News

September 9, 2021

Teacher Spotlight: Lorraine Grice


Teacher: Lorraine Grice

School: Orange County Technical College

County: Orange

Meet Lorraine Grice, one of the exceptional teachers at Orange County Technical College! With over 35 years of dedicated service in Orange County Public Schools, Lorraine continues to defy burnout by embracing the ever-changing world of Information Technology with enthusiasm and curiosity.

Her journey began with the familiar clatter of a Royal Manual Typewriter, evolving into a dynamic career teaching Enterprise Desktop and Mobile Support Technology to high school students. Lorraine’s passion for technology and education is truly inspiring. She thrives on the challenge of equipping students with the critical cyber knowledge they need for the future.

Join us in celebrating Lorraine’s remarkable contributions and her unwavering commitment to lifelong learning and student success!

Would you like to be featured in our Teacher Spotlight? To nominate yourself or another deserving teacher, complete the interest form below!

Posted: 2024-12-20T09:48:35-05:00

Ernie Ferraresso Appointed to FL Cybersecurity Advisory Council

Cyber Florida Director Ernie Ferraresso

December 9, 2024—Tampa, Fla—Cyber Florida at USF is proud to announce Governor Ron DeSantis’ appointment of Director Ernie Ferraresso to the Florida Cybersecurity Advisory Council. This appointment highlights the state’s unwavering commitment to enhancing cyber defense and safeguarding critical infrastructure.

Ferraresso, a distinguished veteran of the United States Marine Corps, brings a wealth of experience and leadership to the council. As Cyber Florida’s director, he spearheads efforts to advance the state’s cybersecurity initiatives through education, outreach, research, and workforce development. Ferraresso also serves as a Senior Fellow at Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security, contributing to national strategies for securing vital systems against cyber threats.

“I am honored to join the Florida Cybersecurity Advisory Council and support the state’s mission to strengthen its defenses against evolving cyber threats,” said Ferraresso. “Cyber Florida’s commitment to collaboration and innovation aligns seamlessly with the council’s goals, and I look forward to contributing to a safer and more secure Florida.”

Ferraresso earned his bachelor’s degree from Barry University and has dedicated his career to addressing the challenges of cybersecurity and critical infrastructure protection. His expertise will help guide the council in shaping policies and strategies to bolster Florida’s cyber resilience.

The Florida Cybersecurity Advisory Council plays a pivotal role in providing guidance to protect the state’s critical systems and infrastructure, ensuring Florida remains at the forefront of cybersecurity preparedness.

Ferraresso is available for interviews through December 18, 2024. Please make arrangements through Cyber Outreach Manager Jennifer Kleman at [email protected]. For more information about Cyber Florida and its mission to advance cybersecurity in the state, visit https://cyberflorida.org/.

ABOUT CYBER FLORIDA AT USF

The Florida Center for Cybersecurity at the University of South Florida, commonly referred to as Cyber Florida at USF, was established by the Florida Legislature in 2014. Its mission is to position Florida as a national leader in cybersecurity through comprehensive education, cutting-edge research, and extensive outreach. Cyber Florida leads various initiatives to inspire and educate both current and future cybersecurity professionals, advance applied research, and enhance cybersecurity awareness and safety of individuals and organizations.

Posted: 2024-12-10T09:28:11-05:00

No Password Required Podcast Episode 54 — Dr. Sunny Wear

Posted: 2024-12-10T08:01:28-05:00

LandUpdate808

I. Targeted Entities

  • Internet users

II. Introduction

LandUpdate808 is a malicious downloader that distributes malicious payloads disguised as fake browser updates. The downloader is usually hosted on malicious or compromised websites. LandUpdate808 was identified by the Center for Internet Security as a top ten observed malware in quarter three of 2024, landing as the second most prominent identified malware.

III. Additional Background Information

LandUpdate808 first redirects website visitors to download the loader for the fake update content. The redirect also sets a cookie in the targeted user’s browser, observed with the names “isDone” or “isVisited11”; the cookie’s value is set to true once the operation succeeds. The cookie expires after four days, and if it is present the malware skips the previous steps. The fake update page is disguised as an out-of-date Chrome notification with a blue download button labeled “Update Chrome”. When clicked, the button links to an “update.php” file. The payload has been observed as JS, EXE, and MSIX files, with the file type changing frequently. Recent reporting has identified multiple domains tied to the same IP address, a potential indicator that the LandUpdate808 operation is expanding.

IV. MITRE ATT&CK

  • T1592 – Gather Victim Host Information
    • Using the function getOS located in the request for the page loader, LandUpdate808 gathers basic host information such as IP address and operating system.
  • T1584 – Compromise Infrastructure
    • LandUpdate808 uses compromised domains as part of the malware’s delivery chain.
  • T1608 – Stage Capabilities
    • LandUpdate808 stages web resources that act as link targets in the delivery chain.
  • T1204 – User Execution
    • LandUpdate808 relies on the user to click on the fake Chrome update to download and execute the desired payload onto the system.

V. Recommendations

We recommend monitoring your network for the following indicators of compromise to identify users who may have been compromised by LandUpdate808 and its related payloads.

VI. IOCs (Indicators of Compromise)

Type: Domains – Malicious Payloads
  • netzwerkreklame[.]de
  • digimind[.]nl
  • monlamdesigns[.]com
  • sustaincharlotte[.]org
  • chicklitplus[.]com
  • espumadesign[.]com
  • owloween[.]com
  • Wildwoodpress[.]org
  • napcis[.]org
  • sunkissedindecember[.]com
  • rm-arquisign[.]com

Type: Domains – Fake Update Page Code
  • kongtuke[.]com
  • uhsee[.]com
  • zoomzle[.]com
  • elamoto[.]com
  • ashleypuerner[.]com
  • edveha[.]com

Type: Domains – Initiated Requests for Content
  • razzball[.]com
  • monitor[.]icef[.]com
  • careers-advice-online[.]com
  • ecowas[.]int
  • sixpoint[.]com
  • eco-bio-systems[.]de
  • evolverangesolutions[.]com
  • natlife[.]de
  • sunkissedindecember[.]com
  • fajardo[.]inter[.]edu
  • fup[.]edu[.]co
  • lauren-nelson[.]com
  • netzwerkreklame[.]de
  • digimind[.]nl
  • itslife[.]in
  • ecohortum[.]com
  • thecreativemom[.]com
  • backalleybikerepair[.]com
  • mocanyc[.]org
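The advisory's recommendation is to check network telemetry against the indicators above. The following script is an added example of how a SOC analyst might do that over proxy logs; it is not part of the advisory or of Cyber Florida's tooling. It refangs the defanged `[.]` notation, matches a request's host against the indicator list (including subdomains of a listed domain), and additionally flags requests for the `update.php` file the advisory describes. The indicator subset, the log format and the log lines are constructed for this example; real deployments would load the full list and adapt the regex to their proxy's format.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of the advisory's defanged indicators, keyed by the
# advisory's own category labels (sample data for this example only).
LANDUPDATE808_IOCS = {
    "Domains - Malicious Payloads": ["netzwerkreklame[.]de", "digimind[.]nl", "monlamdesigns[.]com"],
    "Domains - Fake Update Page Code": ["kongtuke[.]com", "uhsee[.]com", "zoomzle[.]com"],
    "Domains - Initiated Requests for Content": ["razzball[.]com", "monitor[.]icef[.]com", "ecowas[.]int"],
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into a matchable, lowercased form."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def build_index(iocs: dict) -> dict:
    """Map every refanged indicator domain to its category for constant-time lookup."""
    return {refang(d): category for category, domains in iocs.items() for d in domains}


def matching_category(host: str, index: dict):
    """Return the IOC category if host equals an indicator or is a subdomain of one, else None.

    Walking the labels from the left means 'cdn.netzwerkreklame.de' matches
    'netzwerkreklame.de', while 'notkongtuke.com' does not match 'kongtuke.com'.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in index:
            return index[candidate]
    return None


# Constructed proxy log lines in a simple "timestamp client method url status" layout.
SAMPLE_PROXY_LOG = """\
2024-12-03T10:01:02Z 10.0.0.15 GET https://www.example.org/index.html 200
2024-12-03T10:01:09Z 10.0.0.15 GET https://razzball.com/wp-content/some.js 200
2024-12-03T10:01:10Z 10.0.0.15 GET https://kongtuke.com/update.php 200
2024-12-03T10:01:11Z 10.0.0.15 GET https://cdn.netzwerkreklame.de/update.php 200
2024-12-03T10:02:00Z 10.0.0.22 GET https://notkongtuke.com/ 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def scan_proxy_log(log_text: str, iocs: dict = LANDUPDATE808_IOCS) -> list:
    """Return one hit per log line whose host matches an indicator; lines that do not parse are skipped."""
    index = build_index(iocs)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        host = parts.hostname or ""
        category = matching_category(host, index)
        if category is None:
            continue
        hits.append({
            "timestamp": m["ts"],
            "client": m["client"],
            "host": host,
            "category": category,
            # The advisory describes the download button linking to update.php.
            "update_php": parts.path.endswith("/update.php"),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

Hits on the "Fake Update Page Code" or "Malicious Payloads" categories combined with an `update.php` path are the ones that suggest a user reached the download step rather than merely a compromised site that initiated the chain; that distinction should drive triage priority.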

VII. References

Samala, A. (2024b, October 15). New Behavior for LandUpdate808 Observed. Malasada Tech. https://malasada.tech/new-behavior-for-landupdate808-observed/

Samala, A. (2024a, July 2). The LandUpdate808 Fake Update Variant. Malasada Tech. https://malasada.tech/the-landupdate808-fake-update-variant/

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Benjamin Price

Posted: 2024-12-03T13:25:35-05:00

phaseZERO: Innovation Incubator Announced


Cyber Florida at USF Announces phaseZERO: Innovation Incubator to Boost Cybersecurity Innovation in Florida

December 2, 2024—Tampa, Fla—Cyber Florida at USF is proud to announce the launch of phaseZERO: Innovation Incubator, an innovative seed fund initiative designed to support Florida-based researchers and emerging entrepreneurs in transforming cutting-edge cybersecurity ideas into thriving businesses. With a focus on commercializing cybersecurity innovations, strengthening critical infrastructure, and creating new opportunities, phaseZERO aims to establish Florida as a national leader in cybersecurity entrepreneurship.

Modeled after the Small Business Administration’s SBIR/STTR Phase I programs, phaseZERO addresses critical gaps in seed funding and provides expert mentorship, complementing existing statewide efforts like the Florida High-Tech Corridor, I-Corps, and local incubators and accelerators.

“This program is about removing barriers for innovators,” said Dr. Manish Agrawal, academic director of Cyber Florida at USF and USF professor. “By providing funding and mentorship without taking equity, we’re enabling Florida’s entrepreneurs to focus on what matters most: building solutions that strengthen our cybersecurity resilience.”

Program Highlights

For this round of funding, phaseZERO will award up to $60,000 each to up to four emerging Florida companies (not to exceed $240,000 total) selected through a rigorous, three-stage evaluation process:

  • Stage 1: Applicants submit a completed application and a brief business plan for technical and business evaluation by a Cyber Florida Entrepreneur-in-Residence (EIR).
  • Stage 2: Selected applicants pitch their plans to an evaluation panel during a virtual event.
  • Stage 3: The evaluation panel selects awardees who receive funding in installments while working with an EIR to establish their business, secure further funding, and prepare for operations.

Funded companies gain access to Cyber Florida’s expansive network of state innovation ecosystem partners, including universities, accelerators, and industry leaders.

Timeline

  • Application Launch: December 2, 2024
  • Application Deadline: January 3, 2025
  • Pitch Event Invitations: January 10, 2025
  • Pitch Event: January 24, 2025

Through phaseZERO, Cyber Florida continues its mission to foster research partnerships, attract cybersecurity companies to Florida, and enable the creation of new ventures.

For more information about phaseZERO, application details, and how to get involved, visit cyberflorida.org/phasezero.


Posted: 2024-12-02T13:37:28-05:00

Teacher Spotlight: Amber Jones


Teacher: Amber Jones

School: Port St. Joe High School

County: Gulf

Amber Jones is an outstanding teacher in Gulf County, Florida. Amber is a dynamic force in cybersecurity education at Port St. Joe High School with 15 years of experience. As the technology teacher for grades 8 through 12, she brings innovation to life through her courses in digital information technology, gaming, and yearbook. Beyond the classroom, she leads as the eSports coach for both junior high and high school, inspires as the girls weightlifting coach, and guides as the senior class sponsor.

Amber’s impressive academic journey includes a degree in business information technology from Troy University and a master’s degree in educational leadership from Grand Canyon University. At home, she is a devoted mother to two wonderful daughters. Her husband plays a pivotal role at Port St. Joe High School as the athletic director and head coach for football, girls weightlifting, and softball.

Next year, Amber plans to bring her students to CyberLaunch 2025 to show off their skills and compete for some really cool prizes! We are so grateful for Amber’s contributions to both the students in Florida and the field of cybersecurity education!

Would you like to be featured in our Teacher Spotlight? To nominate yourself or another deserving teacher, complete the interest form below!

Posted: 2024-11-26T12:37:11-05:00

SocGholish Holds Top Spot as Leading Malware in Q3 2024

I. Targeted Entities

  • Fortune 500 Companies
  • Government Agencies

II. Introduction

According to The Multi-State Information Sharing and Analysis Center’s (MS-ISAC) monitoring services, SocGholish has retained its position as the most prevalent malware in Q3 2024, accounting for 42% of observed infections. SocGholish is a JavaScript-based downloader that spreads primarily through malicious or compromised websites that present fake browser update prompts to users. Once deployed, SocGholish infections can facilitate further exploitation by delivering additional malicious payloads.

III. Additional Background Information

SocGholish, also known as “FakeUpdates,” has emerged as the leading malware in Q3 2024. This malware has been active since 2018 and operates as a JavaScript-based downloader that exploits drive-by-download techniques to gain initial access. SocGholish primarily spreads through compromised websites, which present fake browser or software update prompts to unsuspecting users. When users download and run the updates, they execute a malicious payload that establishes communication with SocGholish’s command-and-control (C2) infrastructure.

The malware typically delivers its payload via direct download of JavaScript files or, less frequently, within obfuscated ZIP archives to evade detection. The attackers have continued to adapt, using techniques such as homoglyphs in filenames to bypass string-based detection methods. Once deployed, SocGholish conducts reconnaissance on infected systems, identifying users, endpoints, and potentially critical assets such as Active Directory domains. In about 10% of cases, the malware escalates to delivering second-stage payloads, including remote access tools (RATs) like Mythic, replacing previously popular choices like NetSupport.

SocGholish serves as an initial access broker, facilitating further exploitation by delivering additional malware, including ransomware variants such as LockBit and WastedLocker. Its activities are often precursors to larger attacks, making it a critical threat to monitor. Infections may involve domain trust enumeration and script-based data exfiltration, primarily executed in memory, complicating detection efforts. Organizations are advised to implement preventive measures, such as disabling automatic JavaScript execution, monitoring for unusual script activity, and swiftly isolating infected hosts to mitigate the impact of potential intrusions.

IV. MITRE ATT&CK

  • T1059.007 – Command and Scripting Interpreter: JavaScript
    SocGholish payload is executed as JavaScript, aiding in bypassing executable-based detections.
  • T1074.001 – Data Staged: Local Data Staging
    Sends output from whoami to a local temp file (e.g., rad<5-hex-chars>.tmp) for staging prior to exfiltration.
  • T1482 – Domain Trust Discovery
    Profiles compromised systems to identify domain trust relationships for lateral movement.
  • T1189 – Drive-by Compromise
    Distributed through compromised websites with fake update prompts, using drive-by-download techniques.
  • T1048.003 – Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
    Exfiltrates data via HTTP directly to the C2 domain to avoid encrypted channels.
  • T1105 – Ingress Tool Transfer
    Downloads additional malware to infected hosts to deepen compromise and persistence.
  • T1036.005 – Masquerading: Match Legitimate Name or Location
    Disguises itself as legitimate files like AutoUpdater.js to mimic real software updates.
  • T1027.013 – Obfuscated Files or Information: Encrypted/Encoded File
    Uses ZIP compression and Base-64 encoding to obfuscate JavaScript payloads and URLs.
  • T1566.002 – Phishing: Spearphishing Link
    Distributed via spear-phishing emails with links leading to compromised websites.
  • T1057 – Process Discovery
    Lists processes on targeted hosts to understand the environment.
  • T1518 – Software Discovery
    Identifies the victim’s browser to deliver the appropriate fake update page.
  • T1082 – System Information Discovery
    Collects system details, such as computer name, for context-specific targeting.
  • T1614 – System Location Discovery
    Uses IP-based geolocation to focus infections on North America, Europe, and parts of the Asia-Pacific region.
  • T1016 – System Network Configuration Discovery
    Enumerates domain name and Active Directory membership for potential privilege escalation.
  • T1033 – System Owner/User Discovery
    Uses whoami to obtain username information from compromised hosts.
  • T1204.001 – User Execution: Malicious Link
    Lures users into interacting with malicious links on compromised websites, triggering the malware.
  • T1102 – Web Service
    Uses Amazon Web Services to host second-stage servers, leveraging legitimate infrastructure.
  • T1047 – Windows Management Instrumentation (WMI)
    Employs WMI for script execution and system profiling to gather information stealthily.

V. Immediate Recommendations

  • Endpoint Detection and Response – Deploy EDR solutions to monitor and detect unusual behavior indicative of SocGholish activity, such as unexpected script execution or unauthorized C2 communications.
  • Restrict JavaScript Execution – Disable the execution of JavaScript on untrusted websites.
  • Regular Vulnerability Patching – Patch browsers, plugins, and other software regularly to reduce the risk of drive-by-download attacks.
  • Browser Hardening – Enforce browser settings to block pop-ups and auto-downloads from untrusted sources.
  • Anomalous Traffic Detection – Use network monitoring tools to detect and alert on unusual HTTP traffic patterns that may indicate SocGholish communication.
  • User Awareness Training – Regularly train employees on the risks of fake browser update prompts and how to identify phishing attempts.
  • Incident Response Plan (IRP) – Develop and test an incident response plan specifically addressing SocGholish-related threats, ensuring it includes steps for rapid isolation and containment.
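The EDR and isolation recommendations above rely on recognising the host-level behaviours listed in the MITRE ATT&CK section: a browser launching a script host on a `.js` file from Downloads, `whoami` output redirected to a `rad<5-hex-chars>.tmp` staging file, and `nltest` domain trust enumeration. The script below is an added example of such behavioural detection over process-creation events; it is not part of this advisory, MS-ISAC's monitoring, or any vendor product. The events are constructed (Sysmon Event ID 1-style fields chosen for the example), the rule thresholds are assumptions, and it goes slightly beyond the text by grouping findings per host to produce isolation candidates.

```python
import re
from collections import defaultdict

# Constructed process-creation events in a Sysmon Event ID 1-like shape (sample data only).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice",
     "parent": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\alice\\Downloads\\AutoUpdater.js"'},
    {"host": "WS01", "user": "CORP\\alice",
     "parent": "C:\\Windows\\System32\\wscript.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c whoami /all > C:\\Users\\alice\\AppData\\Local\\Temp\\rad1A2B3.tmp"},
    {"host": "WS01", "user": "CORP\\alice",
     "parent": "C:\\Windows\\System32\\wscript.exe",
     "image": "C:\\Windows\\System32\\nltest.exe",
     "cmdline": "nltest.exe /domain_trusts"},
    # Benign baseline: an admin running whoami interactively from Explorer.
    {"host": "WS02", "user": "CORP\\bob",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
]

SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
BROWSERS = ("\\chrome.exe", "\\msedge.exe", "\\firefox.exe")
# A .js file launched from a Downloads folder, as in the AutoUpdater.js masquerade (T1036.005).
JS_FROM_DOWNLOADS = re.compile(r'\\downloads\\[^"]*\.js\b', re.I)
# The rad<5-hex-chars>.tmp staging file named in the advisory (T1074.001).
RAD_TMP = re.compile(r"\brad[0-9a-f]{5}\.tmp\b", re.I)


def is_script_host(image: str) -> bool:
    return image.lower().endswith(SCRIPT_HOSTS)


def is_browser(image: str) -> bool:
    return image.lower().endswith(BROWSERS)


def detect(event: dict) -> list:
    """Return (technique_id, description) pairs triggered by one process-creation event."""
    image, parent, cmd = event["image"], event["parent"], event["cmdline"]
    findings = []
    if is_browser(parent) and is_script_host(image) and JS_FROM_DOWNLOADS.search(cmd):
        findings.append(("T1059.007", "browser spawned a script host on a .js file from Downloads"))
    if "whoami" in cmd.lower() and RAD_TMP.search(cmd):
        findings.append(("T1074.001", "whoami output staged to rad<5-hex>.tmp"))
    if image.lower().endswith("\\nltest.exe") and "/domain_trusts" in cmd.lower():
        findings.append(("T1482", "nltest domain trust enumeration"))
    if is_script_host(parent) and not is_script_host(image):
        findings.append(("T1059.007", "child process spawned by a script host"))
    return findings


def scan(events: list) -> list:
    """Flatten detections across all events as (host, cmdline, technique_id, description)."""
    return [(e["host"], e["cmdline"], tid, desc) for e in events for tid, desc in detect(e)]


def hosts_to_isolate(events: list, min_techniques: int = 2) -> set:
    """Hosts showing at least min_techniques distinct ATT&CK techniques (threshold is an assumption)."""
    techniques_by_host = defaultdict(set)
    for host, _cmd, tid, _desc in scan(events):
        techniques_by_host[host].add(tid)
    return {h for h, tids in techniques_by_host.items() if len(tids) >= min_techniques}


if __name__ == "__main__":
    for row in scan(SAMPLE_EVENTS):
        print(row)
    print("isolate:", hosts_to_isolate(SAMPLE_EVENTS))
```

The lone `whoami` on WS02 produces no finding, which is deliberate: a single discovery command is common administrative noise, and it is the chain (browser to script host, staging file, trust enumeration) that characterises this malware and justifies the rapid isolation step in the IRP recommendation.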

VI. IOCs (Indicators of Compromise)

Type: IP
  • 83[.]69[.]236[.]128
  • 88[.]119[.]169[.]108
  • 91[.]121[.]240[.]104
  • 185[.]158[.]251[.]240
  • 185[.]196[.]9[.]156
  • 193[.]233[.]140[.]136
  • 31.184.254[.]115

Type: Domain
  • aitcaid[.]com
  • 0qsc137p[@]justdefinition.com
  • advancedsportsandspine[.]com
  • automotivemuseumguide[.]com
  • brow-ser-update[.]top
  • circle[.]innovativecsportal[.]com
  • marvin-occentus[.]net
  • photoshop-adobe[.]shop
  • pluralism[.]themancav[.]com
  • scada.paradizeconstruction[.]com
  • storefixturesandsupplies[.]com
  • 1sale[.]com
  • taxes.rpacx[.]com
  • *.signing.unitynotarypublic[.]com
  • *.asset.tradingvein[.]xyz
  • change-land[.]com

VII. Additional OSINT Information

SocGholish operates as a JavaScript-based malware loader that initially infects victims through compromised websites, presenting them with fake browser or software update prompts. Once users click to “update,” the malware executes a JavaScript payload, connecting back to the attacker’s command and control (C2) server to deliver additional payloads.

Image 1 of SocGholish Payload Delivery

Image 2 of SocGholish Payload Delivery

Image 3 of SocGholish Payload Delivery via Fake Google Alerts

Payload details:

  • Primary Payload: The initial JavaScript script collects system and user information, which it sends back to the C2 server, enabling the attacker to assess the target for further exploitation. This reconnaissance phase helps the malware operators determine the value of the target and the appropriate secondary payloads to deploy.
  • Secondary Payloads: SocGholish is known to deploy additional malware based on the information gathered. Historically, it used the NetSupport RAT for remote access but has evolved to favor other tools. Since 2022, SocGholish shifted its preference to more advanced payloads, including:
    • Cobalt Strike: This well-known post-exploitation tool allows attackers to conduct further reconnaissance, privilege escalation, and lateral movement within networks. However, recent reports show a transition to using Mythic, an alternative to Cobalt Strike.
    • Mythic: A versatile open-source command and control framework used for post-compromise operations, allowing attackers to load additional modules and control infected systems stealthily.
  • Reconnaissance and Lateral Movement: The secondary payload often includes commands for system discovery and Active Directory enumeration. Common tools used in this phase include nltest.exe for domain trust discovery and whoami for privilege reconnaissance.
  • Ransomware Associations: SocGholish has acted as an initial access broker, facilitating access for ransomware groups such as LockBit and WastedLocker. This handoff process enables ransomware operators to capitalize on SocGholish’s infiltration to execute ransom demands or further network disruption.

By delivering these targeted payloads, SocGholish operators can gain persistent access, conduct extensive reconnaissance, and potentially disrupt critical systems. These payloads make SocGholish not only a potent malware threat but also a significant enabler of larger ransomware and espionage campaigns across various industries.

VIII. References

The Center for Internet Security, Inc (October 23, 2024) Top 10 Malware Q3 2024 https://www.cisecurity.org/insights/blog/top-10-malware-q3-2024

Red Canary (2024) SocGholish https://redcanary.com/threat-detection-report/threats/socgholish/

MITRE ATT&CK (March 22, 2024) SocGholish https://attack.mitre.org/software/S1124/

Blackpoint Cyber (June 21, 2024) AsyncRAT, NetSupport RAT, and VssAdmin Abuse for Shadow Copy Deletion https://blackpointcyber.com/resources/blog/asyncrat-netsupportrat-vssadmin-abuse-for-shadow-copy-deletion-soc-incidents-blackpoint-apg/

Proofpoint (November 22, 2022) Part 1: SocGholish, a very real threat from a very fake update https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update

ReliaQuest (January 30, 2023) SocGholish: A Tale of FakeUpdates https://www.reliaquest.com/blog/socgholish-fakeupdates/

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Yousef Blassy, Uday Bilakhiya, Thiago Pagliaroni, and Kayla Walker.

Posted: 2024-11-25T10:41:29-05:00

Red Dragon Rising II: China in Cyberspace

Join as we once again convene some of the world’s leading scholars to discuss China’s power projection through cyberspace. Since this group last convened, the world has seen an explosion in the availability and use of artificial intelligence (AI) as well as an extension of the digital attack surface. Some questions they’ll ponder include: How might an AI capability enhance China’s security? What is China’s current cyberspace strategy and how might it be augmented by AI? Will AI make China more effective with cyber-enabled information operations, cyber espionage, and offensive cyber? How might China’s terrestrial ambitions be reflected in cyberspace? Don’t miss this opportunity to hear some of the top experts discuss cyberspace, China, and national security!

Moderator: Dr. Mark Grzegorzewski

Panelists:

Posted: 2025-01-06T10:12:26-05:00