Merlin Labs Memo -- Week of August 14-18
Beware Malicious QR Codes
A widespread phishing campaign ongoing since May 2023 has been targeting organizations in various industries, including a major US energy company, threat intelligence firm Cofense reports. Aimed at harvesting the Microsoft account credentials of the targeted organizations’ employees, the attacks rely on malicious QR codes embedded inside PNG images or PDF documents. The phishing links, Cofense explains, have been hidden in the QR codes.
The use of Bing URL redirects, coupled with hiding the phishing links in QR codes embedded in images or documents and with other obfuscation tactics, helped the malicious messages bypass security controls and land in the recipients’ inboxes.
According to Cofense, despite landing in inboxes, phishing emails carrying QR codes may be less effective at completing the attack, since they require the user to scan the code, typically with a mobile phone, and then follow the phishing link.
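As an added example (this is not code from Cofense or from Merlin Labs), here is a Python triage helper for the two detection points the campaign above raises. First, it walks a MIME message and flags attachments whose bytes are really a PNG or PDF, whatever Content-Type the sender declared, so they can be handed to a QR decoder (image decoding itself needs an external library and is not shown). Second, for the text a QR decoder returns, it unwraps Bing click-redirect links so the real destination can be checked against allow and deny lists. The Bing redirect layout assumed here (a `u` parameter holding `a1` followed by unpadded base64url of the target), the sample message and the sample QR payload are constructed for this example.

```python
"""QR-code phishing triage (added example; not code from Cofense or Merlin Labs)."""
import base64
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# File signatures of the two carrier formats the campaign used. Checking bytes,
# not the declared Content-Type, catches attachments relabelled as something bland.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
}


def classify_bytes(data: bytes) -> Optional[str]:
    """Return 'png', 'pdf' or None based on the leading bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def find_qr_carriers(raw_eml: bytes) -> List[Dict]:
    """List every non-multipart part whose decoded body is a PNG or PDF.

    These are the parts to hand to a QR decoder (pyzbar, zxing, etc.; not shown here).
    """
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if not payload:
            continue
        kind = classify_bytes(payload)
        if kind:
            hits.append({
                "filename": part.get_filename(),
                "declared": part.get_content_type(),
                "actual": kind,
                "size": len(payload),
            })
    return hits


def unwrap_bing_redirect(url: str) -> str:
    """Return the destination hidden in a Bing click-redirect, or the URL unchanged.

    Assumed layout: https://www.bing.com/ck/a?...&u=a1<base64url(target)>&...
    The 'a1' prefix and unpadded base64url encoding are assumptions for this example.
    """
    parsed = urlparse(url)
    if parsed.netloc.lower() not in ("www.bing.com", "bing.com"):
        return url
    if not parsed.path.startswith("/ck/a"):
        return url
    u_param = parse_qs(parsed.query).get("u", [""])[0]
    if not u_param.startswith("a1"):
        return url
    encoded = u_param[2:]
    encoded += "=" * (-len(encoded) % 4)   # restore stripped base64 padding
    try:
        return base64.urlsafe_b64decode(encoded).decode("utf-8", "replace")
    except ValueError:                      # binascii.Error is a ValueError
        return url


# --- Constructed sample data (not taken from the campaign) -------------------
SAMPLE_TARGET = "https://account-verify.example.invalid/login"
SAMPLE_QR_PAYLOAD = (
    "https://www.bing.com/ck/a?!&&p=0123456789abcdef&u=a1"
    + base64.urlsafe_b64encode(SAMPLE_TARGET.encode()).decode().rstrip("=")
    + "&ntb=1"
)


def build_sample_eml() -> bytes:
    """A constructed message carrying a PNG header relabelled as application/octet-stream."""
    msg = EmailMessage()
    msg["From"] = "it-support@example.invalid"
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "Action required: MFA update"
    msg.set_content("Scan the attached code to update your account.")
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64   # header plus filler, not a real image
    msg.add_attachment(fake_png, maintype="application", subtype="octet-stream",
                       filename="mfa.png")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in find_qr_carriers(build_sample_eml()):
        print("QR carrier candidate:", hit)
    print("decoded QR text:  ", SAMPLE_QR_PAYLOAD)
    print("real destination: ", unwrap_bing_redirect(SAMPLE_QR_PAYLOAD))
```

The point of the two stages is visibility: mail filters that only inspect links in the message body never see a URL that lives inside an image, so the carrier has to be identified first and the decoded URL has to be unwrapped before any reputation or domain check is meaningful.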
Our Take: A quick-response (QR) code is an optical image, and when scanned with a mobile device, it typically redirects you to a website in today’s world. This campaign by bad actors reminds us to stay vigilant. Follow these tips from the FBI on safely managing QR codes.
My take is to ask the question, do we have the visibility we need to detect and remediate against a phishing attack with QR codes embedded inside images or PDF documents? Most of us are finally at a point where we have full visibility to our desktops and servers but our mobile and email data is most likely one of the capabilities keeping us at “initial” and not in the “advanced” phase of our zero-trust maturity journey. - Tony Ko
More Reading:
CISA Calls for Revamped UEFI Security
The Unified Extensible Firmware Interface (UEFI) is what gets our computing devices started after they power up. If a threat gets into the UEFI, it’s almost impossible to get it out. And while the Linux family of operating systems does a good job of using public-key infrastructure (PKI) practices to secure itself, there’s another major operating system that keeps missing the boat on secure-by-default practices as regards UEFI.
Our Take: With malware like BlackLotus targeting the UEFI, Microsoft still only offers a manual process for clearing it out. We need the automated process, and much faster than “an early 2024 timeframe”. I can’t ask my customers to accelerate their security automation when their operating system manufacturer isn’t on board with automation. CISA already had to apply moderate pressure to get Microsoft to adjust its logging licensing, I’m hoping that they can keep up the pressure so Microsoft eventually stops externalizing security costs to its customers. – Dean Webb
Additional Reading:
Cybersecurity Hygiene – Approaching Cyber Wellness just like Healthcare Wellness
While technology may have evolved over the last 30 years, with today’s cloud-capable networks bearing little resemblance to the mainframe-centric, on-premise, hard-wired connections of yesterday, IT vulnerabilities and the adversarial tactics to exploit them have remained somewhat the same. Denial-of-service campaigns, attacks via email and exploitation of vulnerable applications are strategies that have stood the test of time as effective means of breaching systems and exposing their data. Because businesses still obsess over time to market for new functionality at the expense of security and stability, the opportunity landscape for hackers is flourishing. While the continued state of vulnerabilities across our collective networks may be welcome news for cybersecurity organizations (there is a projected $133 billion global annual spend on information security and risk management solutions) – it’s really bad news for the rest of us – and signals a fundamental disconnect between what we really need versus what we are told will solve our problems. As with our physical health, our focus should be on staying healthy instead of ignoring the basics of wellness and then treating all of the resulting symptoms of that negligence with the latest pill or procedure. – Via: Dark Reading
Our Take: I can’t emphasize enough how much I love this Dark Reading article. Every word in it resonated with me. Maybe it’s because my original career was as a practitioner in healthcare as a medical speech-language pathologist where I treated the often-devastating symptoms of things-gone-wrong in the brain, or maybe it’s because I’ve always viewed IT systems as being more closely aligned with the complexities of the human body than with other human-built things like buildings – but either way, the analogy just works. Perhaps it says more about human nature than anything that we seem to have no problem spending astronomical amounts of time and money trying to fix things that are broken but never seem to have the time or money to “shift left” and invest in the preventative measures in the first place. The author of the article suggests that prevention, detection, response and remediation are equivalent to cybersecurity’s basic food groups, each important and best leveraged in balanced and appropriate amounts. Brilliant in its simplicity. It’s the only real path to cyber resilience. Cybersecurity teams must work on shifting their cybersecurity worldview to one that acknowledges and embraces cyber hygiene best practices, and tackling NOC and SOC operations alike from a training, conditioning, and problem-prevention manner. While this is present in some amount in most of today’s operations, the facts suggest it needs to be done in a far more aggressive and intentional way than is today’s norm. From security and awareness training to continuous monitoring operations that include ongoing vulnerability scanning, encryption of all data, frequent backups, internal PEN testing, account and asset management, port and protocol monitoring, as well as situational awareness with regard to the ever-changing threat landscape – cybersecurity hygiene operations should be getting the majority of organizations’ cybersecurity budgets and resource investments.
Let’s stop dismissing cyber hygiene as an academic exercise and something that happens “as a given” and actually build our programs to reflect its importance. I’d be willing to bet that for most organizations, what they assume today is a given - is not and after all, you know what they say about an ounce of prevention... – Sarah Hensley, MS-SLP
Additional Reading:
CyberArk Tool Provides Help for Ransomware Victims
Ransomware involves the encryption of files so that their owners cannot use them. Ransomware attackers, however, frequently do not fully encrypt files. The two reasons behind that choice are evasion and expediency. Evasion because by making large numbers of writes to change a file, the ransomware tips its hand to defenses looking for exactly that. Expediency because encrypting only just enough of a file to make it unreadable is much faster than encrypting the entire file. This tactic is known as intermittent encryption, and it’s been around since 2020.
While intermittent encryption has been running rampant for the last few years, researchers at CyberArk have made a discovery that makes that tactic less optimal and possibly even ineffective. Files that have been hit with intermittent encryption show all the features of files that have been corrupted, and that forms the basis of a tool that can use data recovery techniques to restore files that have been intermittently encrypted.
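To make the “looks like corruption” observation concrete, here is an added Python example (it is not White Phoenix or any CyberArk code). It scans a file in fixed windows, computes the Shannon entropy of each window, and maps the high-entropy runs against the untouched remainder. Ordinary document content carries a few bits of entropy per byte; encrypted or random bytes sit near 8. Over a file hit by intermittent encryption the map shows exactly the pattern described above: short encrypted islands with most of the file intact, which is what a data-recovery approach has to work with. The sample document and the damage pattern (random bytes every 16 KiB) are constructed fixtures for this example, and the 4 KiB window and 7.5-bit threshold are assumptions, not values from CyberArk’s research.

```python
"""Per-window entropy map for intermittently encrypted files.

Added example; not CyberArk's White Phoenix. Window size and threshold are assumptions.
"""
import math
import os
from collections import Counter
from typing import Dict, List, Tuple

WINDOW = 4096          # analysis window in bytes (assumed)
HIGH_ENTROPY = 7.5     # bits per byte; random/ciphertext windows sit near 8.0 (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte for the given buffer (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_windows(data: bytes, window: int = WINDOW,
                 threshold: float = HIGH_ENTROPY) -> List[Tuple[int, float, bool]]:
    """Return (offset, entropy, is_high_entropy) for each window of the file."""
    rows = []
    for off in range(0, len(data), window):
        ent = shannon_entropy(data[off:off + window])
        rows.append((off, round(ent, 2), ent >= threshold))
    return rows


def summarize(data: bytes, window: int = WINDOW,
              threshold: float = HIGH_ENTROPY) -> Dict:
    """Map the encrypted islands and report how much of the file is still intact."""
    rows = scan_windows(data, window, threshold)
    hot = [r for r in rows if r[2]]
    return {
        "windows": len(rows),
        "high_entropy_windows": len(hot),
        "intact_fraction": 1.0 - len(hot) / len(rows) if rows else 0.0,
        "encrypted_ranges": [(off, min(off + window, len(data))) for off, _, _ in hot],
    }


# --- Constructed fixtures (not real ransomware output) ------------------------
def build_sample_document(size: int = 64 * 1024) -> bytes:
    """Stand-in for a text document: repetitive, low-entropy content."""
    line = b"Quarterly report: revenue, costs, headcount, notes.\n"
    return (line * (size // len(line) + 1))[:size]


def simulate_intermittent_damage(data: bytes, stride: int = 16 * 1024,
                                 length: int = 4096) -> bytes:
    """Test fixture only: replace a short run of bytes every `stride` bytes with random
    bytes in an in-memory copy, reproducing the 'small share of bytes changed at
    intervals' shape this scan is meant to surface. No file is touched."""
    buf = bytearray(data)
    for off in range(0, len(buf), stride):
        buf[off:off + length] = os.urandom(min(length, len(buf) - off))
    return bytes(buf)


if __name__ == "__main__":
    original = build_sample_document()
    damaged = simulate_intermittent_damage(original)
    print("clean document:  ", summarize(original))
    print("damaged document:", summarize(damaged))
```

On the constructed 64 KiB document the scan reports 4 of 16 windows as high entropy and three quarters of the file intact; on a fully encrypted file every window would trip the threshold and the intact fraction would be zero, which is the trade-off the text describes: full encryption defeats this kind of recovery but costs the attacker speed and stealth.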
Our Take: The tool is called White Phoenix and the best part of it is that CyberArk made it free for use via GitHub, link below. More than that, the AI that is in CyberArk’s tool is itself a sign of a great trend in cybersecurity – the defenders are adopting AI faster than the attackers. How long this lasts, we don’t know, but we’re going to enjoy it as long as it does. Getting back to the tool itself, while it does not prevent the ransomware, it truly accelerates the recovery time for a ransomware incident when intermittent encryption is used. If attackers want to have White Phoenix-proof encryption, then they have to go the route of full encryption and risk their operation being busted via other defenses.
And while we don’t have a silver bullet or magic wand that makes all of the ransomware threats go away, we do have tools that can help out. We can fight these things. There are more battles in front of us, but, ultimately, we can do things to defend ourselves that work and make it where the bad guys don’t profit from their activities. – Dean Webb
Additional Reading:
Readers of our Newsletter: What’s working, what’s not, and what’s on your mind? Leave a comment below or email [email protected]. Thank you!