
Are attackers already embedded in U.S. critical infrastructure networks?

The threat of cyberattacks against critical infrastructure in the United States has evolved beyond data theft and espionage. Intruders are already entrenched in the nation’s most vital systems, waiting to unleash attacks. For instance, CISA has raised alarms about Volt Typhoon, a state-sponsored hacking group that has infiltrated critical infrastructure networks. Their goal? To establish a foothold and prepare for potentially crippling attacks that could disrupt essential services across the nation.

Volt Typhoon embodies a threat far beyond everyday cyber crime. It indicates the dangerous reality of cyber pre-positioning — a tactic that allows cyber actors to infiltrate systems, maintain persistence and potentially launch massively destructive operations. With lifeline sectors such as communications, energy, transportation and water and wastewater systems under threat, the question is no longer if attackers are embedded within U.S. infrastructure but how deeply they have rooted themselves. And the implications directly impact national security.

Nation-state pre-positioning goes beyond espionage

Employed by nation-state actors, pre-positioning goes beyond mere intelligence gathering. By silently lurking within critical infrastructure networks, actors gain the capability to wreak havoc at a moment’s notice. These intrusions, particularly in sectors like water systems and energy grids, serve little espionage value, per Anne Neuberger, the Deputy National Security Adviser for Cyber and Emerging Technologies. This indicates that the infiltrations are likely precursors to far more disruptive objectives.

Volt Typhoon’s methodical approach has allowed them to infiltrate U.S. systems for extended periods — up to five years in some cases — without detection. They’ve targeted the infrastructure that millions of Americans depend on daily. In a time of heightened geopolitical tension, a well-timed cyberattack could grind vital systems to a halt, leaving the nation vulnerable to cascading failures across multiple sectors. The fallout could be unprecedented, impacting national security, the economy and everyday life.

Volt Typhoon’s tactical mastery

Volt Typhoon is no ordinary hacking group. This state-sponsored entity has displayed a level of sophistication that challenges even the most robust cybersecurity defenses. Through its living-off-the-land (LOTL) tactics, the group abuses tools already built into the victim's environment (command shells, WMI, netsh and similar administration utilities) rather than dropping custom malware, so its activity blends into normal administrative work and is extremely difficult to distinguish from it. Exploitation of known vulnerabilities in public-facing devices such as routers, firewalls and VPN appliances gives the group initial access, while compromised administrator credentials let it burrow deeper into networks and survey operational technology (OT) systems.

The group’s calculated patience is noteworthy. Instead of seeking short-term gains, they carefully study their targets and gain an understanding of the nuances of the systems they infiltrate. In one case, Volt Typhoon spent nine months moving laterally through a water utility’s network, gaining access to crucial OT assets, including water treatment plants and electrical substations. These infiltrations are more than a technical breach — they represent a looming threat to physical infrastructure that could manifest in catastrophic failures.


The FOCAL Plan’s strategic response

In the face of these threats, CISA has developed a robust response: the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan. This strategic framework aims to shore up federal cybersecurity defenses by driving coordinated action across agencies. The FOCAL Plan outlines how federal agencies can adopt best practices to defend against pre-positioning and other sophisticated cyber threats, promoting a holistic approach from prevention to incident response.

The FOCAL Plan focuses on five critical areas: asset management, vulnerability management, defensible architecture, cyber supply chain risk management and incident detection and response. Each area plays a crucial role in safeguarding federal systems from persistent threats like Volt Typhoon:

  1. Asset management: Without knowing what assets exist within an organization, it is impossible to protect them. The FOCAL Plan emphasizes comprehensive, continuous visibility into all IT and OT assets, so that unknown or unmanaged devices (a common foothold for pre-positioned actors) are found rather than overlooked, and so that unauthorized access to known assets can be detected and mitigated quickly.

  2. Vulnerability management: Regular vulnerability scanning and timely patching prevent hackers from exploiting known weaknesses, shutting down one of their primary entry points.

  3. Defensible architecture: Organizations must build resilience into systems, assuming that attacks will happen. This includes implementing zero trust principles to restrict lateral movement within networks and limit the damage attackers can do, even if they gain access.

  4. Supply chain risk management: This addresses the growing reliance on third-party vendors. With many cyberattacks exploiting vulnerabilities in third-party systems, the FOCAL Plan emphasizes the need for agencies to closely monitor their supply chains and ensure that their vendors adhere to strict cybersecurity protocols.

  5. Incident detection and response: This is the FOCAL Plan’s approach to real-time cyber defense. CISA urges agencies to deploy advanced tools like endpoint detection and response (EDR) systems, which can identify and respond to threats before they cause significant damage. The ability to share threat intelligence and coordinate responses across federal agencies is essential for ensuring that the government can act swiftly in the event of an attack.

Mitigation urgency and action

The threat landscape outlined by Volt Typhoon’s actions calls for an urgent response — not just from federal agencies but from every organization that operates critical infrastructure. The key to stopping attackers from exploiting pre-positioned access is to adopt a mentality of constant vigilance and proactive threat hunting. It’s not enough to react to attacks after they happen. Organizations must actively hunt for threats, continually monitor their systems and act quickly to patch vulnerabilities before they can be exploited.

CISA’s FOCAL Plan provides a framework, but it is up to individual organizations to implement these measures at every level. Regular security audits, comprehensive asset management and adherence to the latest cybersecurity best practices are non-negotiable. Organizations must be prepared for the reality of an attack, ensuring that they have backup systems in place. It’s vital to practice incident response through tabletop exercises and maintain open communication channels with CISA and other federal agencies.

The harsh reality is that many organizations may already have pre-positioned attackers within their networks. The objective now is to limit the damage they can do and to ensure that attackers cannot trigger even more widespread disruption.

The clock is ticking

The presence of cyber actors like Volt Typhoon in U.S. critical infrastructure is not hypothetical — it’s happening now, and the consequences of inaction could be devastating. The ability of these attackers to remain hidden within networks for years, studying their targets and preparing for destructive actions, underscores the importance of robust, proactive cybersecurity measures.

The FOCAL Plan is a step in the right direction, but the fight against pre-positioned cyber actors is far from over. It will require a sustained, coordinated effort between federal agencies, private organizations and international allies to ensure that U.S. critical infrastructure is protected and remains resilient.


The post Are attackers already embedded in U.S. critical infrastructure networks? appeared first on Security Intelligence.

The current state of ransomware: Weaponizing disclosure rules and more

As we near the end of 2024, ransomware remains a dominant and evolving threat against any organization. Cyber criminals are more sophisticated and creative than ever. They integrate new technologies, leverage geopolitical tensions and even use legal regulations to their advantage.

What once seemed like a disruptive but relatively straightforward crime has evolved into a multi-layered, global challenge that continues to threaten businesses and governments alike.

Let’s take a look at the state of ransomware today. We’ll focus on how cyber criminals are changing tactics, relying on AI technology, exploiting legal frameworks and more.

AI supercharges phishing and social engineering

One of the most significant developments in the ransomware landscape has been the use of artificial intelligence (AI) to enhance phishing and social engineering attacks. Historically, phishing emails often contained obvious signs of fraud: misspelled words, poor grammar and generic messaging. New generative AI tools can craft highly personalized and professional-looking emails, which has drastically changed the game. This is a plausible driver of the rise in phishing volumes and success rates: campaigns are cheaper to generate and more convincing than ever.

AI allows threat actors to mine vast amounts of data to craft convincing emails targeting specific individuals or organizations. These emails may contain contextual information that makes them seem legitimate, significantly increasing the likelihood of success. Such precise lures are an effective entry point in industries like healthcare, where any disruption can have life-threatening consequences and the pressure to restore operations quickly is correspondingly high.

Additionally, AI-generated deepfake technology has begun to play a role in social engineering. Cyber criminals can now create audio and video deepfakes of company executives to trick employees into transferring money or revealing sensitive information. This has made detecting fraud much harder, and organizations are finding it increasingly difficult to protect against such attacks.

Weaponizing disclosure rules

Ransomware groups are not just relying on technical means to pressure victims into paying ransoms. They are also manipulating legal regulations to their advantage. One of the most striking developments of the past year has been the weaponization of disclosure rules, specifically those issued by the U.S. Securities and Exchange Commission (SEC).

A recent high-profile case involved the ransomware group BlackCat/ALPHV filing a formal SEC complaint against a digital lending service provider. After exfiltrating the company's files, the group allegedly reported to the SEC that the provider had failed to comply with the rules that require public companies to disclose a material cybersecurity incident within four business days of determining that it is material. This added "legal" tactic was designed to pressure the victim into paying the ransom to avoid regulatory penalties or reputational damage.

This disturbing incident shows that ransomware groups will use anything, even government regulations, as leverage. “Threat actors are using the regulations to put more pressure on the victims. This is quite an interesting trend,” said Ifigeneia Lella, a cybersecurity expert at the European Union Agency for Cybersecurity (ENISA). It is a chilling reminder that legal frameworks, while intended to protect the public and promote transparency, can be manipulated by bad actors to further their own malicious agendas.


Living-off-the-land attacks fly under the radar

As per the ENISA Threat Landscape 2024 report, the past year saw increasing use of “living-off-the-land” (LOTL) techniques by cyber criminals. LOTL attacks involve using tools and software that already exist within a victim’s system, making it harder for security teams to detect malicious activity. Instead of relying on external malware that can be flagged by antivirus software, attackers leverage legitimate administrative tools like PowerShell or Windows Management Instrumentation (WMI) to execute their attacks.

For example, PLAY, a multi-extortion ransomware group, pairs built-in utilities with off-the-shelf post-exploitation tools such as Cobalt Strike, Empire and Mimikatz for discovery, credential access and lateral movement within a target's network. Note that those three are not native to the victim's systems; the LOTL element lies in the native tooling (PowerShell, WMI, the Windows command shell) used to stage and run them, and in the fact that such commodity frameworks are also used by legitimate penetration testers, so their presence alone is not always treated as malicious. By minimizing the introduction of new, suspicious software, attackers evade detection for longer periods, often until it is too late for the victim to respond effectively. This shift towards LOTL techniques represents an ongoing challenge for cybersecurity professionals, as signature-based antivirus solutions are becoming less effective against these subtle attacks.
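The practical counter to LOTL is correlation rather than signatures: each command below is legitimate administration on its own, so the detection has to score distinct techniques per host and escalate when several line up. The following script is an added example, not code from either article, CISA or any vendor. It runs simple rules over constructed process-creation records shaped like Windows Security event 4688 (which only carries command lines if "Include command line in process creation events" is enabled by policy). The rule set covers the Volt Typhoon tradecraft discussed in the first article (netsh port-proxy pivots, NTDS dumps via ntdsutil, WMIC remote process creation, as described in CISA's advisory) and the PowerShell/WMI abuse this section describes, plus shadow-copy deletion as a ransomware precursor. Rule names, severity weights, the escalation threshold and every sample event are assumptions made for illustration.

```python
"""Minimal living-off-the-land (LOTL) triage over process-creation events.

Added example (not from the article). Rules, weights, threshold and the
sample events are constructed assumptions; patterns follow techniques that
CISA's Volt Typhoon advisory describes and generic LOTL tradecraft.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (fields mirror Windows Security event 4688)."""
    ts: str        # ISO-8601 timestamp
    host: str      # computer name
    user: str      # account that created the process
    parent: str    # parent process image
    cmdline: str   # full command line of the new process


# rule name -> (severity weight, regex applied to the lowercased command line)
RULES = {
    "netsh_portproxy":    (5, re.compile(r"\bnetsh\b.*\bportproxy\b.*\badd\b")),
    "ntdsutil_ifm":       (8, re.compile(r"\bntdsutil\b.*\bifm\b")),
    "wmic_remote_exec":   (4, re.compile(r"\bwmic\b.*/node:.*\bprocess\b.*\bcall\b.*\bcreate\b")),
    "powershell_encoded": (3, re.compile(r"\bpowershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\b")),
    "vssadmin_delete":    (4, re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b")),
    "reg_save_hive":      (3, re.compile(r"\breg(?:\.exe)?\b\s+save\b.*\\(?:sam|system|security)\b")),
}


def match_rules(cmdline: str) -> list:
    """Return the names of every rule whose pattern matches the command line."""
    lc = cmdline.lower()
    return [name for name, (_, rx) in RULES.items() if rx.search(lc)]


def triage(events, escalate_at: int = 8) -> dict:
    """Score LOTL activity per host.

    Returns {host: {"score", "distinct_rules", "hits", "escalate"}} for hosts
    with at least one hit. A host escalates when the summed severity reaches
    escalate_at: one critical technique, or several lower-signal admin actions
    stacking up on the same machine, which is the LOTL tell.
    """
    per_host = defaultdict(lambda: {"score": 0, "hits": [], "rules": set()})
    for ev in events:
        for rule in match_rules(ev.cmdline):
            entry = per_host[ev.host]
            entry["hits"].append((ev.ts, ev.user, rule, ev.cmdline))
            entry["rules"].add(rule)
            entry["score"] += RULES[rule][0]
    return {
        host: {
            "score": e["score"],
            "distinct_rules": sorted(e["rules"]),
            "hits": e["hits"],
            "escalate": e["score"] >= escalate_at,
        }
        for host, e in per_host.items()
    }


# Constructed sample telemetry for this example; not real events.
SAMPLE_EVENTS = [
    ProcEvent("2024-06-01T02:10:11Z", "WS-014", "CORP\\jdoe", "explorer.exe",
              r'"C:\Windows\System32\cmd.exe" /c dir C:\Users\jdoe\Documents'),
    ProcEvent("2024-06-01T02:12:40Z", "SRV-EDGE01", "CORP\\svc_backup", "cmd.exe",
              "netsh interface portproxy add v4tov4 listenport=9999 "
              "listenaddress=0.0.0.0 connectport=443 connectaddress=10.10.1.5"),
    ProcEvent("2024-06-01T02:31:05Z", "DC01", "CORP\\svc_backup", "cmd.exe",
              r'ntdsutil "ac i ntds" ifm "create full C:\Windows\Temp\pro" q q'),
    ProcEvent("2024-06-01T02:33:52Z", "SRV-EDGE01", "CORP\\svc_backup", "cmd.exe",
              r'wmic /node:"DC01" process call create "cmd /c netstat -ano > C:\Windows\Temp\n.txt"'),
    ProcEvent("2024-06-01T09:00:00Z", "WS-014", "CORP\\jdoe", "explorer.exe",
              "powershell.exe -NoProfile Get-Service -Name Spooler"),
    ProcEvent("2024-06-02T23:58:13Z", "FS-02", "CORP\\admin7", "powershell.exe",
              "vssadmin delete shadows /all /quiet"),
]


if __name__ == "__main__":
    for host, r in sorted(triage(SAMPLE_EVENTS).items()):
        flag = "ESCALATE" if r["escalate"] else "review"
        print(f"{host:<12} score={r['score']:<3} {flag:<9} {', '.join(r['distinct_rules'])}")
        for ts, user, rule, cmd in r["hits"]:
            print(f"    {ts} {user} [{rule}] {cmd}")
```

On the constructed data the edge server escalates because two different pivot techniques (a port proxy and remote WMIC execution) appear under the same service account, the domain controller escalates on the single high-fidelity NTDS dump, and the file server's shadow-copy deletion is surfaced for review without escalating on its own. The benign workstation never appears. In production the same logic needs a baseline of which hosts and accounts legitimately run these utilities (backup jobs do call ntdsutil) and a time window on the per-host aggregation; the scoring and threshold here are placeholders to tune, not recommended values.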

Ransomware, geopolitical tensions and hacktivism

In addition to technological advancements, ransomware is increasingly being used as a weapon of geopolitical influence and hacktivism. Cyber criminals are no longer just motivated by financial gain; some are using malware to further political agendas, destabilize governments or create chaos in certain regions.

The ENISA report emphasized how geopolitical tensions are converging with ransomware attacks. For instance, during the Russia-Ukraine conflict, ransomware groups targeted critical infrastructure in Ukraine and other countries allied with Ukraine. These attacks weren’t necessarily financially motivated but rather politically driven. The aim was to disrupt national operations or cripple key sectors like energy, health care and transportation.

Hacktivist groups are also joining forces with ransomware gangs to push their own ideological goals. For example, attacks on public administration and transportation sectors have increased, often tied to specific political events or global movements. As cyber crime becomes more politicized, organizations and governments must recognize that ransomware is no longer just a financial threat but also a tool of disruption on the global stage. And given the increased geopolitical tensions across the globe, these types of attacks are increasingly common.

Attack rates and most targeted industries

Despite global efforts to curb ransomware, the number of ransomware attacks continues to rise. According to the Ransomware Tracker, the number of victims posted on extortion sites spiked in May 2024 to 450, up from 328 in April, making it one of the most active months over the last few years.

Industries like healthcare, public administration, transportation and finance are among the most targeted. These sectors are particularly vulnerable due to their reliance on digital infrastructure and the severe consequences of operational downtime. For example, the U.S. Department of Health and Human Services reported a 256% increase in hacking-related breaches in healthcare over the past five years, underscoring the sector’s heightened vulnerability.

The rising costs of ransomware

The financial impact of ransomware continues to grow in 2024, with costs extending beyond ransom payments. According to one industry report, the average recovery cost for ransomware victims in state and local governments is $2.73 million, more than double the amount reported in 2023. These costs include not only ransom payments but also expenses related to downtime, lost data, operational disruption and reputational damage.

The ransom demands themselves are also skyrocketing. The report states that the average ransom demand for state and local governments is now $3.3 million, with some demands exceeding $5 million. Globally, industries like healthcare, energy and education are seeing similar trends. Even worse, high ransom demands and significant recovery costs can cripple or even shut down smaller organizations.

A grim landscape, but there’s hope

The ransomware landscape in 2024 is one of increasing complexity. With AI-driven phishing campaigns, living-off-the-land techniques, the exploitation of legal frameworks and the merging of geopolitical tensions, the stakes have never been higher. However, advancements in AI cybersecurity tools and a growing awareness of these evolving tactics provide pathways for improving defenses.

As cyber criminals adapt and innovate, so too must cybersecurity professionals and organizations. Proactive measures like vulnerability management, employing robust backup strategies and investing in incident response capabilities are essential in combating this ever-present threat. Ransomware may continue to evolve, but so too can the tools and strategies used to fight it.

The post The current state of ransomware: Weaponizing disclosure rules and more appeared first on Security Intelligence.
