Project Hyphae
Information Security News 3-6-2023

Threat Actors Target Law Firms with GootLoader and SocGholish Malware

Article Link: https://securityaffairs.com/142888/cyber-crime/law-firms-gootloader-socgholish-malware.html

  • Law firms have been targeted in two distinct malicious cyber campaigns: the first is known as “GootLoader” and the second as “SocGholish” or “FakeUpdates”, depending on the source.
  • The GootLoader campaign starts with bad actors abusing search engine optimization (SEO) so that compromised websites rank highly for users searching for specific legal documents, such as contracts or agreements. These compromised sites host a ZIP archive containing malicious .js files, which are used to establish persistence and load a Cobalt Strike payload into memory on the victim’s device.
  • The SocGholish campaign operates as a watering hole attack: a website that law firm staff commonly visit, such as a notary public’s website, is already compromised and is used as a distribution hub for loader malware like SocGholish.
  • Notably, these malware infections have not led to ransomware deployments, even though the attackers were in a position to deploy it. As such, researchers suggest these campaigns are more likely instances of cyber espionage by politically motivated attackers.
  • Link to eSentire’s Report: https://www.esentire.com/blog/hackers-attack-employees-from-six-law-firms-with-the-gootloader-and-socgholish-malware-using-fake-legal-agreements-and-malicious-watering-hole-s-reports-esentire

Vulnerabilities of Years Past Haunt Organizations, Aid Attackers

Article Link: https://www.helpnetsecurity.com/2023/03/03/known-exploitable-vulnerabilities/

  • According to Tenable, known vulnerabilities for which patches are already available remain the primary vehicle for cyberattacks.
  • As noted in the report, the number one group of most-frequently exploited vulnerabilities is a large pool of long-known flaws disclosed between 2017 and 2021.
  • The other four top vulnerabilities identified by Tenable are Log4j (2021), Follina (2022), Atlassian Confluence (2022), and Exchange Server ProxyShell (2021).
  • Link to Tenable’s Report: https://www.tenable.com/press-releases/tenable-research-known-vulnerabilities-pose-greatest-threat

New Cyberattack Tactics Rise Up as Ransomware Payouts Increase

Article Link: https://www.csoonline.com/article/3689014/new-cyberattack-tactics-rise-up-as-ransomware-payouts-increase.html

Cyberattackers Double Down on Bypassing MFA

Article Link: https://www.darkreading.com/threat-intelligence/cyberattackers-double-down-bypassing-mfa

  • As companies increasingly require stronger authentication for their employees and customers, attackers are getting better at bypassing MFA, resulting in a steady stream of compromises.
  • Techniques bad actors use to bypass MFA include MFA flooding and fatigue (prompt bombing), session hijacking and pass-the-cookie attacks, and proxy-based adversary-in-the-middle (AitM) attacks.
  • To defend against the latest attacks, companies should deploy phishing-resistant MFA, which combines something you have, such as a hardware key, with something you are, such as biometric data.
  • Link to Oort’s Report: https://oort.io/blog/introducing-the-2023-state-of-identity-security-report

DNS Abuse: Advice for Incident Responders

Article Link: https://www.helpnetsecurity.com/2023/03/01/dns-abuse-advice-for-incident-responders/

  • The DNS Abuse Techniques Matrix published by FIRST answers two questions: which DNS abuse techniques cyber adversaries employ, and which organizations can help incident responders and security teams detect, mitigate, or prevent each of them.
  • The document outlines 21 DNS abuse techniques, such as DNS spoofing and DNS cache poisoning, and for each one identifies the stakeholders, like registrars and hosting providers, that could assist in incident response, giving responders a ready-made matrix to consult when potentially malicious DNS activity occurs.
  • The matrix doesn’t include techniques that attackers may use in conjunction with DNS abuse, nor does it currently cover all of the policy-related, governmental, and judicial avenues incident responders can explore while dealing with DNS abuse.
  • Link to FIRST’s Matrix: https://www.first.org/global/sigs/dns/

Google: Gmail Client-Side Encryption Now Publicly Available

Article Link: https://www.bleepingcomputer.com/news/security/google-gmail-client-side-encryption-now-publicly-available/

  • Gmail client-side encryption (CSE) is now generally available for Google Workspace Enterprise Plus, Education Plus, and Education Standard customers. However, the feature is not yet available to users with personal Google Accounts, nor to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, Nonprofits, and legacy G Suite Basic and Business customers.
  • Gmail CSE ensures that any sensitive data sent in the email’s body and attachments (including inline images) is encrypted, and therefore unreadable, before it reaches Google’s servers. The email header (subject, timestamps, and recipient list), however, is not encrypted.
  • Additionally, unlike traditional end-to-end encryption, the private encryption keys used by Gmail CSE are potentially accessible to partnered external encryption key services. Likewise, corporate-level decryption is possible so that content can be scanned by secure email gateways and security software.

CISA Releases Free “Decider” Tool to Help with MITRE ATT&CK Mapping

Article Link: https://www.bleepingcomputer.com/news/security/cisa-releases-free-decider-tool-to-help-with-mitre-attandck-mapping/

  • CISA has released “Decider,” an open-source tool that helps defenders and security analysts quickly generate MITRE ATT&CK mapping reports. CISA also released a video, fact sheet, and blog to accompany the new tool.
  • The tool asks user-guided questions about the observed adversary activity and generates the corresponding MITRE ATT&CK report. For example, a question might be “What is the adversary trying to do?” to which a possible answer is “Gain an initial foothold within the environment,” which corresponds to the Initial Access tactic.
  • The defender can use the generated MITRE ATT&CK report to develop targeted defense tactics or export it in common formats and share it with others in the industry to prevent the proliferation of the identified threat.
  • Link to CISA’s Full Announcement: https://www.cisa.gov/news-events/alerts/2023/03/01/cisa-releases-decider-tool-help-mitre-attck-mapping

How Security Leaders can Effectively Manage Gen Z Staff

Article Link: https://www.csoonline.com/article/3689013/how-security-leaders-can-effectively-manage-gen-z-staff.html

  • Gen Z refers to people born between the mid-to-late 1990s and 2010, making them between the ages of 11 and 28. While a number of people in this generation have already joined the workforce, only a small portion of Gen Z appears to be in the specialized technology workforce so far, with more set to join soon.
  • As the article highlights, members of Gen Z have, among other things, been raised in a connected world and lived through a variety of unique world events during the formative years of their lives. Common traits among Gen Z employees include that they generally try to find employers that match their ethos and they often need to know the “why” before getting a job done.
  • The article noted several strategies for CISOs to work effectively with and retain Gen Z employees. These include actively focusing on shared values, being open-minded about alternative working styles and schedules, and helping members of Gen Z grow by sharing knowledge and lessons with them through peer training and paid training.
