ncsc - X-Industry - Red Sky Alliance (feed, 2024-03-29T05:22:03Z, https://redskyalliance.org/xindustry/feed/tag/ncsc)
Star Blizzard - Successful Spear-Phishing Attack (https://redskyalliance.org/xindustry/star-blizzard-successful-spear-phishing-attack, 2024-01-08T17:00:00.000Z, CyberDog, https://redskyalliance.org/members/CyberDog189)
<div><p>The Russia-based actor Star Blizzard (formerly known as SEABORGIUM, also known as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie) continues to successfully use spear-phishing attacks against targeted organizations and individuals in numerous global geographical areas of interest for information-gathering activity.</p>
<p>The UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), the US National Security Agency (NSA), the US Cyber National Mission Force (CNMF), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC-NZ) assess that Star Blizzard is almost undoubtedly subordinate to the Russian Federal Security Service (FSB) Centre 18.<a href="#_ftn1">[1]</a></p>
<p>The industry has previously published details of Star Blizzard. This advisory draws on <a href="https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/">that body of information</a>.</p>
<p>This advisory raises awareness of Star Blizzard's spear-phishing techniques to target individuals and organizations. This activity will continue through 2023/24.</p>
<p><strong>Targeting profile</strong></p>
<ul>
<li>Since 2019, Star Blizzard has targeted sectors including academia, defense, governmental organizations, NGOs, think tanks and politicians.</li>
<li>Targets in the UK and US appear to have been most affected by Star Blizzard activity, however, activity has also been observed against targets in other NATO countries and countries neighboring Russia.</li>
<li>During 2022, Star Blizzard's activity expanded further to include defence-industrial targets and US Department of Energy facilities.</li>
</ul>
<p><strong>Outline of the attacks </strong>- The activity is typical of spear-phishing campaigns, where an actor targets a specific individual or group using information known to be of interest to the targets. In a spear-phishing campaign, an actor perceives their target to have direct access to information of interest, be an access vector to another target, or both.</p>
<p>Research and preparation - Using open-source resources to conduct reconnaissance, including social media and professional networking platforms, Star Blizzard identifies hooks to engage their target. They take the time to research the target's interests and to identify the target's real-world social or professional contacts. [<a href="https://attack.mitre.org/techniques/T1589/">T1589</a>; <a href="https://attack.mitre.org/techniques/T1593/">T1593</a>]</p>
<p>Star Blizzard creates email accounts impersonating known contacts of their targets to help appear legitimate. They also create fake social media or networking profiles that impersonate respected experts [<a href="https://attack.mitre.org/techniques/T1585/001/">T1585.001</a>] and have used supposed conference or event invitations as lures. </p>
<p>Star Blizzard uses webmail addresses from different providers, including Outlook, Gmail, Yahoo, and Proton mail, in their initial approach [<a href="https://attack.mitre.org/techniques/T1585/002/">T1585.002</a>], impersonating known contacts of the target or well-known names in the target’s field of interest or sector.</p>
<p>To appear authentic, the actor also creates malicious domains resembling legitimate organizations [<a href="https://attack.mitre.org/techniques/T1583/001/">T1583.001</a>].</p>
<p>Microsoft Threat Intelligence Center (MSTIC) provides a <a href="https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/">list of observed Indicators of Compromise (IOCs) in their SEABORGIUM blog</a>, but this is not exhaustive.</p>
<p>Preference for personal email addresses - Star Blizzard has predominantly sent spear-phishing emails to targets’ personal email addresses, although they have also used targets’ corporate or business email addresses. The actors may intentionally use personal emails to circumvent security controls in place on corporate networks.</p>
<p>Building a rapport - Having taken the time to research their targets’ interests and contacts to create a believable approach, Star Blizzard then begins to build trust. They often establish benign contact on a topic they hope will engage their targets. There is often some correspondence between the attacker and the target, sometimes over an extended period, as the attacker builds rapport.</p>
<p>Delivery of malicious link - Once trust is established, the attacker uses typical phishing tradecraft and shares a link [<a href="https://attack.mitre.org/techniques/T1566/002/">T1566.002</a>], apparently to a document or website of interest. This leads the target to an actor-controlled server, prompting the target to enter account credentials.</p>
<p>The malicious link may be a URL in an email message, or the actor may embed a link in a document [<a href="https://attack.mitre.org/techniques/T1566/001/">T1566.001</a>] on <a href="https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/">OneDrive, Google Drive, or other file-sharing platforms</a>.</p>
<p>Star Blizzard uses the open-source framework EvilGinx in their spear-phishing activity, which allows them to harvest credentials and session cookies to successfully bypass the use of two-factor authentication [<a href="https://attack.mitre.org/techniques/T1539/">T1539</a>; <a href="https://attack.mitre.org/techniques/T1550/004/">T1550.004</a>].</p>
<p>Exploitation and further activity - Whichever delivery method is used, once the target clicks on the malicious URL, they are directed to an actor-controlled server that mirrors the sign-in page for a legitimate service. Any credentials entered at this point are now compromised.</p>
<p>Star Blizzard then uses the stolen credentials to log in to a target’s email account [<a href="https://attack.mitre.org/techniques/T1078/">T1078</a>], where they are known to access and steal emails and attachments from the victim’s inbox [<a href="https://attack.mitre.org/techniques/T1114/002/">T1114.002</a>]. They have also set up mail-forwarding rules, giving them ongoing visibility of victim correspondence [<a href="https://attack.mitre.org/techniques/T1114/003/">T1114.003</a>].</p>
<p>The actor has also used their access to a victim's email account to access mailing-list data and a victim’s contacts list, which they then use for follow-on targeting. They have also used compromised email accounts for further phishing activity [<a href="https://attack.mitre.org/techniques/T1586/002/">T1586.002</a>].</p>
<p><strong>Conclusion </strong>- Spear-phishing is an established technique used by many actors, and Star Blizzard uses it successfully, evolving the technique to maintain their success. Individuals and organizations from previously targeted sectors should be vigilant of the techniques described in this advisory.<a href="#_ftn2">[2]</a></p>
<p><a href="https://report.ncsc.gov.uk/">In the UK you can report related suspicious activity to the NCSC.</a></p>
<p>Information on effective defense against spear-phishing is included in the ‘<a href="https://www.ncsc.gov.uk/news/star-blizzard-continues-spear-phishing-campaigns#section_6">Mitigation’ section</a> below.</p>
<p><strong>MITRE ATT&CK ®</strong></p>
<table width="100%">
<thead>
<tr>
<td width="15%">
<p><strong>Tactic</strong></p>
</td>
<td width="23%">
<p><strong>Technique</strong></p>
</td>
<td width="10%">
<p><strong>ID</strong></p>
</td>
<td width="50%">
<p><strong>Procedure</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="15%">
<p>Reconnaissance</p>
</td>
<td width="23%">
<p>Search Open Websites/Domains</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1593/">T1593</a></p>
</td>
<td width="50%">
<p>Star Blizzard uses open-source research and social media to identify information about victims to use in targeting.</p>
</td>
</tr>
<tr>
<td width="15%">
<p>Reconnaissance</p>
</td>
<td width="23%">
<p>Gather Victim Identity Information</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1589/">T1589</a></p>
</td>
<td width="50%">
<p>Star Blizzard uses online data sets and open-source resources to gather information about their targets.</p>
</td>
</tr>
<tr>
<td width="15%">
<p>Resource Development</p>
</td>
<td width="23%">
<p>Establish Accounts: Social Media Accounts</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1585/001/">T1585.001</a></p>
</td>
<td width="50%">
<p>Star Blizzard has been observed establishing fraudulent profiles on professional networking sites to conduct reconnaissance.</p>
</td>
</tr>
<tr>
<td width="15%">
<p>Resource Development</p>
</td>
<td width="23%">
<p>Establish Accounts: Email Accounts</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1585/002/">T1585.002</a></p>
</td>
<td width="50%">
<p>Star Blizzard registers consumer email accounts matching the names of individuals they are impersonating to conduct spear-phishing activity.</p>
</td>
</tr>
<tr>
<td width="15%">
<p>Resource Development</p>
</td>
<td width="23%">
<p>Acquire Infrastructure: Domains</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1583/001/">T1583.001</a></p>
</td>
<td width="50%">
<p>Star Blizzard registers domains to host their phishing framework.</p>
</td>
</tr>
<tr>
<td width="15%">
<p>Resource Development</p>
</td>
<td width="23%">
<p>Compromise Accounts: Email Accounts</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1586/002/">T1586.002</a></p>
</td>
<td width="50%">
<p>Star Blizzard has been observed using compromised victim email accounts to conduct spear-phishing activity against contacts of the original victim.</p>
</td>
</tr>
<tr>
<td width="15%">
<p>Initial Access</p>
</td>
<td width="23%">
<p>Valid Accounts</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1078/">T1078</a></p>
</td>
<td width="50%">
<p>Star Blizzard uses compromised credentials, captured from fake log-in pages, to log in to valid victim user accounts. </p>
</td>
</tr>
<tr>
<td width="15%">
<p>Initial Access</p>
</td>
<td width="23%">
<p>Phishing: Spear-phishing Attachment</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1566/001/">T1566.001</a></p>
</td>
<td width="50%">
<p>Star Blizzard uses malicious links embedded in email attachments to direct victims to their credential-stealing sites.</p>
</td>
</tr>
<tr>
<td width="15%">
<p>Initial Access</p>
</td>
<td width="23%">
<p>Phishing: Spear-phishing Link</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1566/002/">T1566.002</a></p>
</td>
<td width="50%">
<p>Star Blizzard sends spear-phishing emails with malicious links directly to credential-stealing sites, or to documents hosted on a file-sharing site, which then direct victims to credential-stealing sites.</p>
</td>
</tr>
<tr>
<td width="15%">
<p>Defense Evasion</p>
</td>
<td width="23%">
<p>Use Alternate Authentication Material: Web Session Cookie</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1550/004/">T1550.004</a></p>
</td>
<td width="50%">
<p>Star Blizzard bypasses multi-factor authentication on victim email accounts by using session cookies stolen using EvilGinx.</p>
</td>
</tr>
<tr>
<td width="15%">
<p>Credential Access</p>
</td>
<td width="23%">
<p>Steal Web Session Cookie</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1539/">T1539</a></p>
</td>
<td width="50%">
<p>Star Blizzard uses EvilGinx to steal the session cookies of victims directed to their fake log-in domains.</p>
</td>
</tr>
<tr>
<td width="15%">
<p>Collection</p>
</td>
<td width="23%">
<p>Email Collection: Remote Email Collection</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1114/002/">T1114.002</a></p>
</td>
<td width="50%">
<p>Star Blizzard interacts directly with externally facing Exchange services, Office 365 and Google Workspace to access email and steal information using compromised credentials or access tokens.</p>
</td>
</tr>
<tr>
<td width="15%">
<p>Collection</p>
</td>
<td width="23%">
<p>Email Collection: Email Forwarding Rule</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1114/003/">T1114.003</a></p>
</td>
<td width="50%">
<p>Star Blizzard abuses email-forwarding rules to monitor the activities of a victim, steal information, and maintain persistent access to the victim's emails, even after compromised credentials are reset.</p>
</td>
</tr>
</tbody>
</table>
<p><strong>Mitigation</strong></p>
<p>A number of mitigations will be useful in defending against the activity described in this advisory.</p>
<ul>
<li><strong>Use strong passwords</strong> - Use a separate password for email accounts and avoid password re-use across multiple services. See NCSC guidance: <a href="https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/use-a-strong-and-separate-password-for-email">Top tips for staying secure online: Use a strong and separate password for your email</a></li>
<li><strong>Use multi-factor authentication (MFA) to reduce the impact of password compromises </strong>- Also known as 2-factor authentication (2FA), 2 step verification (2SV) or two-step authentication. See NCSC guidance: <a href="https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services">Multi-factor authentication for online services</a> and <a href="https://www.ncsc.gov.uk/guidance/setting-2-step-verification-2sv">Setting up 2-Step Verification (2SV)</a></li>
<li><strong>Protect your devices and networks by keeping them up to date</strong> - Use the latest supported versions, apply security updates promptly, use antivirus and scan regularly to guard against known malware threats. See NCSC guidance: <a href="https://www.ncsc.gov.uk/collection/mobile-device-guidance/antivirus-and-other-security-software">Device Security Guidance: Antivirus and other security software</a></li>
<li><strong>Exercise vigilance. Spear-phishing emails are tailored to avoid suspicion</strong> - You may recognize the sender’s name, but has the email come from an address that you recognize? Would you expect contact from this person’s webmail address rather than their corporate email address? Has the suspicious email come to your personal/webmail address, rather than your corporate one? Can you verify that the email is legitimate via another means? See NCSC guidance: <a href="https://www.ncsc.gov.uk/guidance/phishing">Phishing attacks: defending your organisation</a> and the FBI Internet Crime Complaint Center (IC3): <a href="https://www.ic3.gov/Home/IndustryAlerts">Current Industry Alerts</a></li>
<li><strong>Enable your email providers’ automated email scanning features</strong> - These are turned on by default for consumer mail providers. See NCSC blog post: <a href="https://www.ncsc.gov.uk/blog-post/telling-users-to-avoid-clicking-bad-links-still-isnt-working">Telling users to 'avoid clicking bad links' still isn't working</a></li>
<li><strong>Disable mail-forwarding </strong>- Attackers have been observed to set up mail-forwarding rules to maintain visibility of target emails. If you cannot disable mail-forwarding, then monitor settings regularly to ensure that a forwarding rule has not been set up by an external malicious actor.</li>
</ul>
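<p>To make the last mitigation concrete, here is an added example (not code from the advisory or from NCSC) that sweeps a Microsoft 365 Unified Audit Log export for inbox rules and mailbox settings that forward mail, rating a rule higher when it sends mail to an external domain and also hides the forwarded copies from the mailbox owner. It assumes the export is one JSON object per line carrying the Operation, UserId, ClientIP and Parameters fields; the sample records are constructed for this example.</p>

```python
"""Sweep Microsoft 365 audit records for mailbox-forwarding rules.

Added example for the "Disable mail-forwarding" mitigation; it is not code
from the advisory or from NCSC. It assumes the Unified Audit Log export
shape of one JSON object per line carrying "Operation", "UserId", "ClientIP"
and a "Parameters" list of {"Name", "Value"} pairs. The sample records at
the bottom are constructed for this example, not real telemetry.
"""
import json
import re

# Cmdlets that create or change a rule (or mailbox-level forwarding).
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
# Parameters that send a copy of, or redirect, mail out of the mailbox.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress")
# Rule options that keep the forwarded mail out of the owner's sight.
CONCEALMENT_PARAMS = ("DeleteMessage", "MarkAsRead", "MoveToFolder")
# Audit values may be bare addresses or "Display Name" [SMTP:addr] forms.
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _params(record):
    """Flatten the record's Parameters list into a {Name: Value} dict."""
    return {p.get("Name"): str(p.get("Value", ""))
            for p in record.get("Parameters", [])}


def is_external(address, internal_domains):
    """True when the address domain is not one the organisation owns."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in {d.lower() for d in internal_domains}


def find_forwarding_rules(lines, internal_domains):
    """Return one finding per rule-change record that forwards mail."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a malformed export line should not abort the sweep
        if record.get("Operation") not in RULE_OPERATIONS:
            continue
        params = _params(record)
        destinations = []
        for name in FORWARDING_PARAMS:
            destinations += ADDRESS_RE.findall(params.get(name, ""))
        if not destinations:
            continue  # rule change, but nothing leaves the mailbox
        concealed = [n for n in CONCEALMENT_PARAMS
                     if params.get(n, "").lower() not in ("", "false")]
        external = any(is_external(d, internal_domains) for d in destinations)
        findings.append({
            "time": record.get("CreationTime"),
            "user": record.get("UserId"),
            "client_ip": record.get("ClientIP"),
            "operation": record["Operation"],
            "rule": params.get("Name") or params.get("Identity"),
            "destinations": destinations,
            "external": external,
            "concealed": concealed,
            # External destination plus concealment is the pattern worth paging on.
            "severity": "high" if external and concealed else
                        "medium" if external else "low",
        })
    return findings


# Constructed sample export (RFC 5737 / RFC 2606 addresses), not real data.
SAMPLE_AUDIT_LINES = [
    json.dumps({"CreationTime": "2024-01-08T09:12:44", "Operation": "New-InboxRule",
                "UserId": "jane.doe@example.org", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Name", "Value": "Archive"},
                               {"Name": "ForwardTo", "Value": "\"J Doe\" [SMTP:jdoe.archive@example.net]"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2024-01-08T10:02:10", "Operation": "Set-InboxRule",
                "UserId": "jane.doe@example.org", "ClientIP": "198.51.100.20",
                "Parameters": [{"Name": "Identity", "Value": "Newsletters"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"CreationTime": "2024-01-08T11:40:03", "Operation": "New-InboxRule",
                "UserId": "bob.smith@example.org", "ClientIP": "198.51.100.21",
                "Parameters": [{"Name": "Name", "Value": "Team copy"},
                               {"Name": "ForwardTo", "Value": "team@example.org"}]}),
    json.dumps({"CreationTime": "2024-01-08T12:15:51", "Operation": "Set-Mailbox",
                "UserId": "jane.doe@example.org", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Identity", "Value": "jane.doe"},
                               {"Name": "ForwardingSmtpAddress", "Value": "smtp:jdoe.archive@example.net"}]}),
    json.dumps({"CreationTime": "2024-01-08T12:20:00", "Operation": "MailItemsAccessed",
                "UserId": "jane.doe@example.org", "ClientIP": "203.0.113.7"}),
]

if __name__ == "__main__":
    for f in find_forwarding_rules(SAMPLE_AUDIT_LINES, ["example.org"]):
        print(f["severity"], f["user"], f["operation"], f["destinations"], f["concealed"])
```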
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.ncsc.gov.uk/news/star-blizzard-continues-spear-phishing-campaigns">https://www.ncsc.gov.uk/news/star-blizzard-continues-spear-phishing-campaigns</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.msn.com/en-us/news/world/who-are-star-blizzard-russian-hacking-unit-accused-of-targeting-the-government/ar-AA1lcJAV">https://www.msn.com/en-us/news/world/who-are-star-blizzard-russian-hacking-unit-accused-of-targeting-the-government/ar-AA1lcJAV</a></p></div>
US Space Industry &amp; Espionage (https://redskyalliance.org/xindustry/us-space-industry-espionage, 2023-09-05T16:00:00.000Z, Jim McKee, https://redskyalliance.org/members/JimMcKee)
<div><p>The US intelligence community is warning the domestic space industry of the growing risk of espionage and satellite attacks from China, Russia, and other adversaries. In coordination with the FBI, the National Counterintelligence and Security Center (NCSC), and the Air Force Office of Special Investigations, the Office of the Director of National Intelligence released a warning about the growing threat of foreign intelligence entities (FIEs) as they continue to launch cyberattacks to gain access to the US space industry.<a href="#_ftn1">[1]</a></p>
<p>The US is the main driver of the global space economy's growth, projected to grow from $469 billion to $1 trillion by 2030. Because space is "fundamental to every aspect of our society, including emergency services, energy, financial services, telecommunications, transportation, and food and agriculture," foreign intelligence entities recognize how invaluable "US space-related innovation and assets" are in furthering new technologies, the group said in its joint statement. US space-related companies are at risk of "cyberattacks, strategic investment (including joint ventures and acquisitions), targeting key supply chain nodes and other techniques to gain access to the space industry."</p>
<p>Aside from global competition, there are national and economic security concerns regarding the threats to US space innovation. These include harming US corporate reputations by these foreign entities creating counterfeit products, siphoning intellectual property, collecting sensitive data, and even disrupting US satellite communications. In a presentation at Black Hat USA earlier this month, Johannes Willbold demonstrated how satellites can be hacked, proving that it's not as difficult as one might think.</p>
<p>Along with their joint statement, these counterintelligence agencies have also provided indicators for employees, contractors, and suppliers to understand the signs of foreign intelligence entities targeting them and opportunities for mitigation should organizations face any threats from these actors.</p>
<p>"If you believe your company's intellectual property has been targeted or is at risk of compromise, contact the Private Sector Coordinator at your local FBI Field Office," the NCSC stated in its notice:</p>
<p><a href="https://www.dni.gov/files/NCSC/documents/SafeguardingOurFuture/FINAL">https://www.dni.gov/files/NCSC/documents/SafeguardingOurFuture/FINAL</a></p>
<p>The warning advises companies to log anomalies, establish an insider-threat program to hunt out moles and be wary of requests to visit from foreign entities and of outreaches at conferences and online. It also warns about "unsolicited offers to establish joint ventures with companies tied to foreign governments or state-owned enterprises."</p>
<p>China and Russia historically dismiss allegations that they have carried out hacking and other attempts to infiltrate or disrupt space systems. A spokesperson for China's embassy in Washington said the country has always pursued peaceful exploration of outer space and believes it should be used for the benefit of all humanity. The Russian embassy in Washington did not immediately respond to a request for comment.</p>
<p>The US is particularly keen to support small and midsize satellite companies that may not be aware of the scale and types of risks in play and to help them boost their own mitigation efforts and resilience, according to a US counterintelligence official who requested anonymity to share details.</p>
<p>Large satellite companies with existing links to the government have already been targeted too. Viasat Inc. suffered a 2022 cyberattack ahead of Russia's invasion of Ukraine that saw the company replace more than 45,000 modems across Europe and beyond. Starlink - part of Space Exploration Technologies Corp., known as SpaceX - has stated that it's faced jamming attacks as part of its effort to provide service to Ukraine.</p>
<p>This month, the US Space Force unveiled a new targeting unit focused on adversaries in space and at ground stations and the threats they pose to US satellite systems in space.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.darkreading.com/vulnerabilities-threats/us-space-industry-more-prone-to-foreign-espionage-us-agencies-warn">https://www.darkreading.com/vulnerabilities-threats/us-space-industry-more-prone-to-foreign-espionage-us-agencies-warn</a></p></div>
Ransomware Writers Are Missing Quality Assurance (https://redskyalliance.org/xindustry/ransomware-writers-are-missing-quality-assurance, 2022-12-13T16:48:07.000Z, Jim McKee, https://redskyalliance.org/members/JimMcKee)
<div><p>Victims of a recently uncovered form of ransomware are being warned not to pay the ransom demand, because the ransomware is not able to decrypt files: it simply destroys them instead. Coded in Python, Cryptonite ransomware first appeared in October 2022 as part of a free-to-download open-source toolkit available to anyone with the skills required to deploy it in attacks against Microsoft Windows systems, with phishing attacks believed to be the most common means of delivery.</p>
<p>An analysis of Cryptonite by cybersecurity researchers has found that the ransomware only has "barebones" functionality and does not offer a means of decrypting files, even if a ransom payment is made. Instead, Cryptonite effectively acts as wiper malware, destroying the encrypted files and leaving no way of retrieving the data. But rather than this being an intentionally malicious act of destruction by design, researchers suggest that Cryptonite does this because the ransomware has been poorly put together.</p>
<p>A basic design and what's described as a "lack of quality assurance (QA)" mean the ransomware does not work correctly: a flaw in the way it has been written means that if Cryptonite crashes or is simply closed, it leaves no way to recover encrypted files. There is also no way to run it in decryption-only mode, so every time the ransomware is run, it re-encrypts everything with a different key. This means that, even if there were a way to recover the files, the unique key probably would not work, leaving no way to recover the encrypted data. This demonstrates how ransomware's weak architecture and programming can quickly turn it into a wiper that does not allow data recovery.</p>
<p>Although researchers complain about the increasing sophistication of ransomware, they can also see that over-simplicity and a lack of quality assurance can also lead to significant problems. It is still the victim of the ransomware attack that feels those problems, as they are left with no means of restoring their network even if they have made the ill-advised ransom payment.</p>
<p>The case of Cryptonite ransomware also serves as a reminder that paying a ransom is never a guarantee that the cybercriminals will provide a decryption key or that it will work properly. Cyber agencies, including CISA, the FBI, and the NCSC, recommend against paying the ransom because it only encourages cyber criminals, particularly if they can acquire ransomware at a low cost or for free.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/weekly-cyber-intel-report-all-sector-12-09-2022">https://redskyalliance.org/xindustry/weekly-cyber-intel-report-all-sector-12-09-2022</a></p>
<p>The positive news is that it is now harder for cybercriminals to get Cryptonite, as the source code has been removed from GitHub. In addition, the simple nature of the ransomware also means that it is easy for antivirus software to detect.</p>
<p>It is up to all organizations to take steps and adopt procedures to protect themselves from ransomware attacks. No government can stop these attacks except for the countries that are sponsoring or benefitting from the ransom payments.</p>
<p>The following is what Red Sky Alliance recommends:</p>
<ul>
<li>All data in transmission and at rest should be encrypted.</li>
<li>Proper data backup and off-site storage policies should be adopted and followed.</li>
<li>Implement 2-factor authentication company-wide.</li>
<li>For USA readers, join and become active in your local Infragard chapter; membership is free. <a href="http://www.infragard.org">www.infragard.org</a></li>
<li>Update disaster recovery plans and emergency procedures with cyber threat recovery procedures, and test them.</li>
<li>Institute cyber threat and phishing training for all employees, with testing and updating.</li>
<li>Recommend/require cyber security software, services, and devices to be used by all at-home working employees and consultants.</li>
<li>Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.</li>
<li>Ensure that all software updates and patches are installed immediately.</li>
<li>Enroll your company/organization in RedXray for daily notifications of cyber threats directed at your domains. The RedXray service is $500 a month and provides threat intelligence on ten (10) cyber threat categories, including keyloggers, without having to connect to your network.</li>
<li>Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.</li>
</ul>
</div>