Optery’s Post

Great report from Google Cloud's Mandiant threat intelligence team. One of easiest and cost efficient ways CISOs and their teams can be proactive in guarding against social engineering attacks is to remove employee PII from data broker websites. These sites make crafting up a social engineering attack as simple as a Google search. It's a win win that benefits both the company and the employee personally. #socialengineering #cybersecurity #ciso

Unveiling the Stealthy Tactics: How Cyber Adversaries Snatch Credentials from Your Browser and How to Fortify Your Defense🔒 Imagine an intruder gaining control of a user's system—unrestricted access to execute commands. What's their next target? You guessed it right—hunting for more credentials! And where's the first stop in this malicious quest? The treasure trove of saved credentials in the victim's web browser. Web browsers, in an effort to enhance user experience, store passwords in an encrypted format within specific files on the system. Each browser has a designated location for these files, such as Google Chrome's AppData\Local\Google\Chrome\User Data\Default\Login Data. Despite encryption, attackers can decrypt and obtain the original passwords. Here's a glimpse into the common attack flow: Attack Flow: Infiltration of a user's device. Navigation to the browser's 'credential store' path. Accessing the credential file (an SQLite file). Executing a SQL query to extract the encrypted password. Passing the encrypted password to Windows Data Protection API. Retrieving the decrypted password. Utilizing the stolen credentials to move laterally or elevate privilege. In real-time attacks, especially in ransomware incidents, this process is often automated through infostealer malware, resulting in lightning-fast theft and transmission of credentials to the attacker's server. How can SOC analysts counter this? Recognize the serious risk of employees storing work passwords in browsers. On managed devices, consider disallowing password storage in browsers. Detect and monitor non-browser processes attempting to read credential store files, signaling potential suspicious activity. Implement endpoint protection and anti-malware capable of identifying infostealer activity. In the event of confirmed browser credential theft, swift incident response is crucial. Isolate the system from the network promptly, and invalidate stolen credentials or tokens. If this added some value, follow me at Raghav Tiwari for more such content! Ignore Hashtags! #CyberSecurityInsights #BrowserSecurity #DefendAgainstCyberThreats #InfoSecAwareness #CredentialProtection #CyberDefenseStrategies #SecurityAwareness #IncidentResponse #StayCyberSafe #FollowForMoreInsights

It's important to be aware of the security threats facing businesses in today's digital world. 💻 Recently, Okta, a cloud-based identity management platform, warned of social engineering attacks targeting super administrator privileges. 🚨 The attacks involve an individual impersonating an IT admin, requesting privileged access on behalf of a company executive, or asking for assistance with a password reset. 🔑 Okta recommends that companies create policies and procedures to protect their data and accounts. 🔒 They also recommend enabling multi-factor authentication, which can help to verify a user's identity and help protect against malicious account takeovers. 🔐 By taking the appropriate steps, businesses can protect themselves against social engineering attacks and better secure their data. 🔃 #SocialEngineering #SecurityThreats #MultiFactorAuthentication

Unveiling FlawedAmmyy: A Close Look at its Notorious Activities and Capabilities 🕵️♂️💻 In the realm of cybersecurity, FlawedAmmyy stands as a formidable threat, its activities and capabilities shrouded in mystery and danger. Let's dive deep into this notorious RAT (Remote Access Trojan) and uncover its secrets. #FlawedAmmyy #Cybersecurity #RAT 🔍 Exploring FlawedAmmyy's Activities: FlawedAmmyy operates in the shadows, silently infiltrating systems and granting unauthorized access to cybercriminals. Its malicious activities range from data exfiltration to remote control of compromised machines. With each clandestine move, it jeopardizes the security and privacy of individuals and organizations alike. 💻 Unveiling its Capabilities: This insidious RAT boasts a plethora of capabilities, allowing attackers to execute commands remotely, exfiltrate sensitive data, and maintain persistent access to compromised systems. Its modular design enables customization, making it a versatile tool in the hands of cybercriminals. 🕵️♂️ The Elusive KGB Connection: Speculation abounds regarding FlawedAmmyy's origins, with whispers of potential ties to the infamous KGB. While concrete evidence remains elusive, the sophistication of its operations suggests the involvement of well-resourced entities, adding an air of intrigue to its menacing presence. ⚖️ Legal Action Against FlawedAmmyy: Victims of FlawedAmmyy infections have legal avenues to pursue justice. From reporting incidents to law enforcement agencies to filing civil lawsuits against perpetrators, taking legal action is crucial in holding cybercriminals accountable for their actions and seeking restitution for damages. 🛡️ Defending Against FlawedAmmyy: To defend against FlawedAmmyy and similar threats, organizations must adopt a multi-layered cybersecurity approach. This includes deploying robust endpoint protection, implementing network segmentation, conducting regular security audits, and developing comprehensive incident response plans. In conclusion, FlawedAmmyy represents a significant cybersecurity threat, its activities veiled in secrecy and danger. By shedding light on its nefarious operations, organizations can better prepare themselves to defend against its insidious attacks. Stay vigilant, stay secure. 🛡️🔒 #CyberSecurity #StaySafe #FlawedAmmyy #DigitalThreats 🛡️💻🔒 Learn More: https://lnkd.in/djrdxPUw

https://lnkd.in/gSuHhAiH Hackers Acquire Corporate Logins From SMS #Phishing And Support Desk Calls A financially driven threat group, UNC3944 has frequently employed phone-based #socialengineering and SMS phishing attacks to gain credentials and escalate access to target organizations. The #hacking group has been observed to target a wide range of #businesses, including #hospitality, #retail, #media and #entertainment, #financialservices, and #telecommunication and #business process outsourcer (#BPO) firms. According to #Mandiant, due to the group’s geographic diversity, it has shown a larger concentration on stealing huge amounts of confidential data for extortion and they appear to be familiar with Western commercial practices. Additionally, UNC3944 has routinely used freely accessible tools, legal software, and #malware that can be purchased on #darknet forums. #cloudsecurity #cyberawareness #informationsecurity #riskmanagement #cybersecurityawareness #asis #ciso #securityawareness #globalsecurity #cybersecurity #technology #homelandsecurity #security #RAS #rso #threatintelligence #darkweb #helpdesk #ITsupport #cloud

"These threat actors are considered experts in social engineering and use multiple social engineering techniques, especially phishing, push bombing, and subscriber identity module SIM swap attacks, to obtain credentials, install remote access tools, and or or bypass multi-factor authentication MFA." https://lnkd.in/gxGxdzgb #cybersecurity #threats #attacks #socialengineering #scatteredspider #industrialcyber #icssecurity #ics

The researchers said in a Mandiant (now part of Google Cloud) report that a group known as UNC3944’s tactic is to contact corporate help desks and claim to be employees having network access trouble and need their passwords reset or a new multi-factor authentication #MFA code. Once in an IT network they escalate their access privileges until they can launch #malware, steal data or install #ransomware. In addition, UNC3944 often achieves privilege escalation by targeting password managers or privileged access management systems. The report has suggested to stop using SMS text as a MFA verification option, block external access to Microsoft Azure and Microsoft 365 administration features, and require video verification of a help desk caller who wants a password reset. The help desk should verify the face of the user by comparing it to an internal system or security badge system where a photo of the user is stored. Additionally, the help desk should make sure the user shows a form of ID on the video call, like a driver’s license. Mandiant has observed the group’s targeting has broadened beyond telecommunication and business process outsourcer (BPO) companies to a wide range of industries including hospitality, retail, media and entertainment, and financial services. https://lnkd.in/ggn4eUPT Saya University ❤️ #GoSaya #cyberattack #socialengineering #humanrisk #cybersecurityawareness #サイバーセキュリティ #サイバーセキュリティ教育  #サイバー攻撃 #標的型メール攻撃 Jonathan Hiroshi Rossi Yoshitaka Kashiwagi Crystal Lopez

𝗢𝗽𝗜𝘀𝗿𝗮𝗲𝗹, also referred to as #OpIsrael, is a yearly synchronized cyber attack in which hacktivists direct their efforts towards Israeli governmental and private websites using 𝗗𝗗𝗼𝗦 𝗮𝘁𝘁𝗮𝗰𝗸𝘀 and other techniques. This campaign was instigated by Anonymous hackers in 2013, aligning with 𝗛𝗼𝗹𝗼𝗰𝗮𝘂𝘀𝘁 𝗥𝗲𝗺𝗲𝗺𝗯𝗿𝗮𝗻𝗰𝗲 𝗗𝗮𝘆, and has persistently occurred on an annual basis ever since. 𝗖𝗼𝗺𝗺𝗼𝗻 𝗔𝘁𝘁𝗮𝗰𝗸 𝗧𝗲𝗰𝗵𝗻𝗶𝗾𝘂𝗲𝘀 * Distributed Denial of Service (DDoS) Attacks occur when a server or network is flooded with excessive traffic, disrupt services, cause downtime, and lead to financial losses for the targeted organizations. * Hacktivists may takeover social media accounts associated with Israeli organizations or public figures to disseminate propaganda, spread misinformation, or promote their ideological agenda. * Website Defacement involves hackers gaining unauthorized access to a website's server and altering its content to display messages, images, or slogans reflecting the attackers' views. * Social Engineering Methods involves manipulating individuals to reveal confidential information or take actions that jeopardize security. * Data Breach attacks aim to steal sensitive data from Israeli organizations, including government agencies, businesses, or individuals, and then leak this information publicly. These data breaches can expose confidential information, compromise privacy, and damage the reputation of the targeted entities. 𝗥𝗲𝗰𝗼𝗺𝗺𝗲𝗻𝗱𝗮𝘁𝗶𝗼𝗻𝘀 ✅ Set up firewalls and routers to block harmful traffic linked to DDoS attacks. ✅ Ensure that all systems software is regularly updated with the latest security patches. ✅ Implementation of strong authentication mechanisms, such as multi-factor authentication (MFA) or CAPTCHA. ✅ Employ email filtering and anti-phishing software to automatically detect and prevent malicious emails that include phishing links, malware attachments, or fraudulent requests. ✅ Regularly train employees on security awareness to teach them about common social engineering tactics like phishing emails, pretexting, and baiting. ✅ Apply robust access controls and least privilege principles to control access to sensitive data exclusively to authorized individuals who need it for their job tasks. ✅ Deploy data loss prevention (DLP) solutions to monitor and enforce policies governing the use, storage, and transmission of sensitive data. ✅ Set up account recovery options, such as recovery email addresses or phone numbers, to regain access to social media accounts lockout. 𝗥𝗲𝗺𝗲𝗺𝗯𝗲𝗿, 𝗰𝘆𝗯𝗲𝗿 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗶𝘀 𝗲𝘃𝗲𝗿𝘆𝗼𝗻𝗲’𝘀 𝗿𝗲𝘀𝗽𝗼𝗻𝘀𝗶𝗯𝗶𝗹𝗶𝘁𝘆. 𝗟𝗼𝗼𝗸𝗶𝗻𝗴 𝗳𝗼𝗿 𝗔𝗱𝗱𝗶𝘁𝗶𝗼𝗻𝗮𝗹 𝗣𝗿𝗼𝘁𝗲𝗰𝘁𝗶𝗼𝗻? Visit our website https://cytechint.com/ to learn about our comprehensive cyber security solutions designed to safeguard organizations of all sizes. #OpIsrael #Cybersecurity #OnlineSafety #DataProtection

For cybersec folks, helpful write-up by Mandiant/Google linked below regarding the high level "attack chain" that may have( in part) been involved in the in recent MGM Resorts Breach. TLDR / take-aways from the front of the chain: Make sure to think through social engineering resiliency at your service desk lines esp. around 2FA support assistance (e.g. bypass code issuance) as well as educating users about spotting SMS phishing "smishing" threats in BYOD mobile space. "A hallmark of UNC3944 incidents is the use of smishing messages sent to employees of targeted organizations for stealing valid credentials. In the majority of cases where we identified the initial access vector, UNC3944 obtained access to the victim environment after a successful smishing attack. After obtaining credentials, the threat actors have also impersonated employees on calls to victim organizations' service desks in an attempt to obtain multi factor authentication (MFA) codes and/or password resets. During these calls, the threat actor provided verification information requested by the help desk employees, including usernames, employee IDs, and other types of personally identifiable information (PII) associated with employees. Notably, the threat actors often asked the service desk support to repeat the question and paused for significant lengths before answering, likely due to the threat actor looking through notes or attempting to search for the answer to the question posed." https://lnkd.in/gBTd_6V5 #cybersecurity #attackchain #ttps

Traditional multi-factor authentication is not enough for BPO contact centers. Researchers at Stanford University found that 88% of security breaches had an element of human error. The same research determined that 25% of breaches resulted from social engineering or phishing emails. Continuous MFA is entirely unphishable as no keys or codes can be handed to an attacker in the event of a phishing attempt, making phishing-resistant biometric MFA the next big requirement in contact center security. #identitysecurity #biometrics #contactcentersolution https://lnkd.in/eZbCr3jj