This report aims to provide insight into key Information Security Risks within the current threat landscape. We include reported instances where such threats have occurred, the associated Threat Actors and recently produced statistics highlighting the potential impact these threats may have on organisations and individuals alike.
Phishing
Cybercriminals Weaponize Graphics Files in Phishing Attacks
- Cybercriminals are increasingly using graphics files to deliver malware and malicious links in email phishing campaigns. The aim is to evade typical endpoint and mail protection tools, which often treat image attachments as harmless and do not inspect them for active content.
- Specifically, the attackers are using the Scalable Vector Graphics (SVG) format. An SVG file is XML text describing a vector image, and because it is rendered by the browser it can also carry scripts, event handlers, embedded HTML and hyperlinks. A file that looks like a picture can therefore redirect the recipient to a credential-harvesting page or drop a payload when opened.
- Recommendation: Scan attachments (including SVG and other image formats) for embedded script and links, inspect the URLs contained in or behind attachments, and deploy IDS or IPS to catch follow-on activity. Where SVG attachments are not needed for business, consider blocking or quarantining them at the mail gateway.
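As an added example (not part of the original report), the following Python script shows the kind of attachment inspection recommended above. It parses an SVG attachment and flags the constructs that turn a picture into an active document: script elements, event-handler attributes, javascript:/data: URIs, foreignObject/iframe embedding, and links to hosts outside an allow-list. The two SVG samples are constructed for the example and the hostname is a placeholder.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed samples (not real attachments). The host name is a placeholder.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="blue"/>
</svg>"""

MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="window.location='https://login-example.invalid/auth'">
  <script>window.top.location = 'https://login-example.invalid/auth';</script>
  <a xlink:href="https://login-example.invalid/auth">
    <text x="10" y="20">Open secure document</text>
  </a>
  <foreignObject width="100" height="100">
    <body xmlns="http://www.w3.org/1999/xhtml">
      <iframe src="https://login-example.invalid/auth"></iframe>
    </body>
  </foreignObject>
</svg>"""

# Elements that make an image behave like a web page when a browser renders it.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "object", "embed"}
# URI schemes that execute code or smuggle a payload rather than point at an image.
SCRIPT_SCHEMES = {"javascript", "data", "vbscript"}


def local_name(qualified):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.split("}", 1)[-1]


def scan_svg(data, allowed_hosts=frozenset()):
    """Return a list of (finding, detail) tuples; an empty list means nothing suspicious.

    The stdlib parser is used to keep the example dependency-free; a mail gateway should
    parse untrusted XML with defusedxml to block entity-expansion attacks.
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [("unparseable", str(exc))]

    for elem in root.iter():  # iter() includes the root element itself
        name = local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(("active-element", name))
        for attr, value in elem.attrib.items():
            attr_name = local_name(attr)
            if attr_name.lower().startswith("on"):  # onload, onclick, onmouseover, ...
                findings.append(("event-handler", f"{name}@{attr_name}"))
            elif attr_name in ("href", "src"):
                url = urlparse(value.strip())
                scheme = url.scheme.lower()
                if scheme in SCRIPT_SCHEMES:
                    findings.append(("script-uri", scheme))
                elif scheme in ("http", "https") and url.hostname not in allowed_hosts:
                    findings.append(("external-link", url.hostname))
    return findings


def verdict(data, allowed_hosts=frozenset()):
    """Gateway decision: quarantine anything with active content or off-allow-list links."""
    return "quarantine" if scan_svg(data, allowed_hosts) else "deliver"


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, verdict(sample), scan_svg(sample))
```

The allow-list covers the legitimate case of an SVG that links back to the sender's own site; everything else with a link, a handler or a script is quarantined for a human to look at rather than delivered.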
Authentication Bypassing
Astaroth Phishing Kit Bypasses 2FA Using Reverse Proxy Techniques
- A phishing toolkit known as "Astaroth" is being sold on cybercrime platforms. It is reported to bypass two-factor authentication for Gmail, Yahoo, Office 365 and a number of other services.
- Astaroth operates as a reverse proxy, placing itself between the user and the legitimate login page. Every page the victim sees is fetched live from the real service, so usernames, passwords and 2FA codes are captured as they are typed and relayed onwards, and the session cookies issued after a successful login are captured as well. This allows the attackers to hijack the authenticated session and bypass further security measures without needing to repeat the second factor.
- Recommendation: Organisations should continue to monitor their network and applications in real time and consider implementing Intrusion Detection or Prevention tools. Because a reverse proxy relays the one-time code itself, code-based 2FA (SMS, authenticator-app codes, push approval) does not stop this attack; phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys bind the login to the genuine site's origin and are the effective control. Alert on sign-ins from unfamiliar IP addresses and revoke active sessions where compromise is suspected.
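As an added example (not from the original report or from any vendor), the following Python sketch shows why a FIDO2/WebAuthn login is unaffected by a reverse-proxy kit of the kind described above. It models the relying-party checks on a WebAuthn assertion: the browser writes the origin it is actually displaying into clientDataJSON, and the authenticator's signature covers a hash of that JSON. RP_ID, the two origins and the credential key are assumptions; HMAC stands in for the authenticator's asymmetric signature so that the example runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import os

RP_ID = "accounts.example.com"                 # assumed relying party ID
RP_ORIGIN = "https://accounts.example.com"     # the genuine login origin
PROXY_ORIGIN = "https://accounts-example.com"  # assumed attacker-controlled proxy host

# Stand-in for the credential's private key. A real authenticator uses an asymmetric
# key (e.g. ES256); HMAC is used only so the example runs with the standard library.
CREDENTIAL_KEY = b"constructed-example-key"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_get_assertion(challenge: str, page_origin: str) -> dict:
    """What navigator.credentials.get() yields. The browser, not the page's script,
    fills in `origin`, so a phishing page cannot claim to be the genuine site."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    auth_data = rp_id_hash + b"\x05" + (1).to_bytes(4, "big")  # flags UP|UV, counter 1
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    return {
        "clientDataJSON": b64url(client_data),
        "authenticatorData": b64url(auth_data),
        "signature": b64url(signature),
    }


def rp_verify(assertion: dict, expected_challenge: str) -> tuple:
    """Relying-party side: the checks that defeat a relayed login."""
    client_data_raw = b64url_decode(assertion["clientDataJSON"])
    client_data = json.loads(client_data_raw)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay)"
    if client_data.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    auth_data = b64url_decode(assertion["authenticatorData"])
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = auth_data + hashlib.sha256(client_data_raw).digest()
    expected_sig = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(assertion["signature"])):
        return False, "signature does not cover the presented clientDataJSON"
    return True, "ok"


def relay_scenarios() -> dict:
    """Genuine login, a login relayed through the proxy, and a proxy that rewrites origin."""
    challenge = b64url(os.urandom(32))  # issued by the real site and relayed unchanged
    genuine = browser_get_assertion(challenge, RP_ORIGIN)
    # The victim's browser is on the proxy host, so it records that origin. (In practice the
    # browser refuses outright because RP_ID is not a registrable suffix of the proxy host;
    # this models what happens even if it did not.)
    relayed = browser_get_assertion(challenge, PROXY_ORIGIN)
    # The proxy patches the origin field before forwarding: the signature no longer matches.
    forged_cd = json.loads(b64url_decode(relayed["clientDataJSON"]))
    forged_cd["origin"] = RP_ORIGIN
    forged = dict(relayed, clientDataJSON=b64url(json.dumps(forged_cd).encode()))
    return {
        "genuine": rp_verify(genuine, challenge),
        "relayed": rp_verify(relayed, challenge),
        "forged_origin": rp_verify(forged, challenge),
    }


if __name__ == "__main__":
    for name, (ok, why) in relay_scenarios().items():
        print(f"{name:14} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The point the code makes is that the proxy has nothing to relay: the one factor it cannot capture and forward is a signature over the real site's origin, which only a browser actually visiting the real site will produce.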
Ransomware-as-a-Service
US, UK and Australia Sanction Russian Bulletproof Hoster Zservers
- The US, UK and Australia have jointly announced sanctions against Zservers, a bulletproof hosting provider (BPH) that has been supporting the LockBit ransomware gang's ransomware-as-a-service operations.
- As a BPH, Zservers has provided takedown-resistant, anonymous third-party hosting to a number of cybercrime groups. This has enabled LockBit and others to direct their efforts at critical infrastructure in countries including the US, the UK and Australia.
- Recommendation: Maintain a robust backup regime: back up data and systems frequently, keep at least one copy offline or otherwise isolated from the live environment so that ransomware cannot reach it, and test restores regularly. Document and exercise an incident response plan so that, in the event of a ransomware attack, the latest clean backup can be located and systems restored quickly.
AI-Based Attacks
AI-Powered Social Engineering: Ancillary Tools and Techniques
- As social engineering continues to evolve, attackers are increasingly using AI tools to enhance their social engineering and phishing attacks.
- One method is AI-based voice cloning, which allows attackers to produce recordings in another person's voice or, in some cases, to converse with their victims in real time.
- When preparing an attack, cybercriminals are also using AI to swiftly collect Open-Source Intelligence (OSINT) on their victims, i.e. information available via social media and other publicly accessible platforms, and to tailor the pretext accordingly.
- To address the risk of voice cloning, OpenAI has recommended that banks phase out voice-based authentication. Other organisations that rely on voice recognition may wish to do the same.
- Recommendation: To address the risk of AI-assisted reconnaissance and phishing, ensure users understand that a convincing voice, writing style or personal detail is no longer proof of identity, and require them to verify unusual requests (particularly for payments, credentials or access) through a separate, known channel before acting.
Distributed Denial-Of-Service Attacks
Gcore DDoS Radar Reveals 56% Year on Year Increase in DDoS Attacks
- According to statistics recently published by Gcore, a security solutions provider, 2024 saw a significant increase in Distributed Denial-of-Service (DDoS) attacks. Compared with Q3-Q4 2023, the number of attacks in Q3-Q4 2024 rose by 56%, and it was 17% higher than in Q1-Q2 2024.
- The technology industry is a key target for DDoS attacks at present. Technology companies operate infrastructure with substantial computational power and bandwidth, which attackers have observed can be harnessed to enhance their own attacks, and a successful DDoS attack on a technology provider can disrupt the many organisations that depend on its services, producing a supply-chain effect downstream.
- Recommendation: Organisations should consider investing in solutions that can detect and absorb DDoS attacks, such as firewall-based rate limiting and traffic anomaly detection, IDS/IPS, and upstream scrubbing or content delivery services that can filter attack traffic before it reaches the organisation's own links.
Nation State Threats
Russian Hackers Target Microsoft 365 Accounts with Device Code Phishing
- Russian state-aligned threat actors are targeting Microsoft 365 accounts using "device code authentication phishing". In this form of spear-phishing the attackers impersonate individuals from government and research organisations and socially engineer victims into entering an attacker-generated Microsoft device code on the genuine Microsoft sign-in page. Completing that flow issues access and refresh tokens to the attacker's client, giving them long-term access to the user's account.
- The activity has been attributed to groups including Midnight Blizzard (also tracked as CozyLarch). Reported lures include an invitation to a virtual meeting, a request to access apps and data as an external M365 user, and an invitation to join a chatroom with the attacker on a secure messaging app.
- Recommendation: To address the risk of a nation-state attack, use web and email filtering tools to block or monitor access attempts and communications from countries deemed suspicious, and continue to remind users of the evolving nature of phishing and social engineering. In Microsoft 365 specifically, the device code flow is rarely needed by ordinary users: block it with a Conditional Access policy (the authentication flows condition) where it is not required, and review sign-in logs for successful device code sign-ins, particularly from locations the user does not normally sign in from.
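As an added example (not from the original report or from Microsoft), the following Python script performs the sign-in log review recommended above over a handful of constructed Entra ID sign-in records in JSON-lines form. The field names (userPrincipalName, authenticationProtocol, ipAddress, location.countryOrRegion, status.errorCode) follow the Entra sign-in log schema, but the records, users and addresses are invented for the example. It flags every successful device-code sign-in and raises the severity when the sign-in comes from a country the same user has not used for any other sign-in in the window.

```python
import json
from collections import defaultdict

# Constructed JSON-lines extract of Entra ID sign-in events (invented users and addresses).
SAMPLE_SIGNIN_LOG = """
{"createdDateTime":"2025-02-14T08:02:11Z","userPrincipalName":"alice@example.org","appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-14T09:30:45Z","userPrincipalName":"alice@example.org","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-14T10:15:02Z","userPrincipalName":"bob@example.org","appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.12","location":{"countryOrRegion":"GB"},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-14T10:16:30Z","userPrincipalName":"bob@example.org","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.12","location":{"countryOrRegion":"GB"},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-14T11:05:19Z","userPrincipalName":"carol@example.org","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.90","location":{"countryOrRegion":"US"},"status":{"errorCode":50126}}
""".strip()


def parse_signins(text):
    """Parse JSON lines, skipping blank or malformed records rather than aborting the hunt."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def hunt_device_code(events):
    """Return alerts for successful device-code sign-ins, in the order they occurred."""
    # Baseline: countries each user signed in from successfully by any other protocol.
    baseline = defaultdict(set)
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode" and e.get("status", {}).get("errorCode") == 0:
            baseline[e["userPrincipalName"]].add(e.get("location", {}).get("countryOrRegion"))

    alerts = []
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode":
            continue
        if e.get("status", {}).get("errorCode") != 0:
            continue  # a failed device-code attempt never issued tokens
        user = e["userPrincipalName"]
        country = e.get("location", {}).get("countryOrRegion")
        if country in baseline[user]:
            severity = "medium"
            reason = "device code sign-in (confirm the user started it, e.g. a CLI login)"
        else:
            severity = "high"
            reason = f"device code sign-in from {country}, a country not seen for this user"
        alerts.append({
            "time": e.get("createdDateTime"),
            "user": user,
            "app": e.get("appDisplayName"),
            "ip": e.get("ipAddress"),
            "severity": severity,
            "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    for a in hunt_device_code(parse_signins(SAMPLE_SIGNIN_LOG)):
        print(f"[{a['severity'].upper():6}] {a['time']} {a['user']} via {a['app']} "
              f"from {a['ip']}: {a['reason']}")
```

Even the medium-severity hits are worth a quick confirmation with the user, because the whole point of the lure is that the victim completes a legitimate-looking device code prompt themselves; the high-severity hit (a device code sign-in from a country the user has never otherwise used) is the pattern to treat as a probable account takeover and to respond to by revoking the user's refresh tokens.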
For more information on how any of the current threats may impact your organisation or for information on our range of Privacy, Security and Pentesting consultancy services, contact the team for a no obligation conversation on info@istormsolutions.co.uk or call 01789 608708