Wednesday, March 20, 2024

Spear-phishing attacks by Russia-linked hackers are using documents (both genuine and forged) from governments and NGOs as lures against the organizations that typically work with those bodies.

The hacking group is tracked as APT28, and also as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, TA422 and UAC-0028.

The same adversary has used lures related to the Israel-Hamas conflict to spread the HeadLace backdoor, and has run spear-phishing campaigns against organizations in Ukraine and Poland intended to plant malware such as MASEPIE, OCEANMAP and STEELHOOK.

In addition, it has exploited a vulnerability in Microsoft Outlook (CVE-2023-23397) that makes the client authenticate to an attacker-controlled server and so leaks the victim's Net-NTLMv2 hash; the captured hash can then be relayed or cracked and used for further attacks.

Meanwhile, the IMF reported that several of its employees' email accounts were compromised. It is not clear whether this is the result of the campaign above or is related to another Russia-linked hacking group, Midnight Blizzard, which has been using password-spray attacks (a few common passwords tried against many accounts, so that no single account trips a lockout) to compromise Exchange Online (part of the Microsoft 365 suite) accounts.
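A password spray is easy to miss if detection only counts failures per account, because each account sees one or two attempts. The check below, an added example and not code from any of the vendors or reports mentioned here, groups failed sign-ins by source IP instead and raises an alert when one source fails against many distinct accounts within a window while never hammering a single account; it then lists accounts that later signed in successfully from a spraying source. The sign-in records are constructed for the example, in a simple (timestamp, user, source IP, result) shape rather than any real Entra ID or Exchange Online log format; the thresholds are assumptions to tune for your tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events for demonstration, not real tenant logs:
# (timestamp, user principal name, source IP, result)
CONSTRUCTED_SIGNINS = [
    ("2024-03-05T08:00:05", "a.adams@example.org", "198.51.100.7", "failure"),
    ("2024-03-05T08:03:11", "b.baker@example.org", "198.51.100.7", "failure"),
    ("2024-03-05T08:06:40", "c.clark@example.org", "198.51.100.7", "failure"),
    ("2024-03-05T08:09:02", "d.davis@example.org", "198.51.100.7", "failure"),
    ("2024-03-05T08:12:57", "e.evans@example.org", "198.51.100.7", "failure"),
    ("2024-03-05T08:15:30", "f.frost@example.org", "198.51.100.7", "success"),
    # One account hit repeatedly from one source: brute force, not a spray.
    ("2024-03-05T08:01:00", "a.adams@example.org", "203.0.113.5", "failure"),
    ("2024-03-05T08:01:20", "a.adams@example.org", "203.0.113.5", "failure"),
    ("2024-03-05T08:01:45", "a.adams@example.org", "203.0.113.5", "failure"),
    ("2024-03-05T08:02:10", "a.adams@example.org", "203.0.113.5", "failure"),
    ("2024-03-05T08:02:30", "a.adams@example.org", "203.0.113.5", "failure"),
    # Ordinary successful sign-in from an unrelated address.
    ("2024-03-05T09:30:00", "b.baker@example.org", "192.0.2.44", "success"),
]


def detect_password_spray(events, window=timedelta(minutes=60),
                          min_users=5, max_per_user=2):
    """Return one alert per source IP that, within any `window`, failed against
    at least `min_users` distinct accounts with at most `max_per_user` attempts
    each. Thresholds are assumed values, not from any vendor guidance."""
    failures = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "failure":
            failures[ip].append((datetime.fromisoformat(ts), user))

    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it covers at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[ip] = {
                    "users": sorted(per_user),
                    "first": attempts[start][0].isoformat(),
                    "last": attempts[end][0].isoformat(),
                }
    return alerts


def compromised_after_spray(events, alerts):
    """Accounts that signed in successfully from a spraying source on or after
    the first sprayed failure: the spray found a working password."""
    hits = set()
    for ts, user, ip, result in events:
        if result != "success" or ip not in alerts:
            continue
        if datetime.fromisoformat(ts) >= datetime.fromisoformat(alerts[ip]["first"]):
            hits.add(user)
    return hits


if __name__ == "__main__":
    found = detect_password_spray(CONSTRUCTED_SIGNINS)
    for ip, info in found.items():
        print(f"spray from {ip}: {len(info['users'])} accounts, "
              f"{info['first']} .. {info['last']}")
    print("successful sign-ins from spraying sources:",
          sorted(compromised_after_spray(CONSTRUCTED_SIGNINS, found)))
```

Sprayers that rotate through many addresses will stay under the per-IP threshold; grouping by the same logic on user agent, ASN or the client application that logged the failure catches those, at the cost of more false positives from shared egress addresses.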

In the APT28 campaign, the attackers used the "search-ms:" URI protocol handler in Microsoft Windows to retrieve malware hosted on WebDAV servers they control: a link in the lure opens a Windows Explorer search whose location parameter points at the remote share, so the payload appears to the victim as a local search result under whatever display name the attacker chose.
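To triage lure emails for this technique, it helps to pull the search-ms: URIs out of the message body and decide whether the search scope is local or remote. The parser below is an added example, not code from the reports summarized here; it assumes the documented search-ms: parameter syntax (ampersand-separated key=value pairs, with the scope given as crumb=location:<path>) and treats UNC paths, including the WebDAV redirector form \\host@80\DavWWWRoot or \\host@SSL\..., and http(s)/file URLs as remote. The sample bodies are constructed for the example and use documentation addresses.

```python
import html
import re
from urllib.parse import unquote

# search-ms: URIs turn up in HTML bodies, .url and .lnk files; stop at
# whitespace, quotes or angle brackets so the href ends where the attribute ends.
SEARCH_MS_RE = re.compile(r"""search-ms:[^\s"'<>]+""", re.IGNORECASE)


def parse_search_ms(uri):
    """Return the parameters of a search-ms: URI as (key, value) pairs.
    The crumb key may repeat (location:, System.Kind:, ...), so a list is kept."""
    body = uri.split(":", 1)[1]
    pairs = []
    for part in body.split("&"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        pairs.append((key.strip().lower(), unquote(value)))
    return pairs


def location_of(pairs):
    """Extract the path named by the crumb=location: parameter, if any."""
    for key, value in pairs:
        if key == "crumb" and value.lower().startswith("location:"):
            return value[len("location:"):]
    return None


def is_remote_location(loc):
    """True for UNC paths (\\\\host\\share, including the WebDAV redirector form
    \\\\host@80\\DavWWWRoot or \\\\host@SSL\\...) and for http(s)/file URLs."""
    loc = loc.strip()
    return (loc.startswith("\\\\") or loc.startswith("//")
            or re.match(r"^(https?|file)://", loc, re.IGNORECASE) is not None)


def find_suspicious_search_ms(text):
    """Scan a message body and return one finding per search-ms: URI whose
    search scope is remote. displayname is reported because it is the label
    the victim sees on the Explorer window, so it is where the spoofing lives."""
    findings = []
    for match in SEARCH_MS_RE.finditer(html.unescape(text)):
        uri = match.group(0)
        pairs = parse_search_ms(uri)
        loc = location_of(pairs)
        if loc is None or not is_remote_location(loc):
            continue
        params = dict(pairs)
        low = loc.lower()
        findings.append({
            "uri": uri,
            "location": loc,
            "displayname": params.get("displayname", ""),
            "webdav": "davwwwroot" in low or "@80" in low or "@ssl" in low,
        })
    return findings


# Constructed sample bodies for demonstration; not taken from the campaign above.
CONSTRUCTED_LURE = (
    "<p>Please review the attached document.</p>"
    '<a href="search-ms:query=Report&amp;crumb=location:\\\\203.0.113.10@80\\DavWWWRoot\\docs'
    '&amp;displayname=Downloads">Open document</a>'
)
CONSTRUCTED_ENCODED = (
    "search-ms:query=invoice&crumb=location:%5C%5Cfiles.example.net%5Cshare&displayname=Invoices"
)
CONSTRUCTED_LOCAL = (
    "search-ms:query=invoice&crumb=location:C:\\Users\\me\\Documents&displayname=Documents"
)

if __name__ == "__main__":
    for body in (CONSTRUCTED_LURE, CONSTRUCTED_ENCODED, CONSTRUCTED_LOCAL):
        for f in find_suspicious_search_ms(body):
            print(f"remote search scope {f['location']!r} shown as "
                  f"{f['displayname']!r} (WebDAV: {f['webdav']})")
```

On endpoints that have no business use for it, removing the search-ms protocol handler registration (the HKEY_CLASSES_ROOT\search-ms key) is a common hardening step that makes such links inert; pair it with egress filtering of outbound WebDAV (HTTP/HTTPS from the WebClient service) where the environment allows.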


#APT28 #spearphishing #passwordspray #malware 


Monday, August 21, 2023

Graphical representation of Known Exploited Vulnerabilities

Courtesy of the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) Catalog (https://lnkd.in/gkx3wJQy) and of Dutch painter Piet Mondrian ...  




Wednesday, September 7, 2022

VC investments in cybersecurity cool off in Q2 of 2022

The cybersecurity startup market has cooled in recent months amid a broader tech slowdown:

    • PitchBook stated that infosec market funding was $3.2b in Q2 2022, down 45% from Q1. Exits fell to 13 in Q2 2022 -- their lowest level since 2018.
    • Separately, DataTribe reported that median valuations for cyber startups fell to $12m in Q2, down 33% from $18m in Q1.

From a broader perspective:

  • The cyber market's long-term prospects remain strong -- the global cybersecurity market is projected to grow at a 13.4% CAGR through 2029.
  • The industry is now inundated with vendors -- most venture-backed, many cash-flow negative. Scores of these new vendors will have layoffs/merge/fail. Some tips to manage this turmoil for enterprise customers:
    • Create a 2x2 with “Criticality to our Ops” vs. “Financial Viability” as the axes -- plot your vendors.
    • Focus on high-risk vendors & ask leadership (not the sales reps): “What’s your monthly cash burn?” and “How much money is in your account?”
    • Start scenario-planning on what you would do if “Vendor X” cuts staff, gets bought or shutters.


Tuesday, September 6, 2022

Nokia's equipment is powering Putin’s surveillance apparatus


  • Despite stopping sales in Russia, Nokia’s equipment continues to power Moscow’s digital surveillance apparatus:
    • For 5+ years, Nokia provided equipment to link the System for Operative Investigative Activities (SORM) to MTS, Russia’s largest telecom provider:
      • FSB -- Russia’s main intelligence service -- uses SORM to listen in on phone conversations & it is being used to crack down on domestic dissent against the invasion of Ukraine.
    • Nokia acknowledged providing the equipment & stated that Russian law required it to make products enabling Russian telecoms to connect with SORM.
    • Nokia executives first pled innocence. When confronted with internal docs, they suggested that if they had not served the FSB, then Huawei would have.



  • The FBI issued a warning to crypto investors about the risks of decentralized finance (DeFi) platforms:
    • Between Jan. & March 2022, cybercriminals stole $1.3 billion in cryptocurrencies -- almost 97% of which came from DeFi platforms.
    • Unlike traditional banks, DeFi platforms aren’t backed by govt insurance policies, meaning investors have little recourse to recover hacked/stolen funds.
  • Fraud, illicit transactions & hacks are pervasive in the crypto market -- hackers now manipulate DeFi platforms’ own governing mechanisms to steal funds:
    • DeFi systems incurred $10.5 billion in criminal losses in 2021.
    • 99% of hacked cryptocurrencies in Q1 2022 were stolen as a result of software exploits.



Tuesday, August 16, 2022

Mailchimp hacked to target crypto customers




Hackers gained access to Mailchimp's internal customer-support and account-management tools, used them to steal audience data and run phishing attacks, and then targeted users of Trezor hardware cryptocurrency wallets.

Wallet users received emails claiming that the wallet vendor had suffered a data breach and prompting them to reset their hardware-wallet PIN by downloading malicious software, which let the attackers steal the cryptocurrency held in the wallet.

Friday, July 29, 2022

Latest report on cost of breaches


In a recent IBM survey of 550 organizations across 17 industries that suffered data breaches between March 2021 and March 2022, the average cost of a breach was $4.35 million. By industry sector:


  • Healthcare: $10.1m
  • Financial: $6.0m
  • Pharmaceuticals: $5.0m
  • Technology: $5.0m
  • Energy: $4.7m
  • Industrial: $4.5m
  • Education: $3.9m
  • Transportation: $3.6m
  • Retail: $3.3m
  • Public Sector: $2.1m
The corresponding numbers from last year's IBM survey (the 2021 report) were:

  • Healthcare: $9.2m
  • Finance: $5.7m
  • Pharmaceuticals: $5m
  • Technology: $4.9m
  • Energy: $4.7m
  • Services: $4.7m
  • Industrial: $4.2m
  • Global average: $4.2m
  • Entertainment: $3.8m
  • Education: $3.8m
  • Transportation: $3.8m