Sectrio

Threat Intelligence

Targeted phishing campaigns on the ongoing T-20 world cup tournament

Hackers are running a targeted phishing campaign around the ongoing T-20 World Cup

Hackers have decided to latch on to the excitement generated by the ongoing T-20 World Cup in Australia. Over the last two weeks, Sectrio’s threat research team intercepted or came across 20 emails that were targeted at senior executives from the government, manufacturing, oil and gas, healthcare, and utility sectors. From the data available, we can infer that most emails and WhatsApp messages were targeted at businesses or government entities based in India, while Australia, Singapore, and South Africa ranked 2nd, 3rd, and 4th respectively in terms of the volume of communication reported by recipients.

Most emails claimed to know which team would eventually lift the trophy this month and encouraged recipients to use that knowledge to place bets with a leading sports betting agency in England. Once a recipient replies to an email, they are asked to share personal information (which could be used to hack their online accounts or to validate information already harvested from other sources) on the pretext of receiving more details. Some recipients also received a link that takes them to a website infected with crypto-mining malware.

How are the hackers ramping up their targeted phishing campaigns?

While topical attacks based on trending sports and geo-political events are not new, this campaign adds a new dimension to the problem of protecting businesses against involuntary insider activity that might lead to a compromise of data or credentials. Hackers are clearly ramping up their game, both in identifying specific trends to exploit and in selecting specific targets within organizations to reach out to.

While latching on to topics that are more likely to elicit a response, the scammers behind this campaign are also planning to harvest data for long-term targeting. In terms of targeting machines, the malware used was a new version of the well-known crypto-mining malware Nitrokod, which has been around for a while now.

First detected in 2019, this malware lured victims into downloading desktop versions of popular mobile apps. Once downloaded, the malware stays latent for almost 45 days, keeping a low signature by running multiple background processes to hide its footprint. The actual infection is triggered much later. After the malware establishes a communication line with the hacker, information on the infected machine is passed on. By delaying the infection process, the malware avoids detection in sandbox environments.

Sectrio’s threat research team is still evaluating the malware and we will be able to share more information on the new variant soon.

We are giving away threat intelligence for free for the next 2 weeks. Find out how you can sign up and try out our threat intelligence feeds.

Find out what is lurking in your network. Go for a comprehensive 3-layer threat assessment now.

Cyber surveillance grids double up as cyberattack facilitation infrastructure

A large-scale domestic and international surveillance and activity-tracking grid operated by a large South East Asian country is also enabling its APT teams to strike deep into the digital territories of other countries. This country has invested extensively in promoting cost-effective surveillance technologies around the world using its diplomatic levers and economic dominance.

The surveillance grid includes digital listening tools, smart cameras, vehicle and asset tracking systems, and dual-use devices that together create a significant digital catchment area for this country to gather a wide range of data.

Lessons from a controlled domestic cyberspace

This country maintains one of the largest domestic surveillance facilities in the world, run with evolved AI, big data, and cross-platform activity tracking. With an active domestic industry that produces the tools for maintaining and managing this surveillance grid, the country has gained a strategic advantage by avoiding imported tools that might expose this well-established grid to other actors. In the guise of promoting governance and domestic order, the surveillance grid enables not just data collection but also the trial of new and stealthier data collection tools that facilitate much deeper penetration of target infrastructure in other countries while maintaining an undetectable digital footprint.

This country uses its controlled domestic cyberspace to:

Potential implications for businesses everywhere

In addition to the possibility of data exfiltration at multiple levels, there is also a possibility of such data ending up in the hands of actors who might exploit it to carry out disruptive cyberattacks or to demand ransom. Either way, this is bad news.

With OT networks being open and vulnerable and IoT devices lacking adequate security, state-backed hackers associated with this surveillance grid could easily launch attacks or keep large volumes of internet users under surveillance to harvest valuable data.

Long-term implications include:

To secure your business against such attacks, you need to improve your IT, OT, and IoT security practices and your overall security posture. With each passing day, hackers are becoming more brazen and disruptive, and it is high time we become aware of their tactics and deploy countermeasures.

Book a completely free session with our cybersecurity experts today to see what your business is missing.

Complete Guide to Cyber Threat Intelligence Feeds

Cyber Threat Intelligence [CTI] Feeds – The devil is in the details

Whether your firm is looking for a cybersecurity vendor to meet your needs or your employees are undergoing a training program, it is important to understand how cyber threat intelligence feeds form the backbone of a cybersecurity action plan. So what are these threat intelligence feeds? Before that, let us understand what ‘threat intelligence’ is. In layman’s terms, threat intelligence can be defined as any data that helps in better understanding the cyber landscape and the various threats associated with it.

CTI feeds comprise data coming from a wide range of IoC (indicators of compromise) feeds like:

The continuous stream of data from these feeds helps us understand the current state of the network, the threats and risks associated with it, and document the various IoCs observed. It is these feeds that the SOC (Security Operations Center) continuously monitors and uses to identify infiltrations, attempts, and attacks on systems and networks. With time and proper data evaluation, cyber threat intelligence feeds can be used to develop strategies to counter cyber threats and to understand hacker tactics, techniques, and procedures. In the course of this blog post, we shall learn more about the types, evaluation, features, benefits, and much more about cyber threat intelligence feeds.

Types of Threat Intelligence Feeds – Data that forms the bricks

Cyber threat intelligence feeds can be broadly classified into 4 types:

While many choose to list only the top three, the ‘Technical Intelligence Feed’ plays a critical role if your cybersecurity vendor is serious about protecting your systems and network.

1. Strategic Threat Intelligence Feed: Often dubbed a high-level intelligence feed, the Strategic TIF helps in understanding why a certain attack is carried out by the threat actors. Non-technical in nature, it is usually served to the C-suite of the company, helping them better understand the reasons and intentions behind an attack. Analysts outside the cybersecurity field are often engaged to give a holistic perspective of the cyber-attack. Many cybersecurity experts believe that Strategic TIF can shape the high-level business decision making of a company. Common sources for Strategic TIF include the following:

Though the final product is non-technical, researchers and analysts go through large volumes of data, putting it through hundreds of analyses to suggest effective strategic intelligence.

2. Tactical Threat Intelligence Feed: Simply put, the Tactical TIF deals with the TTPs (Tactics, Techniques, and Procedures) of the attackers. Often consumed by Network Operations Center (NOC) employees, Security Operations Center (SOC) employees, IT service managers, and cybersecurity architects, this type of cyber threat intelligence feed helps in analyzing the various tactics, techniques, and procedures deployed by the threat actors. These feeds comprise, but are not limited to, human intelligence, data on malware attacks, cross-industry cybersecurity statistics, incident and attack reports, and other threat-related data. Using this data, a comprehensive process involving patching vulnerable systems, changing security products, and improving defense mechanisms is carried out.

3. Operational Threat Intelligence Feed: The notion “Perception without Conception is blind; Conception without Perception is empty” holds true when it comes to analyzing the threats and risks of cyberspace. Without proper context covering the nature of the attack, its type, timing, intent, and level of sophistication, it is difficult to arrive at a logical perception of how to protect key assets like data and infrastructure. Experienced hackers and hacking groups often interact in private chat rooms, away from the analysts and security experts scouting the web. Researchers must keep track of online events, campaigns, and other cyber-attacks to find more valuable intelligence on hackers and their methods. Researchers and cybersecurity experts often face the problem of CAN:

4. Technical Threat Intelligence Feed: Despite its shorter shelf life, the Technical TIF provides key insights into the tools, resources, and other variables a threat actor has used. Often limited to a specific IoC (indicator of compromise), the Technical TIF includes control channels, tools, command channels, IP addresses, hash checksums of malware, phishing email headers, and other technical data. Understanding and applying proper analysis to this feed helps in rapid response to threats. The Technical TIF is consumed by Incident Response and Security Operations Center (SOC) teams. Most of this feed is read by machine learning programs and fed directly into security systems and other installations. This helps in promptly preventing many threats at their very source.

Evaluation of Threat Intelligence Feeds – The lens that adds context to data!

Cyber threat intelligence feeds truly provide critical information that can help companies mitigate cyber-attacks. But how does one evaluate a particular feed? Usually, the feeds come from internal and external intelligence:

1. Internal Intelligence
2. External Intelligence

Evaluating the threat intelligence feed:

Without context, cyber threat intelligence feeds are nothing but a bunch of data outputs. Context is what turns the feed into intelligence. But how do we add it? What are the factors that we need to look at while evaluating a threat intelligence feed? Let’s learn.

1. Timely detection

When it comes to cybersecurity, every second is critical during a cyber-attack. The faster a threat is identified, the more effective damage control can be. In the case of a threat intelligence feed too, a real-time feed is priceless. It can often prevent many cyber-attacks. But currently, according to a survey of 24 cyber threat intelligence feeds that analyzed data on over 1.3 million indicators, the average delay was reported to be 21 days. Surprisingly, 56% of participants in a survey felt that threat intelligence becomes stale within a few minutes, and even seconds at times. Despite that, the participants saw timeliness as a parameter that builds the reputation of the source. This in no way amounts to intelligence, and companies should keenly monitor for such false promises by their CTI feed providers.

2. Geographical Location

Many CTI feeds show a strong bias towards a particular nation or a particular geographic region. Everyone knows that a threat actor sitting in Latin America can
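As an added example (not Sectrio's code or any real feed), the snippet below shows the two points made above in practice: how a Technical TIF of IP, domain and hash indicators is matched against logs, and how a feed's timeliness is measured as the gap between an indicator first being seen and its publication. The feed layout, the indicator values and the proxy log lines are all constructed for the example.

```python
import csv
import io
from datetime import datetime

# Constructed sample feed (not from Sectrio or any real provider). Each row records when
# the source first saw the indicator and when it was published to subscribers.
SAMPLE_FEED = """type,value,first_seen,published
ip,198.51.100.23,2022-10-20T08:00:00,2022-10-21T08:00:00
domain,t20-winner-tips.example,2022-10-01T00:00:00,2022-10-22T00:00:00
sha256,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,2022-10-18T10:00:00,2022-10-18T12:00:00
"""

# Constructed proxy log lines: "timestamp client dst_ip host method path".
SAMPLE_LOGS = [
    "2022-10-23T09:12:01 10.0.0.5 198.51.100.23 t20-winner-tips.example GET /predict",
    "2022-10-23T09:13:44 10.0.0.7 203.0.113.9 updates.example GET /patch",
    "2022-10-23T09:15:02 10.0.0.5 198.51.100.23 203.0.113.40 GET /login",
]


def parse_feed(text):
    """Return feed rows as dicts, adding the publication delay of each indicator in days."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        first = datetime.fromisoformat(row["first_seen"])
        pub = datetime.fromisoformat(row["published"])
        row["delay_days"] = (pub - first).total_seconds() / 86400
        rows.append(row)
    return rows


def evaluate_timeliness(rows, max_delay_days=7.0):
    """Average publication delay across the feed, plus the indicators published too late."""
    avg = sum(r["delay_days"] for r in rows) / len(rows)
    late = [r["value"] for r in rows if r["delay_days"] > max_delay_days]
    return avg, late


def match_indicators(rows, log_lines):
    """Exact-token matching of ip/domain/sha256 indicators against whitespace-separated log fields."""
    wanted = {r["value"]: r["type"] for r in rows}
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        for token in line.split():
            if token in wanted:
                hits.append((line_no, wanted[token], token))
    return hits
```

The domain indicator in the sample is published 21 days after it was first seen, the same average delay the survey above reports, and is flagged as late; the two IP hits in the logs show why an indicator that old still matters once it finally arrives.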
