Source: NSB Cyber


#NSBCS.050 - 50 Signals Strong: NSB’s Chronicles of Cyber

As we celebrate our 50th signal, we want to take a moment to reflect on the journey we've embarked upon together. Over the past 49 signals, we've explored a diverse range of topics in the ever-evolving world of cybersecurity. From emerging threats and cutting-edge technologies to regulatory changes and best practices, our signals have aimed to keep you informed and prepared for the challenges that lie ahead in the digital landscape.

Throughout this journey, we've delved into critical areas such as AI-powered cyber threats, the importance of zero-trust architecture, the rise of quantum computing in cybersecurity, and the growing significance of privacy regulations like GDPR and CCPA. We've also highlighted the increasing sophistication of ransomware attacks, the need for robust cloud security measures, and the crucial role of employee training in maintaining a strong security posture. Our aim has always been to blend expert analysis with actionable advice, empowering you to fortify your organisation’s defences and adapt to the fast-changing threat landscape.

Key Insights from Our Past Signals:

  • The integration of AI in both cyber defence and attack strategies is reshaping the security landscape, necessitating more adaptive and predictive defence measures.

  • Zero-trust architecture is becoming essential in an era of distributed workforces and cloud-based services, underscoring the shift from perimeter-based security to continuous verification.

  • Quantum computing poses both opportunities and significant threats to current encryption methods, compelling organisations to consider quantum-resilient cryptographic solutions.

  • Privacy regulations are driving fundamental changes in data handling and protection practices, making compliance a core business requirement.

  • Ransomware attacks are evolving rapidly, targeting critical infrastructure and employing double extortion tactics that increase pressure on victims to comply.

  • Cloud security requires a shared responsibility model, where continuous monitoring and strategic alignment between service providers and clients are key to safeguarding assets.

  • Human error remains a significant factor in security breaches, emphasising the need for ongoing and comprehensive employee education and simulated training exercises.

As we look forward to our future signals, we remain committed to providing you with valuable insights, strategic foresight, and actionable intelligence. The cybersecurity landscape continues to evolve at an unprecedented pace, presenting both challenges and opportunities. We'll be here to guide you through the complexities, emerging trends, and innovative solutions that shape our digital world. Thank you for being an essential part of this journey. Here’s to the next 50 signals and beyond, as we continue to navigate the frontlines of cybersecurity together! #nostepsbackward

To find out more about NSB Cyber’s Origin Story, our Consulting Values and Services, head here.

What we read this week

  • Windows Infected with Backdoored Linux VMs in New Phishing Attacks - A new phishing campaign named "CRON#TRAP" is targeting Windows systems by installing Linux virtual machines (VMs) with embedded backdoors, enabling threat actors to infiltrate corporate networks. These phishing emails masquerade as a survey from "OneAmerica" and include a ZIP file that installs a QEMU-based Linux VM disguised as a legitimate Windows process. This VM, called "PivotBox," uses the Chisel tool for network tunneling, allowing secure command-and-control (C2) communication. The backdoor can establish persistence by auto-starting on reboot and deploying SSH keys for continuous access.

  • Alleged Snowflake Hacker Detained in Canada at DOJ's Request - Canadian authorities have arrested Alexander "Connor" Moucka, suspected of orchestrating a series of significant data breaches involving Snowflake accounts, following a request from United States officials. The breaches affected approximately 165 organisations, including AT&T, Ticketmaster, Advance Auto Parts, and Santander, compromising vast amounts of sensitive data. Investigations revealed that hackers exploited stolen login credentials, some dating back to 2020, to access these accounts. Snowflake confirmed that its platform's security was not compromised, attributing the breaches to the use of valid but stolen credentials.

  • DocuSign Abused to Deliver Fake Invoices - Cybercriminals are exploiting DocuSign's APIs to send fraudulent invoices that bypass email security measures, according to a report by Wallarm. By creating legitimate DocuSign accounts, attackers craft templates resembling requests from reputable brands and dispatch them to unsuspecting recipients. These emails, originating directly from DocuSign's platform and devoid of malicious links or attachments, often evade spam and phishing filters. The fraudulent invoices typically request signatures authorising payments to the attackers' accounts. The persistence of this campaign over several months suggests the use of automated processes, likely leveraging DocuSign's APIs for efficiency.

  • Microsoft SharePoint RCE Bug Exploited to Breach Corporate Network - A critical remote code execution (RCE) vulnerability in Microsoft SharePoint, identified as CVE-2024-38094, was exploited to breach a corporate network. Despite being patched in July, attackers used this flaw to gain initial access and move laterally across the network, remaining undetected for two weeks. Rapid7’s investigation revealed that attackers installed Huorong Antivirus to disable security defenses, facilitating further exploits. Tools like Mimikatz, Impacket, and scheduled tasks were then employed for credential harvesting, remote access, and persistence. Admins are urged to apply the SharePoint update immediately to prevent exploitation.

  • Zero-Click Flaw Exposes Potentially Millions of Popular Storage Devices to Attack - A critical zero-click vulnerability has been discovered in Synology's default photo application on their network-attached storage (NAS) devices, potentially exposing millions of users to attacks. This flaw allows attackers to gain root access without user interaction, enabling data theft, backdoor installation, or ransomware deployment. The vulnerability affects both BeeStation and DiskStation models, commonly used by individuals, businesses, and critical infrastructure sectors. Researchers identified numerous internet-connected Synology NAS devices susceptible to this exploit, including those used by law enforcement and various industries. Synology has released a critical patch; however, since these devices lack automatic update capabilities, users must manually apply the update to secure their systems.
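The CRON#TRAP item above describes a QEMU Linux guest dropped onto a Windows host under a disguised name and re-launched at each reboot. The following is an added example, not code from NSB Cyber or from the reporting it summarises, showing how a detection engineer might surface that tradecraft from endpoint telemetry. It assumes Sysmon-style process-creation records (Event ID 1 fields Image, OriginalFileName, CommandLine, ParentImage) and registry-set records (Event ID 13 fields TargetObject, Details); the sample events, paths, user name and "FontDiag" binary are all constructed for the example, and the heuristics (renamed QEMU binary, launch from a user-writable directory, headless guest, Run-key autostart) are the author's assumptions about what such a launch looks like rather than indicators published for the campaign.

```python
import re

# Constructed Sysmon-style records. Field names follow Sysmon Event ID 1 / 13;
# every path, user and value below is invented for this example.
SAMPLE_EVENTS = [
    {   # A developer running QEMU from its normal install path: should not fire.
        "EventID": 1,
        "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
        "OriginalFileName": "qemu-system-x86_64.exe",
        "CommandLine": r"qemu-system-x86_64.exe -m 2048 -hda C:\vms\dev.qcow2",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # QEMU renamed to look like a Windows utility and run headless from AppData.
        "EventID": 1,
        "Image": r"C:\Users\alice\AppData\Roaming\FontDiag\fontdiag.exe",
        "OriginalFileName": "qemu-system-x86_64.exe",
        "CommandLine": r"fontdiag.exe -m 512 -drive file=data.img,format=qcow2 -display none -netdev user,id=n0 -device e1000,netdev=n0",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # Run-key value re-launching the disguised binary at logon (persistence on reboot).
        "EventID": 13,
        "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\FontDiag",
        "Details": r"C:\Users\alice\AppData\Roaming\FontDiag\fontdiag.exe -m 512 -drive file=data.img -display none",
    },
    {   # Unrelated process creation: must be ignored.
        "EventID": 1,
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": r"notepad.exe C:\Users\alice\notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# The PE's embedded original name survives a rename on disk, so compare it to the on-disk name.
QEMU_NAME = re.compile(r"^qemu-system-[a-z0-9_]+\.exe$", re.I)
# Switches that only make sense when launching a QEMU guest (disk, NIC, display, boot order).
QEMU_SWITCHES = re.compile(r"(?:^|\s)-(?:hda|drive|cdrom|netdev|display|boot)\b", re.I)
# Directories an ordinary user can write to without elevation (heuristic, not exhaustive).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\|\\Temp\\|\\ProgramData\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)


def basename(path):
    """Return the last path component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def score_process(ev):
    """Return a list of findings for a process-creation record (empty if benign)."""
    findings = []
    orig = ev.get("OriginalFileName", "")
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    looks_like_qemu = bool(QEMU_NAME.match(orig)) or bool(QEMU_SWITCHES.search(cmd))
    if not looks_like_qemu:
        return findings
    if QEMU_NAME.match(orig) and basename(image).lower() != orig.lower():
        findings.append("qemu binary renamed: %s running as %s" % (orig, basename(image)))
    if USER_WRITABLE.search(image):
        findings.append("qemu launched from user-writable path: %s" % image)
    low = cmd.lower()
    if "-display none" in low or "-nographic" in low:
        findings.append("headless guest (no console shown to the user)")
    return findings


def score_registry(ev):
    """Flag an autostart (Run/RunOnce) value whose command launches a QEMU guest."""
    target = ev.get("TargetObject", "")
    details = ev.get("Details", "")
    if RUN_KEY.search(target) and (QEMU_SWITCHES.search(details) or "qemu-system" in details.lower()):
        return ["autostart entry launches a qemu guest: %s -> %s" % (target, details)]
    return []


def triage(events):
    """Return [(index, findings)] for every event that produced at least one finding."""
    hits = []
    for i, ev in enumerate(events):
        findings = score_process(ev) if ev.get("EventID") == 1 else score_registry(ev)
        if findings:
            hits.append((i, findings))
    return hits


if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_EVENTS):
        print("event %d:" % idx)
        for f in findings:
            print("  - " + f)
```

The legitimate developer launch in the first record produces no findings, which is the point of combining the signals: QEMU on a workstation is not itself suspicious, but a renamed QEMU binary started headless from a user profile directory and pinned to a Run key is. In a real pipeline the same checks would also be applied to scheduled-task creation and to the Chisel-style outbound tunnel the guest sets up, which this host-only example does not see.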
