#NSBCS.069 - Need to know basis: why all cyber expert roles are not the same
Source: NSB Cyber
Need to know basis: why all cyber expert roles are not the same
Cyber experts play a pivotal role in incident response.
A highly technical mindset, honed in moments of actual or potential crisis, a translator for the non-technical audience, fast, accurate, reliable, trustworthy, calm... you get the idea. A highly valuable member of the team for CISOs and CEOs alike.
This requirement hasn't changed. So what has?
The audience is the short answer.
Recent legal decisions relating to significant cyber events in Australia, particularly those concerning access to incident response reporting, are driving changes to the role of a cyber expert.
An incident report prepared by a cyber expert as part of incident response is a critical artefact in the successful management of a cyber event. These reports, when written well, are often highly detailed, highly technical reports and serve a primary purpose of distilling a huge amount of forensic work into a sequence of critical elements that answer the who, what, where, when and how of any incident. They can also get into the detail on what to remediate to avoid future issues.
Highly valuable information for a broad audience.
So, will the recent legal decisions (this isn't a legal blog and we will not be interpreting the legal aspects!) see a shift in the engagement of cyber experts? Is there a place for two experts, and not just one, on every incident? How could this work?
One expert focused on the initial incident, identifying the facts of what has happened and outlining them as quickly and accurately as possible. Another expert engaged for the dominant purpose of the legal process, a role that can delve into the nuance and detail of the incident, interpret aspects from a position of expertise and support an overarching, legal-risk-driven process that has become crucial to most, if not all, cyber events.
Time will tell if this is the new normal.
One thing is for certain: the cyber incident report has become one of the most critical incident artefacts produced, and because of this, organisations would do well to retain some capable cyber experts (separate from their SOC or MSSP DFIR teams) who know how to work as part of a broader, legal-risk-driven process.
Catch up on our past Signals blog posts here.
What we read this week
Microsoft Patch Tuesday released - Microsoft’s April 2025 Patch Tuesday, released on 09 April 2025, addresses 134 vulnerabilities, including one actively exploited zero-day, CVE-2025-29824, in the Windows Common Log File System Driver. This flaw allows local attackers to escalate privileges to SYSTEM level. Microsoft attributed exploitation of the zero-day to the RansomEXX ransomware gang. The update also resolves 11 critical remote code execution (RCE) vulnerabilities among a total of 31 RCEs, alongside 49 elevation of privilege, 9 security feature bypass, 17 information disclosure, 14 denial of service, and 3 spoofing vulnerabilities. Patches for Windows 10 (x64/32-bit) and LTSB 2015 are not yet available. Organisations are encouraged to assess their exposure and apply the patches according to their prioritisation.
Emerging trend: Precision-Validated Phishing - Phishing actors have adopted a new evasion tactic dubbed "Precision-Validated Phishing," which displays fake login forms exclusively to pre-targeted, high-value email addresses. Unlike traditional broad-spectrum phishing, this method leverages real-time email validation—via third-party verification services or custom JavaScript—to filter out non-valid targets, redirecting them to benign sites like Wikipedia. Documented by Cofense, this approach disrupts conventional security research, as fake or test credentials fail to reveal phishing content, hampering automated crawlers and sandboxes. Some campaigns further require victims to input validation codes sent to their inboxes, complicating detection. This evolution challenges traditional email security tools, necessitating advanced behavioural analysis and real-time intelligence to counter it effectively.
Ghost Tap: Cybercriminals Exploit NFC in Sophisticated Mobile Payment Fraud - Cybercriminals are increasingly exploiting Near Field Communication (NFC) technology through mobile payment platforms like Apple Pay and Google Wallet, employing a sophisticated tactic dubbed "Ghost Tap." This method begins with phishing campaigns where victims encounter fraudulent websites mimicking legitimate services—such as delivery companies or online retailers—prompting them to input card details and one-time passcodes (OTPs). These credentials are then linked to illicit wallet accounts across numerous smartphones, enabling contactless payments without physical cards. Kaspersky notes the industrial scale of these attacks, with fraudsters using specialised software to craft digital card replicas, often delaying transactions for weeks to avoid detection. The Ghost Tap technique leverages tools like NFCGate to relay NFC data in real time over encrypted connections to mules, who conduct purchases or ATM withdrawals. This relay’s technical precision—preserving signal integrity across distances—evades traditional detection, as payment terminals register transactions as authentic, leaving minimal evidence tracing back to the threat actors.
Delayed Disclosure and Debate Over Oracle Breach Response - Oracle is facing backlash over its handling of a cybersecurity incident disclosed on 20 March 2025, when a hacker claimed to have breached Oracle Cloud servers, offering millions of records from over 140,000 tenants for sale, including encrypted/hashed credentials. Initially, Oracle denied any breach of its Cloud systems, but as leaked data—deemed authentic by security firms—surfaced, it privately admitted a compromise of obsolete, non-Oracle Cloud Infrastructure (OCI) servers. Written notifications began on 07 April, asserting no OCI breach or usable password exposure. Critics, including experts Max Solonski and Kevin Beaumont, have slammed Oracle’s delayed, unclear response, noting potential risks despite encryption and questioning the breach’s scope and data recency.
Huntress Exposes Post-Exploitation Tactics in CrushFTP Vulnerability Attacks - Cybersecurity firm Huntress has detailed post-exploitation activities following the exploitation of a recently disclosed CrushFTP vulnerability, CVE-2025-31161, which enables authentication bypass. Discovered by Outpost24, the flaw’s disclosure sparked controversy, with CrushFTP developers criticising security firms for enabling in-the-wild attacks since 30 March. Huntress observed attackers targeting four firms—three via a shared MSP—in marketing, retail, and semiconductor sectors. Post-exploitation involved installing legitimate tools like AnyDesk and MeshAgent for persistent access, alongside credential harvesting via SAM/System registry dumps. A Telegram bot-linked DLL suggests telemetry collection. Though attack origins remain unclear, Huntress provided IOCs to aid detection. CISA has since listed the flaw in its KEV catalogue.
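As an added illustration for defenders (this is not code from Huntress, CrushFTP or this newsletter): a small Python check over constructed process-creation events that flags the two post-exploitation behaviours summarised above, execution of remote-access tools such as AnyDesk and MeshAgent and credential harvesting via SAM/SYSTEM registry hive dumps, and then reports hosts showing both, since the combination is a far stronger signal than either indicator alone. The event fields, host names, file paths and command lines are constructed assumptions for the example, not telemetry from the Huntress report.

```python
"""Toy post-exploitation detection over constructed process-creation events.

Assumptions (not from the Huntress report): events carry host, parent image,
image and command line, roughly what Sysmon Event ID 1 or an EDR provides.
"""
import re
from dataclasses import dataclass

# Remote-access tools named in the report, matched on the image basename.
# In production, baseline against the set of tools your organisation has
# actually authorised on each host class; a legitimately deployed agent
# should not page the on-call analyst.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "meshagent.exe"}

# References to the SAM or SYSTEM hive, either as a registry key (HKLM\SAM)
# or as the on-disk hive file under \System32\config\.  Both hives are
# needed to recover local account hashes, so either reference is of interest.
HIVE_DUMP = re.compile(
    r"(?:hklm|hkey_local_machine)\\(?:sam|system)\b|\\config\\(?:sam|system)\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    cmdline: str


def is_hive_dump(ev: ProcEvent) -> bool:
    """True when the command line references the SAM or SYSTEM hive."""
    return HIVE_DUMP.search(ev.cmdline) is not None


def is_remote_tool(ev: ProcEvent) -> bool:
    """True when the executed image is one of the listed remote-access tools."""
    basename = ev.image.rsplit("\\", 1)[-1].lower()
    return basename in REMOTE_ACCESS_TOOLS


def analyse(events):
    """Return a list of (host, reason, cmdline) alerts, one per matching event."""
    alerts = []
    for ev in events:
        if is_hive_dump(ev):
            alerts.append((ev.host, "sam_system_hive_dump", ev.cmdline))
        if is_remote_tool(ev):
            alerts.append((ev.host, "remote_access_tool", ev.cmdline))
    return alerts


def hosts_with_both(alerts):
    """Hosts on which both behaviours were seen, sorted for stable output."""
    by_host = {}
    for host, reason, _ in alerts:
        by_host.setdefault(host, set()).add(reason)
    wanted = {"sam_system_hive_dump", "remote_access_tool"}
    return sorted(h for h, reasons in by_host.items() if wanted <= reasons)


# Constructed sample events: FTP01 shows both behaviours, WEB02 only one,
# and the first event is benign CrushFTP activity that must not alert.
SAMPLE_EVENTS = [
    ProcEvent("FTP01", r"C:\CrushFTP\crushftp.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c dir C:\CrushFTP\users"),
    ProcEvent("FTP01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
              r"reg.exe save HKLM\SAM C:\Windows\Temp\sam.hiv"),
    ProcEvent("FTP01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
              r"reg.exe save HKLM\SYSTEM C:\Windows\Temp\sys.hiv"),
    ProcEvent("FTP01", r"C:\Windows\explorer.exe",
              r"C:\Users\svc_ftp\AppData\Local\Temp\AnyDesk.exe", "AnyDesk.exe"),
    ProcEvent("WEB02", r"C:\Windows\System32\services.exe",
              r"C:\ProgramData\MeshAgent\MeshAgent.exe", "MeshAgent.exe"),
]


def run_sample():
    """Run the detection over the constructed events; returns ['FTP01']."""
    return hosts_with_both(analyse(SAMPLE_EVENTS))


if __name__ == "__main__":
    for host, reason, cmdline in analyse(SAMPLE_EVENTS):
        print(f"{host:6} {reason:22} {cmdline}")
    print("hosts with both indicators:", run_sample())
```

The point of `hosts_with_both` is triage: a single remote-access tool execution is noisy on its own, but a host where that tool appears alongside a SAM/SYSTEM hive reference deserves immediate attention, and correlating on the host rather than the individual event is what turns two weak indicators into one actionable alert.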
References
https://cybersecuritynews.com/microsoft-patch-tuesday-april-2025/
https://www.bleepingcomputer.com/news/security/phishing-kits-now-vet-victims-in-real-time-before-stealing-credentials/
https://cybersecuritynews.com/hackers-hiding-nfc-carders/
https://www.securityweek.com/oracle-faces-mounting-criticism-as-it-notifies-customers-of-hack/
https://www.securityweek.com/threat-actors-set-up-persistent-access-to-hosts-hacked-in-crushftp-attacks/