When KnowBe4 went public in April 2021, I got to know a select group of analysts that served as co-managers on our IPO. These professionals all know our industry very well and we spoke with them quarterly during our earnings conference call where we discussed the past 3 months and expectations for the future. One of these firms was Baird Equity Research and I am still on their mailing list, even though we went private this year as a Vista Equity Partners portfolio company.

In this version of the Hacker’s Playbook Threat Coverage round-up, we are highlighting newly added coverage for several recently discovered or analyzed ransomware and malware variants, including Cactus ransomware and BlackSuit ransomware, amongst others. SafeBreach customers can select and run these attacks and more from the SafeBreach Hacker’s Playbook™ to ensure coverage against these advanced threats.

The Iranian threat actor Charming Kitten is launching sophisticated spear phishing attacks to distribute a new version of its POWERSTAR malware, according to researchers at Volexity. “In the last few years, Volexity has observed threat actors dramatically increase the level of effort they put into compromising credentials or systems of individual targets,” Volexity says.

With the worldwide popularity of Android and its open-source software, hackers have an increased incentive and opportunity to orchestrate attacks. A Google search for “Android malware” brings up headlines like these, all from the past few days or weeks: SecurityScorecard recently analyzed a specific threat known as the AhMyth RAT (remote access trojan), which made headlines for infiltrating a popular screen recording app on the Google Play Store.

Security teams use tools like Microsoft Sentinel to aggregate their security events, alert on threat detection, and most importantly, orchestrate threat responses through a variety of automated playbooks. By providing both Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) functionality, Sentinel enables teams to respond to threats quickly and efficiently.

Malicious npm packages and their dangers have been a frequent topic of discussion — whether it’s hundreds of command-and-control Cobalt Strike malware packages, typosquatting, or general malware published to the npm registry (including PyPI and others). To help developers and maintainers defend against these security risks, Snyk published a guide to npm security best practices.

Ransomware is still present and growing across the threat landscape, to the extent that some organizations now include the cost of a ransomware attack in their annual budgets. Data from our Internet Security Report - Q4 2022 reveals that ransomware detections on endpoints rose by an alarming 627% in 2022 compared to the previous year. While ransomware does not discriminate by industry type, the report clearly shows the manufacturing sector was the most affected during 2022.

Ransomware accounts for one in every four breaches, and increasingly, it’s going after enterprise macOS users.

In recent months, a cybercrime group known as Blacktail has begun to make headlines as they continue to target organizations around the globe. The group was first spotted by the Unit 42 Team at Palo Alto Networks earlier this year. Since February, the group has launched multiple attacks based on their latest ransomware campaign labeled Buhti.

Unstructured data is a prime target for ransomware attacks, making it crucial for organizations to protect and manage it effectively. Currently, it is estimated that 80-90% of all data generated falls into the unstructured category, consisting of files and objects. Organizations rely on unstructured data to store sensitive information, intellectual property, and other invaluable corporate assets.

GraphQL has become a popular choice for building APIs in recent years. In projects using Typescript and Apollo Client, such as Rubrik’s, it is very helpful to map GraphQL schema to types and interfaces and one of the most popular tools for generating these types and interfaces based on a GraphQL schema is Apollo Codegen.

The NSA has published a guide about how to mitigate against attacks involving the BlackLotus bootkit malware, amid fears that system administrators may not be adequately protected against the threat. The BlackLotus UEFI bootkit made a name for itself in October 2022, when it was seen being sold on cybercrime underground forums for $5,000.

Kroll has analyzed incidents throughout Q1 2023 where drive-by compromise was the initial infection vector for GOOTLOADER malware. It is likely that the threat actors are utilizing SEO to drive individuals to either their own malicious website or to infected WordPress sites. These sites are then used to host documents that would be attractive to employees within the legal and professional services sectors.

Despite the security controls that OpenAI has imposed on ChatGPT to try to make it a secure space capable of assisting users in a variety of tasks, cybercriminals have managed to exploit this technology for malicious purposes. Recent research has shown that this generative artificial intelligence is capable of creating a new branch of polymorphic malware with relative ease. The main risk lies in ChatGPT's versatility, which allows it to create code that could easily be used for malware.

Read also: a cybercriminal charged in connection with LockBit ransomware operation, US offers up to $10 million for info on MOVEit hackers, and more.

Mac computers are becoming increasingly popular in business and enterprise applications. This growing adoption has had one negative side effect: Adversaries are increasingly targeting Macs, hoping that companies buy into the concept of macOS being immune to cyberattack. While macOS does provide advanced security features, these can be defeated by a determined attacker.

On May 24, 2023, industry and government sources detailed China-nexus activity in which the threat actor dubbed Volt Typhoon targeted U.S.-based critical infrastructure entities. CrowdStrike Intelligence tracks this actor as VANGUARD PANDA. Since at least mid-2020, the CrowdStrike Falcon® Complete managed detection and response (MDR) team and the CrowdStrike® Falcon OverWatch™ threat hunting team have observed related historical activity in multiple sectors.

In quick succession at the end of May into mid-June, software developer Progress released three advisories that any customers using its popular managed file transfer (MFT) solution MOVEit should immediately update to the latest release. In this time, they were made aware of three critical vulnerabilities, CVE-2023-34362 on May 31, CVE-2023-35036 on June 9, and CVE-2023-35708 on June 15.

Chinese hackers use DNS-over-HTTPS for Linux malware communication, a new Golang-based Skuld malware strand steals Discord and browser data from Windows PCs, and a massive phishing campaign uses 6,000 sites to impersonate brands.

Classifying new and unknown (zero-day) malware has always been a challenge in the security industry as new variants are discovered in the wild at an overwhelming rate.

In a recent development, Russian hackers have declared their intention to launch cyberattacks on the European financial system within the next 48 hours. The announcement was made late on Wednesday, June 14 and came through a video threat posted on the Mash Telegram channel, a very popular channel for Russian news. This operation appears to be a collaborative effort between the hacking groups KillNet, REvil, and Anonymous Sudan.

On June 14th, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC) along with its international cybersecurity partners released an advisory calling out the various indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) being leveraged by the LockBit ransomware operation over the past 3 years.

The recent conviction of a U.K. man for cyber crimes committed in 2018 brings to light a cyber attack where this attacker manually performed the “in-the-middle” part of an attack. We’ve all heard of a “Man-in-the-Middle” (MitM) attack – also more recently called a “Manipulator-in-the-Middle” attack.

Cybercrime has become a dominant concern for many businesses, as well as individuals. Cybercriminals will target any business, and any individual if they can realize a profit from their minimal efforts. One of the ways that criminals achieve their goals is through the use of malware that garners a fast profit, such as ransomware. More enterprising criminals will use more persistent malware, which enables them to return to the target for further victimization.

To identify malicious packages and protect yourself against them, you need to know what to look for. Here’s a simple guide. In January 2022, users of the popular open-source libraries “faker” and “colors” suddenly found their applications started to malfunction and display nonsensical data because they had been infected by a malicious package.

Here at Rubrik, we are rapidly progressing towards our initial FedRAMP® moderate authorization, and we are very excited to be listed as “In Process” on the FedRAMP Marketplace. This is an important milestone in delivering Rubrik’s data security platform to the U.S. federal government organizations.

Ransomware attacks are as pervasive as ever, with new data demonstrating just how impactful the attacks really are. If you’re one of the lucky few organizations that hasn’t fallen victim to a ransomware attack, consider yourself lucky. According to the 2023 Ransomware Trends Report from backup vendor Veeam, the vast majority of organizations (85%) have experienced a ransomware attack. And while that number is pretty shocking, that’s not the worst of it.

The purpose of the Netskope Threat Labs News Roundup series is to provide enterprise security teams an actionable brief on the top cybersecurity news from around the world. The brief includes summaries and links to the top news items spanning cloud-enabled threats, malware, and ransomware.

In a recent social-engineering attack targeting the hospitality sector observed by the ThreatSpike team, there appears to be a change in the tactics employed by the threat actor. The hospitality sector, where top-notch customer-service is expected, customer-facing employees are often lucrative targets for phishing, as detailed in our previous blog post.

My analysis of this year’s newly-released Verizon Data Breach Investigations Report begins with ransomware findings that point back to users as a big problem. If you only read one report each year to give you an idea of what’s going on with cyber attacks, it’s Verizon’s Data Breach Investigations Report (DBIR). Each year, analysts sort through tens of thousands of data breach incidents (some successful, some not) and identify the attack patterns.

On the surface, ransomware – malicious software designed to block access to a computer system until a sum of money is paid – appears to be off to yet another ruthless start in 2023 as one of the leading types of malware. Recent victims of public attacks in North America include industries such as health care, communication, education, and even government offices and municipalities.

Cybercrime continues to rise — the 2022 Internet Crime Report produced by the FBI's Internet Crime Complaint Center (IC3) revealed that the number of complaints it receives annually has more than doubled since 2018. The potential loss from cybercrime has also grown significantly – between 2021 and 2022, it rose from $6.9bn to $10.2bn.