Customer portal
Articles Tagged with

cyber threat intelligence

"Spot
Opinion, SME Cybersecurity

Spot the Scam: Recognising Phishing and Social Engineering Tactics

In an increasingly interconnected world, the reliance on digital communication has grown,
and with it, the threat posed by cybercriminals. Phishing and social engineering have emerged as two of the most effective tactics used to exploit both individuals and businesses. These scams come in various forms, from the well-known phishing emails to more sophisticated attacks such as vishing and quishing.

The prevalence of these scams can be attributed to their ability to prey on human psychology, manipulating emotions like fear, urgency, and trust. By recognising these tactics and understanding how they operate, you can better protect yourself and your business from falling victim to their traps. In this article, we will explore the most common phishing and social engineering methods, explain how they work, and offer practical steps to stay safe.

What is Phishing?

Phishing is a type of cyberattack that relies on deceptive emails, messages, or websites to steal sensitive information such as passwords, financial details, or even personal identity information. Despite years of warnings, phishing remains highly effective because scammers are constantly improving their techniques to make their communications look legitimate.

The fundamental goal of phishing is to trick the recipient into believing the communication is from a trusted source. These attacks can be highly convincing, often imitating well-known brands, financial institutions, or even government agencies. Below are some of the most common types of phishing attacks.

Types of Phishing

Email Phishing
One of the most widespread forms of phishing, email phishing involves sending fraudulent emails to a large number of people, hoping that at least a few will take the bait. These emails typically impersonate trusted organisations like banks or online services and contain messages designed to prompt action.

Example: You receive an email claiming that your Amazon account has been suspended due to suspicious activity. The email provides a link where you can “verify your account.” The link takes you to a fraudulent website that looks exactly like Amazon’s login page. If you enter your credentials, they are immediately stolen.

Signs of Email Phishing:

  • Generic greetings like “Dear Customer” instead of addressing you by name.
  • Urgent language pressuring you to act quickly (e.g. “Your account will be suspended unless you respond immediately”).
  • Suspicious attachments or links.

Spear Phishing
Spear phishing is a more targeted form of phishing, where the attacker personalises the email to a specific individual or organisation. These emails are usually crafted with great attention to detail, often including the target’s name, position, or other personal information, making them much harder to detect.

Example: A senior accountant at a company receives an email that appears to be from their CFO, asking for an urgent wire transfer. The email uses familiar language and refers to an ongoing project to make the request seem authentic.

How to Spot Spear Phishing:

  • Double-check the sender’s email address. Fraudulent emails often use a slight variation of a legitimate address.
  • Look for requests that seem unusual or out of character, even if they appear to come from someone you know.
  • If you’re unsure, always verify the request by contacting the person directly via phone or in person.

Clone Phishing
In this variation, the attacker creates an almost identical copy of a legitimate email that you have previously received. The attacker clones the original message but replaces the attachments or links with malicious ones.

Example: You received a legitimate email last week with an invoice from a supplier. Today, you get what seems like the same email, but the attachment has been replaced with malware. Because the email looks identical to the previous one, you may be tempted to open it without thinking twice.

How to Recognise Clone Phishing:

  • Look for small differences in the email’s language or layout, as attackers often miss minor details when cloning.
  • Always be cautious with attachments and links, especially if you weren’t expecting them.
  • Use a trusted antivirus program that scans attachments before you open them.

Whaling
Whaling is a highly targeted form of spear phishing, typically aimed at high-profile individuals within an organisation, such as CEOs or CFOs. These attacks are designed to steal sensitive corporate information or authorise fraudulent financial transactions.

Example: A CEO receives an email that appears to be from the company’s legal department, requesting confidential financial details in relation to a lawsuit. The email is crafted to be convincing, using legal jargon and mimicking the company’s internal communication style.

Defending Against Whaling:

  • Implement multi-factor authentication (MFA) to add an extra layer of security for high-level executives.
  • Train senior staff to recognise phishing tactics and encourage them to question unexpected requests for sensitive information.
  • Ensure that high-value financial transactions require multiple levels of approval.

What is Social Engineering?

While phishing often relies on digital communication, social engineering encompasses a broader range of tactics, many of which involve direct interaction with the target. The aim of social engineering is to manipulate individuals into revealing confidential information or performing actions that compromise their security. The success of social engineering lies in exploiting human emotions, such as trust, fear, and curiosity.

Common Social Engineering Techniques

Pretexting
Pretexting is a form of social engineering where the attacker fabricates a scenario to obtain sensitive information from the target. The scammer will often impersonate someone the victim knows or trusts, such as a co-worker, IT support, or a government official.

Example: An attacker calls an employee, pretending to be from the company’s HR department, and asks for personal details to “verify” their records. The employee, trusting the authority of HR, complies, unaware that they’re speaking to a scammer.

How to Spot Pretexting:

  • Be cautious when someone asks for personal or sensitive information over the phone or via email, even if they claim to be from a trusted source.
  • Verify the person’s identity by contacting them through official channels, such as a company phone directory.

Baiting
Baiting is a technique where the attacker offers something enticing to lure the victim into compromising their security. This can come in the form of free downloads, media files, or even physical devices left in public places.

Example: A USB drive labelled “Confidential: Company Financials” is left on a table in your office lobby. Out of curiosity, an employee plugs it into their computer to see what’s inside, unknowingly introducing malware into the company’s network.

Preventing Baiting Attacks:

  • Educate employees about the dangers of using unknown USB drives or downloading unsolicited files.
  • Install security software that can detect and block malware from external
    devices.

Quishing (QR Code Phishing)
Quishing is a newer form of phishing that involves the use of malicious QR codes. Scammers may distribute these QR codes via emails, posters, or other forms of media, encouraging victims to scan them with their phones. Once scanned, the victim is taken to a fraudulent website designed to steal personal information or install malware.

Example: You receive a flyer advertising a “free meal” at a popular restaurant if you scan the QR code to download the voucher. When you scan it, you are taken to a fake website that asks for your credit card information to claim the offer.

How to Defend Against Quishing:

  • Be cautious when scanning QR codes from unknown sources or unsolicited messages.
  • Use a mobile security app that can scan and verify QR code links before you visit them.

Vishing (Voice Phishing)
Vishing, or voice phishing, involves attackers making phone calls to their victims, posing as legitimate institutions like banks, government agencies, or tech support. They typically use scare tactics to convince the victim to share sensitive information over the phone.

Example: A scammer calls, claiming to be from your bank’s fraud department. They inform you of “suspicious activity” on your account and request that you confirm your account details and security PIN. In reality, they are gathering the information to steal your identity.

Signs of a Vishing Attack:

  • Callers pressuring you for immediate action or using scare tactics.
  • Requests for sensitive information like passwords, account numbers, or PINs.
  • Caller ID spoofing to make it appear as though the call is coming from a
  • legitimate organisation.

Smishing (SMS Phishing)
Smishing uses text messages as a vector to deliver phishing attacks. These messages often claim to be from trusted sources like banks, government bodies, or delivery services, urging the recipient to click on a link or provide information.

Example: You receive a text message stating that a parcel could not be delivered and that you need to click a link to reschedule the delivery. The link takes you to a fake website designed to steal your personal and financial information.

How to Avoid Smishing:

  • Be wary of unsolicited text messages, especially those containing links or requests for sensitive information.
  • Always navigate to official websites by typing the address into your browser, rather than clicking on links in text messages.

How to Recognise a Scam: Key Red Flags

Phishing and social engineering attacks are increasingly sophisticated, but there are still
some common signs that can help you spot them:

  1. Unfamiliar Senders: If you receive an email, text message, or phone call from someone you don’t recognise, especially if they are asking for sensitive information, take a step back and evaluate the situation. Scammers often impersonate people you trust, so verify their identity before acting.
  2. Suspicious Links: Hover over links in emails or messages before clicking them. This will reveal the actual URL you’re being directed to, which may be different from the displayed link. If the URL looks suspicious, don’t click it.
  3. Spelling and Grammar Mistakes: Many phishing emails and messages are poorly written, with noticeable spelling and grammar errors. While some attackers have improved their writing skills, it’s still common to spot these mistakes as a sign of a scam.
  4. Unusual Requests: Be cautious of emails, messages, or phone calls requesting urgent action, especially if they ask for personal or financial information. Always verify the request with the supposed sender through official channels.

Protecting Yourself and Your Business

While phishing and social engineering attacks continue to evolve, there are several proactive
steps you can take to protect yourself and your organisation:

  1. Employee Training: Regularly train your employees on the latest phishing and social engineering tactics. Ensure they understand the importance of vigilance and encourage them to report suspicious activity.
  2. Use Multi-Factor Authentication (MFA): MFA adds an extra layer of security, requiring users to provide two or more forms of authentication to access sensitive accounts. This can help prevent attackers from accessing accounts, even if they’ve stolen a password.
  3. Regular Software Updates: Ensure that all systems and software are up to date with the latest security patches. Many phishing attacks exploit vulnerabilities in outdated software.
  4. Incident Response Plan: Develop a robust incident response plan that outlines the steps to take if a phishing or social engineering attack occurs. This will help minimise damage and recover quickly from any breaches.
  5. Email Filtering and Firewalls: Use advanced email filtering tools to block phishing emails before they reach your inbox.

Conclusion

Phishing and social engineering attacks continue to be among the most effective cybercriminal tactics because they exploit the most vulnerable part of any security system—human psychology. By recognising the signs of these scams and implementing proactive security measures, you can significantly reduce the risk of falling victim to these attacks.

As cyber threats continue to evolve, awareness and education are critical. The more you know about phishing and social engineering tactics, the better equipped you’ll be to spot the scam before it’s too late. Empower your team, stay vigilant, and take action to protect both your personal and business information from cybercriminals.

Photos by Bernd 📷 Dittrich Zanyar Ibrahim ThisisEngineering Todd Cravens  stephen momot on Unsplash

"Cyberthreats
Opinion, Tips

Cyberthreats Infographic – what you need to know

Following our series of blog posts over the past few weeks, here is something that gives you a snapshot of what you need to know right now. In the form of an infographic, you can download the high res version here.

What other posts have we written that you will find useful?

Why cybersecurity matters for everyone – Cybersecurity Awareness Month

Creating a cybersecurity culture in your SME

10 Cybersecurity Best Practices Every SME Should Implement

Top 5 Cyber Threats Every SME Should Be Aware Of

Inside a Cyber Attack – Key Phases and Business Impact

Cybersecurity 101: What Every SME Needs to Know

Photo by Maxim Hopman on Unsplash

"Creating
Opinion, SME Cybersecurity

Creating a Cybersecurity Culture in Your SME

In today’s digital age, SMEs (small and medium-sized enterprises) face many of the same cybersecurity challenges as larger companies but often lack the resources to address them effectively. Building a robust cybersecurity culture is one of the most effective ways SMEs can safeguard their operations from cyber threats. This culture extends beyond simply having policies in place; it’s about embedding security into the very DNA of your organisation so that every employee, from top leadership to entry-level staff, understands their role in keeping the company secure.

A strong cybersecurity culture helps SMEs become more resilient in the face of evolving cyber threats. When all employees are committed to security best practices, it reduces the chance of falling victim to increasingly sophisticated attacks. It’s not just about securing devices and networks; a robust culture of security is about proactive vigilance, ongoing education, and creating an atmosphere where employees feel empowered to identify and report potential issues.

In this blog post, we’ll explore the steps needed to foster a cybersecurity culture within your SME, including ongoing training, leadership involvement, and creating a response plan. These measures will help ensure your business is more resilient to cyber threats.


Why Cybersecurity Culture Matters for SMEs

Creating a cybersecurity culture isn’t just about protecting sensitive data or meeting regulatory requirements; it’s about ensuring the longevity of your business. The reality is that SMEs are frequently targeted by cybercriminals because they often have fewer resources to defend themselves. According to the UK Government’s Cyber Security Breaches Survey 2024, 48% of SMEs reported experiencing a cybersecurity breach in the past 12 months, with the average cost of a breach totalling thousands of pounds. In addition to financial losses, these attacks can severely damage an SME’s reputation and disrupt business operations.

Creating a Cybersecurity Culture SOS Intelligence

Given the increasing digitisation of business processes, SMEs cannot afford to ignore cybersecurity. The misconception that only large enterprises are targeted by cybercriminals is no longer valid. Many SMEs hold sensitive data that can be valuable to attackers, including customer information, financial data, and intellectual property. Cybercriminals often see smaller companies as easy targets because they are assumed to have weaker defences.

Moreover, cybersecurity threats are constantly evolving. What worked in terms of defence a year ago may no longer be effective today. From phishing scams to ransomware attacks, cybercriminals continuously adapt their tactics to exploit vulnerabilities in an organisation’s infrastructure. This means SMEs must build a culture where cybersecurity awareness is ingrained in every employee’s mindset, ensuring the entire workforce remains vigilant and proactive about new and emerging threats.


Building the Foundation: Leadership Involvement

The first step in fostering a cybersecurity culture is ensuring that leadership is fully engaged in the process. Leadership sets the tone for the rest of the organisation, and without their buy-in, it will be difficult to get employees to take cybersecurity seriously. In fact, the commitment of senior management is often the deciding factor in whether a cybersecurity initiative is successful.

1. Lead by Example

Leaders must demonstrate a commitment to cybersecurity by participating in training and adhering to the same security policies as everyone else. When employees see management taking security seriously, they are more likely to follow suit. Moreover, when leaders show that they, too, are subject to the same protocols and scrutiny, it reduces the perception of cybersecurity being a burdensome requirement imposed solely on lower-level employees.

Creating a Cybersecurity Culture SOS Intelligence

For leadership, it’s essential to highlight how cybersecurity contributes to the company’s overall mission. For example, protecting sensitive customer data could be framed not only as a compliance obligation but also as a way to build trust and loyalty with customers. Additionally, security measures help protect the company from financial losses and reputational damage, which are critical to the business’s long-term sustainability. Leaders who emphasise this alignment between cybersecurity and business goals help reinforce its importance across the organisation.

2. Appoint a Cybersecurity Champion

If your SME doesn’t have the resources to hire a full-time Chief Information Security Officer (CISO), consider appointing a cybersecurity champion from within your organisation. This person will act as the point of contact for all security-related concerns, drive security initiatives, and help promote a culture of awareness. They can ensure that security is consistently discussed at meetings, initiate training opportunities, and spearhead efforts to improve company-wide adherence to cybersecurity protocols.

While your cybersecurity champion may not necessarily have deep technical expertise, their role is more about coordination and communication. They serve as the go-to person for employees with questions or concerns about cybersecurity and help reinforce security best practices in everyday business activities. Having someone in this role makes cybersecurity feel more accessible and reinforces the idea that everyone has a stake in the company’s security posture.


Employee Engagement: Ongoing Training and Education

One-off training sessions or annual security updates are no longer enough to keep employees aware of the latest threats. Cyber threats are constantly evolving, and so must your training initiatives. Ongoing education and engagement are essential to maintaining a cybersecurity culture. Regular training helps to address common human errors, such as falling for phishing scams or using weak passwords, which are frequently exploited by cybercriminals.

1. Tailor Your Training

The most effective training programmes are tailored to your specific industry and company structure. While generic training can raise awareness, training that is relevant to the threats your organisation faces will be more impactful. For example, if your SME handles sensitive financial information, training should focus on the types of cyber threats targeting the finance sector, such as phishing, social engineering, or ransomware. Tailoring the content makes the training more engaging and relevant, increasing the likelihood that employees will take it seriously.

It’s also important to take into account the varying levels of technical expertise within your team. While some employees may be well-versed in technology and security practices, others may not. Adjust your training accordingly, offering different levels of instruction to ensure that even those who aren’t tech-savvy can understand the risks and their role in maintaining security.

2. Make Training Interactive

Training doesn’t have to be boring. Interactive sessions, quizzes, and real-world simulations, such as phishing simulations, can help employees understand the risks and consequences of cybersecurity lapses in an engaging way. Many companies now offer gamified cybersecurity training, which makes learning about security fun and competitive. This approach increases retention of key lessons, as employees are more likely to remember scenarios they’ve actively participated in.

Phishing simulations are especially important, as phishing remains one of the most common and effective tactics used by cybercriminals. Sending mock phishing emails to employees and monitoring their responses allows you to identify weaknesses and provide additional training to those who need it. When employees are tested regularly, they are more likely to remain vigilant and sceptical of suspicious emails, reducing the risk of a successful attack.

Creating a Cybersecurity Culture SOS Intelligence

3. Establish a Regular Training Schedule

Cybersecurity should be an ongoing conversation within your organisation. Consider holding quarterly or even monthly security training sessions to keep employees updated on the latest threats and best practices. Regularly review your training materials to ensure they address current threats and compliance requirements. Employees should also be reminded of the consequences of failing to adhere to security protocols, such as disciplinary action or the potential for a data breach

that could damage the business’s finances and reputation.

Training should be accessible, easy to understand, and practical. As threats evolve, new training content should reflect these changes. For example, emerging threats like quishing (QR code phishing) or supply chain attacks should be discussed in upcoming sessions. Make sure employees know that cybersecurity training isn’t a one-time event but a continual process aimed at keeping the business secure in an ever-changing digital landscape.


Foster an Open Reporting Culture

One of the biggest barriers to creating a cybersecurity culture is the fear employees may have of reporting mistakes. Whether it’s accidentally clicking on a phishing link or mishandling sensitive information, employees may hesitate to report incidents for fear of punishment or embarrassment. Unfortunately, this reluctance can allow small issues to spiral into major security breaches, which could have been mitigated with timely reporting.

1. Remove the Stigma Around Cybersecurity Incidents

To foster a cybersecurity culture, create a non-punitive reporting process. Emphasise that mistakes happen, and that the most important thing is to report incidents quickly so they can be addressed. This approach not only reduces the likelihood of an unreported breach but also encourages employees to be proactive in spotting and reporting potential vulnerabilities.

Create an environment where employees feel safe and supported when discussing cybersecurity. Consider adding anonymous reporting mechanisms, so employees can report incidents without fear of personal repercussions. By focusing on correcting mistakes rather than assigning blame, your SME can address risks proactively and reduce the likelihood of small errors snowballing into major security incidents.

2. Implement a Clear Reporting Process

Ensure that employees know exactly how to report security incidents, and make the process as simple as possible. Whether it’s a dedicated email address, an internal ticketing system, or a phone line, having a streamlined process ensures incidents are reported and addressed quickly. Encourage employees to report even minor concerns—what may seem insignificant to them could indicate a larger issue.

You should also ensure that employees are comfortable asking questions when they are unsure about the legitimacy of an email, link, or attachment. Having an accessible support structure where employees can confirm whether something is suspicious is vital for preventing security breaches. Remind employees that reporting suspicious activity, even if it turns out to be harmless, is far better than ignoring it altogether.


Incorporate Cybersecurity into Day-to-Day Operations

For cybersecurity to become part of your company’s culture, it must be incorporated into everyday activities. This doesn’t mean bogging employees down with complex security tasks, but rather making security a natural part of their workflow. When security becomes a habit rather than a burden, it becomes ingrained in the daily routine of your employees.

1. Automate Where Possible

Cybersecurity can be overwhelming, especially for employees who aren’t tech-savvy. To help integrate security into daily tasks, consider using tools that automate some of the more complicated aspects of cybersecurity. For example, password managers can help employees create and store strong, unique passwords without having to remember them, and multi-factor authentication (MFA) can add an extra layer of security without requiring much effort from the user.

In addition to password management and MFA, consider using automated tools that regularly scan your systems for vulnerabilities, ensuring that any weaknesses are identified and addressed before they can be exploited. Automated patch management systems, which update software as soon as security patches become available, can significantly reduce the risk of attacks that exploit outdated software. By automating key processes, you remove the burden from employees and reduce the risk of human error.

2. Security as a Conversation Topic

Security should be a regular agenda item in team meetings. Brief employees on new security initiatives, emerging threats, or any incidents that occurred in the wider industry. This not only keeps security top of mind but also helps normalise it as a critical business function. Discussing cybersecurity as part of normal business operations helps embed it into your company’s everyday processes.

Having a dedicated time for discussing security can also bring attention to industry-specific threats. If an SME operates in sectors like healthcare, finance, or e-commerce, the risks associated with breaches can be particularly high. Incorporating discussions around cybersecurity in day-to-day meetings ensures that employees remain aware of these risks and can act accordingly.


Develop a Comprehensive Incident Response Plan

No matter how strong your cybersecurity culture is, incidents will happen. The key is being prepared. A well-developed incident response plan is essential for quickly and effectively managing a breach. It provides clear guidance for the team, outlining the actions they need to take when a security incident occurs, which helps minimise damage.

Creating a Cybersecurity Culture SOS Intelligence

1. Identify Your Critical Assets

Your incident response plan should begin by identifying the assets that are most critical to your business. These could include customer data, intellectual property, or operational systems. Once identified, you can create a priority list to help your team focus on what needs to be protected first in the event of a breach. Understanding your most valuable assets will enable you to tailor your incident response plan and ensure that the most critical parts of your business are protected.

In SMEs, critical assets can vary greatly depending on the industry. For instance, in a financial services SME, customer data and transactional systems will be key priorities. In contrast, for a retail SME, customer credit card data and e-commerce platforms may be the primary concern. Once these assets are identified, you can categorise the risks and assign appropriate security measures, ensuring that these high-priority elements are adequately safeguarded.

2. Outline Key Roles and Responsibilities

A clear incident response plan should assign specific roles to team members. Everyone should know who is responsible for what during a cybersecurity incident. This includes not only IT staff but also communication teams, HR, and leadership. Employees should also know whom to report to in the event of a breach.

The incident response team should be equipped with a plan that is tailored to the type of attack being experienced. For example, a ransomware attack may require different actions from a data breach. Key personnel should be trained on how to handle different scenarios, ensuring that the response is swift and effective. Additionally, outlining roles and responsibilities ahead of time ensures that there is no confusion during an actual event, and the team can act quickly to mitigate damage.

3. Create a Communication Plan

A communication plan is a critical part of incident response. This includes internal communication (informing employees about the breach and how it’s being handled) as well as external communication (notifying clients, partners, and regulators). Make sure your communication plan is clear, concise, and ready to be implemented at a moment’s notice. Be transparent about what is happening and provide reassurance that the incident is being managed.

Clear communication is also essential for maintaining customer trust. In the event of a breach, you must inform affected customers quickly and provide them with guidance on any actions they should take, such as changing passwords or monitoring accounts for suspicious activity. Transparency helps manage reputational risk and can help preserve client relationships even in the face of a cybersecurity incident.

4. Conduct Regular Drills

Incident response plans should be tested regularly. Conduct drills or simulations to ensure that all employees know their roles and can respond effectively. These drills should mimic real-life scenarios, such as a ransomware attack or a data breach, to help employees get used to the pressure of responding to an actual incident.

Regular drills allow you to identify weaknesses in your incident response plan, enabling you to make improvements before a real breach occurs. Simulations also give employees a better understanding of how incidents unfold, the decisions they may need to make, and how quickly they need to act to minimise damage. The more comfortable employees are with the process, the more efficiently they will respond during an actual incident.


Encourage Personal Cybersecurity Responsibility

While businesses can put countless policies, tools, and procedures in place, ultimately, it’s up to each individual employee to take responsibility for their own cybersecurity. Encouraging this personal responsibility is the final step in creating a cybersecurity culture. When employees understand that they play a crucial role in protecting company assets, they are more likely to stay vigilant and adopt good cybersecurity practices.

1. Promote Safe Personal Habits

Encourage employees to adopt good cybersecurity habits not just in the workplace but in their personal lives as well. This could include using strong, unique passwords for personal accounts, enabling MFA on social media accounts, or being mindful of the risks associated with sharing too much personal information online. When employees apply these practices in their personal lives, they are more likely to bring the same level of vigilance to the workplace.

Educating employees about the overlap between personal and work cybersecurity is essential. With remote and hybrid working environments, the lines between personal and professional devices and networks can blur. Ensuring that employees understand how their personal digital habits can affect the security of business data is key. Whether they are using their own devices for work or sharing company information across personal networks, they must adopt best practices in every aspect of their digital lives.

Creating a Cybersecurity Culture SOS Intelligence

2. Reward Good Cybersecurity Behaviour

Incentivising good cybersecurity practices can further encourage a security-conscious culture. Whether it’s through a formal reward system or informal recognition, acknowledging employees who consistently demonstrate good security behaviour reinforces the importance of cybersecurity.

Reward systems can be simple yet effective. For example, recognising an employee who successfully identifies and reports a phishing attempt can encourage others to stay alert. Alternatively, offering small incentives for employees who complete cybersecurity training modules or contribute to the company’s security initiatives can also boost participation and engagement. By rewarding positive behaviours, you create an environment where employees feel motivated to contribute to the company’s security efforts.


Conclusion

Creating a cybersecurity culture in your SME is an ongoing process that requires commitment from all levels of the organisation. By involving leadership, providing ongoing training, fostering an open reporting culture, integrating security into daily operations, developing an incident response plan, and encouraging personal responsibility, you can build a culture where cybersecurity is a top priority.

In a world where cyber threats are constantly evolving, having a cybersecurity culture isn’t just a nice-to-have; it’s a business necessity. A well-trained, security-conscious workforce is your first line of defence against cybercriminals, helping to protect your SME from costly and potentially devastating cyberattacks. By embedding security into your company’s values and day-to-day operations, you’ll be well on your way to creating a more resilient and secure organisation.

We are here to help you as we appreciate there is a lot to think about! May we recommend your first step? Book a call and a demo so we can show you SOS Intelligence – we promise it will help you sleep easier at night.

Photos by John Schnobrich, Luca Bravo, Riccardo Annandale Dylan Gillis Alvaro Reyes Ariel 

""/
SOS Intelligence Weekly News Round Up

Weekly News Round Up

09 – 15 September 2024

CVE Discussion and Exploitation

Over the past week, we’ve monitored our vast collection of new data to identify discussions of CVEs. 

Noteworthy Exploitation of New CVEs by Threat Actors:

  1. Cisco ASA SSL VPN Vulnerability (CVE-2024-40200): This RCE vulnerability is being exploited by Chinese and Russian state-sponsored APTs to gain unauthorized access to sensitive data transmitted over SSL VPNs. Targets include government agencies and critical infrastructure, particularly in APAC, making it a priority for patching.
  2. Citrix Gateway RCE Vulnerability (CVE-2024-40321): Exploited by APT29 (Cozy Bear), this flaw allows unauthenticated remote code execution. The group has used it to gain persistent access to enterprise networks in attacks against multinational corporations and financial institutions, underscoring its rapid adoption by espionage actors.
  3. Sophos XG Firewall Vulnerability (CVE-2024-41107): Iranian-linked threat actors have exploited this to bypass security controls and gain footholds in MENA-region networks. This is part of broader espionage activities targeting government and defense organizations.
  4. Zimbra Collaboration Suite Vulnerability (CVE-2024-40998): APT28 (Fancy Bear) is actively exploiting this flaw to steal sensitive emails and credentials. Zimbra is widely used by universities and government agencies, making this CVE highly dangerous for academic and public sector institutions.

Key Takeaways:

  • Cisco ASA SSL VPN and Citrix Gateway vulnerabilities are seeing heavy exploitation in cyber-espionage campaigns, with state-sponsored actors using these flaws to target critical infrastructure and government agencies.
  • Sophos XG Firewalls and Zimbra Collaboration Suite vulnerabilities are being actively exploited by APT groups, focusing on data theft and long-term persistence within sensitive networks, particularly in the Middle East and academic sectors.

Ransomware Activity

Over the past week, we’ve captured 82 ransomware incidents, affecting victims in 23 countries across 24 industries.

Ransomware Top 5s

Advancements in Ransomware Tactics:

  • Advanced EDR Evasion Techniques: Ransomware operators, particularly RansomHub, have been deploying sophisticated tools like Kaspersky’s TDSSKiller to bypass endpoint detection and response (EDR) systems. This reflects the growing use of Bring Your Own Vulnerable Driver (BYOVD) strategies, which are increasingly being employed to disable security measures before deploying ransomware.
  • Targeting Virtualized Infrastructures: Groups such as Storm-0506 and Manatee Tempest have turned their attention toward VMware ESXi hypervisors, exploiting vulnerabilities like CVE-2024-37085. This allows them to rapidly encrypt multiple virtual machines, expanding their attack surface by compromising critical server environments.

Emerging Threat Actors:

  • Helldown: A newly surfaced group, Helldown, made its mark by listing 17 victims on its leak site in a short period, indicating it may quickly become a more prominent player. Their focus has been on exploiting unpatched vulnerabilities to target a broad array of victims.
  • Manatee Tempest: This relatively new group has been gaining attention for its focused exploitation of ESXi vulnerabilities, joining the ranks of emerging ransomware gangs that prioritize attacks on virtualization technologies.

Key Ransomware Incidents:

  • Storm-0506 (Black Basta) Attack on Engineering Firm: Storm-0506 conducted a high-profile attack against a North American engineering firm, exploiting CVE-2023-28252 (a Windows CLFS vulnerability). The group leveraged advanced credential-stealing tools like Cobalt Strike and Pypykatz to compromise administrative accounts and encrypt virtual machines, causing widespread operational disruption.
  • Meow Ransomware Group Resurgence: The Meow ransomware group has shifted its focus from Russian targets to U.S. entities, marking a resurgence in its activity. Using Conti’s leaked ransomware code, Meow has been increasingly active, showing adaptability in its targeting strategy and operational methods.

News Roundup

Payment Provider Breach Exposes Credit Card Data

On September 10th, 2024, payment provider Slim CD disclosed a significant data breach affecting 1.7 million users. The breach resulted in the exposure of sensitive credit card information, raising concerns about customer financial security. Slim CD reported the breach promptly, triggering investigations into how the attackers were able to bypass existing defences. The company is urging affected customers to monitor their financial statements closely for any suspicious activity and is working with cybersecurity experts to fortify its systems.

Meta Scrapes User Data to Train AI

On September 12th, 2024, Meta (formerly Facebook) admitted to scraping user data, including images and posts, from Australian profiles to train its AI models. Worryingly, this data collection also included content from minors featured on adult profiles, prompting privacy concerns. Australian regulators and privacy advocates have voiced concerns about the scope of Meta’s data-gathering efforts and the lack of transparency. The incident has reignited debates on data privacy and the ethical use of personal information in AI training.

RansomHub: A New Threat in Ransomware

US authorities issued a joint advisory on the growing threat of RansomHub, a ransomware-as-a-service group that has gained prominence throughout 2024. Formerly known as Cyclops and Knight, the group has attacked over 200 organisations since February 2024, targeting critical sectors such as water, manufacturing, and government services. Authorities recommend organisations implement multi-factor authentication and enhance phishing detection to defend against this rapidly evolving threat​.

Zero-Day Vulnerabilities in Ivanti EPM

On September 11th, 2024, researchers revealed that critical vulnerabilities in Ivanti Endpoint Manager (EPM) were being actively exploited in the wild. These zero-day flaws, rated CVSS 10, allow remote attackers to take full control of affected systems. Ivanti has urged organisations to apply patches immediately to mitigate the risk of exploitation. The vulnerabilities have been leveraged by both criminal groups and nation-state actors, targeting critical industries such as healthcare, government, and energy​.

AppleCare+ Scam Exposed

A new scam surfaced on September 13th, 2024, where attackers used GitHub repositories to create fake AppleCare+ websites, tricking users into providing personal and financial information. The scam involved impersonating legitimate Apple services, offering fraudulent tech support and extended warranties. Security experts warn that this technique, leveraging trusted platforms like GitHub, represents an evolution in phishing tactics. Users are advised to verify the legitimacy of any unsolicited AppleCare+ communications and avoid clicking on suspicious links​.

Photo by FlyD on Unsplash

"10
Opinion, SME Cybersecurity

10 Cybersecurity Best Practices Every SME Should Implement

In today’s rapidly evolving digital landscape, small and medium-sized enterprises (SMEs) are no longer under the radar of cybercriminals. These businesses are often seen as attractive targets due to perceived weaker defences compared to large corporations. The consequences of a cyberattack can be devastating, from financial losses to long-lasting reputational damage. However, by adopting a proactive approach to cybersecurity, SMEs can significantly reduce their risk of falling victim to such threats.

This blog outlines 10 essential cybersecurity best practices that every SME should implement. These actionable steps can help you strengthen your organisation’s cyber resilience, protect sensitive data, and ensure business continuity.

1. Employee Training and Awareness
The most common entry point for cyberattacks is not some sophisticated hacking tool but the employees themselves. Phishing, social engineering, and inadvertent downloads of malware all stem from human error, which is why employee training is critical. Cybercriminals know this and increasingly target SMEs through schemes that exploit untrained or unaware staff.

Action Steps:

  • Conduct Regular Training: Training should not be a one-time affair. Cyber threats are constantly evolving, so your staff must receive up-to-date information about new scams and vulnerabilities. Tailor your training to different roles within your organisation. For example, your finance team may be more prone to business email compromise scams, while your marketing team may encounter phishing attempts through social media.
  • Phishing Simulations: Consider running phishing simulations to test your staff’s response to phishing emails. This not only highlights potential areas for improvement but also makes employees more vigilant in their day-to-day activities.
  • Clear Reporting Channels: Ensure that there are clear channels for reporting suspicious activity. Often, employees may be unsure of whom to contact or may be afraid of reporting a potential mistake. Encourage an open and blame-free environment where cybersecurity concerns are taken seriously.

In addition to this, fostering a company-wide culture that prioritises cybersecurity can reduce risks. When employees recognise their role in defending the company, they’re less likely to make mistakes that can lead to costly breaches.

2. Implement Strong Password Policies

Weak passwords are akin to leaving the front door to your business unlocked. Cybercriminals often use automated tools to guess passwords, known as brute force attacks, or simply gain access through poor password hygiene. For SMEs, password strength must be a cornerstone of your cybersecurity strategy.

10 Cybersecurity Best Practices Every SME Should Implement

Action Steps:

  • Enforce Password Complexity: Require passwords to be at least 12 characters long and include a mix of upper- and lowercase letters, numbers, and special characters. Simplicity is the enemy of security, and passwords like ‘123456’ or ‘password’ should never be allowed.
  • Password Manager Implementation: Encourage the use of a password manager. These tools generate and store complex passwords securely, eliminating the need for employees to memorise multiple passwords or, worse, write them down.
  • Multi-Factor Authentication (MFA): Two-factor authentication adds a second layer of security, often in the form of a one-time code sent to a mobile device. This ensures that even if a password is compromised, a second factor is required for access.

Furthermore, you should implement a policy that requires periodic password changes, especially for critical systems. Though some argue that frequent password changes can lead to poor practices (such as choosing weaker passwords), pairing this with MFA and using a password manager mitigates these risks.

3. Use Firewalls and Antivirus Software

Think of a firewall as your first layer of defence against external threats. It acts as a gatekeeper, monitoring incoming and outgoing network traffic and blocking potentially harmful data from entering your system. Paired with antivirus software, firewalls help ensure that malware and other malicious activities are stopped before they cause damage.

10 Cybersecurity Best Practices Every SME Should Implement

Action Steps:

  • Set Up Network Firewalls: Ensure your company has a firewall in place to protect the network perimeter. It’s also important to configure internal firewalls to separate sensitive data and systems, reducing the potential damage if a breach occurs.
  • Use Endpoint Protection: Equip all devices, from workstations to mobile devices, with endpoint security solutions. These solutions typically include antivirus, anti-malware, and firewall protections, which provide an additional security layer for individual devices.
  • Regular Updates and Patching: Both firewalls and antivirus software need regular updates to keep up with new threats. Malware evolves constantly, and outdated security software can leave your systems vulnerable.

In addition to traditional firewalls, SMEs can also benefit from Web Application Firewalls (WAFs), especially if they host websites or web applications. These firewalls help protect against common web-based attacks such as SQL injections and cross-site scripting.

4. Regular Data Backups

Data loss can happen for many reasons—ransomware attacks, hardware failures, or even human error. When it does, the consequences can be dire, especially if your business relies on this data for daily operations. Having a robust backup strategy ensures that even if data is lost, your business can recover with minimal disruption.

Action Steps:

  • Backup Frequency: Aim to back up your business-critical data daily. If daily backups aren’t feasible, establish a schedule that ensures minimal data loss in the event of a breach. Weekly full backups combined with daily incremental backups can offer a good balance between resource use and recovery needs.
  • Offsite and Cloud Backups: It’s important to store backups in more than one location. Use both onsite (e.g., external hard drives) and offsite solutions, such as cloud-based storage, to ensure redundancy. Cloud backups are particularly useful as they offer rapid recovery options and are often encrypted for extra security.
  • Test Your Backups: Regularly test your backups by performing a full restoration to ensure they’re functioning properly. A backup is only useful if it can be restored quickly and completely in the event of a disaster.

An often overlooked aspect of the backup strategy is ensuring that the backup data itself is secure. Implement encryption and access controls to ensure that even if the backup is compromised, the data cannot be easily accessed by attackers.

5. Keep Software and Systems Updated

Outdated software is a hacker’s dream. Unpatched vulnerabilities provide cybercriminals with an easy way into your systems, making regular software updates one of the most basic but effective ways to enhance your security posture. For SMEs, who may not have the resources for dedicated IT staff, this is especially important.

10 Cybersecurity Best Practices Every SME Should Implement

Action Steps:

  • Automate Software Updates: Enable automatic updates for all software, including operating systems, web browsers, and applications. This ensures that your systems are always protected against the latest threats.
  • Patch Management Strategy: Implement a formal patch management process to track and apply critical updates. This includes not only operating systems but also third-party applications, plugins, and hardware firmware.
  • Update Legacy Systems: If your business relies on legacy systems that are no longer supported by the vendor, consider replacing them or isolating them from the rest of the network. Unsupported systems are particularly vulnerable because they no longer receive security patches.

Furthermore, it’s important to stay informed about vulnerabilities in widely used software. Cybercriminals are quick to exploit known vulnerabilities in popular software like Microsoft Office or Adobe products, so prompt patching is key to mitigating these risks.

6. Encrypt Sensitive Data

Encryption is a fundamental tool for protecting your company’s sensitive information. Whether it’s customer data, financial records, or intellectual property, encryption ensures that even if your data falls into the wrong hands, it cannot be easily read or misused.

Action Steps:

  • Full-Disk Encryption: Implement full-disk encryption on all company devices, including laptops and mobile phones. This ensures that if a device is lost or stolen, the data remains inaccessible without the correct decryption key.
  • Encrypt Data in Transit and at Rest: Use encryption protocols such as SSL/TLS to protect data being transmitted over the internet, whether via email, cloud storage, or internal networks. Similarly, ensure that data stored on servers or backup systems is encrypted.
  • Encryption Key Management: Properly manage your encryption keys, ensuring they are securely stored and regularly rotated. A compromised key can render your encryption useless, so keys must be handled with care.

In addition to encrypting sensitive business data, SMEs should also consider encrypting employee communications. Using secure email services or encrypted messaging platforms can protect sensitive conversations from being intercepted by attackers.

7. Develop an Incident Response Plan

No cybersecurity strategy is complete without an incident response plan. This plan outlines the steps your business will take in the event of a cyberattack or data breach, ensuring that your team can act swiftly to mitigate damage and recover quickly.

Action Steps:

  • Document Roles and Responsibilities: Your incident response plan should clearly define the roles and responsibilities of key personnel during a cybersecurity incident. This includes who will communicate with stakeholders, who will handle technical remediation, and who will contact law enforcement if necessary.
  • Regular Drills: Run regular incident response drills to simulate real-life cyberattacks. This helps employees become familiar with their roles and responsibilities during an incident, reducing panic and confusion when a real attack occurs.
  • Post-Incident Review: After an incident has been resolved, conduct a post-mortem analysis to identify what went wrong, what was handled well, and how your response plan can be improved in the future.

A well-prepared incident response plan can be the difference between a minor incident and a full-scale disaster. Regular updates and testing of the plan are crucial to ensure it remains effective as new threats emerge.

8. Secure Mobile Devices

Mobile devices have become indispensable tools for business, but they also pose significant security risks. SMEs need to ensure that mobile devices used for work purposes are properly secured, especially if employees are working remotely or using personal devices for work tasks.

10 Cybersecurity Best Practices Every SME Should Implement

Action Steps:

  • Implement Mobile Device Management (MDM): Use an MDM solution to enforce security policies on all mobile devices used within the organisation. This includes requiring password protection, encrypting data, and enabling remote wipe functionality.
  • Restrict Access to Sensitive Data: Ensure that sensitive data can only be accessed through secure channels, such as VPNs or dedicated apps, rather than via unsecured mobile browsers or public Wi-Fi networks.
  • Monitor for Unauthorised Apps: Regularly review the apps installed on work devices to ensure that no unauthorised or potentially malicious software is present. Encourage employees to only download apps from trusted sources.

The risks associated with mobile devices are particularly high due to the ease with which they can be lost or stolen. By implementing strong security policies, SMEs can mitigate these risks and ensure that mobile devices remain a secure extension of their IT infrastructure.

9. Control Access to Data

Not every employee needs access to every piece of company data. By limiting access based on roles and responsibilities, you can minimise the risk of insider threats and reduce the likelihood of accidental data breaches. This principle, known as the principle of least privilege (PoLP), ensures that employees can only access the information necessary to perform their jobs.

10 Cybersecurity Best Practices Every SME Should Implement

Action Steps:

  • Implement Role-Based Access Controls (RBAC): Use RBAC to restrict access to sensitive data based on job function. For example, only finance personnel should have access to financial records, and only HR should have access to employee information.
  • Monitor Access Logs: Regularly review access logs to track who is accessing sensitive data and when. This can help you detect unusual or unauthorised access attempts and act quickly to mitigate potential risks.
  • Review and Update Permissions Regularly: Conduct regular audits of employee access privileges to ensure that permissions are still relevant. As employees change roles or leave the company, their access to sensitive data should be adjusted accordingly.

In addition to RBAC, SMEs can benefit from using multifactor authentication (MFA) to secure access to sensitive data. This ensures that even if login credentials are compromised, additional verification is required before data can be accessed.

10. Monitor and Audit Systems Regularly

A strong cybersecurity posture isn’t something you achieve once—it requires continuous monitoring and regular auditing. Proactively monitoring your systems for suspicious activity helps you detect potential threats before they cause significant damage. Regular audits, meanwhile, allow you to assess the effectiveness of your security controls and identify areas for improvement.

Action Steps:

  • Set Up Automated Monitoring Tools: Use automated tools to monitor network traffic, detect unusual behaviour, and flag potential threats in real-time. This could include everything from monitoring login attempts to tracking changes in file integrity.
  • Conduct Regular Cybersecurity Audits: Schedule periodic audits of your entire IT infrastructure to assess your security defences. These audits should evaluate whether your firewalls, encryption protocols and other controls are up to date and functioning as intended.
  • Review Audit Logs: Keep detailed audit logs of all significant system events, including access to sensitive data, configuration changes, and software updates. These logs provide valuable information in the event of a breach and can help you identify exactly what went wrong.

By combining continuous monitoring with regular audits, SMEs can stay one step ahead of cyber threats. Rather than reacting to attacks after they occur, proactive monitoring allows businesses to identify and mitigate risks before they cause harm.

Implementing these 10 cybersecurity best practices is essential for protecting your SME against the ever-growing range of cyber threats. From employee training and strong password policies to encryption and incident response planning, these steps will go a long way in ensuring the security of your business data and systems.

While no security system is foolproof, taking proactive measures can drastically reduce your vulnerability to cyberattacks. By fostering a culture of cybersecurity and staying vigilant, you can minimise risks and focus on what matters most: growing your business.

Need Help?

If you don’t know about a threat, you cannot act. SOS Intelligence can be your eyes and ears on the dark web, providing digital risk monitoring to make sure you have the right intelligence, when you need it, to take action to protect your business.

Photos by Andrea De Santis, Ofspace LLC, rc.xyz NFT gallery, Fusion Medical Animation, Photo by Luke Chesser, William Hook, Connor Williams, Samsung Memory, ThisisEngineering on Unsplash.

"Top
Opinion, SME Cybersecurity

Top 5 Cyber Threats Every SME Should Be Aware Of

In today’s fast-paced digital age, businesses are more connected than ever before. While this connectivity has created countless growth opportunities, it has also introduced new vulnerabilities. Cyber threats have evolved in sophistication, making them a critical concern for businesses of all sizes.

Small and medium-sized enterprises (SMEs) are particularly attractive targets for cybercriminals. Unlike larger corporations, which often have dedicated security teams and robust defences in place, SMEs frequently lack the resources to protect themselves adequately. This perception of vulnerability makes them an enticing target for attackers.

According to the Federation of Small Businesses (FSB), cybercrime costs the UK economy around £4.5 billion annually, with the average cost of an attack on a small business estimated to be around £1,300 per victim. For an SME, a cyberattack can lead to not only significant financial losses but also loss of customer trust, reputational damage, and even the risk of going out of business.

As a business owner, it’s essential to be aware of the common types of cyber threats and how to protect your business. In this blog, we’ll explore the top five cyber threats facing SMEs, share real-world examples of businesses that have been impacted, and provide actionable tips on how to identify and prevent these attacks.

1. Phishing Attacks

What is Phishing?

Phishing is a form of social engineering that involves cybercriminals pretending to be trusted entities to trick individuals into revealing sensitive information such as passwords, bank details, or personal data. These attacks are most commonly conducted via email but can also occur through text messages (smishing) or phone calls (vishing).  When such attacks are targeted at a specific person within a company, often someone in a senior or sensitive role, they are referred to as spear phishing.

Phishing emails often contain malicious links or attachments. When an unsuspecting employee clicks on a link or downloads an attachment, they might inadvertently provide access to sensitive company data or install malware on their device.

Real-Life Example: The WADA Attack

In 2016, the World Anti-Doping Agency (WADA) became the target of a sophisticated phishing attack. Hackers posed as WADA officials and tricked employees into revealing login credentials. These credentials were then used to access confidential athlete information, which was subsequently leaked. The damage caused by this breach not only harmed WADA’s reputation but also disrupted trust in global anti-doping efforts.

How to Identify Phishing:

  • Suspicious Email Addresses: Phishing emails may appear to come from legitimate sources, but a close inspection of the sender’s email address often reveals small inconsistencies, such as an extra character or unusual domain name.
  • Urgency and Fear Tactics: Many phishing emails create a sense of urgency or fear. For example, they may claim your account will be suspended unless you take immediate action.
  • Unexpected Attachments or Links: Phishing emails may ask recipients to open attachments or click on links. Always hover over links to verify their destination before clicking.

How to Protect Your SME:

  • Implement Two-Factor Authentication (2FA): 2FA adds an extra layer of security by requiring users to provide two forms of identification before accessing accounts. This reduces the risk of compromised passwords.
  • Ongoing Employee Training: Regularly educate your employees about the risks of phishing. Make sure they know how to identify suspicious emails and what to do if they receive one.
  • Advanced Email Security: Use email filtering tools that block or flag suspicious messages before they reach your employees’ inboxes.

2. Ransomware

What is Ransomware?

Ransomware is a type of malicious software that locks or encrypts a victim’s data, rendering it inaccessible until a ransom is paid. Cybercriminals typically demand payment in cryptocurrencies, which are harder to trace, and often provide a tight deadline for payment to pressure victims.

For SMEs, ransomware can be devastating. In addition to the ransom itself, businesses can face operational downtime, loss of sensitive data, and a hit to their reputation. Moreover, there is no guarantee that paying the ransom will lead to the recovery of your data.

In recent years, the majority of ransomware threat actors have moved to a double extortion method, whereby not only do they encrypt your data, but they also threaten to release it to the public through their victim-shaming blogs.  We are now also beginning to see instances where threat actors rely solely on this threat of data publication, rather than data encryption.

Real-Life Example: The WannaCry Attack

In 2017, the WannaCry ransomware attack swept across the globe, affecting more than 200,000 computers in over 150 countries. One of the most notable victims was the NHS in the UK, which faced widespread disruption as critical medical systems became inoperable. WannaCry exploited a vulnerability in older versions of Microsoft Windows, and while a patch had been released, many organisations had not yet applied it.

The total financial impact of WannaCry was estimated to be in the billions, with businesses around the world incurring significant downtime and recovery costs.

How to Identify a Ransomware Attack:

  • Files Become Inaccessible: One of the most obvious signs of a ransomware attack is that you are suddenly unable to access your files or data.
  • Ransom Note: Ransomware attacks often display a message explaining that your files have been encrypted and demanding payment for their release.
  • Unusual Network Activity: You may notice strange spikes in network traffic as ransomware spreads through your system, attempting to encrypt all connected devices.

How to Protect Your SME:

  • Backup Critical Data: Regularly back up your data and ensure that backups are stored offline or in a secure cloud service. This way, if a ransomware attack occurs, you can restore your data without paying the ransom.
  • Patch and Update Software: Ensure all systems and software are up-to-date. Many ransomware attacks exploit known vulnerabilities that can be patched through regular updates.
  • Endpoint Security Solutions: Install advanced antivirus and anti-malware software that can detect and block ransomware before it causes damage.

3. Malware

What is Malware?

Malware is an umbrella term used to describe any malicious software designed to disrupt, damage, or gain unauthorised access to a computer system. Types of malware include viruses, worms, trojans, spyware, and adware.

Once malware infiltrates a system, it can steal data, monitor user activity, install additional harmful software, or even render systems inoperable. For SMEs, a malware attack can result in lost productivity, compromised customer data, and long-term damage to your brand’s reputation.

Real-Life Example: The NotPetya Attack

NotPetya was initially thought to be ransomware, but its true intent was far more destructive. In June 2017, the malware spread across organisations globally, severely impacting businesses like shipping giant Maersk, which faced significant operational downtime and financial losses as its systems were brought to a halt. The attack encrypted critical files and disrupted supply chains, costing Maersk an estimated £300 million.

NotPetya also highlights another significant cyber-security concern: supply-chain attacks.  The malware had originated from the Ukrainian company Intellect Service, which supplied tax software.  Threat actors breached the company and configured their software updater to download the malware to anyone using the software, which occurred when the latest software update was pushed.  This highlights the need to properly consider not only your risk but third-party risk as well.

How to Identify Malware:

  • Sluggish Performance: If your computers or network are unusually slow, this could be a sign that malware is consuming system resources.
  • Pop-Up Ads: Malware infections are often accompanied by a barrage of unwanted pop-up ads, even when you’re not browsing the web.
  • System Crashes: Frequent crashes or the appearance of the “blue screen of death” could indicate that your system has been compromised.

How to Protect Your SME:

  • Install and Update Antivirus Software: Ensure that all company devices are equipped with up-to-date antivirus software. Schedule regular scans to identify and remove malware.
  • Limit Software Downloads: Only allow trusted employees to install or download software to prevent the introduction of malware from suspicious sources.
  • Monitor Network Traffic: Keep an eye on your network for unusual spikes in data usage, which could be a sign of malware communicating with external servers.

4. Insider Threats

What are Insider Threats?

Insider threats come from within your organisation and are caused by employees, contractors, or anyone with legitimate access to your systems. These individuals can either intentionally or unintentionally compromise your data and security. Insider threats can be difficult to detect because they exploit trusted access.

Real-Life Example: Tesla’s Insider Sabotage

In 2018, Tesla faced an insider threat when a disgruntled employee deliberately sabotaged the company’s systems. The employee altered the company’s manufacturing operating system and leaked confidential data to third parties. Tesla’s CEO, Elon Musk, publicly confirmed the damage caused by the incident, which affected the company’s operations and intellectual property.

How to Identify Insider Threats:

  • Unusual Access Patterns: If an employee is accessing files or systems they don’t usually use, this could be a sign of an insider threat.
  • Data Downloads: Sudden spikes in data downloads, especially involving sensitive information, can indicate malicious activity.
  • Employee Behaviour: Employees exhibiting signs of dissatisfaction or frustration could potentially become insider threats.

How to Protect Your SME:

  • Role-Based Access Control (RBAC): Limit access to data based on an employee’s role and responsibilities. Employees should only have access to the information necessary for their job.
  • Regular Audits: Conduct routine audits of system access and file downloads. This can help identify unusual patterns of behaviour that may indicate an insider threat.
  • Encourage Employee Reporting: Create a culture where employees feel comfortable reporting suspicious behaviour, without fear of retribution.

5. Distributed Denial of Service (DDoS) Attacks

What is a DDoS Attack?

A Distributed Denial of Service (DDoS) attack occurs when multiple compromised systems flood a target, such as a website or online service, with an overwhelming amount of traffic. The sheer volume of requests causes the target to become slow, unresponsive, or even crash altogether.

While DDoS attacks don’t typically result in data theft, they can cause significant operational disruptions. For SMEs that rely on online services, even a temporary outage can lead to lost revenue, frustrated customers, and long-term reputational damage.

Real-Life Example: The Dyn DNS Attack

In 2016, Dyn, a major provider of DNS services, was hit by a massive DDoS attack that affected major websites such as Twitter, Spotify, and Netflix. The attack, which was conducted using a botnet made up of Internet of Things (IoT) devices, disrupted services for several hours, highlighting the vulnerability of DNS infrastructure and the far-reaching impact of DDoS attacks.

How to Identify a DDoS Attack:

  • Slow or Unresponsive Website: If your website becomes unusually slow or users report difficulty accessing it, this could be the result of a DDoS attack.
  • Spike in Traffic: A sudden and unexpected increase in traffic, especially if it comes from unknown or foreign sources, is a common indicator of a DDoS attack.
  • Service Outages: Repeated service interruptions or crashes can point to a sustained DDoS assault.

How to Protect Your SME:

  • Use a CDN: Content Delivery Networks (CDNs) distribute traffic across multiple servers, reducing the impact of DDoS attacks by ensuring that no single server is overwhelmed.
  • Invest in DDoS Mitigation Services: There are dedicated DDoS mitigation tools and services that can detect abnormal traffic patterns and block malicious requests before they reach your network.
  • Firewalls and Load Balancers: Use Web Application Firewalls (WAFs) and load balancers to filter incoming traffic, block malicious IP addresses, and distribute the load more effectively across servers.

Conclusion: Building a Resilient Cybersecurity Strategy

The risks of cyberattacks are real, and for SMEs, the consequences can be especially severe. By understanding the top cyber threats—phishing, ransomware, malware, insider threats, and DDoS attacks—business owners can take proactive steps to secure their operations.

Cybersecurity is not just a technical issue but a fundamental part of business resilience. Implementing strong security measures, providing ongoing employee training, and fostering a culture of cybersecurity awareness will go a long way in reducing the risk of cyberattacks.

Ultimately, it’s not about if your business will be targeted but when. Taking the time to assess your vulnerabilities and enhance your security protocols now will save you time, money, and reputation in the long run. The best time to protect your business is today.

Read our first post in this series here > What every SME needs to know.

Need Help?

If you don’t know about a threat, you cannot act. SOS Intelligence can be your eyes and ears on the dark web, providing digital risk monitoring to make sure you have the right intelligence, when you need it, to take action to protect your business. Click here to book a demo.

Photos by FlyD , Stephen Phillips – Hostreviews.co.uk, Michael Geiger on Unsplash.

"Inside
Opinion, SME Cybersecurity, Tips

Inside a Cyber Attack – Key Phases and Business Impact

The Far-Reaching Impact of Cyber Attacks and what are the phases?

In an era where digital connectivity underpins nearly every aspect of our personal and professional lives, the threat of cyber attacks is not going away. As you can probably imagine, it’s getting worse.

From personal data breaches to corporate espionage and national security threats, cyber attacks can have profound and far-reaching consequences. In this blog post, we’ll explore the various impacts of cyber attacks, including economic damage, operational disruption, reputational harm, and personal consequences. We will also outline the main phases of an attack.

One of the areas we try and focus on is providing as much education as possible for businesses and organisations. Here is an infographic we have recently developed which outlines the main phases inside a cyber attack.

You will see that the phases are distinct and each one has certain things which happen which then leads to the next phase. The critical part to understand is that if you have insight into a leak of credentials or a discussion of a vulnerability, you can take action and stop this chain of events.

You can download the PDF version here. (Opens in a new tab for you).

The key phases flow from one to another, often with alarming speed. If you don’t know what has happened or indeed, happening, you cannot act…

This is where SOS Intelligence comes in to give you the insight and information you need for your business or organisation.

So what is the business impact from a cyber attack?


Economic Damage: The Price of Vulnerability

One of the most immediate and tangible impacts of a cyber attack is its financial cost. Businesses and organisations may face:

  • Direct Financial Losses: This includes the immediate costs of response and remediation, such as hiring cybersecurity experts, paying for system repairs, and dealing with potential legal fees. Financial losses can soar into the millions of pounds.
  • Ransom Payments: In ransomware attacks, cybercriminals encrypt data and demand payment for its release. These payments can be substantial, and even if the ransom is paid, there’s no guarantee that the data will be recovered or that the organization won’t be targeted again.
  • Insurance Costs: Many organisations turn to cyber insurance to mitigate potential losses, but premiums can rise significantly after an attack, adding to the long-term financial burden.

Operational Disruption: Halting Business As Usual

Cyber attacks can cripple a businesses’ ability to operate effectively. The impact on operations can be severe:

  • Downtime: System outages or disruptions can halt business operations, affecting productivity and revenue. For some organisations, it can be critical infrastructure which is disrupted. For the recent NHS attacks in the UK, operations and appointments as well as medical testing were severely disrupted.
  • Data Loss: Losing access to critical data can impede decision-making processes, delay projects, and affect customer service. Restoring lost data can be time-consuming and costly.
  • Supply Chain Disruptions: Cyber attacks can ripple through supply chains, causing delays and impacting partners and customers. The 2020 SolarWinds attack, which compromised numerous organizations through a single software provider, is a prime example of how interconnected systems can be affected. SOS Intelligence can help you monitor your third parties as well as your own domains and keywords.

Reputational Harm: Eroding Trust

The damage to an organisation’s reputation can be long-lasting and challenging to repair:

  • Customer Trust: Data breaches that expose personal information can erode customer trust. Customers expect companies, large and small, to safeguard their data, and a breach can lead to loss of business and diminished customer loyalty. This would be especially so in the legal sector which is seeing a rise in cyber threats.
  • Public Perception: How an organisation responds to an attack can influence public perception. A poorly managed response can exacerbate reputational damage, while transparent and effective communication can help rebuild trust. Ideally, you don’t want to be ion this position in the first place!
  • Competitive Disadvantage: Competitors may capitalise on an organisation’s misfortune, attracting clients who are concerned about security. Additionally, the affected business may face increased scrutiny from regulators and stakeholders.

Personal Consequences: The Human Element

The impact of cyber attacks extends beyond businesses and can significantly affect individuals as well:

  • Identity Theft: Personal data breaches can lead to identity theft, where sensitive information is used fraudulently, potentially causing long-term financial and emotional distress for victims.
  • Privacy Invasion: Cyber attacks that expose private communications or personal data can lead to privacy violations, harassment, and psychological distress.
  • Loss of Confidence: Individuals who fall victim to cyber attacks may experience a loss of confidence in digital systems, leading to increased anxiety and reluctance to use online services.

The Path Forward: Enhancing Cyber Resilience

In light of these impacts, it’s crucial for businesses, organisations and individuals to improve their cyber defences AND adopt best practices to mitigate risks:

  • Invest in Cybersecurity: Regularly update and upgrade cybersecurity measures, including firewalls, anti-virus software, and encryption. If you have not seen what SOS Intelligence can do for you, please get in touch, we would be delighted to show you.
  • Educate and Train: Ensure that employees and individuals are aware of potential threats and know how to recognise phishing attempts and other cyber risks.
  • Develop Response Plans: Have a robust incident response plan in place to quickly address and mitigate the effects of a cyber attack.
  • Regular Backups: Maintain regular backups of critical data to ensure recovery in the event of data loss.

Conclusion

Cyber attacks are a pervasive and evolving threat with significant consequences. The economic impact, operational disruption, reputational damage, and personal consequences underscore the importance of proactive measures to enhance your cyber resilience.

EVERY business and organisation is at risk, in any country and in any vertical. It is not just large organisations… SMEs are just as much at risk, and often at more risk as they don’t have large teams and systems in place.

If you’d like to book a demo of what SOS Intelligence can do for you, click here now.

Read the next blog post in our SME Cyberecurity series.

"SOS
SOS Intelligence Weekly News Round Up

Weekly News Round Up

19 – 25 August 2024

CVE Discussion

Over the past week, we’ve monitored our vast collection of new data to identify discussions of CVEs. 

Ransomware Top 5s

News Roundup

Emergence of New Stealer Malware: QWERTY & Styx

A new strain of malware, named “QWERTY Info Stealer,” has been identified as a significant threat to Windows systems, utilising advanced anti-debugging techniques and data exfiltration capabilities. Hosted on the domain mailservicess[.]com, the malware is designed to evade detection, making it particularly dangerous for both individuals and organisations. Discovered on a Linux-based server in Frankfurt, Germany, the malware is distributed via the URL hxxps://mailservicess[.]com/res/data/i.exe.

QWERTY Info Stealer employs multiple anti-debugging strategies, such as using Windows API functions like IsProcessorFeaturePresent() and IsDebuggerPresent(), and the lesser-known __CheckForDebuggerJustMyCode function. These techniques enable the malware to terminate if it detects a debugging environment, complicating efforts by security researchers to analyse its behaviour. After bypassing these checks, the malware begins collecting data, including system information and browser data, which it stores in specific directories on the infected system. It then communicates with Command and Control (C2) servers, downloading additional payloads and exfiltrating data using HTTP POST requests, underlining its sophistication and the ongoing threat it poses to cybersecurity.

Cybersecurity researchers at Check Point have uncovered a new malware strain called “Styx Stealer,” designed to steal browser and instant messenger data. Emerging in April 2024 and based on the Phemedrone Stealer, Styx Stealer enhances its predecessor’s capabilities with features like crypto-clipping, real-time clipboard monitoring, and auto-start functionality. It targets Chromium and Gecko-based browsers to extract sensitive information such as passwords, cookies, and cryptocurrency wallet data, while also compromising Telegram and Discord sessions. The malware resists analysis by antivirus programs and sandboxes, making it a formidable tool for cybercriminals.

Styx Stealer was developed by a Turkish hacker known as “Sty1x,” who marketed it via Telegram, charging between $75 per month and $350 for unlimited access. An operational security lapse exposed his identity and connections with a Nigerian cybercriminal linked to an Agent Tesla campaign. This revelation highlighted the broader network of cybercriminals involved in various illicit activities, including targeting Chinese firms. Despite Sty1x’s efforts, there are no confirmed victims beyond their own systems and a few security sandboxes, suggesting that their attempts to widely distribute Styx Stealer were largely unsuccessful.

New Phishing Attack Targets Android & iOS Users

A new phishing attack targeting both Android and iOS users has been discovered, combining traditional social engineering techniques with the use of Progressive Web Applications (PWAs) and WebAPKs. First identified in November 2023, the attack primarily targets clients of Czech banks, though cases have also been reported in Hungary and Georgia, indicating a wider spread. The attackers employ various delivery methods, such as automated voice calls, SMS messages, and social media ads, which often use official bank mascots and logos to lure victims to a phishing link mimicking a Google Play page. If accessed via a mobile device, the page prompts the installation of a phishing app disguised as a legitimate banking application.

This phishing app, installed as a PWA or WebAPK, is almost indistinguishable from the real banking app, leading victims to a fake login page that captures their banking credentials. The stolen information is then transmitted to the attackers’ Command and Control (C&C) servers, which are operated by two distinct groups—one using a Telegram bot for real-time logging, and the other using a traditional C&C server. The attackers have managed to evade detection by frequently changing domains and launching new campaigns. To mitigate the risk, users should be cautious when installing apps, verify the authenticity of downloads, and keep their devices updated with the latest security patches.

Linux Kernel Vulnerability

Researchers have identified a vulnerability in the Linux kernel’s dmam_free_coherent() function, caused by a race condition during the process of freeing DMA (Direct Memory Access) allocations and managing associated resources. This flaw can lead to system instabilities, as DMA is essential for allowing hardware devices to transfer data directly to and from system memory without CPU involvement. The vulnerability arises from an improper order of operations within the function, which could result in incorrect memory access, data corruption, or system crashes.

The vulnerability is particularly concerning because an attacker could exploit the race condition by timing their operations to coincide with the freeing and reallocation of DMA memory. If successful, this could cause the devres_destroy function to free the wrong memory entry, triggering a WARN_ON assertion in the dmam_match function, which is part of the DMA management subsystem. This issue occurs when a concurrent task allocates memory with the same virtual address before the original entry is removed from the tracking list, potentially leading to significant system errors.

To address this vulnerability, Greg Kroah-Hartman committed a patch (CVE-2024-43856) authored by Lance Richardson from Google, which modifies the dmam_free_coherent function. The patch swaps the order of the function calls, ensuring that the tracking data structure is destroyed before the DMA allocation is freed, thereby preventing the race condition. The patch has been tested on Google’s internal network encryption project and has been approved for inclusion in the mainline Linux kernel, mitigating the risk associated with this vulnerability. Exploiting this vulnerability to achieve arbitrary code execution would be complex and would likely require additional vulnerabilities or precise control over the target system.

Zero-day Vulnerability in Google Chrome

Google recently patched a high-severity zero-day vulnerability in its Chrome browser, CVE-2024-7971. This flaw, found in the V8 JavaScript engine, is a type confusion issue that can be exploited to execute arbitrary code. The vulnerability was reported by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) on August 19, 2024, and it is actively being exploited in the wild. In response, Google quickly released updates to mitigate the risk, urging users to update their browsers to the latest version.

The latest Chrome update, version 128.0.6613.84/.85, addresses a total of 38 security vulnerabilities, including several high-severity issues. Among these are CVE-2024-7964, a use-after-free vulnerability in the Passwords component; CVE-2024-7965, an inappropriate implementation in the V8 engine; and CVE-2024-7966, an out-of-bounds memory access flaw in the Skia graphics library. Each of these vulnerabilities could allow attackers to execute arbitrary code, leading to serious security breaches or system compromises.

Users are strongly advised to update to the latest version of Google Chrome to ensure protection against these vulnerabilities. While Chrome generally updates automatically, users can manually check for updates via Settings > About Chrome. Additionally, those using Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should also apply the latest security updates as they become available. This patch highlights the need for vigilance and prompt action in the face of zero-day exploits in widely used software.

Chinese Hackers Exploiting Cisco Zero-day

A sophisticated cyber espionage group known as Velvet Ant, linked to China, has been found exploiting a zero-day vulnerability in Cisco NX-OS Software to deploy custom malware on network switches. The vulnerability, identified as CVE-2024-20399, was discovered by cybersecurity firm Sygnia during a forensic investigation and promptly reported to Cisco. This flaw, with a CVSS score of 6.0, allows an authenticated local attacker with administrative privileges to execute arbitrary commands as root on the affected devices due to insufficient validation of arguments passed to specific CLI commands.

Velvet Ant exploited this vulnerability to install a custom malware, dubbed VELVETSHELL, on compromised Cisco Nexus devices. The malware, which combines elements of the TinyShell Unix backdoor and the 3proxy tool, enables attackers to execute arbitrary commands, upload and download files, and create tunnels to proxy network traffic. Sygnia’s investigation revealed that Velvet Ant has been operating for approximately three years, targeting inadequately protected network appliances like outdated F5 BIG-IP systems to maintain long-term access and steal sensitive information.

Cisco has released software updates to patch the vulnerability and strongly advises customers to apply these updates immediately. Experts warn that network appliances, especially switches, are often under-monitored, with logs rarely forwarded to centralized logging systems, making it difficult to detect and investigate such malicious activities. To mitigate this threat, organizations are urged to apply Cisco’s updates, enhance monitoring of network appliances, regularly update administrator credentials, and adopt stringent security practices to prevent unauthorized access.

""/
SOS Intelligence Weekly News Round Up

Weekly News Round Up

12 – 18 August 2024

CVE Discussion

Over the past week, we’ve monitored our vast collection of new data to identify discussions of CVEs. 

Ransomware Top 5s

News Roundup

Hackers’ Toolkit Exposed

Cybersecurity researchers have uncovered an extensive hacker toolkit, revealing a sophisticated set of tools designed for various stages of cyberattacks. The toolkit, discovered in an open directory in December 2023, comprises a range of batch scripts and malware targeting both Windows and Linux systems. These tools illustrate the hackers’ ability to execute a variety of malicious activities, from initial system compromise to long-term control and data exfiltration.

Among the most significant tools found were PoshC2 and Sliver, two command and control (C2) frameworks commonly used by penetration testers but repurposed for malicious purposes. The toolkit also included custom scripts designed for defence evasion and system manipulation, such as those for removing remote management agents, deleting system backups, and erasing event logs. These components reflect the attackers’ intent to maintain persistent access while covering their tracks.

The discovery of this toolkit highlights the advanced methods used by modern cybercriminals and emphasises the need for robust cybersecurity measures. Experts recommend that organisations adopt comprehensive security strategies, including regular updates, employee training, and advanced threat detection, to protect against these sophisticated attacks. The presence of tools aimed at stopping services, deleting backups, and disabling antivirus software suggests that the toolkit was likely used in ransomware activities.

Critical Vulnerabilities in AWS Identified

Researchers from Aqua identified critical vulnerabilities in six Amazon Web Services (AWS) offerings: CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar. These vulnerabilities, varying in severity, posed significant risks such as remote code execution, service user takeover, AI module manipulation, data exposure, exfiltration, and denial of service (DoS) attacks, potentially affecting any organisation globally that utilised these services. Aqua introduced two key attack vectors, “Shadow Resource” and “Bucket Monopoly,” which exploit automatically generated AWS resources, like S3 buckets, created without explicit user commands. These techniques could allow attackers to execute code, steal data, or take over user accounts.

The vulnerabilities were reported to AWS between February and March 2024, with AWS confirming fixes for most by June 2024. However, a subsequent report indicated that the CloudFormation fix left users vulnerable to a DoS attack, prompting AWS to announce further work on this issue. By August 2024, the vulnerabilities and fixes were publicly discussed at prominent cybersecurity conferences, Black Hat USA and DEF CON 32. AWS’s response included adding random sequences to bucket names if a name conflict arose and planning the deprecation of CodeStar, which had been vulnerable but would no longer allow new projects.

One of the most critical vulnerabilities was in AWS Glue, where attackers could exploit predictable S3 bucket naming to inject malicious code into Glue jobs, leading to remote code execution. To mitigate these risks, it is recommended that organisations implement scoped policies, verify bucket ownership, and avoid using predictable bucket names. While AWS has addressed these specific vulnerabilities, similar risks may exist in other services, underscoring the importance of following best practices and implementing robust security measures to protect against evolving threats.

0-Click Vulnerability leading to RCE found in Outlook

Morphisec researchers have identified a critical vulnerability in Microsoft Outlook, labelled as CVE-2024-30103, which allows remote code execution when a malicious email is opened. This flaw builds on a previously discovered vulnerability, CVE-2024-21378, that exposed Outlook to remote code execution via synchronized form objects. The new vulnerability exploits weaknesses in the allow-listing mechanism, which fails to properly validate form server properties, enabling attackers to instantiate unauthorized custom forms.

The vulnerability hinges on how the Windows API function RegCreateKeyExA handles registry paths. Specifically, the function removes trailing backslashes, allowing attackers to manipulate registry keys and bypass security checks. This manipulation can lead to the loading of malicious executables when a specially crafted email is opened in Outlook. By exploiting this behaviour, attackers can execute arbitrary code within the Outlook process, potentially leading to data breaches, unauthorized access, and other malicious activities.

In response, Microsoft has issued a security update that revises the allow-listing matching algorithm to prevent such exploits. The update modifies how subkeys are matched by removing trailing backslashes before performing an exact match, enhancing system defences. Additionally, Microsoft has strengthened its denylist to block remote code execution attacks exploiting subkey manipulation. Despite these improvements, the evolving nature of security threats means organisations must remain vigilant, regularly updating and auditing their systems to protect against future vulnerabilities.

APT42 targeting US Presidential Election

The Iranian government-backed cyber group APT42 has launched a phishing campaign targeting high-profile individuals connected to the U.S. presidential election, according to Google’s Threat Analysis Group (TAG). This sophisticated threat actor, linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), has been focusing on individuals affiliated with both the Biden and Trump campaigns. The campaign is part of APT42’s broader efforts to support Iran’s political and military objectives through cyber espionage, with a notable focus on the U.S. and Israel, which together represent 60% of the group’s known targets.

APT42 employs a range of tactics in its phishing campaigns, including the use of malware, phishing pages, and malicious redirects, often hosted on popular services like Google Drive and OneDrive. The group is known for creating fake domains that closely resemble legitimate organizations, a tactic called typosquatting, to deceive their targets. Their phishing emails, often designed to seem credible, encourage recipients to enter credentials on fake landing pages, with the capability to bypass multi-factor authentication, making them particularly dangerous.

In response to these activities, Google has taken measures to secure compromised accounts and issued warnings to targeted individuals. They have also reported the malicious activities to law enforcement and are working with authorities to mitigate the threat. As the U.S. presidential election nears, the actions of APT42 highlight the ongoing risk of foreign interference, emphasizing the need for robust cybersecurity measures to protect democratic processes. High-risk individuals are advised to enhance their security, including enrolling in Google’s Advanced Protection Program.

Phishing Campaign masquerading as Google Safety Center

A sophisticated phishing campaign has been identified, where cybercriminals impersonate the Google Safety Centre to trick users into downloading a malicious file disguised as the Google Authenticator app. This attack threatens personal data by installing two types of malware, Latrodectus and ACR Stealer, on victims’ devices. Latrodectus allows attackers to remotely control the infected device, while ACR Stealer uses advanced techniques to obscure its command and control server, making it difficult for cybersecurity experts to trace and neutralize the threat.

What makes this campaign particularly concerning is the attackers’ use of advanced evasion techniques, which indicate a high level of sophistication and ongoing refinement of their methods. As cybercriminals continue to evolve, cybersecurity experts urge users to be cautious when receiving unsolicited emails or messages, especially those prompting software downloads. Verifying the authenticity of such communications and keeping software and security systems up to date are crucial steps in protecting against these increasingly sophisticated threats.

Photo by Kenny Eliason on Unsplash

"SOS
Ransomware

Ransomware – State of Play July 2024

Ransomware – State of Play

July 2024

SOS Intelligence is currently tracking 206 distinct ransomware groups, with data collection covering 424 relays and mirrors.

In the reporting period, SOS Intelligence has identified 388 instances of publicised ransomware attacks.  These have been identified through the publication of victim details and data on ransomware blog sites accessible via Tor.  While this data represents known and publicised data breaches and ransomware attacks, the nature and operation of these groups means that not every successful attack is published and made public, so true figures on the volume of attacks are likely to be higher.   Our analysis of available public data is presented below:

Threat Group Activity and Trends

Ransomware activity showed a 2% increase in July when compared to the previous month, and a 16% increase in activity when compared to the previous year.  Furthermore, the number of active groups has decreased to 34 from 37 the previous month.

This month has seen a significant increase in activity from Ransomhub, making a significant charge to fill the void left by LockBit.  Data for this strain may be skewed, however, by the group using multiple data leak sites to advertise and disseminate stolen data.

Significant activity has been noted from the Handala group, who have exclusively targeted Israel and Israel-based entities over the month.  Handala (Arabic: حنظلة) is a prominent national symbol and personification of the Palestinian people, so this activity is highly likely a response to the continued conflict in the Middle East.  Handala has been increasing activity against Israel throughout the year, including significant attacks against Zerto, and allegedly Israel’s Iron Dome air defence system.

Analysis of Geographic Targeting

Over the last month, targeting continues to follow financial lines, with the majority of attacks targeted at G7, EU and BRICS bloc countries.  Furthermore, a significant number of attacks have been directed towards Israel, with likely political motivations.

Compared to June, 4% more countries were targeted in July.  Our data is also showing interesting geographic targeting data.  We have observed emerging or developing strains targeting developing countries in Southeast Asia, Africa and South America, whereas more established variants focus more on North America, Western Europe and Australia.

Industry Targeting

Targeting has broadly increased across all victim sectors, however significant increases have been seen in the Manufacturing, Construction & Engineering and IT & Technology industries.

Notably, there appears to have been increased targeting against public-sector entities.  This is likely a result of many groups abandoning their affiliate rules on targeting of such victims.

Significant Events

Scattered Spider, a threat actor group known for its social engineering tactics and attacks on VMware ESXi servers, has recently incorporated new ransomware strains into its operations. The group has adopted RansomHub, a rebranded variant of Knight ransomware, and Qilin ransomware. Previously, Scattered Spider used the now-defunct BlackCat ransomware, but it has since shifted to deploying RansomHub in post-compromise scenarios, reflecting its evolving tactics and adaptation to new tools within the cybercriminal landscape.

A flaw in the cryptographic scheme of the DoNex ransomware family has been identified, enabling victims to recover their files for free using a newly released decryptor. This vulnerability, affecting all variants of DoNex, was revealed at a recent cybersecurity conference and involves issues with the encryption key generation and application of ChaCha20 and RSA-4096 algorithms. The decryptor, available through private channels since March 2024, was publicly released following the flaw’s disclosure. Victims are advised to use a large example file for decryption and to back up their encrypted data before proceeding.

Two Russian nationals have pleaded guilty to their involvement in LockBit ransomware attacks that targeted victims worldwide. As affiliates of LockBit’s ransomware-as-a-service operation, they breached vulnerable systems, stole data, and deployed ransomware to encrypt files. One of the individuals has been arrested and faces up to 25 years in prison, while the other has been sentenced to four years. Despite recent law enforcement actions that have seized LockBit’s infrastructure and decryption keys, the ransomware group remains active, continuing to target victims and release stolen data.

Threat Group Development

Change in threat group TTPs to target VMWare ESXi

Play ransomware has recently expanded its focus to target VMware ESXi environments, marking a significant shift in its operations toward broader Linux platform attacks. Utilizing a dedicated Linux locker, Play ransomware encrypts virtual machines (VMs) by first verifying the environment, then scanning for and shutting down active VMs before proceeding with encryption. This approach highlights the group’s advanced evasion techniques and adaptability in the ransomware landscape. The encryption process affects critical VM files, such as disks and configurations, with files receiving a .PLAY extension. Additionally, Play has started using URL-shortening services for its operations, further showcasing its sophistication.

Similarly, Eldorado ransomware, which initially targeted Windows systems, has expanded its scope to include VMware ESXi VMs since its emergence in March. This ransomware employs ChaCha20 encryption across both platforms, allowing affiliates to customise attacks. Meanwhile, the SEXi ransomware operation, rebranded as APT INC, has intensified its focus on VMware ESXi servers since February 2024, leveraging leaked Babuk and LockBit 3 encryptors. APT INC has gained notoriety with high-profile attacks, such as the one on Chilean hosting provider IxMetro Powerhost, with ransom demands reaching millions. The operation continues to use the same encrypted messaging application for negotiations, with no known weaknesses in its encryption for file recovery.

Evolution of BlackBasta

In 2024, Black Basta ransomware has shown significant evolution, adapting to challenges by shifting to custom malware and incorporating new tools after the disruption of its previous partner, QBot. The group now utilizes sophisticated malware like the SilentNight backdoor, memory-only droppers such as DawnCry and KnowTrap, and custom tunneling tools including PortYard and SystemBC. Additionally, it has integrated reconnaissance and execution utilities like CogScan and KnockTrock into its attack processes. These developments underscore Black Basta’s resilience and sophistication, as it continues to pose a formidable global threat by employing advanced tactics and exploiting zero-day vulnerabilities.

New & Emerging Groups

MAD LIBERATOR is a newly emerged ransomware group that launched its leak site in July 2024. The group claims to offer services to help companies fix security issues and recover their files, demanding a fee for their assistance. If the payment is not made, MAD LIBERATOR threatens to publicly list the companies and publish their stolen data. They employ AES/RSA encryption for securing the files. As of the report’s writing, the group had already listed eight victims on its leak site, showcasing their active and ongoing operations.

Ransomcortex is a lesser-known ransomware group with limited information available. However, the group has claimed responsibility for three attacks, all targeting the healthcare sector in Brazil. Despite the lack of detailed information, the choice of victims within such a critical industry highlights the potentially serious impact of their activities.

Vanir Group is a new ransomware group that has quickly gained notoriety for its aggressive and professional tactics. They publicize their attacks via a data leak site and issue intimidating messages to CEOs and domain administrators of the affected companies. These messages warn that the companies’ internal infrastructure has been compromised, backups deleted or encrypted, and critical data stolen. The Vanir Group stresses the importance of cooperation to avoid further damage, threatening to sell or distribute the stolen data if demands are not met. Their website also features an interactive terminal for updates and invites potential affiliates to join their operations. Interestingly, their leak site bears a resemblance to that of Akira, another notorious ransomware group.

Vulnerabilities Observed in Use

1 2 3 4
Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Youtube
Consent to display content from - Youtube
Vimeo
Consent to display content from - Vimeo
Google Maps
Consent to display content from - Google
Spotify
Consent to display content from - Spotify
Sound Cloud
Consent to display content from - Sound