Monthly Archives: September 2021

FamousSparrow APT: SparrowDoor Backdoor

I. Targeted Entities

  • Hotels
  • Governments
  • Private organizations
  • Engineering companies
  • Law firms

II. Introduction

A cyberespionage group known as FamousSparrow has emerged, targeting governments, private organizations, and hotels around the globe with a custom backdoor called SparrowDoor.

III. Background Information

According to ESET, SparrowDoor is a custom backdoor (FamousSparrow is the group; SparrowDoor is its tool) that can rename or delete files; create directories; kill processes; send information such as file attributes, file size, and file write time; exfiltrate the contents of a specified file; write data to a specified file; and establish an interactive reverse shell. SparrowDoor also has a kill switch that removes its persistence settings and all SparrowDoor files from the victim's machine.

FamousSparrow gained its initial foothold by exploiting vulnerable internet-facing web applications. ESET researchers believe the group used well-known remote code execution (RCE) vulnerabilities in Microsoft Exchange, Microsoft SharePoint, and Oracle Opera (a hotel management system) to drop its malicious samples; in the Exchange case this was the ProxyLogon vulnerability chain (CVE-2021-26855 and related flaws), which ESET observed FamousSparrow exploiting from early March 2021, immediately after Microsoft released patches.

Once a machine is compromised, FamousSparrow deploys a set of custom tools. ESET's analysis lists: a Mimikatz variant used for credential theft and lateral movement; a small utility that drops ProcDump to disk and uses it to dump the LSASS process, most likely to harvest in-memory secrets such as credentials; Nbtscan, a NetBIOS name scanner used to enumerate hosts on the local network; and a loader for the SparrowDoor backdoor. Researchers noted that the loader installs SparrowDoor via DLL search-order hijacking.

The loader is delivered through DLL search-order hijacking. The legitimate executable Indexer.exe requires the library K7UL.dll to run, and Windows resolves that import by walking the directories in its prescribed load order. Because the directory containing Indexer.exe is first in that order, an attacker who can write to it only needs to place a malicious K7UL.dll next to the executable; the operating system loads the attacker's library in place of the genuine one, and the malicious loader then decrypts and runs SparrowDoor from the XOR-encrypted MpSvc.dll file that accompanies it.
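
The following Python model of the Windows DLL search order is an added example, not ESET's analysis code or anything from FamousSparrow. It shows why the Indexer.exe layout above is exposed: with SafeDllSearchMode (the default) the loader checks the application directory before System32, so any non-KnownDLL import can be satisfied by a file dropped next to the executable. The file layout, paths, and the writable-directory assumption are constructed for the demonstration.

```python
# Added example (not ESET's or FamousSparrow's code): a model of the default Windows
# DLL search order, used to show why an executable whose own directory is first in
# the order is exposed to search-order hijacking. File layout and paths are constructed.
from pathlib import PureWindowsPath

SYSTEM32 = r"C:\Windows\System32"

# Subset of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs: these are
# always loaded from System32 and cannot be hijacked through the search order.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "advapi32.dll"}


def search_order(app_dir, cwd=r"C:\Users\victim", path_dirs=()):
    """Directories the loader consults, in order, with SafeDllSearchMode enabled
    (the default): application dir, System32, 16-bit system dir, Windows dir,
    current working dir, then each PATH entry."""
    return [app_dir, SYSTEM32, r"C:\Windows\System", r"C:\Windows", cwd, *list(path_dirs)]


def _join(directory, name):
    return str(PureWindowsPath(directory) / name).lower()


def resolve_dll(dll_name, app_dir, fs):
    """Return the path the loader would pick for dll_name, or None if no copy exists.
    `fs` is a set of lowercase full paths standing in for the file system."""
    name = dll_name.lower()
    if name in KNOWN_DLLS:
        return _join(SYSTEM32, name)
    for directory in search_order(app_dir):
        candidate = _join(directory, name)
        if candidate in fs:
            return candidate
    return None


def hijack_exposure(exe_path, imports, fs, writable_dirs):
    """For each imported DLL, report the first attacker-writable directory that the
    loader consults *before* reaching the legitimate copy (or any writable directory,
    if no legitimate copy exists anywhere). Returns (dll, writable_dir, legit_path)."""
    app_dir = str(PureWindowsPath(exe_path).parent)
    writable = {d.lower() for d in writable_dirs}
    findings = []
    for dll in imports:
        name = dll.lower()
        if name in KNOWN_DLLS:
            continue
        legit = resolve_dll(name, app_dir, fs)
        for directory in search_order(app_dir):
            if _join(directory, name) == legit:
                break  # genuine copy is reached first; later directories cannot preempt it
            if directory.lower() in writable:
                findings.append((dll, directory, legit))
                break
    return findings


# Constructed scenario mirroring the Indexer.exe / K7UL.dll case: the EXE sits in a
# directory the attacker can write to, K7UL.dll has no copy anywhere else, and
# version.dll exists only in System32 but is resolved after the application directory.
FS = {
    r"c:\tools\indexer.exe",
    r"c:\windows\system32\version.dll",
}

if __name__ == "__main__":
    exposed = hijack_exposure(r"C:\Tools\Indexer.exe", ["K7UL.dll", "kernel32.dll", "version.dll"], FS, {r"C:\Tools"})
    for dll, where, legit in exposed:
        print(f"{dll}: droppable in {where} (legitimate copy: {legit})")
```

The practical defence follows from the model: an application directory that unprivileged users can write to is the whole problem, so the check to run on a fleet is "which executables live in user-writable directories and import DLLs that are not KnownDLLs". Overwriting a DLL that legitimately sits in the application directory is file replacement rather than search-order hijacking, which is why the function stops at the genuine copy.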

Once running, the backdoor establishes persistence and opens TLS connections to its command-and-control (C2) server on port 433 (not the standard HTTPS port 443). It then adjusts its own access token to enable SeDebugPrivilege. This is not a utility but a Windows privilege: a process holding it can open and manipulate any other process on the same machine, which the backdoor uses for tasks such as killing processes it does not own. SparrowDoor next collects the victim's local IP address, the Remote Desktop Services session ID of the backdoor process, the username, and the computer name, sends them to the C2 server, and waits for commands. That first beacon is the start of the spying campaign.
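
The token adjustment described above leaves a trace defenders can use: Windows Security event 4703 ("A token right was adjusted") records which privileges a process enabled. The Python below is an added detection sketch, not ESET's work; it parses constructed 4703 records in the JSON shape a SIEM typically exports and flags any process outside an assumed baseline that enables SeDebugPrivilege or similarly powerful rights. The allowlist is an assumption to be tuned from your own telemetry.

```python
# Added example (not from ESET): flag processes that enable SeDebugPrivilege, as the
# backdoor described above does, using Windows Security event 4703 ("A token right was
# adjusted"). Event records below are constructed JSON in the shape a SIEM exports; the
# allowlist is an assumed baseline you must derive from your own telemetry.
import json
import re

WATCHED_PRIVILEGES = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege"}

# Assumed baseline of binaries that routinely enable SeDebugPrivilege on a workstation.
ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\taskmgr.exe",
}

# Constructed events: one benign svchost adjustment, one from an unknown binary in a
# world-writable directory, one unrelated privilege, and one non-4703 event.
SAMPLE_EVENTS = r"""
{"EventID": 4703, "SubjectUserName": "SYSTEM", "ProcessName": "C:\\Windows\\System32\\svchost.exe", "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"}
{"EventID": 4703, "SubjectUserName": "SYSTEM", "ProcessName": "C:\\ProgramData\\WSearchIndex\\Indexer.exe", "EnabledPrivilegeList": "SeDebugPrivilege\r\n\t\t\tSeTcbPrivilege", "DisabledPrivilegeList": "-"}
{"EventID": 4703, "SubjectUserName": "alice", "ProcessName": "C:\\Program Files\\Editor\\editor.exe", "EnabledPrivilegeList": "SeShutdownPrivilege", "DisabledPrivilegeList": "-"}
{"EventID": 4688, "SubjectUserName": "alice", "ProcessName": "C:\\Windows\\System32\\cmd.exe"}
"""


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def split_privileges(field):
    # 4703 lists privileges one per line with tab indentation; some pipelines join them with commas.
    return {p for p in re.split(r"[,\s]+", field or "") if p and p != "-"}


def suspicious_privilege_enables(events, allowlist=ALLOWLIST, watched=WATCHED_PRIVILEGES):
    """Return (ProcessName, privilege) pairs where a process outside the allowlist
    enabled a watched privilege."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4703:
            continue
        proc = ev.get("ProcessName", "")
        if proc.lower() in allowlist:
            continue
        for priv in sorted(split_privileges(ev.get("EnabledPrivilegeList")) & watched):
            hits.append((proc, priv))
    return hits


if __name__ == "__main__":
    for proc, priv in suspicious_privilege_enables(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {priv} enabled by {proc}")
```

Event 4703 is noisy on hosts where "Audit Token Right Adjusted" is enabled, because many system services toggle privileges constantly; the allowlist plus the restriction to a handful of high-impact privileges is what keeps the rule usable. A hit from a binary in ProgramData, Temp, or a user profile deserves immediate triage.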

FamousSparrow primarily targets hotels, but ESET has also found it in other sectors, notably governments, international organizations, engineering companies, and law firms. Victims are spread across the globe, with attacks observed in Brazil, Canada, Israel, France, Guatemala, Lithuania, Saudi Arabia, South Africa, Taiwan, Thailand, and the United Kingdom.

IV. MITRE ATT&CK

  • T1588.005 – Obtain Capabilities: Exploits
    FamousSparrow exploits known RCE vulnerabilities in Microsoft Exchange (ProxyLogon), Microsoft SharePoint, and Oracle Opera.
  • T1059.003 – Command and Scripting Interpreter: Windows Command Shell
    FamousSparrow uses cmd.exe to download and install SparrowDoor.
  • T1027 – Obfuscated Files or Information
    The SparrowDoor payload (stored as MpSvc.dll) and its configuration file are XOR-encrypted on disk.
  • T1543.003 – Create or Modify System Process: Windows Service
    SparrowDoor persists as a fake Windows service named WSearchIndex.
  • T1134.002 – Access Token Manipulation: Create Process with Token
    SparrowDoor calls the CreateProcessAsUserA API to spawn new processes under a chosen token.
  • T1082 – System Information Discovery
    SparrowDoor collects the username and computer name, the RDP session ID, and machine-specific drive information.
  • T1083 – File and Directory Discovery
    SparrowDoor can enumerate and inspect files on infected machines.
  • T1573.001 – Encrypted Channel: Symmetric Cryptography
    Data exchanged with the C2 server is XOR-encoded with a key, inside the TLS connection.
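
The XOR encryption noted under T1027 and T1573.001 is the weakest link for an analyst: a repeating XOR key falls to known plaintext, and an encrypted PE such as MpSvc.dll starts with bytes every PE file shares. The Python below is an added, generic recovery routine, not SparrowDoor's or ESET's code; it does not claim to know the real key length or scheme, and the key, the sample "PE", and the encrypted blob are all constructed for the demonstration.

```python
# Added example (generic analyst tooling, not SparrowDoor's or ESET's code): recovering a
# repeating XOR key from an encrypted PE such as the MpSvc.dll payload described above,
# using the fixed bytes every PE file starts with as known plaintext. The key, the
# sample "PE" and the blob are constructed here for demonstration.
from itertools import cycle

# Conventional first 16 bytes of a PE file: 'MZ' plus the standard DOS header values.
PE_HEADER_PREFIX = bytes.fromhex("4d5a90000300000004000000ffff0000")
# Second landmark: the MS-DOS stub message, normally at offset 0x4E.
DOS_STUB_MSG = b"This program cannot be run in DOS mode."


def xor_bytes(data, key):
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_xor_key(ciphertext, known_prefix=PE_HEADER_PREFIX, max_key_len=16):
    """Try key lengths 1..max_key_len. For each, derive the key from the first klen
    bytes and keep it only if it decrypts the whole known prefix correctly. A key as
    long as the prefix always "fits", so callers must confirm with more plaintext."""
    for klen in range(1, min(max_key_len, len(known_prefix)) + 1):
        key = xor_bytes(ciphertext[:klen], known_prefix[:klen])
        if xor_bytes(ciphertext[: len(known_prefix)], key) == known_prefix:
            return key
    return None


def decrypt_pe(ciphertext, max_key_len=16):
    """Return (key, plaintext); plaintext is None if the candidate key does not also
    reveal the DOS stub, i.e. the header-only fit was a false positive."""
    key = recover_xor_key(ciphertext, max_key_len=max_key_len)
    if key is None:
        return None, None
    plain = xor_bytes(ciphertext, key)
    if DOS_STUB_MSG not in plain[:0x100]:
        return key, None
    return key, plain


# Constructed sample: a minimal DOS header plus stub, encrypted with a 5-byte key.
SAMPLE_PE = PE_HEADER_PREFIX + bytes(0x4E - len(PE_HEADER_PREFIX)) + DOS_STUB_MSG + b"\r\n$" + bytes(32)
SAMPLE_KEY = b"\x13\x37\xaa\x5c\x01"
SAMPLE_BLOB = xor_bytes(SAMPLE_PE, SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = decrypt_pe(SAMPLE_BLOB)
    print("key:", key.hex(), "valid PE recovered:", plain is not None and plain[:2] == b"MZ")
```

The same approach works on the configuration file if any field has a predictable value (a URL scheme, a port, a null-padded string); the point is that XOR with a fixed key is obfuscation, not encryption, and an analyst with one known plaintext region recovers everything.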

V. Recommendations

  • Ensure Antivirus Software is Updated
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Enable Endpoint Protection
    Deploy endpoint detection and response (EDR) tooling so that unknown malware can be detected and blocked on the endpoints in use.

VI. IOCs

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/tuz87dop8aiua88m62hw9yl1il5dmio6

VII. References

(1) Seals, Tara. “FamousSparrow APT Wings in to Spy on Hotels, Governments.” Threatpost English Global, September 23, 2021. https://threatpost.com/famoussparrow-spy-hotels-governments/174948/.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: James Krepps, Orlando Huertas, Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya and Tural Hagverdiyev

September 24, 2021

Governor DeSantis Appoints Executive Director McConnell to Florida Cybersecurity Advisory Council

Earlier this week, Governor Ron DeSantis announced the appointment of seven individuals to the Florida Cybersecurity Advisory Council, including Cyber Florida Executive Director Mike McConnell, VADM, USN, Ret., former director of US National Intelligence and the National Security Agency.

Created by the recently passed House Bill 1297, the Florida Cybersecurity Advisory Council is tasked with helping state agencies protect their information technology resources from cyber threats and incidents by assisting the Department of Management Services in establishing and implementing cybersecurity best practices.

Other members of the Florida Cybersecurity Advisory Council include:

  • Jaromy Kuhl – Professor and Dean, University of West Florida
  • Pedro Allende – Former Deputy Assistant Secretary for Infrastructure, Risk and Resilience Policy, U.S. Department of Homeland Security
  • Linda Reid – Vice President of Security, Walt Disney Company
  • Eli Dominitz – Founder and Chief Executive Officer, Q6 Cyber
  • Jason Raymond – Vice President and Chief Information Security Officer, GuideWell and Florida Blue
  • Benjamin Miron – Vice President of Infrastructure and Cybersecurity, NextEra Energy

To learn more, visit https://www.flgov.com/

September 23, 2021

Episode 1: Roger A. Grimes, KnowBe4’s data-driven defense evangelist

September 22, 2021

Staying Secure on Mobile Devices

Cell phones have come a long way in the past two decades. From the first PDAs to flip phones, progress was slow and steady until the market was disrupted in 2007. Once smartphones arrived, everything about mobile devices changed rapidly, and today they are at an all-time high in popularity and functionality. Unfortunately, this meteoric rise in capability and access has brought a corresponding increase in cybersecurity risks and threats, and because nearly everyone carries a phone, almost the entire population is exposed.

Cybercriminals are targeting mobile devices at an unprecedented rate, exploiting the fact that a modern phone is, in capability, a personal computer. Threats once confined to enterprise workstations now plague the mobile ecosystem and cause large financial losses every year. In cybersecurity, knowledge is power; we hope this post exposes readers to the threats facing mobile device users and to the preventative measures available.

In order to better understand ways to protect oneself from these risks, we need to take a look at some of the threats that face the everyday mobile device user.

Malware for Mobile Devices

Most mobile devices obtain software from application stores with a "closed ecosystem," in which review teams vet applications before users can download them. In theory this would keep all but the most subtle malware off non-jailbroken devices. In practice the review process is overwhelmed by the sheer quantity of applications, updates, and re-releases, and the ecosystem is closed mainly in the sense that revenue must be shared with the store operator. Malware can and does make its way onto application stores.

Unsecured Wi-Fi and Mobile Access

Wi-Fi is rarely as safe as most people believe, especially for mobile devices. Because they are constantly on the move, mobile devices connect to a huge array of hotspots and wireless access points. Setting aside the more advanced risks of poorly configured wireless networks, the major threat to every mobile user is the man-in-the-middle attack: someone spoofs the access point you intended to join and reads (and potentially alters) all unencrypted traffic your device sends or receives.

Phishing Attacks

Phishing has reached critical mass. At a certain point an attack method becomes so successful and so easy to execute that other, more advanced attacks fall out of favor. Phishing is especially relevant to mobile devices because of the on-the-go nature of their use; our assumption is that the average person is less careful when tapping links on a phone because they believe phones are immune to viruses. While much of the malware delivered by email may not run on a mobile device, the other risks of phishing, credential theft above all, apply just as much to phones.

Spyware and Mobile Botnets

Spyware is malware that monitors activity on a device and reports it to a central location. It is extremely common in less-than-reputable mobile applications because it can run unnoticed while feeding a constant stream of data to cybercriminals, who use that data to build malicious advertising campaigns, take over accounts, or conduct corporate espionage. A related class of malware enrolls the device in a mobile botnet, letting attackers carry out their own attacks using your device's resources.

Stolen Devices

The most obvious "attack" of all, simply stealing the device, is a massive cybersecurity threat. Many users find PINs and passwords inconvenient and leave their devices unlocked, giving whoever steals the device easy access to all the data and accounts on it.

Now that we have looked at some of the most common attacks, what can we do to protect against these threats?

Watch What You Download

When downloading applications from sanctioned sources, check reviews and version update notes. Excessive permissions are a warning sign: if a timer application asks for access to your contacts, microphone, or messages, something is wrong. Prefer popular apps with a high download count and positive reviews; this will not stop all spyware and malware, but it reduces the risk. Never use jailbroken devices or unofficial application sources unless you are very familiar with the risks and willing to do extra research and invest in security software. Mobile anti-virus is gaining popularity, and these tools can add a layer of defense, but they are never a replacement for common sense.
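
For readers who want to go beyond eyeballing the permission prompt, the Python below is an added example (not from Scarlett Cybersecurity) of the review described above done mechanically: it reads the uses-permission entries from an Android app's AndroidManifest.xml, as extracted by tools such as apktool, and reports runtime-dangerous permissions that the app's stated purpose cannot justify. The manifest is constructed for a hypothetical timer app, and the per-purpose allowances are assumptions to extend for your own app categories.

```python
# Added example (not from Scarlett Cybersecurity): a permission review for an Android
# app, the check the paragraph above describes. It reads the <uses-permission> entries of
# an AndroidManifest.xml (as extracted by apktool) and reports runtime-dangerous
# permissions that a stated app purpose has no business requesting.
# The manifest below is constructed for a hypothetical timer app.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime ("dangerous") permissions that gate personal data or sensors, plus the
# overlay permission frequently abused by spyware and banking trojans.
DANGEROUS = {
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.READ_SMS", "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CALENDAR", "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.SYSTEM_ALERT_WINDOW",
}

# Assumed per-purpose allowances: a timer needs at most vibration, alarm scheduling and
# notifications, none of which are dangerous. Extend for other app categories.
EXPECTED_BY_PURPOSE = {
    "timer": set(),
    "messaging": {
        "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
        "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    },
    "camera": {"android.permission.CAMERA", "android.permission.RECORD_AUDIO"},
}

# Constructed manifest for a "timer" that also wants contacts, microphone and SMS access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.simpletimer">
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Simple Timer"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def excessive_permissions(manifest_xml, purpose):
    """Dangerous permissions requested that the app's stated purpose does not justify."""
    expected = EXPECTED_BY_PURPOSE.get(purpose, set())
    return sorted((requested_permissions(manifest_xml) & DANGEROUS) - expected)


if __name__ == "__main__":
    for perm in excessive_permissions(SAMPLE_MANIFEST, "timer"):
        print("unjustified:", perm)
```

On a phone the equivalent check is the app's permission page in system settings; the script simply makes the same comparison repeatable when vetting many apps at once, and the "purpose" table is where an organization encodes what its approved app categories are allowed to ask for.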

Use Familiar Networks

Traveling with a mobile device is a given. Triple-check every connection you trust your device to; access point spoofing attacks often impersonate popular locations such as airports and hotels. If anything seems off about the signal quality, the naming, or even the number of available networks, ask a staff member which network is the right one. On public Wi-Fi, never type credentials into websites or applications that are not encrypted (look for HTTPS).

Use Passwords, PINS, and Multi-Factor Authentication

We understand that passwords, PINs, and MFA can be a nuisance, but the time spent recovering from a successful attack or a stolen device far outweighs the total time spent unlocking a phone. Keeping devices locked greatly reduces the risk from a stolen device. Equally important is securing your accounts with multi-factor authentication; your phone is usually your second factor, so keep it safe.

Keep Your Phone Up to Date

Patches, patches, patches. Keeping a device patched can feel like an endless battle of slow downloads and inconvenient restarts, but patches exist to fix bugs that can become serious security holes, and an up-to-date device is far less likely to fall victim to an attack. Check your app store and system settings for updates regularly to stay ahead of attackers.

Learn How to Detect Phishing

Awareness is the best prevention, and phishing will likely be the most serious threat most mobile users face. When a work or personal inbox receives a phishing message, a few signs can help you avoid falling victim. Check that you recognize the sender and that the address looks right; if it doesn't, it probably isn't. Look for typos and grammar mistakes, which are common in phishing. Most importantly, never click a link or reply without taking the time to verify the message. Security awareness training is available from many sources; look into phishing awareness to protect yourself from this extremely common attack.

Mobile devices are powerful tools that have drastically improved productivity within organizations. With proper usage and dedicated cybersecurity awareness they can be safe and efficient. Practice good cybersecurity hygiene and avoid taking shortcuts on your phone.


We are pleased to share this guest post from Scarlett Cybersecurity, a Florida-based leading cybersecurity provider whose mission is to simplify cybersecurity for organizations of all sizes. To learn more about Scarlett Cybersecurity, visit www.scarlettcybersecurity.com.

September 13, 2021

Preparing for a Ransomware Attack – 10 Tips

Criminals have always targeted financial chokepoints. In the past those were storage facilities and transports of valuable goods. Today, reliance on technology and data for business operations has created a single point of failure for most organizations: an information system outage can halt even the most basic operations.

Ransomware is malware that "locks" data and systems within an environment in order to extort a payment. It has grown into a criminal industry of its own, complete with support staff, payment portals, and malware engineers. By targeting organizations of every size and industry, ransomware has become a persistent and existential operational threat. Unfortunately, there is no known way to prevent ransomware with 100% certainty. The best an organization can do to reduce its impact is to implement a comprehensive cybersecurity plan that spans prevention through response.

1. Preventative Cybersecurity Controls

Perhaps the most well-known practice on this list is also one of the most important: if ransomware never runs, there is little to recover. No single control is effective against every strain, and standard anti-virus is fighting an uphill battle to stay relevant as criminal tactics evolve, so preventive controls should be layered rather than relied on individually.

Example Tools and Services:

  • Anti-Virus Software
  • Endpoint Detection and Response Solutions
  • Application Whitelisting Solutions

2. Detecting Ransomware

Detecting ransomware in its early stages can be critical. Ransomware is often delivered via phishing emails or other malicious files that contain a first-stage dropper, which calls out to an attacker-controlled server to fetch the final payload. Catching the intrusion during these early phases can prevent network-wide encryption. Solutions that rely on early detection usually require urgent manual remediation before the threat actors expand their hold.

Example Tools and Services:

  • Security information and event management (SIEM)
  • Security Operations Center (SOC)
  • Endpoint Detection and Response Solutions
  • Dark Web Scanning and Assessments (Detect Leaked Data and Passwords)
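
To make "detecting ransomware early" concrete, the Python below is an added example of the kind of heuristic an EDR or SIEM rule implements once encryption starts: one process renaming many files, across several directories, to a single new extension that never appeared on the originals, all within a short window. It is not any vendor's code, the log format is invented for the demonstration, and the events are constructed (a benign explorer.exe rename beside a burst from a dropper in a Temp directory).

```python
# Added example (a heuristic of the kind EDR/SIEM rules implement, not any vendor's
# code): flag a process that renames many files across several directories to one new,
# previously unseen extension within a short window, the file-system signature of
# ransomware in its first minutes. Log format and events are constructed.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """'<ts> <host> key=value ...' into a dict; values may be double-quoted."""
    ts, host, _rest = line.split(" ", 2)
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host}
    for key, val in KV_RE.findall(line):
        ev[key] = val.strip('"')
    return ev


def detect_mass_rename(events, window=timedelta(seconds=60), min_files=20, min_dirs=3):
    """Return (pid, image, new_extension, count) for each process whose RENAME events
    inside any `window` touch >= min_files files in >= min_dirs directories, where the
    dominant new extension never appeared among the original names."""
    by_proc = defaultdict(list)
    for ev in events:
        if ev.get("op") == "RENAME" and "new" in ev:
            by_proc[(ev["pid"], ev["image"])].append(ev)
    alerts = []
    for (pid, image), evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_files:
                continue
            new_ext, n = Counter(PureWindowsPath(e["new"]).suffix.lower() for e in win).most_common(1)[0]
            old_exts = {PureWindowsPath(e["path"]).suffix.lower() for e in win}
            dirs = {str(PureWindowsPath(e["path"]).parent).lower() for e in win}
            if n >= min_files and new_ext and new_ext not in old_exts and len(dirs) >= min_dirs:
                alerts.append((pid, image, new_ext, n))
                break  # one alert per process is enough
    return alerts


def constructed_log():
    """Two benign explorer.exe events, then 24 renames by a dropper in Temp within 30 s."""
    lines = [
        '2021-09-13T10:00:01Z host1 pid=4120 image="C:\\Windows\\explorer.exe" op=RENAME path="C:\\Users\\bob\\Documents\\q3.xlsx" new="C:\\Users\\bob\\Documents\\q3-final.xlsx"',
        '2021-09-13T10:00:02Z host1 pid=4120 image="C:\\Windows\\explorer.exe" op=WRITE path="C:\\Users\\bob\\Documents\\notes.txt"',
    ]
    folders = ["Documents", "Pictures", "Desktop", "Downloads"]
    for i in range(24):
        folder = folders[i % len(folders)]
        lines.append(
            f'2021-09-13T10:00:{5 + i:02d}Z host1 pid=5512 image="C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe" '
            f'op=RENAME path="C:\\Users\\bob\\{folder}\\file{i}.docx" new="C:\\Users\\bob\\{folder}\\file{i}.docx.lck9"'
        )
    return "\n".join(lines)


if __name__ == "__main__":
    events = [parse_line(l) for l in constructed_log().splitlines()]
    for pid, image, ext, n in detect_mass_rename(events):
        print(f"ALERT pid={pid} {image} renamed {n} files to *{ext}")
```

The thresholds are the tuning knobs: backup agents and archive tools also rename in bulk, but they keep the original extension or use a well-known one, which is why the rule insists on an extension absent from the originals. The response this detection buys is what item 2 above calls urgent manual remediation: isolate the host and kill the process before the window closes.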

3. Incident Response Planning

Incident response planning is usually under-emphasized in a system security plan. Protecting the network only gets an organization so far; an attacker only has to get lucky once, and when the worst happens a plan should already be in place. Not every organization is expected to have the skills, team, and resources to handle a cybersecurity incident itself, but having a pre-arranged (outsourced) contact and a budget for such events should be at the top of any disaster planning agenda.

Example Tools and Services:

  • Internal Incident Response Team
  • Outsourced Incident Response “on retainer”
  • Established Incident Response Guidance

4. Disaster Recovery and Disaster Recovery Services

Disaster recovery services are different from simple backups. Disaster recovery planning and services are the "next level" of backup, emphasizing rapid recovery of business operations in the event of a disaster such as ransomware. These services often use specialized tools that enable remote hosting and rapid deployment of temporary infrastructure so business operations can resume immediately while the incident response takes place.

Example Tools and Services:

  • Internal Disaster Recovery Planning with backup infrastructure
  • Disaster Recovery as a Service (Outsourced)

5. Centralized Management of Assets

Centrally managing assets is a key aspect to complete cybersecurity and IT posture. By monitoring asset health (drive status, CPU usage, account activity, etc.), IT staff can detect anomalies indicative of a threat. Remote management capabilities enable incident responders to rapidly audit devices and control endpoints where needed. Without central management of devices, ransomware is much more difficult to deal with on an emergency timeline.

Example Tools and Services:

  • Remote Monitoring and Management Tool
  • Outsourced IT and Cybersecurity Management
  • Specialized Endpoint Security Solutions with Central Management

6. Defense-in-Depth Security Planning

Comprehensive security planning relies on a principle known as Defense-in-depth. By segmenting networks and implementing robust and redundant controls around each sensitive asset in a variety of categories, organizations can ensure that systems are protected by a diverse suite of controls. Ransomware would then need to breach several layers of defenses in order to successfully propagate.

Example Tools and Services:

  • Internal Risk Map and System Security Plan
  • Outsourced Cybersecurity Services
  • Detailed Network Map with Projected Threat Vectors

7. Threat Intelligence Feeds

Knowing the current threats facing an industry is a significant advantage when evaluating risk. Certain ransomware groups target specific industries such as finance, construction, government, education, and healthcare. By staying informed about the tactics, techniques, and procedures (TTPs) used by the groups targeting your industry, relevant controls can be selected and configured to prevent those attacks.

Example Tools and Services:

  • Custom Threat Intelligence Feed
  • Outsourced Threat Intelligence
  • Internal or Outsourced Managed Cybersecurity

8. Cybersecurity and IT Audits

Audits are key to detecting gaps within a cybersecurity posture. Whether these audits are performed by an external or internal party, their importance cannot be overemphasized. A comprehensive picture of an organization’s network can reveal glaring holes in policy or controls, enabling an effective plan of action to be created.

Example Tools and Services:

  • Annual Third-Party Cybersecurity Audit
  • Vulnerability Scans and Penetration Tests

9. Monitored and Aggressive Patching

Aggressive patching of critical security flaws in applications and operating systems is one of the most effective steps an organization can take to reduce ransomware risk. Ransomware frequently spreads within a network by exploiting a recently disclosed vulnerability. By monitoring the patch status of devices and pushing patches on an aggressive timeline, the worm-like spread of ransomware can be stopped cold.

Example Tools and Services:

  • Remote Monitoring and Management Solutions
  • Managed Cybersecurity and Patching Services
  • Automated Windows Patching and Compliance

10. Cyber Insurance

If an organization follows all of the recommendations above and is still hit by an irreversible ransomware attack, cyber insurance is the key to avoiding financial ruin. Insurers provide coverage based on assessed risk and help the organization recover from the financial effects of a successful attack.

Due Diligence

Through all these recommendations, one overall question should rise to the front of any organization’s leadership: Are we doing everything we can to prepare for ransomware? Attacks are happening on an unprecedented scale, specifically affecting critical government infrastructure and small businesses. It is no longer optional – take the necessary steps now to prepare for a ransomware attack before it is too late.


We are pleased to share this guest post from Scarlett Cybersecurity, a Florida-based leading cybersecurity provider whose mission is to simplify cybersecurity for organizations of all sizes. To learn more about Scarlett Cybersecurity, visit www.scarlettcybersecurity.com.

September 13, 2021

Cyber Florida and New America Launch Cyber Citizenship Hub for K-12 Educators

Cyber Florida and New America have launched CyberCitizenshipEducation.org, a free online portal containing 100 resources for teaching K-12 students about misinformation, disinformation, social media platforms, and related topics. The hub, which launched on August 16, offers lesson plans, games, instructional materials, and other resources to help not only K-12 teachers but also librarians, instructional technologists, and others seeking materials to help students develop resilience to misinformation and disinformation.

This new hub was created as part of the Cyber Citizenship Education Initiative, a partnership among Cyber Florida, the Florida Center for Instructional Technology, New America, and the National Association for Media Literacy Education to help educate and prepare future voters to be responsible, cyber-savvy citizens. Since its inception, the project has focused on supporting educators in PreK-12 schools to arm students with "cyber citizenship" skills: skills at the intersection of media literacy, civics and citizenship, and cybersecurity awareness. While the hub is currently hosted by OERCommons, a custom platform is under construction and will launch later this year.

Learn more about this initiative on our Cyber Citizenship Education page.

September 13, 2021

The Path to a Federal Cybersecurity Job Webinar


September 14, 11:30 am: Cyber students: interested in learning more about how to get a federal cybersecurity job? This free Zoom webinar will provide an overview of the hiring processes of several key security agencies as well as helpful tips for applying. Speakers from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security (DHS), and the Office of Personnel Management (OPM) will share a brief overview of their agency’s hiring processes to help you prepare to apply for federal cyber jobs!

September 12, 2021

FIN7 Windows 11 Alpha Campaign


I. Targeted Entities

  • Technology Industry
  • Windows Users
  • General Public

II. Introduction

Cybercrime group FIN7 has begun using the upcoming Windows 11 release as a lure in malicious Microsoft Word documents.[1] As reported by researchers at Anomali, six new documents were seen circulating recently, each carrying a macro themed around the Windows 11 Alpha that ultimately drops a JavaScript backdoor.[1] Researchers noted that the campaign appeared to primarily target a California-based company called Clearmind.[1] FIN7 is an Eastern European, financially motivated threat group that primarily targets U.S.-based companies.[3]

III. Background Information

Infection uses a standard lure: the document displays a decoy image claiming it was made with Windows 11 Alpha and asking the user to click "Enable Editing" and "Enable Content" to proceed, which runs the embedded VBA macro.[1][3] The macro code is obfuscated with junk comments.[3] Researchers found that a hidden table in the document holds encoded values which, when decoded with an XOR cipher, yield a key and a table of languages.[3] The code checks the system's language settings against that table; if one of several Eastern European languages is detected, the table is deleted and execution stops.[3]

The script also stops if it detects a virtual machine or if the system has less than 4 GB of RAM, both typical sandbox-evasion checks.[3] If the checks pass, it drops a file called word_data.js into the TEMP folder.[3] This JavaScript backdoor shares functionality with backdoors FIN7 has used in the past.[3] The script then contacts a domain to report the host's IP address and DNS information.[3] The backdoor lets the attackers deliver any payload they choose to the compromised machine and represents a foothold for follow-on attacks.[2]

IV. MITRE ATT&CK

  • T1059.005 – Command and Scripting Interpreter: Visual Basic
    FIN7 used VBS scripts to help perform tasks on the victim’s machine.
  • T1059.007 – Command and Scripting Interpreter: JavaScript
    FIN7 used JavaScript scripts to help perform tasks on the victim’s machine.
  • T1204.002 – User Execution: Malicious File
    FIN7 lures victims to “Enable Editing and Enable Content,” which would execute malicious files in the document.
  • T1047 – Windows Management Instrumentation
    FIN7 may abuse Windows Management Instrumentation (WMI) to achieve execution.
  • T1140 – Deobfuscate/Decode Files or Information
    FIN7 uses a hidden table inside the .doc file.
  • T1027 – Obfuscated Files or Information
    FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.
  • T1497 – Virtualization/Sandbox Evasion
    If a VM is detected, the script is killed.
  • T1497.001 – Virtualization/Sandbox: System Checks
    The script used by FIN7 checks for Virtual Machines and if detected, stops running.
  • T1087.002 – Account Discovery: Domain Account
    The script checks the victim's domain against specific hard-coded values before continuing.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk.
    Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Deploy endpoint detection and response (EDR) tooling so that unknown malware can be detected and blocked on the endpoints in use.

VI. Indicators of Compromise (IOCs)

The links below have been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/te8lijr921avv32tnb8tmquzmdlskvt8

VII. References

(1) Seals, Tara. “Fin7 Capitalizes on Windows 11 Release in Latest Gambit.” Threatpost English Global threatpostcom. Accessed September 9, 2021. https://threatpost.com/fin7-windows-11-release/169206/.

(2) Ilascu, Ionut. “Watch out for New Malware Campaign’s ‘Windows 11 Alpha’ Attachment.” BleepingComputer. BleepingComputer, September 4, 2021. https://www.bleepingcomputer.com/news/security/watch-out-for-new-malware-campaign-s-windows-11-alpha-attachment/.

(3) Threat Research, Anomali. “FIN7 Using Windows 11 Alpha-Themed Docs to Drop JAVASCRIPT Backdoor.” Anomali. Accessed September 9, 2021. https://www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor.

Threat Advisory created by the Cyber Florida Security Operations Center. Contributing Security Analysts: James Krepps, Orlando Huertas, Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya, and Tural Hagverdiyev.

September 10, 2021

Ransomware Group Publishes Airline Customer Data


I. Targeted Entities

  • Bangkok Airways Customers

II. Introduction

Last Thursday, the LockBit ransomware gang hit Bangkok Airways with a cyberattack and allegedly stole 103 gigabytes of files. The gang then published the data for anyone to see after the airline did not pay the ransom.

III. Background Information

The 103 GB of compressed files that LockBit threatened to release, and then did, contained passengers' names, family names, nationality, gender, phone numbers, email addresses, other contact information, passport information, historical travel information, partial credit card information, and special meal information.[2] LockBit 2.0 claimed that credentials obtained during its recent attack on the consulting firm Accenture enabled the later attacks on Bangkok Airways and Ethiopian Airlines; Accenture dismissed the claim, stating that it had isolated the two affected servers as soon as the intruders were detected.[2] LockBit 2.0 operates a ransomware-as-a-service affiliate model much like DarkSide and REvil, renting its platform to affiliates who carry out the intrusions. Customers of Bangkok Airways are advised to contact their banks, change any compromised passwords, and watch for suspicious calls and emails.

IV. MITRE ATT&CK

  • T1486 – Data Encrypted for Impact
    LockBit 2.0 encrypts data on victim systems and demands a ransom for its recovery.
  • T1083 – File and Directory Discovery
    LockBit 2.0 scans the target network and compiles a list of its directories before encrypting them.
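
The two techniques above describe behaviour a host file-activity sensor can observe: a process walking many directories in quick succession (T1083) and then rewriting files with content that is indistinguishable from random bytes (T1486). The Python script below is an added example, not code from the advisory, the Cyber Florida SOC or LockBit; it sketches that detection over constructed telemetry. The line format, the process names, the 60-second window and the entropy and file-count thresholds are assumptions chosen for illustration, not published indicators.

```python
"""Heuristic detection of ransomware file activity: ATT&CK T1083 (directory
discovery) followed by T1486 (data encrypted for impact). Added example; the
telemetry format, process names and thresholds below are assumptions, not
anything taken from the advisory or from LockBit itself."""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Assumed line format of a file-activity sensor (constructed for this example).
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>\w+) "
    r"path=(?P<path>.+?)(?: entropy=(?P<entropy>[\d.]+))?$"
)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform bytes.
    Encrypted output looks random and therefore scores close to 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_event(line: str):
    """Parse one sensor line into a dict; return None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["pid"] = int(ev["pid"])
    ev["entropy"] = float(ev["entropy"]) if ev["entropy"] else None
    # Directory touched: the path itself for enumeration, the parent for file writes.
    ev["dir"] = ev["path"] if ev["op"] == "enumerate" else ev["path"].rsplit("\\", 1)[0]
    return ev


def detect_ransomware_activity(lines, window=timedelta(seconds=60),
                               min_writes=20, min_entropy=7.5, min_dirs=5):
    """Flag any process that, inside one `window`, touches at least `min_dirs`
    distinct directories and writes at least `min_writes` files whose content
    entropy is >= `min_entropy`. Returns {pid: summary} for flagged processes."""
    by_pid = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            by_pid[ev["pid"]].append(ev)

    alerts = {}
    for pid, events in by_pid.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):          # slide the window start
            high_entropy_writes, dirs = 0, set()
            for ev in events[i:]:
                if ev["ts"] - first["ts"] > window:
                    break
                dirs.add(ev["dir"])
                if (ev["op"] == "write" and ev["entropy"] is not None
                        and ev["entropy"] >= min_entropy):
                    high_entropy_writes += 1
            if high_entropy_writes >= min_writes and len(dirs) >= min_dirs:
                alerts[pid] = {"proc": first["proc"],
                               "high_entropy_writes": high_entropy_writes,
                               "directories": len(dirs),
                               "window_start": first["ts"]}
                break
    return alerts


def build_sample_events():
    """Constructed telemetry (not real logs): one benign process saving a few
    documents, and one process that enumerates user folders and then overwrites
    25 files with high-entropy content in under a minute."""
    t0 = datetime(2021, 8, 23, 2, 14, 0)
    lines = []
    for k in range(3):   # benign: low-entropy Office saves, minutes apart
        ts = (t0 + timedelta(minutes=5 * k)).strftime(TS_FMT)
        lines.append(f"{ts} pid=1201 proc=WINWORD.EXE op=write "
                     f"path=C:\\Users\\a\\Documents\\report{k}.docx entropy=4.6")
    folders = ["C:\\Users\\a\\" + d for d in ("Documents", "Pictures", "Desktop",
               "Downloads", "Videos", "Music", "Contacts", "Favorites")]
    for n, d in enumerate(folders):   # T1083: directory discovery
        ts = (t0 + timedelta(seconds=n)).strftime(TS_FMT)
        lines.append(f"{ts} pid=4412 proc=payload.exe op=enumerate path={d}")
    for n in range(25):               # T1486: burst of high-entropy writes
        ts = (t0 + timedelta(seconds=10 + n)).strftime(TS_FMT)
        d = folders[n % len(folders)]
        lines.append(f"{ts} pid=4412 proc=payload.exe op=write "
                     f"path={d}\\file{n}.xlsx.enc entropy=7.9{n % 10}")
    return lines


if __name__ == "__main__":
    for pid, info in detect_ransomware_activity(build_sample_events()).items():
        print(f"ALERT pid={pid} {info['proc']}: {info['high_entropy_writes']} "
              f"high-entropy writes across {info['directories']} directories "
              f"starting {info['window_start']:%Y-%m-%d %H:%M:%S}")
```

Entropy alone is a weak signal: backup, compression and encryption-at-rest jobs also write random-looking data, so a production rule should pair this heuristic with the process lineage, the IOCs in section VI and a whitelist of known bulk writers, and the thresholds should be tuned against a baseline of normal activity on the host class being monitored.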

V. Recommendations

  • Phishing Awareness Training
    Bangkok Airways advised customers to be aware of possible phishing attempts due to the latest data leak. Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk.
    Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs scan assets regularly using up-to-date signatures.
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a

VI. Indicators of Compromise

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/5q8x1ifunz9jb2dh1p8zg06w67fvzezm

VII. References

(1) Vaas, Lisa. “LockBit Jumps Its Own Countdown, Publishes Bangkok Air Files.” Threatpost English Global, September 1, 2021. https://threatpost.com/lockbit-publishes-bangkok-air-files/169101/.

(2) Vaas, Lisa. “LockBit Gang to Publish 103GB of Bangkok Airways Customer Data.” Threatpost English Global, August 30, 2021. https://threatpost.com/lockbit-bangkok-airways-breach/169019/.

Threat Advisory created by the Cyber Florida Security Operations Center. Contributing Security Analysts: James Krepps, Orlando Huertas, Dorian Pope, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev, and Ipsa Bhatt.

September 3, 2021

Fourth Great Power Competition Conference

The University of South Florida (USF) and the U.S. Department of Defense Near East South Asia (NESA) Center for Strategic Studies today announced a high-profile lineup of speakers from the U.S. military, federal government, and academia who will appear at a free, open to the public virtual conference on September 22-23 to share their unique insights and perspectives on 9/11 and how it changed our nation’s role and strategy on the global stage.

Registration is now open for The 4th Great Power Competition Conference—themed “Two-Decade 9/11 Anniversary: Gathering Wisdom from Experience”—at https://go.gpc-conference.org/Sept2021. The event is part of an ongoing series of conferences to foster a broader understanding of the challenges facing the United States in the 21st century from competitors such as Russia, China, and Iran.

Attendees will hear inside stories from people intimately involved on the day of the event and its immediate aftermath, discussing how the United States had to pivot its focus, strategy, and tactics in the region to respond to this new and urgent threat.

In addition to Keynote Speaker General K. Frank McKenzie, Jr., Commander of US Central Command, the speaker lineup includes Michael Morell, President Bush’s daily intelligence briefer at the time of 9/11 who was with him throughout that day on Air Force One; Admiral Thad W. Allen, 23rd Commandant of the United States Coast Guard who oversaw the evacuation of New York Harbor; General David H. Petraeus, who commanded the NATO International Security Assistance Force in Afghanistan; Frances Townsend, Homeland Security Advisor to President Bush; MSG Scot Neil, a retired Green Beret who was among the first troops on the ground in Afghanistan; former National Security Advisor H.R. McMaster; and many others who bring riveting insight and thoughtful commentary on how this event changed the Great Power Competition.

September 2, 2021