation and best practices co-exist in the criminal world, and one mustn’t distract us from the other. IBM X-Force is continuously observing new attack vectors and novel malware in the wild, as adversaries seek […]

    The post Bringing threat intelligence and adversary insights to the forefront: X-Force Research Hub appeared first on Security Intelligence.

    https://securityintelligence.com/threat-intelligence-adversary-insights-forefront-x-force-research-hub/

  • 0 Votes
    1 Posts
    27 Views
    CerberusC

    The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and […]

    The post MSMQ QueueJumper (RCE Vulnerability): An In-Depth Technical Analysis appeared first on Security Intelligence.

    https://securityintelligence.com/posts/msmq-queuejumper-rce-vulnerability-technical-analysis/

  • 0 Votes
    1 Posts
    33 Views
    CerberusC

    This post was made possible through the contributions of Joseph Spero and Thanassis Diogos. In June 2023, IBM Security X-Force responded to an incident where a client had received alerts from their security tooling regarding potential malicious activity originating from a system within their network targeting a domain controller. X-Force analysis revealed that an attacker […]

    The post Attacker exploits vulnerability in Active Directory Certificate Services to take control of domain appeared first on Security Intelligence.

    https://securityintelligence.com/posts/attacker-exploits-vulnerability-in-active-directory-certificate-services/

  • 0 Votes
    1 Posts
    25 Views
    CerberusC

    In late April through May 2023, IBM Security X-Force found several phishing emails leading to packed executable files delivering malware we have named BlotchyQuasar, likely developed by a group X-Force tracks as Hive0129. BlotchyQuasar is hardcoded to collect credentials from multiple Latin American-based banking applications and websites used within public and private environments. Similar operations […]

    The post BlotchyQuasar: X-Force Hive0129 targeting financial institutions in LATAM with a custom banking trojan appeared first on Security Intelligence.

    https://securityintelligence.com/posts/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/

  • 0 Votes
    1 Posts
    25 Views
    CerberusC

    In this post, we’ll review a simple technique that we’ve developed to encrypt Cobalt Strike’s Beacon in memory while executing BOFs to prevent a memory scan from detecting Beacon. Picture this — you’re on a red team engagement and your phish went through, your initial access payload got past EDR, your beacon is now living […]

    The post Your BOFs Are gross, Put on a Mask: How to Hide Beacon During BOF Execution appeared first on Security Intelligence.

    https://securityintelligence.com/posts/how-to-hide-beacon-during-bof-execution/

  • 0 Votes
    1 Posts
    26 Views
    CerberusC

    Despite Conti shutdown, operators remain active and collaborative in new factions. In IBM Security X-Force, we have been following the crypters used by the Trickbot/Conti syndicate, who we refer to as ITG23, since 2021 and demonstrated the intelligence that can be revealed through tracking their use in a blog we published last May. One year […]

    The post The Trickbot/Conti Crypters: Where Are They Now? appeared first on Security Intelligence.

    https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/

  • 0 Votes
    1 Posts
    31 Views
    CerberusC

    In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10’s tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. […]

    The post ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK) appeared first on Security Intelligence.

    https://securityintelligence.com/posts/itg10-targeting-south-korean-entities/

  • 0 Votes
    1 Posts
    31 Views
    CerberusC

    No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. […]

    The post Poor Communication During a Data Breach Can Cost You — Here’s How to Avoid It appeared first on Security Intelligence.

    https://securityintelligence.com/posts/poor-communication-data-breach-cost-how-to-avoid/

  • 0 Votes
    1 Posts
    25 Views
    CerberusC

    Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures […]

    The post Ransomware Renaissance 2023: The Definitive Guide to Stay Safer appeared first on Security Intelligence.

    https://securityintelligence.com/ransomware-renaissance-definitive-guide-2023/

  • 0 Votes
    1 Posts
    33 Views
    CerberusC

    This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat […]

    The post BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration appeared first on Security Intelligence.

    https://securityintelligence.com/posts/blackcat-ransomware-levels-up-stealth-speed-exfiltration/

  • 0 Votes
    1 Posts
    22 Views
    CerberusC

    When ChatGPT and similar chatbots first became widely available, the concern in the cybersecurity world was how AI technology could be used to launch cyberattacks. In fact, it didn’t take very long until threat actors figured out how to bypass the safety checks to use ChatGPT to write malicious code. It now seems that the […]

    The post ChatGPT Confirms Data Breach, Raising Security Concerns appeared first on Security Intelligence.

    https://securityintelligence.com/articles/chatgpt-confirms-data-breach/

  • 0 Votes
    1 Posts
    26 Views
    CerberusC

    Top insights are in from this year’s IBM Security X-Force Threat Intelligence Index, but what do they mean? Three IBM Security X-Force experts share their thoughts on the implications of the most pressing cybersecurity threats, and offer guidance for what organizations can do to better protect themselves. Moving Left of Boom: Early Backdoor Detection Andy […]

    The post Expert Insights on the X-Force Threat Intelligence Index appeared first on Security Intelligence.

    https://securityintelligence.com/posts/expert-insights-x-force-threat-intelligence-index/

  • 0 Votes
    1 Posts
    25 Views
    CerberusC

    This blog was made possible through contributions from Christopher Caridi. IBM Security X-Force recently discovered a new malware family we have called “Domino,” which we assess was created by developers associated with the cybercriminal group that X-Force tracks as ITG14, also known as FIN7. Former members of the Trickbot/Conti syndicate which X-Force tracks as ITG23 […]

    The post Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor appeared first on Security Intelligence.

    https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/

  • 0 Votes
    1 Posts
    19 Views
    CerberusC

    The last decade has seen an explosion of IoT devices across a multitude of industries. With that rise has come the need for centralized systems to perform data collection and device management, commonly called IoT Platforms. One such platform, ThingsBoard, was the recent subject of research by IBM Security X-Force. While there has been a […]

    The post X-Force Identifies Vulnerability in IoT Platform appeared first on Security Intelligence.

    https://securityintelligence.com/posts/x-force-identifies-vulnerability-iot-platform/

  • 0 Votes
    1 Posts
    26 Views
    CerberusC

    This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The X-Force Vulnerability and Exploit Database shows that the number of zero days being released each year is on the rise, but X-Force has observed that only a few of these zero days are rapidly adopted by cyber criminals each year. While […]

    The post X-Force Prevents Zero Day from Going Anywhere appeared first on Security Intelligence.

    https://securityintelligence.com/posts/x-force-prevents-zero-day-from-going-anywhere/

  • 0 Votes
    1 Posts
    20 Views
    CerberusC

    ‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption […]

    The post Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours appeared first on Security Intelligence.

    https://securityintelligence.com/posts/patch-tuesday-exploit-wednesday-pwning-windows-ancillary-function-driver-winsock/

  • 0 Votes
    1 Posts
    14 Views
    CerberusC

    In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as […]

    The post When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule appeared first on Security Intelligence.

    https://securityintelligence.com/posts/defensive-considerations-lazarus-fudmodule/

  • 0 Votes
    1 Posts
    26 Views
    CerberusC

    The Challenge with Using Cobalt Strike for Advanced Red Team Exercises: While next-generation AI and machine-learning components of security solutions continue to enhance behavioral-based detection capabilities, at their core many still rely on signature-based detections. Cobalt Strike being a popular red team Command and Control (C2) framework used by both threat actors and red teams […]

    The post Defining the Cobalt Strike Reflective Loader appeared first on Security Intelligence.

    https://securityintelligence.com/posts/defining-cobalt-strick-reflective-loader/

  • 0 Votes
    1 Posts
    26 Views
    CerberusC

    Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands […]

    The post Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023 appeared first on Security Intelligence.

    https://securityintelligence.com/posts/2023-x-force-threat-intelligence-index-report/

  • 0 Votes
    1 Posts
    21 Views
    CerberusC

    Overview: In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put […]

    The post Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers appeared first on Security Intelligence.

    https://securityintelligence.com/posts/direct-kernel-object-manipulation-attacks-etw-providers/

  • 0 Votes
    1 Posts
    22 Views
    CerberusC

    The Evolution of Kronos Malware: The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos […]

    The post Kronos Malware Reemerges with Increased Functionality appeared first on Security Intelligence.

    https://securityintelligence.com/kronos-malware-reemerges-increased-functionality/

  • 0 Votes
    1 Posts
    26 Views
    CerberusC

    On September 19, 2022, an 18-year-old cyberattacker known as “teapotuberhacker” (aka TeaPot) allegedly breached the Slack messages of game developer Rockstar Games. Using this access, they pilfered over 90 videos of the upcoming Grand Theft Auto VI game. They then posted those videos on the fan website GTAForums.com. Gamers got an unsanctioned sneak peek of […]

    The post An IBM Hacker Breaks Down High-Profile Attacks appeared first on Security Intelligence.

    https://securityintelligence.com/posts/an-ibm-hacker-breaks-down-high-profile-attacks/

  • 0 Votes
    1 Posts
    36 Views
    CerberusC

    September’s Patch Tuesday unveiled a critical remote vulnerability in tcpip.sys, CVE-2022-34718. The advisory from Microsoft reads: “An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPsec is enabled, which could enable a remote code execution exploitation on that machine.” Pure remote vulnerabilities usually yield a lot of interest, but […]

    The post Dissecting and Exploiting TCP/IP RCE Vulnerability “EvilESP” appeared first on Security Intelligence.

    https://securityintelligence.com/posts/dissecting-exploiting-tcp-ip-rce-vulnerability-evilesp/

  • Self-Checkout This Discord C2

    0 Votes
    1 Posts
    23 Views
    CerberusC

    In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated […]

    The post Self-Checkout This Discord C2 appeared first on Security Intelligence.

    https://securityintelligence.com/posts/self-checkout-discord-c2/

  • A View Into Web(View) Attacks in Android

    0 Votes
    1 Posts
    25 Views
    CerberusC

    James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware […]

    The post A View Into Web(View) Attacks in Android appeared first on Security Intelligence.

    https://securityintelligence.com/posts/view-into-webview-attacks-android/

  • 0 Votes
    1 Posts
    24 Views
    CerberusC

    This post was written with contributions from Joseph Lozowski. Comprehensive incident preparedness requires building out and testing response plans that consider the possibility that threats will bypass all security protections. An example of a threat vector that can bypass security protections is “shadow IT” and it is one that organizations must prepare for. Shadow IT […]

    The post Beware of What Is Lurking in the Shadows of Your IT appeared first on Security Intelligence.

    https://securityintelligence.com/posts/beware-lurking-shadows-it/

  • 0 Votes
    1 Posts
    18 Views
    CerberusC

    Generation Z, which Pew Research Center defines as those born after 1996, is considered the first digital-native generation. This group of young people always has the latest technology at their fingertips. Yet even with this strong digital connection, the National Cybersecurity Alliance (NCSA) found that Gen Zers have higher cyber incident victimization rates than previous […]

    The post How to Embed Gen Z in Your Organization’s Security Culture appeared first on Security Intelligence.

    https://securityintelligence.com/posts/gen-z-cybersecurity-culture/

  • 0 Votes
    1 Posts
    20 Views
    CerberusC

    In September 2022, Microsoft patched an information disclosure vulnerability in SPNEGO NEGOEX (CVE-2022-37958). On December 13, Microsoft reclassified the vulnerability as “Critical” severity after IBM Security X-Force Red Security Researcher Valentina Palmiotti discovered the vulnerability could allow attackers to remotely execute code. The vulnerability is in the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism, which allows […]

    The post Critical Remote Code Execution Vulnerability in SPNEGO Extended Negotiation Security Mechanism appeared first on Security Intelligence.

    https://securityintelligence.com/posts/critical-remote-code-execution-vulnerability-spnego-extended-negotiation-security-mechanism/

  • 0 Votes
    1 Posts
    27 Views
    CerberusC

    Applications have historically been deployed and created in a manner reminiscent of classic shopping malls. First, a developer builds the mall, then creates the various stores inside. The stores conform to the dimensions of the mall and operate within its floor plan. In older approaches to application development, a developer would have a targeted system or […]

    The post Containers, Security, and Risks within Containerized Environments appeared first on Security Intelligence.

    https://securityintelligence.com/posts/containers-security-risks-containerized-environments/

  • RansomExx Upgrades to Rust

    0 Votes
    1 Posts
    30 Views
    CerberusC

    IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this […]

    The post RansomExx Upgrades to Rust appeared first on Security Intelligence.

    https://securityintelligence.com/posts/ransomexx-upgrades-rust/

  • 0 Votes
    1 Posts
    38 Views
    CerberusC

    On the morning of July 9, 2012, the world braced for an “internet doomsday”: a full-scale crash of the global internet. Except it didn’t happen. And that non-event represented the culmination of a long and successful coordinated action taken between a huge number of organizations, spearheaded by the FBI. It was one of the most […]

    The post How the DNSChanger Shutdown Changed Cybersecurity appeared first on Security Intelligence.

    https://securityintelligence.com/articles/how-dnschanger-shutdown-changed-cybersecurity/

  • 0 Votes
    1 Posts
    28 Views
    CerberusC

    Threat actors — and particularly ransomware attackers — have education institutions in their crosshairs. From Vice Society’s September attack on schools in California to Snatch’s late October assault on schools in Wisconsin, threat actors are not holding back when it comes to preying on schools. K-12 schools are the most vulnerable within the education industry, […]

    The post Defending Education from Cyber Threat Attackers appeared first on Security Intelligence.

    https://securityintelligence.com/posts/defending-education-cyber-threat-attackers/

  • 0 Votes
    1 Posts
    29 Views
    CerberusC

    Not so long ago, the Mac was thought to be impervious to viruses. In fact, Apple once stated on its website that “it doesn’t get PC viruses”. But that was before the Mac OS X Trojan Flashback malware appeared in 2012. Since then, Mac and iPhone security issues have changed dramatically — and so has […]

    The post How the Mac OS X Trojan Flashback Changed Cybersecurity appeared first on Security Intelligence.

    https://securityintelligence.com/articles/how-mac-trojan-flashback-changed-cybersecurity/

  • 0 Votes
    1 Posts
    13 Views
    CerberusC

    Not so long ago, the Mac was thought to be impervious to viruses. In fact, Apple once stated on its website that “it doesn’t get PC viruses”. But that was before the Mac OS X Trojan Flashback malware appeared in 2012. Since then, Mac and iPhone security issues have changed dramatically — and so has […]

    The post How the Mac OS X Trojan Flashback Changed Cybersecurity appeared first on Security Intelligence.

    https://securityintelligence.com/articles/how-mac-trojan-flashback-changed-cybersecurity-2/

  • 0 Votes
    1 Posts
    26 Views
    CerberusC

    As cyber threats increase in frequency and intensity worldwide, it has never been more crucial for governments and private organizations to work together to identify, analyze and combat attacks. Yet while the federal government has strongly supported this model of private-public information sharing, the reality is less than impressive. Many companies feel that intel sharing […]

    The post Overcoming Distrust in Information Sharing: What More is There to Do? appeared first on Security Intelligence.

    https://securityintelligence.com/articles/overcoming-distrust-information-sharing/

  • 0 Votes
    1 Posts
    15 Views
    CerberusC

    Each year between June and November, many parts of the U.S. become potential targets for hurricanes. In October 2022, we had Hurricane Ian devastate Florida. To prepare for natural disasters like hurricanes, organizations are encouraged to build out and test business continuity, disaster recovery, and crisis management plans to use in the response efforts. Millions […]

    The post What Hurricane Preparedness Can Teach Us About Ransomware appeared first on Security Intelligence.

    https://securityintelligence.com/posts/hurricanes-preparedness-ransomware/

  • 0 Votes
    1 Posts
    29 Views
    CerberusC

    In some parts of the world during October, we have Halloween, which conjures the specter of imagined monsters lurking in the dark. Simultaneously, October is Cybersecurity Awareness Month, which evokes the specter of threats lurking behind our screens. Bombarded with horror stories about data breaches, ransomware, and malware, everyone’s suddenly in the latest cybersecurity trends […]

    The post Charles Henderson’s Cybersecurity Awareness Month Content Roundup appeared first on Security Intelligence.

    https://securityintelligence.com/posts/charles-henderson-cybersecurity-awareness-month/

  • 0 Votes
    1 Posts
    39 Views
    CerberusC

    Cyberattacks seldom happen when it’s convenient. In fact, it’s relatively common for them to occur on weekends or holidays — threat actors capitalize on the fact that there are fewer staff on site, and those who are there are focused on the coming weekend or time off. It’s also not uncommon for attacks of this […]

    The post What Drives Incident Responders: Key Findings from the 2022 Incident Responder Study appeared first on Security Intelligence.

    https://securityintelligence.com/posts/key-findings-2022-incident-responder-study/

  • 0 Votes
    1 Posts
    36 Views
    CerberusC

    There are two kinds of companies in the world: those that have been breached by unethical hackers, and those that have been breached and don’t know it yet. Hackers are relentless. Today’s cyberattacks have evolved into high-level espionage perpetrated by robust criminal organizations or nation-states. In the era of software as a service (SaaS), enterprise […]

    The post How to Keep Your Secrets Safe: A Password Primer appeared first on Security Intelligence.

    https://securityintelligence.com/posts/how-to-keep-secrets-safe-password-primer/

  • 0 Votes
    1 Posts
    32 Views
    CerberusC

    “New and improved” is the refrain of progress, but new technology doesn’t always turn out to be an improvement. In the case of the evolution from Web2 to Web3, a former hacker revealed how recent changes have created an all-new avenue of potential attack. Recent updates were intended to tighten security. “Due to blockchain technology […]

    The post The Dangerous Flaws of Web3 Security, According To a Former Hacker appeared first on Security Intelligence.

    https://securityintelligence.com/articles/dangerous-flaws-web3-according-to-hacker/

  • 0 Votes
    1 Posts
    35 Views
    CerberusC

    Command & Control (C2) frameworks are a very sensitive component of Red Team operations. Often, a Red Team will be in a highly privileged position on a target’s network, and a compromise of the C2 framework could lead to a compromise of both the red team operator’s system and control over beacons established on a […]

    The post Analysis of a Remote Code Execution (RCE) Vulnerability in Cobalt Strike 4.7.1 appeared first on Security Intelligence.

    https://securityintelligence.com/posts/analysis-rce-vulnerability-cobalt-strike/

  • 0 Votes
    1 Posts
    29 Views
    CerberusC

    IBM Security X-Force Red took a deeper look at the Google Cloud Platform (GCP) and found a potential method an attacker could use to persist in GCP via the Google Cloud Shell. Google Cloud Shell is a service that provides a web-based shell where GCP administrative activities can be performed. A web-based shell is a […]

    The post How an Attacker Can Achieve Persistence in Google Cloud Platform (GCP) with Cloud Shell appeared first on Security Intelligence.

    https://securityintelligence.com/posts/attacker-achieve-persistence-google-cloud-platform-cloud-shell/

  • 0 Votes
    1 Posts
    25 Views
    CerberusC

    As a cybersecurity writer, I’m more aware than the average person of the security risks with any connected device. So when I sat in my new car for the first time and saw all the different ways it linked to my phone or my home WiFi, more than a few red flags went up. I […]

    The post What You Should Know About the Honda Key Fob Vulnerability appeared first on Security Intelligence.

    https://securityintelligence.com/articles/what-to-know-honda-key-fob-vulnerability/

  • 0 Votes
    1 Posts
    27 Views
    CerberusC

    Ransomware gangs are major players in the cybersecurity space, especially in recent years. ZDNet reported that ransomware gangs increased their payments by over 311% from 2019 to 2020, with totals for all groups exceeding $350 million in 2020. Ransoms continued rising in 2021. Unit 42, a threat research team at Palo Alto Networks, found that […]

    The post Why Do Ransomware Gangs Keep Coming Back From the Dead? appeared first on Security Intelligence.

    https://securityintelligence.com/articles/why-how-ransomware-gangs-come-back/

  • 0 Votes
    1 Posts
    29 Views
    CerberusC

    Over the course of two decades, I’ve seen Incident Response (IR) take on many forms. Cybercrime’s evolution has pulled the nature of IR along with it — shifts in cybercriminals’ tactics and motives have been constant. Even the cybercriminal psyche has completely rebirthed, with more collaboration amongst gangs and fully established ransomware enterprises running. When […]

    The post To Cybersecurity Incident Responders Holding the Digital Front Line, We Salute You appeared first on Security Intelligence.

    https://securityintelligence.com/posts/cybersecurity-incident-responders-digital-frontline/

  • 0 Votes
    1 Posts
    37 Views
    CerberusC

    As a freelance writer, I spend most of my day working in Microsoft Word. Then, I send drafts to clients and companies across the globe. So, news of the newly discovered Microsoft Office vulnerability made me concerned about the possibility of accidentally spreading malware to my clients. I take extra precautions to ensure that I’m […]

    The post Does Follina Mean It’s Time to Abandon Microsoft Office? appeared first on Security Intelligence.

    https://securityintelligence.com/articles/follina-vulnerability-abandon-microsoft-office/

  • 0 Votes
    1 Posts
    43 Views
    CerberusC

    The Cybersecurity and Infrastructure Security Agency (CISA) recently published a report highlighting a range of critical security vulnerabilities requiring attention from organizations of all types. The report was published with input from the National Security Agency (NSA) and similar agencies worldwide. It should be considered essential reading.  Many of the vulnerabilities in the report are […]

    The post A Response Guide for New NSA and CISA Vulnerabilities appeared first on Security Intelligence.

    https://securityintelligence.com/articles/response-guide-nsa-cisa-vulnerabilities/

  • 0 Votes
    1 Posts
    36 Views
    CerberusC

    While cloud computing and its many forms (private, public, hybrid cloud or multi-cloud environments) have become ubiquitous with innovation and growth over the past decade, cybercriminals have closely watched the migration and introduced innovations of their own to exploit the platforms. Most of these exploits are based on poor configurations and human error. New IBM […]

    The post Old Habits Die Hard: New Report Finds Businesses Still Introducing Security Risk into Cloud Environments appeared first on Security Intelligence.

    https://securityintelligence.com/posts/new-report-finds-businesses-introducing-security-risk-cloud-environments/

  • 0 Votes
    1 Posts
    34 Views
    CerberusC

    In 2019, Google released a synthetic speech database with a very specific goal: stopping audio deepfakes.  “Malicious actors may synthesize speech to try to fool voice authentication systems,” the Google News Initiative blog reported at the time. “Perhaps equally concerning, public awareness of “deep fakes” (audio or video clips generated by deep learning models) can […]

    The post We’re Entering the Age of Unethical Voice Tech appeared first on Security Intelligence.

    https://securityintelligence.com/articles/entering-age-unethical-voice-tech-deepfakes/

  • 0 Votes
    1 Posts
    34 Views
    CerberusC

    IBM Security Managed Detection and Response (MDR) observations coupled with IBM Security X-Force malware research sheds additional light on the mysterious objectives of the operators behind the Raspberry Robin worm. Based on a comparative analysis between a downloaded Raspberry Robin DLL and a Dridex malware loader, the results show that they are similar in structure […]

    The post Raspberry Robin and Dridex: Two Birds of a Feather appeared first on Security Intelligence.

    https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/

  • 0 Votes
    1 Posts
    33 Views
    CerberusC

    The search to find the mastermind of the attacker group Lapsus$ led to a home outside Oxford, England. The suspected leader was a 16-year-old. He helped take down some of the world’s biggest companies, including Microsoft, from his mother’s house. The BBC reported the teen is alleged to have earned $14 million from his attacks. […]

    The post How and Why Do Teens Become Cyber Criminals? appeared first on Security Intelligence.

    https://securityintelligence.com/articles/why-teens-become-cyber-criminals/

  • 0 Votes
    1 Posts
    38 Views
    CerberusC

    Major cyberattacks since 2019 jolted the U.S. government and software industry into action. The succeeding years have seen executive orders, new funding, two summits and a newfound resolve. Because of those attacks, the federal government aims to fix the open-source software security threat altogether. But what has really come of these efforts in the last […]

    The post How Cybersecurity Policy Has Changed Since the SolarWinds Attack appeared first on Security Intelligence.

    https://securityintelligence.com/articles/how-cybersecurity-policy-changed-since-solarwinds-attacks/

  • 0 Votes
    1 Posts
    43 Views
    CerberusC

    Search engine optimization (SEO) is a long game. Improving your website to rank higher on search engine results pages helps you attract more traffic. Plus, it helps build a trustworthy reputation. But, some people want to take shortcuts by using what’s known as black hat SEO. If this happens, your business could pay the price. […]

    The post Black Hat SEO: Is Someone Phishing With Your Site Domain? appeared first on Security Intelligence.

    https://securityintelligence.com/articles/black-hat-seo-phishing-with-your-site-domain/

  • 0 Votes
    1 Posts
    41 Views
    CerberusC

    If there is one type of cyberattack that can drain the color from any security leader’s face, it’s ransomware. A crippling, disruptive, and expensive attack to recover from, with final costs rarely being easy to foretell. Already a prevalent threat, the number of ransomware attacks rose during the pandemic and nearly doubled in the year […]

    The post The Ransomware Playbook Mistakes That Can Cost You Millions appeared first on Security Intelligence.

    https://securityintelligence.com/posts/ransomware-playbook-mistakes-cost-you-millions/

  • 0 Votes
    1 Posts
    37 Views
    CerberusC

    You’ve heard all about shadow IT, but there’s another shadow lurking on your systems: Internet of Things (IoT) devices.  These smart devices are the IoT in shadow IoT, and they could be maliciously or unintentionally exposing information. Threat actors can use that to access your systems and sensitive data, and wreak havoc upon your company. […]

    The post Beyond Shadow IT: Expert Advice on How to Secure the Next Great Threat Surface appeared first on Security Intelligence.

    https://securityintelligence.com/articles/secure-shadow-it-tiktok-secengineer/

  • 0 Votes
    1 Posts
    37 Views
    CerberusC

    In the cybersecurity field, large databases of known threats and vulnerabilities have often been an essential resource. These catalogs show you where to focus your efforts. They’re also a good tool for prioritizing patches to increase security and mitigate the risk of disaster. As a result, these databases need to be reliable and up-to-date and […]

    The post CISA or CVSS: How Today’s Vulnerability Databases Work Together appeared first on Security Intelligence.

    https://securityintelligence.com/articles/cisa-cvss-which-vulnerability-database/

  • 0 Votes
    1 Posts
    32 Views
    CerberusC

    A comparative analysis performed by IBM Security X-Force uncovered evidence that suggests Bumblebee malware, which first appeared in the wild last year, was likely developed directly from source code associated with the Ramnit banking trojan. This newly discovered connection is particularly interesting as campaign activity has so far linked Bumblebee to affiliates of the threat […]

    The post From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers appeared first on Security Intelligence.

    https://securityintelligence.com/from-ramnit-to-bumblebee-via-neverquest/

  • 0 Votes
    1 Posts
    39 Views
    CerberusC

    IBM Security and the Ponemon Institute release an annual report known as one of the most significant industry benchmarks. The Cost of a Data Breach analysis examines real-world breaches in great detail, producing insights into the factors that impact the cost of cyber-attacks. In the 2022 report just released, the healthcare sector stands out for extremely […]

    The post Healthcare Breaches Costliest for 12 Years Running, Hit New $10.1M Record High appeared first on Security Intelligence.

    https://securityintelligence.com/posts/healthcare-data-breaches-costliest/

  • 0 Votes
    1 Posts
    48 Views
    CerberusC

    This post was written with contributions from Dave McMillen. So far 2022 has seen international cyber security agencies issuing multiple alerts about malicious Russian cyber operations and potential attacks on critical infrastructure, the discovery of two new OT-specific pieces of malware, Industroyer2 and InController/PipeDream, and the disclosure of many operational technology (OT) vulnerabilities. The OT cyber threat landscape […]

    The post X-Force 2022 Insights: An Expanding OT Threat Landscape appeared first on Security Intelligence.

    https://securityintelligence.com/posts/expanding-ot-threat-landscape-2022/

  • 0 Votes
    1 Posts
    43 Views
    CerberusC

    Today, many leading industries and modern enterprises have switched from processing and acting on data stored in databases to data in flight. How? Through real-time applications. One way to enable this is WebSocket, but it comes with vulnerabilities as well.  What Is WebSocket? Real-time applications operate within an immediate time frame; sensing, analyzing and acting […]

    The post How to Remediate a Cross-Site WebSocket Vulnerability appeared first on Security Intelligence.

    https://securityintelligence.com/posts/how-to-remediate-cross-site-websocket-vulnerability/

  • How to Compromise a Modern-Day Network

    0 Votes
    1 Posts
    33 Views
    CerberusC

    An insidious issue has been slowly growing under the noses of IT admins and security professionals for the past twenty years. As companies evolved to meet the technological demands of the early 2000s, they became increasingly dependent on vulnerable technology deployed within their internal network stack. While security evolved to patch known vulnerabilities, many companies […]

    The post How to Compromise a Modern-Day Network appeared first on Security Intelligence.

    https://securityintelligence.com/posts/how-to-compromise-modern-day-network/

  • 0 Votes
    1 Posts
    45 Views
    CerberusC

    For full details on this research, see the X-Force Red whitepaper “Controlling the Source: Abusing Source Code Management Systems”. This material is also being presented at Black Hat USA 2022. Source Code Management (SCM) systems play a vital role within organizations and have been an afterthought in terms of defenses compared to other critical enterprise […]

    The post Controlling the Source: Abusing Source Code Management Systems appeared first on Security Intelligence.

    https://securityintelligence.com/posts/abusing-source-code-management-systems/

  • 0 Votes
    1 Posts
    40 Views
    CerberusC

    For threat actors, phishing embodies the holy trinity of goals: easy, effective and profitable. It’s no wonder that the 2022 X-Force Threat Intelligence Index reports that phishing was the top method used by attackers to breach an organization. Of all the attacks that X-Force remediated in 2021, attackers used phishing in 41% of them. Because […]

    The post Fishy Business: What Are Spear Phishing, Whaling and Barrel Phishing? appeared first on Security Intelligence.

    https://securityintelligence.com/articles/what-is-spear-phishing-whaling-barrel-phishing/

  • 0 Votes
    1 Posts
    31 Views
    CerberusC

    The metaverse is a hot topic, and it’s easy to see why. It promises a 3D model of the internet, where virtual reality (VR) and mixed reality offer endless escapism. It provides a place parallel to the physical world where you can live a rich digital life: hang out with friends, shop for real or […]

    The post Cybersecurity and the Metaverse: Patrolling the New Digital World appeared first on Security Intelligence.

    https://securityintelligence.com/posts/metaverse-cybersecurity-concerns/

  • 0 Votes
    1 Posts
    36 Views
    CerberusC

    You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a. “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on […]

    The post Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program appeared first on Security Intelligence.

    https://securityintelligence.com/posts/black-hat-2022-how-to-build-threat-hunting-program/

  • 0 Votes
    1 Posts
    36 Views
    CerberusC

    The average cost of a data breach reached an all-time high of $4.35 million this year, according to the newly published 2022 Cost of a Data Breach Report, an increase of 2.6% from a year ago and 12.7% since 2020.

    The post What’s New in the 2022 Cost of a Data Breach Report appeared first on Security Intelligence.

    https://securityintelligence.com/posts/whats-new-2022-cost-of-a-data-breach-report/

  • 0 Votes
    1 Posts
    34 Views
    CerberusC

    More than a year ago, a ransomware attack made the news across the nation. The Colonial Pipeline Company announced on May 7, 2021, that the DarkSide Ransomware-as-a-Service group, based in eastern Europe, had hit it. The FBI has since confirmed DarkSide, which has since shut down, as the threat actors. What’s changed about U.S. cyber […]

    The post U.S. Cybersecurity Policy Has Changed Since the Colonial Pipeline Attack appeared first on Security Intelligence.

    https://securityintelligence.com/articles/cybersecurity-policy-changed-since-colonial-pipeline-attack/

  • 0 Votes
    1 Posts
    35 Views
    CerberusC

    It was considered the “largest ever” internet attack in 2002. This distributed denial of service attack hit seven of the 13 servers at the top of the internet’s domain name system hierarchy. Now, 20 years later, its origins remain mysterious, but its methods and size still make it stand out. It isn’t the largest by […]

    The post 20 Years Ago in Cybersecurity: Massive DDoS Attack Hits the Roots of the Internet appeared first on Security Intelligence.

    https://securityintelligence.com/articles/20-years-cybersecurity-largest-ever-ddos-attack/

  • 0 Votes
    1 Posts
    39 Views
    CerberusC

    After decades of playing defense, the United States government went on the offense in the past few years against global state-sponsored cyber attackers. U.S. Cyber Command conducted “hunt forward” operations recently in 16 countries, including in Ukraine, as part of a policy set in 2018.  This policy involves partnering with foreign countries on finding cyber […]

    The post What Cybersecurity Teams Can Learn From the US Cyber Command’s ‘Hunt Forward’ appeared first on Security Intelligence.

    https://securityintelligence.com/articles/what-cybersecurity-teams-learn-us-cyber-command-hunt-forward/

  • 0 Votes
    1 Posts
    31 Views
    CerberusC

    This post was written with contributions from Andrew Gorecki, Camille Singleton and Charles DeBeck. May and June bring warm weather, backyard barbecues and, in recent years, an uptick in ransomware attacks. Why? “It’s possible workers are distracted because the sun is out and kids are out of school,” said Charles DeBeck, a former senior strategic […]

    The post 5 Essential Steps for Every Ransomware Response Plan appeared first on Security Intelligence.

    https://securityintelligence.com/posts/5-essential-steps-every-ransomware-response-plan/

  • What Is Endpoint Detection and Response?

    0 Votes
    1 Posts
    35 Views
    CerberusC

    Endpoint Detection and Response: How To Choose the Right EDR Solution A rise in remote work trends has led to a rapid increase and interconnectivity of endpoints and data in recent years. This ‘next normal’ way of working comes with its own set of security challenges – from the rise in sophisticated and automated attacks […]

    The post What Is Endpoint Detection and Response? appeared first on Security Intelligence.

    https://securityintelligence.com/posts/what-is-endpoint-detection-response/

  • 0 Votes
    1 Posts
    36 Views
    CerberusC

    Following ongoing research, our team, IBM Security X-Force, has uncovered evidence indicating that the Russia-based cybercriminal syndicate “Trickbot group” has been systematically attacking Ukraine since the Russian invasion — an unprecedented shift as the group had not previously targeted Ukraine. Between mid-April and mid-June of 2022 the Trickbot group, tracked by X-Force as ITG23 and […]

    The post Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine appeared first on Security Intelligence.

    https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine/

  • 0 Votes
    1 Posts
    45 Views
    CerberusC

    Attackers are known to pore over a company’s website and social channels. Perhaps they spot a mention of an upcoming charity event. Who runs the charity? What does their email signature look like? What’s the color and size of the charity’s logo?    This kind of information is priceless to attackers. From there, attackers can craft […]

    The post Why Phishing Is Still the Top Attack Method appeared first on Security Intelligence.

    https://securityintelligence.com/posts/why-phishing-still-top-attack-method/

  • 0 Votes
    1 Posts
    36 Views
    CerberusC

    The majority of C-suite executives are confident in their organization’s protection against ransomware attacks. At least, that’s what a recent research report from ISC2 shows. In fact, just 15% express a lack of confidence. Does this confidence take into account the nearly 53% rise in double extortion ransomware attacks between January and February? Are the […]

    The post The C-Suite Is Optimistic About Ransomware. Are They Right? appeared first on Security Intelligence.

    https://securityintelligence.com/articles/c-suite-optimistic-about-ransomware/

  • 0 Votes
    1 Posts
    47 Views
    CerberusC

    Attackers are known to pore over a company’s website and social channels. Perhaps they spot a mention of an upcoming charity event. Who runs the charity? What does their email signature look like? What’s the color and size of the charity’s logo?    This kind of information is priceless to attackers. From there, attackers can craft […]

    The post Why Phishing Is Still the Top Attack Method appeared first on Security Intelligence.

    https://securityintelligence.com/posts/why-phishing-still-top-attack-method/

  • 0 Votes
    1 Posts
    51 Views
    CerberusC

    The metaverse, artificial intelligence (AI) run amok, the singularity … many far-out situations have become a dinner-table conversation. Will AI take over the world? Will you one day have a computer chip in your brain? These science fiction ideas may never come to fruition, but some do point to existing security risks. While nobody can […]

    The post Real Security Concerns Are Scarier Than Doomsday Predictions appeared first on Security Intelligence.

    https://securityintelligence.com/articles/metaverse-nft-doomsday-predictions-ai-cybersecurity/

  • 0 Votes
    1 Posts
    44 Views
    CerberusC

    What’s the best way to stop ransomware? Make it riskier and less lucrative for cyber criminals. Nearly all intruders prefer to collect a ransom in cryptocurrency. But it’s a double-edged sword since even crypto leaves a money trail. Recovering ransomware payouts could lead to a sharp decline in exploits. Ransomware is still today’s top attack […]

    The post Recovering Ransom Payments: Is This the End of Ransomware? appeared first on Security Intelligence.

    https://securityintelligence.com/articles/recovering-ransomware-payment/

  • 0 Votes
    1 Posts
    45 Views
    CerberusC

    This research was made possible through the data collection efforts of Maleesha Perera, Joffrin Alexander, and Alana Quinones Garcia. Key Highlights The average duration of an enterprise ransomware attack reduced 94.34% between 2019 and 2021:  2019: 2+ months — The TrickBot (initial access) to Ryuk (deployment) attack path resulted in a 90% increase in ransomware […]

    The post Countdown to Ransomware: Analysis of Ransomware Attack Timelines appeared first on Security Intelligence.

    https://securityintelligence.com/posts/analysis-of-ransomware/

  • Black Basta Besting Your Network?

    0 Votes
    1 Posts
    45 Views
    CerberusC

    This post was written with contributions from Chris Caridi and Kat Weinberger. IBM Security X-Force has been tracking the activity of Black Basta, a new ransomware group that first appeared in April 2022. To date, this group has claimed attribution of 29 different victims across multiple industries using a double extortion strategy where the attackers […]

    The post Black Basta Besting Your Network? appeared first on Security Intelligence.

    https://securityintelligence.com/posts/black-basta-ransomware-group-besting-network/

  • 0 Votes
    1 Posts
    40 Views
    CerberusC

    Every year, the IBM Security X-Force team of cybersecurity experts mines billions of data points to reveal today’s most urgent security statistics and trends. This year’s X-Force Threat Intelligence Index 2022 digs into attack types, infection vectors, top threat actors, malware trends and industry-specific insights.  This year, a new industry took the infamous top spot: […]

    The post Lessons Learned by 2022 Cyberattacks: X-Force Threat Intelligence Report appeared first on Security Intelligence.

    https://securityintelligence.com/articles/lessons-learned-top-cyberattacks-x-force/

  • 0 Votes
    1 Posts
    35 Views
    CerberusC

    IBM Security X-Force researchers have continually analyzed the use of several crypters developed by the cybercriminal group ITG23, also known as Wizard Spider, DEV-0193, or simply the “Trickbot Group”. The results of this research, along with evidence gained from the disclosure of internal ITG23 chat logs (“Contileaks”), provide new insight into the connections and cooperation […]

    The post ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups appeared first on Security Intelligence.

    https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/

  • 0 Votes
    1 Posts
    43 Views
    CerberusC

    While no security officer would rely on this alone, it’s good to know the U.S. Department of Justice is increasing efforts to fight cyber crime. According to a recent address in Munich by Deputy Attorney General Lisa Monaco, new efforts will focus on ransomware and cryptocurrency incidents. This makes sense since the X-Force Threat Intelligence […]

    The post New DOJ Team Focuses on Ransomware and Cryptocurrency Crime appeared first on Security Intelligence.

    https://securityintelligence.com/articles/doj-ransomware-crypto/

  • 0 Votes
    1 Posts
    42 Views
    CerberusC

    From 2020 to 2021, there was a 33% increase in the number of reported incidents caused by vulnerability exploitation, according to the 2022 X-Force Threat Intelligence Index. A large percentage of these exploited vulnerabilities were newly discovered; in fact, four out of the top five vulnerabilities in 2021 were newer vulnerabilities. Vulnerability exploitation was the […]

    The post X-Force Research Update: Top 10 Cybersecurity Vulnerabilities of 2021 appeared first on Security Intelligence.

    https://securityintelligence.com/posts/x-force-top-10-cybersecurity-vulnerabilities-2021/

  • 0 Votes
    1 Posts
    47 Views
    CerberusC

    From 2020 to 2021, there was a 33% increase in the number of reported incidents caused by vulnerability exploitation, according to the 2022 X-Force Threat Intelligence Index. A large percentage of these exploited vulnerabilities were newly discovered; in fact, four out of the top five vulnerabilities in 2021 were newer vulnerabilities. Vulnerability exploitation was the […]

    The post X-Force Research Update: Top 10 Cybersecurity Vulnerabilities of 2021 appeared first on Security Intelligence.

    https://securityintelligence.com/posts/x-force-top-10-cybersecurity-vulnerabilities-2021/

  • 0 Votes
    1 Posts
    41 Views
    CerberusC

    Through continued research into the ongoing cyber activity throughout Eastern Europe, IBM Security X-Force identified a phishing email campaign by Hive0117, likely a financially motivated cybercriminal group, from February 2022, designed to deliver the fileless malware variant dubbed DarkWatchman. The campaign masquerades as official communications from the Russian Government’s Federal Bailiffs Service, the Russian-language emails […]

    The post Hive0117 Continues Fileless Malware Delivery in Eastern Europe appeared first on Security Intelligence.

    https://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/

  • 0 Votes
    1 Posts
    43 Views
    CerberusC

    This post was written with contributions from IBM Security’s Sameer Koranne and Elias Andre Carabaguiaz Gonzalez. Operational technology (OT) — the networks that control industrial control system processes — face a more complex challenge than their IT counterparts when it comes to updating operating systems and software to avoid known vulnerabilities. In some cases, implementation […]

    The post Where Everything Old is New Again: Operational Technology and Ghost of Malware Past appeared first on Security Intelligence.

    https://securityintelligence.com/posts/operational-technology-ghost-malware-past/

  • 0 Votes
    1 Posts
    32 Views
    CerberusC

    One of my favorite parts about talking to cybersecurity professionals is asking how they landed in the industry. Few tell me about a straight path to their career, like attending college or earning a certification. Most launch into an interesting tale of their non-traditional career paths. When I share these stories, I’m often asked how […]

    The post Top 5 Cybersecurity Podcasts to Follow in 2022 appeared first on Security Intelligence.

    https://securityintelligence.com/articles/top-5-cybersecurity-podcasts-2022/

  • 0 Votes
    1 Posts
    40 Views
    CerberusC

    On March 1, 2022, ESET reported a third destructive data wiper variant used in attacks against Ukrainian organizations dubbed as CaddyWiper. CaddyWiper’s method of destruction is by overwriting file data with “NULL” values. This is the fourth sample of malware IBM Security X-Force has released public content for, which has reportedly targeted systems belonging […]

    The post CaddyWiper: Third Wiper Malware Targeting Ukrainian Organizations appeared first on Security Intelligence.

    https://securityintelligence.com/posts/caddywiper-malware-targeting-ukrainian-organizations/

  • 0 Votes
    1 Posts
    42 Views
    CerberusC

    Cybersecurity is an ongoing battle, and the latest figures from penetration testers prove that the fight is far from over. According to Positive Technologies, 93% of all networks are open to breaches due to common vulnerabilities. However, there are proactive steps business owners can take to stay on the right side of that ratio. Take […]

    The post 93% of Organizations Have Network Vulnerabilities: Here’s How to Beat the Odds appeared first on Security Intelligence.

    https://securityintelligence.com/articles/93-of-organizations-have-network-vulnerabilities-heres-how-to-beat-the-odds/

  • 0 Votes
    1 Posts
    35 Views
    CerberusC

    On February 24, 2022, ESET reported another destructive wiper detected at a Ukrainian government organization dubbed as IsaacWiper. This is the third sample of malware IBM Security X-Force has analyzed which has been reportedly targeting systems belonging to Ukrainian organizations.  IBM Security X-Force obtained a sample of the IsaacWiper ransomware and has provided the following […]

    The post New Wiper Malware Used Against Ukranian Organizations appeared first on Security Intelligence.

    https://securityintelligence.com/posts/new-wiper-malware-used-against-ukranian-organizations/

  • 0 Votes
    1 Posts
    35 Views
    CerberusC

    Last year, many organizations stopped talking about when the workforce would be back full-time in the office. Instead, they focused on how we build a hybrid work model for the future. 2021 was active and interesting – for lack of a better word. There’s a lot to say in terms of cyber crime in general […]

    The post Expert Insights: What’s Next for Ransomware? appeared first on Security Intelligence.

    https://securityintelligence.com/articles/expert-what-next-ransomware/

  • 0 Votes
    1 Posts
    34 Views
    CerberusC

    IBM Security X-Force researchers have discovered a revamped version of the Trickbot Group’s AnchorDNS backdoor being used in recent attacks ending with the deployment of Conti ransomware. The Trickbot Group, which X-Force tracks as ITG23, is a cybercriminal gang known primarily for developing the Trickbot banking Trojan, which was first identified in 2016 and initially […]

    The post Trickbot Group’s AnchorDNS Backdoor Upgrades to AnchorMail appeared first on Security Intelligence.

    https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/

  • 0 Votes
    1 Posts
    37 Views
    CerberusC

    This post was written with contributions from IBM Security X-Force’s Christopher Del Fierro, Claire Zaboeva and Richard Emerson. On February 23, 2022, open-source intelligence sources began reporting detections of a wiper malware — a destructive family of malware designed to permanently destroy data from the target — executing on systems belonging to Ukrainian organizations. IBM […]

    The post IBM Security X-Force Research Advisory: New Destructive Malware Used In Cyber Attacks on Ukraine appeared first on Security Intelligence.

    https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/

  • 0 Votes
    1 Posts
    42 Views
    CerberusC

    For the third year in a row, ransomware was the top attack type globally in 2021, despite some successes last year by law enforcement to take down ransomware groups. This was among the top findings of IBM Security’s latest research published in the tenth annual X-Force Threat Intelligence Index, a comprehensive overview of the global […]

    The post Ransomware Resilience Tops Findings in X-Force Threat Intelligence Index 2022 appeared first on Security Intelligence.

    https://securityintelligence.com/posts/2022-x-force-threat-intelligence-index-ransomware-resilience-tops-findings/

  • 0 Votes
    1 Posts
    34 Views
    CerberusC

    Malware authors use various techniques to obfuscate their code and protect against reverse engineering. Techniques such as control flow obfuscation using Obfuscator-LLVM and encryption are often observed in malware samples. This post describes a specific technique that involves what is known as metaprogramming, or more specifically template-based metaprogramming, with a particular focus on its implementation […]

    The post TrickBot Gang Uses Template-Based Metaprogramming in Bazar Malware appeared first on Security Intelligence.

    https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/

  • 0 Votes
    1 Posts
    34 Views
    CerberusC

    Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The […]

    The post Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data appeared first on Security Intelligence.

    https://securityintelligence.com/posts/ramnit-banking-trojan-stealing-card-data/

  • 0 Votes
    1 Posts
    46 Views
    CerberusC

    This post was written with contributions from IBM X-Force’s Limor Kessem and Charlotte Hammond. The cyber crime gang that operates the TrickBot Trojan, as well as other malware and ransomware attacks, has been escalating activity. As part of that escalation, malware injections have been fitted with added protection to keep researchers out and get through […]

    The post TrickBot Bolsters Layered Defenses to Prevent Injection Research appeared first on Security Intelligence.

    https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/

  • The Best Threat Hunters Are Human

    0 Votes
    1 Posts
    41 Views
    CerberusC

    “You won’t know you have a problem unless you go and look.” Neil Wyler, who is known as ‘Grifter’ in the hacker community, made that statement as a precursor to an unforgettable story. An organization hired Grifter to perform active threat hunting. In a nutshell, active threat hunting entails looking for an attacker inside an […]

    The post The Best Threat Hunters Are Human appeared first on Security Intelligence.

    https://securityintelligence.com/posts/best-threat-hunters-human/

  • 0 Votes
    1 Posts
    31 Views
    CerberusC

    You’d have to look far and wide to find an IT professional who isn’t aware of (and probably responding to) the Log4Shell vulnerability. The Operational Technology (OT) sector is no exception, yet the exact exposure the vulnerability poses to OT technology is yet to be fully uncovered. The vulnerability was first made public earlier this […]

    The post Log4Shell Vulnerability Risks for OT Environments — and How You Can Better Protect Against Them appeared first on Security Intelligence.

    https://securityintelligence.com/posts/log4shell-vulnerability-security-risks-ot-environments/

  • 0 Votes
    1 Posts
    34 Views
    CerberusC

    How many times have you heard the popular information security joke: “It’s always DNS”? It means that every time there’s a problem you can’t figure out, you will dig until you reach the conclusion that it’s always DNS. But DNS is also where a lot of issues can be caught early, and it should be […]

    The post Zero Trust and DNS Security: Better Together appeared first on Security Intelligence.

    https://securityintelligence.com/posts/zero-trust-dns-security/

  • 0 Votes
    1 Posts
    36 Views
    CerberusC

    In March 2021, IBM Security X-Force observed an attack on an Asian airline that we assess was likely compromised by a state-sponsored adversary using a new backdoor that utilizes Slack. The adversary leveraged free workspaces on Slack, a legitimate messaging and collaboration application likely to obfuscate operational communications, allowing malicious traffic, or traffic with underlying […]

    The post Nation State Threat Group Targets Airline with Aclip Backdoor appeared first on Security Intelligence.

    https://securityintelligence.com/posts/nation-state-threat-group-targets-airline-aclip-backdoor/

  • 0 Votes
    1 Posts
    29 Views
    CerberusC

    IBM Security is following a recent disclosure regarding an Apache vulnerability in the Log4j Java library dubbed Log4Shell (or LogJam). X-Force Exchange has further details on the exploit. Millions of applications use the Java-based Log4j library to log activity, including several prominent web services. Apache has issued a patch with an update to the latest […]

    The post Update on Apache Log4j Zero-Day Vulnerability appeared first on Security Intelligence.

    https://securityintelligence.com/posts/apache-log4j-zero-day-vulnerability-update/

  • 0 Votes
    1 Posts
    62 Views
    CerberusC

    Today’s reality means that organizations need to be constantly vigilant against security breaches. Having a robust incident response plan in place is vital. IBM Security X-Force is a team dedicated to delivering the latest threat intelligence, research and analysis reports that help you manage risk in your organization. This monthly malware roundup offers a summary […]

    The post X-Force Threat Intelligence: Monthly Malware Roundup appeared first on Security Intelligence.

    https://securityintelligence.com/posts/x-force-threat-intelligence-monthly-malware-roundup/

  • 0 Votes
    1 Posts
    57 Views
    CerberusC

    IBM Security X-Force Incident Response (IR) has responded to hundreds of ransomware incidents across every geography and industry. As we have taken time to analyze these incidents, a clear pattern has emerged. Although we observe dozens of ransomware groups in operation across the globe, many with multiple affiliate groups working under them, most ransomware actors […]

    The post Understanding the Adversary: How Ransomware Attacks Happen appeared first on Security Intelligence.

    https://securityintelligence.com/posts/how-ransomware-attacks-happen/

  • 0 Votes
    1 Posts
    42 Views
    CerberusC

    Nethanella Messer and James Kilner contributed to the technical editing of this blog. IBM Trusteer researchers continually analyze financial fraud attacks in the online realms. In recent research into mobile banking malware, we delved into the BrazKing malware’s inner workings following a sample found by MalwareHunterTeam. BrazKing is an Android banking Trojan from the overlay […]

    The post BrazKing Android Malware Upgraded and Targeting Brazilian Banks appeared first on Security Intelligence.

    https://securityintelligence.com/posts/brazking-android-malware-upgraded-targeting-brazilian-banks/

  • 0 Votes
    1 Posts
    32 Views
    CerberusC

    In an age where organizations have established a direct dependence on software to run critical business operations, it’s fundamental that they are evaluating their software development lifecycles and that of their extended environment — third-party partners — against the same standards. Concerns around vulnerability management are gaining more government attention around the world in order […]

    The post Call to Patch: Zero Day Discovered in Enterprise Help Desk Platform appeared first on Security Intelligence.

    https://securityintelligence.com/posts/zero-day-discovered-enterprise-help-desk/

  • 0 Votes
    1 Posts
    45 Views
    CerberusC

    Ransomware. Five years ago, the cybersecurity community knew that term well, although among others it was far from dinner table conversation. Times have changed. Since early 2020, ransomware has hit a slew of headlines. People inside and outside of the security industry are talking about it, and many have experienced the ransomware pain firsthand. The […]

    The post A New Cybersecurity Executive Order Puts the Heat on Critical Infrastructure Suppliers appeared first on Security Intelligence.

    https://securityintelligence.com/posts/new-cybersecurity-executive-order-critical-infrastructure-suppliers/

  • 0 Votes
    1 Posts
    33 Views
    CerberusC

    According to the 2021 X-Force Threat Intelligence Index, scanning for and exploiting vulnerabilities was the top infection vector of 2020. Up to one in three data breaches stemmed from unpatched software vulnerabilities. Take a look at this list of vulnerabilities or design flaws with no official Microsoft fix. In any case, one in three might […]

    The post How to Deal With Unpatched Software Vulnerabilities Right Now appeared first on Security Intelligence.

    https://securityintelligence.com/articles/how-to-deal-with-unpatched-software-vulnerabilities-2/

  • 0 Votes
    1 Posts
    40 Views
    CerberusC

    IBM Security X-Force researchers have recently reverse-engineered Prometheus ransomware samples as part of ongoing incident response operations. X-Force has found that samples that infected organizational networks featured flawed encryption. This allowed our team to develop a fast-acting decryptor and help customers recover from the attack without a decryption key. While rare, ransomware developers can make […]

    The post From Thanos to Prometheus: When Ransomware Encryption Goes Wrong appeared first on Security Intelligence.

    https://securityintelligence.com/posts/ransomware-encryption-goes-wrong/

  • 0 Votes
    1 Posts
    51 Views
    CerberusC

    Contributed to this research: Adam Laurie and Sameer Koranne. Given the accelerating rise in operational technology (OT) threats, this blog will address some of the most common threats IBM Security X-Force is observing against organizations with OT networks, including ransomware and vulnerability exploitation. IBM will also highlight several measures that can enhance security for OT […]

    The post The Weaponization of Operational Technology appeared first on Security Intelligence.

    https://securityintelligence.com/posts/weaponization-operational-technology/

  • 0 Votes
    1 Posts
    34 Views
    CerberusC

    In an advisory released on October 24, Microsoft announced ongoing campaigns it has attributed to the Nobelium state-sponsored threat group. IBM X-Force tracks this group as Hive099. If the name sounds familiar, that’s because it is the same group that targeted SolarWinds in 2020. The U.S. government has identified Nobelium as part of Russia’s foreign […]

    The post Nobelium Espionage Campaign Persists, Service Providers in Crosshairs appeared first on Security Intelligence.

    https://securityintelligence.com/posts/nobelium-espionage-campaign-persists/

  • 0 Votes
    1 Posts
    48 Views
    CerberusC

    One of the benefits of being part of a global research-driven incident response firm like X-Force Incident Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed […]

    The post Detections That Can Help You Identify Ransomware appeared first on Security Intelligence.

    https://securityintelligence.com/posts/detections-help-identify-ransomware/

  • 0 Votes
    1 Posts
    49 Views
    CerberusC

    Cybersecurity experts fill our days with terminology from warfare, including jargon such as red team versus blue team. The concept of ‘red team’ has its origin in wargaming. The red team plays an opposing force and attempts to bypass the barriers of the defending or blue team.   These exercises are not about winning or […]

    The post When Is an Attack not an Attack? The Story of Red Team Versus Blue Team appeared first on Security Intelligence.

    https://securityintelligence.com/articles/red-team-versus-blue-team-attack/

  • 0 Votes
    1 Posts
    56 Views
    CerberusC

    With incidents such as the Colonial Pipeline infection and the Kaseya supply chain attack making so many headlines these days, it can be easy to forget that malicious actors are still preying on individual users. They’re not using ransomware to do that so much anymore, though. Not since the rise of big game hunting, anyway. […]

    The post How to Report Scam Calls and Phishing Attacks appeared first on Security Intelligence.

    https://securityintelligence.com/articles/how-to-report-scam-calls-phishing-attacks/

  • 0 Votes
    1 Posts
    51 Views
    CerberusC

    IBM X-Force has been tracking the activity of ITG23, a prominent cybercrime gang also known as the TrickBot Gang and Wizard Spider. Researchers are seeing an aggressive expansion of the gang’s malware distribution channels, infecting enterprise users with Trickbot and BazarLoader. This move is leading to more ransomware attacks — particularly ones using the Conti […]

    The post Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds appeared first on Security Intelligence.

    https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/

  • 0 Votes
    1 Posts
    41 Views
    CerberusC

    In terms of database security, any bad practice is dangerous. Still, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently deemed some behavior as “exceptionally risky.” Are your teams engaged in these high-risk practices? What can you do to mitigate the risk of a data breach? As per CISA, “The presence of these Bad Practices […]

    The post CISA Names 3 ‘Exceptionally Dangerous’ Behaviors to Avoid appeared first on Security Intelligence.

    https://securityintelligence.com/articles/cisa-three-exceptionally-dangerous-behaviors-to-avoid/

  • The Real Cost of Ransomware

    0 Votes
    1 Posts
    46 Views
    CerberusC

    Ransomware is an expensive cybercrime and getting more so all the time. Payouts have risen massively in the past few years. But while ransomware payment amounts make headlines, the real costs go far beyond what’s paid to the attackers.  How Ransomware Works Now Ransomware has always been a problem. But in recent years, attackers have […]

    The post The Real Cost of Ransomware appeared first on Security Intelligence.

    https://securityintelligence.com/articles/real-cost-of-ransomware/

  • 0 Votes
    1 Posts
    48 Views
    CerberusC

    Why is one of cyber crime’s oldest threats still going strong? The Anti-Phishing Working Group (APWG) reports that January 2021 marked an unprecedented high in the APWG’s records, with over 245,771 phishing attacks in one month. IBM X-Force’s 2021 Threat Intelligence Index found that phishing led to 33% of cyber attacks organizations had to deal […]

    The post Phishing Attacks Are Top Cyber Crime Threat, Easier Than Ever to Create and Deploy appeared first on Security Intelligence.

    https://securityintelligence.com/posts/phishing-attacks-top-cyber-threat-create-deploy/

  • 0 Votes
    1 Posts
    35 Views
    CerberusC

    Not long after launching a major supply chain attack in July 2021, the REvil ransomware gang went offline. The group’s infrastructure, including its surface and dark web portals used for ransom negotiations and data leaks, shut down on July 12, according to Bleeping Computer. Russian digital crime forum XSS banned Unknown, a user believed to […]

    The post What Happens to Victims When a Ransomware Gang Vanishes? appeared first on Security Intelligence.

    https://securityintelligence.com/articles/what-happens-victims-when-ransomware-gang-vanishes/

  • 0 Votes
    1 Posts
    46 Views
    CerberusC

    Can having a mature, comprehensive cloud security strategy reduce the impact of data breaches on your organization? Results from the latest Cost of a Data Breach Report indicate that taking this approach might produce potential savings for your business. Among other findings, the report noted that the mature use of security analytics was associated with […]

    The post Know the Four Pillars of Cloud Security That Reduce Data Breach Risk appeared first on Security Intelligence.

    https://securityintelligence.com/posts/four-pillars-cloud-security-reduce-data-breach-risk/

  • 0 Votes
    1 Posts
    54 Views
    CerberusC

    Moving along our organizational resilience journey, we focus on disaster recovery (DR), the perfect follow-up to business continuity (BC). The two go hand-in-hand, often referenced as BCDR, and both are key to your cyber resilience planning. If you recall from the previous piece, NIST SP 800-34 calls out a separate disaster recovery plan, as it […]

    The post A Journey in Organizational Cyber Resilience Part 3: Disaster Recovery appeared first on Security Intelligence.

    https://securityintelligence.com/articles/organizational-cyber-resilience-part-3-disaster-recovery/

  • 0 Votes
    1 Posts
    70 Views
    CerberusC

    You’ve probably heard the phrase “you don’t know what you don’t know”. It’s a stage of learning most people find themselves in at one time or another. When it comes to cybersecurity, hackers succeed by finding the security gaps and vulnerabilities you missed. That’s true of malicious attackers. But it’s also true of their equivalent […]

    The post 12 Benefits of Hiring a Certified Ethical Hacker appeared first on Security Intelligence.

    https://securityintelligence.com/articles/12-benefits-hiring-certified-ethical-hacker/

  • 0 Votes
    1 Posts
    57 Views
    CerberusC

    Cybersecurity professionals are already losing sleep over data breaches and how to best protect their employers from attacks. Now they have another nightmare to stress over — how to spot a deepfake.  Deepfakes are different because attackers can easily use data and images as a weapon. And those using deepfake technology can be someone from […]

    The post How to Protect Against Deepfake Attacks and Extortion appeared first on Security Intelligence.

    https://securityintelligence.com/articles/how-protect-against-deepfake-attacks-extortion/

  • 0 Votes
    1 Posts
    51 Views
    CerberusC

    Retail data breaches involving customer data happen often today. However, they tend to be smaller in size than health care, finance or government breaches. So, the general public notices them less. Yet, they happen more often than realized. Why? And how can you defend against them? Human Error in Customer Data Theft All types of retail […]

    The post What’s Behind the Leaks of Customer Data From Retailer Databases? appeared first on Security Intelligence.

    https://securityintelligence.com/articles/behind-leaks-customer-data-retailer-databases/

  • 0 Votes
    1 Posts
    54 Views
    CerberusC

    Malware can show up where you least expect it. Researchers discovered a logic bomb attack in the Python Package Index (PyPI) repository, which is a code repository for Python developers and part of the software supply chain. Attackers aimed to get honest software developers to include the bombs in their applications by accident. The researchers found […]

    The post Cryptominers Snuck Logic Bomb Into Python Packages appeared first on Security Intelligence.

    https://securityintelligence.com/articles/cryptominers-snuck-logic-bomb-into-python-packages/

  • 0 Votes
    1 Posts
    41 Views
    CerberusC

    As cybercriminals remain steadfast in their pursuit of unsuspecting ways to infiltrate today’s businesses, a new report by IBM Security X-Force highlights the top tactics of cybercriminals, the open doors users are leaving for them and the burgeoning marketplace for stolen cloud resources on the dark web. The big takeaway from the data is businesses […]

    The post X-Force Report: No Shortage of Resources Aimed at Hacking Cloud Environments appeared first on Security Intelligence.

    https://securityintelligence.com/posts/x-force-report-hacking-cloud-environments/

  • 0 Votes
    1 Posts
    60 Views
    CerberusC

    Many companies today automate their software development life cycle with continuous integration and continuous delivery (CI/CD). It’s part of the broader DevOps movement to speed software development while reducing errors. Continuous integration builds and tests code automatically, while continuous delivery automates the entire software release process up to production. In order to secure it, industry […]

    The post How DevSecOps Can Secure Your CI/CD Pipeline appeared first on Security Intelligence.

    https://securityintelligence.com/articles/how-devsecops-secure-cicd-pipeline/