1. Cybercriminals Recruit English Speakers for Business Email Compromise
- Administrative and technical security controls have helped reduce the effects of business email compromise (BEC). As a result, some BEC threat actors now struggle to write convincing phishing emails for English-speaking corporate audiences. According to security researchers, these threat actors are recruiting native English speakers en masse to improve the effectiveness and believability of their BEC scams.
- The English-speaking recruits are often required to create email messages, review email communications for spelling and grammatical errors, and manage the negotiation aspect of a BEC campaign.
- Although little technical knowledge is required to execute a BEC attack, threat actors target English speakers with experience working in a corporate job who understand the work culture in corporate America. In exchange, a percentage of profits from the BEC campaign is promised.
Expert Commentary: The recruitment of English speakers is nothing new in the cybercriminal world. Because most cyberattacks originate in non-English-speaking parts of the world, certain cultural and linguistic tells are easily spotted by trained eyes, which reduces the likelihood and impact of a malicious campaign. Security experts have also found that, in an attempt to leverage corporate knowledge and native English-speaking ability, threat actors try to poach employees of the very organizations they wish to attack. All in all, as ransomware attacks increase, so will the risk of insider threats within the corporate computing environment.
2. U.S. House Of Representatives Debates Cybersecurity Breach Notification Requirements
- The Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation of the U.S. House of Representatives began debating aspects of the Cyber Incident Reporting for Critical Infrastructure Act of 2021. The House breach reporting bill would require organizations that operate and manage U.S. critical infrastructure to report cyber incidents to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of confirming an incident.
- Unlike previous data breach notification bills debated and passed in the U.S. Senate (carrying a 24-hour security incident reporting mandate), the Cyber Incident Reporting for Critical Infrastructure Act of 2021 does not entail specific penalties for violations.
- Specific clauses in the House breach reporting bill would shield organizations from legal damages arising from voluntarily reporting cyber incident information to CISA. In addition, the bill would give CISA the authority to publish quarterly reports based on the data gathered from reported cyber incidents; these quarterly publications would offer cybersecurity threat awareness guidance and training to incident responders.
Expert Commentary: Learning from FireEye’s transparency during the SolarWinds hack, federal and state governments raced to enact laws requiring public and private companies to report security incidents that could affect U.S. critical infrastructure. From the standpoint of U.S. cybersecurity interests, it is a positive development that U.S. lawmakers have decided to stop separating national cybersecurity concerns into federal versus private efforts. The willingness to treat cybersecurity as a joint, collaborative effort is a step in the right direction.
3. Attackers Are Selling Internet Bandwidth Information For Passive Income
- Selling spare internet bandwidth is lucrative for users, so the same business model attracts attackers looking to exploit unused internet bandwidth for financial gain.
- According to security researchers, cybercriminals have been increasingly targeting internet connections by leveraging internet-sharing proxyware platforms, including Honeygain and Nanowire, to siphon the internet bandwidth of individuals and organizations.
- As with crypto-jacking, an attacker bundles malware with a legitimate proxyware client installed on a victim’s machine. When the proxyware software runs on the victim’s machine, it registers a rogue account (attackers often register several rogue accounts to expand their operational capacity), which is then used to collect payment for the unauthorized sale of the victim’s internet bandwidth. Using these pre-created proxyware accounts, an attacker can sell a victim’s internet bandwidth without the victim’s knowledge.
Expert Commentary: The use of proxyware platforms to steal and illegally sell a user’s internet bandwidth is a security threat that also affects the crypto world. Threat actors are not focused solely on stealing bandwidth: security experts have also observed them installing cryptocurrency mining operations and info-stealers alongside the bandwidth theft.
4. Dropper-As-A-Service Tactics Leveraged To Compromise Thousands Of Systems
- Dropper-as-a-Service (DaaS) is a trending attack tactic used by cybercrime newcomers to deliver malware onto thousands of target systems. Like a vehicle, a ‘dropper’ transports, runs, and executes malicious code under the guise of a legitimate tool.
- Typically, DaaS is used by large attack groups that pay to have their malware distributed across specific target networks. DaaS actors usually rely on a network of legitimate websites to deliver malware droppers onto a target machine: they compromise the back-end infrastructure of multiple websites and install malicious code that performs a drive-by download.
- Security researchers discovered that most DaaS actors are relatively inexperienced cybercriminals with limited technical skills; some typically charge only $2.00 to perform 1,000 malware drops across an entire network.
Expert Commentary: Known as part of the “malware industrial complex,” DaaS joins other thriving ________-as-a-Service business practices across the software industry, including DDoS-as-a-Service (DDoSaaS) and Ransomware-as-a-Service (RaaS), in helping threat actors operationalize attack tactics, techniques, and procedures through a subscription-based model.
5. Leaked Attackers’ Playbook Provides Insight Into The Conti Ransomware Group’s Tactics
- A disgruntled affiliate of the Conti ransomware group leaked the group’s active attack playbook, which details attack methods and thorough instructions that allow amateur actors to deploy ransomware attacks against valuable targets.
- Some of the tactics shared in the attacker playbook include how to obtain a system administrator’s access after compromising a target network, and how to use simple social media (LinkedIn) reconnaissance techniques to pinpoint individuals likely to hold privileged access. In addition, the playbook details usage instructions for attack tools such as PowerShell, the Cobalt Strike red-teaming framework, Mimikatz, and more.
- Although most of the leaked Conti ransomware group’s playbook instructions are written in Russian, U.S.-based security researchers translated them. They also discovered multiple tutorial videos aimed at teaching affiliates how to take advantage of SQL Server vulnerabilities, exploit Active Directory, and perform open-source reconnaissance using manual and automated methods.
Expert Commentary: Although the Conti ransomware group has likely revamped its attack playbook since the leak, its foundational attack tactics, techniques, procedures, and tools will remain the same. The leaked version of the playbook therefore gives cybersecurity defenders a rare opportunity to confirm that they have the compensating controls and proactive detection logic to mitigate and defend against the specific behaviors it describes. Additionally, while ransomware groups choose targets using different metrics, it is clear that corporate red team tools, including Metasploit, are constantly being leveraged by attackers to deploy lethal cyber-attacks.