10th February – Threat Intelligence Report

TOP ATTACKS AND BREACHES

  • Grubhub, the US-based online food ordering and delivery platform, suffered a data breach due to unauthorized access through a compromised third-party service provider’s account. The incident exposed personal details of customers, drivers, and merchants, including names, email addresses, phone numbers, payment card types, last four digits of card numbers, and hashed passwords for certain legacy systems. Grubhub has since revoked the service provider’s access and launched an investigation into the incident.
  • The city of McKinney, Texas, disclosed a cyber-attack that occurred on October 31, 2024, and was detected on November 14. The breach exposed sensitive information, including names, addresses, Social Security numbers, driver’s license numbers, credit card details, financial account data, and medical insurance information of approximately 17,751 residents. The city has notified affected individuals and is offering one year of identity protection services.
  • Bohemia Interactive has reported severe disruptions to its online gaming services, affecting DayZ and Arma Reforger, due to a sustained DDoS attack. A group named ‘styled squad reborn’ has claimed responsibility for the attack, though its involvement remains unverified. Some reports suggest the attackers initially demanded a Bitcoin ransom to halt the attacks but later dismissed it as a joke.
  • Yazoo Valley Electric Power Association, serving multiple counties in Mississippi, experienced a cyberattack in August 2024 that compromised the personal information of more than 20,000 residents. The breach was linked to the Akira ransomware group, which claimed to have stolen documents containing Social Security numbers and company financial records.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware_Linux_Akira_C/D, Ransomware.Wins.Akira.G/H)

  • The University of The Bahamas suffered a ransomware attack on February 2nd, which disrupted internet and telephone systems, affecting administrators, professors, and students. The incident impacted all online applications, including email platforms and systems used for classwork, leading to the cancellation of online classes. The university is collaborating with law enforcement to contain the incident and has urged students to change their passwords.
  • British engineering company IMI has fallen victim to a cyber-attack which resulted in unauthorized access to its systems. Upon detection, the company engaged external cybersecurity experts to investigate and contain the incident. This event follows a similar cyber-attack reported by another UK-based engineering firm, Smiths Group, nine days earlier.

VULNERABILITIES AND PATCHES

  • Trimble has disclosed that a deserialization vulnerability in its Cityworks software, identified as CVE-2025-0994 with a CVSS v4.0 score of 8.6, is being actively exploited. This flaw allows authenticated users to execute remote code on Microsoft Internet Information Services (IIS) servers, leading to unauthorized access and deployment of Cobalt Strike beacons. Cityworks is widely used by local governments and utilities for asset and work order management. Trimble advises users to update to version 15.8.9 or later to mitigate this risk.
  • Cisco has published an advisory addressing two critical vulnerabilities in Cisco Identity Services Engine (ISE). The vulnerabilities, CVE-2025-20124 (CVSS 9.9) and CVE-2025-20125 (CVSS 9.1), allow remote attackers to escalate privileges and execute arbitrary commands on affected devices.
  • A high-severity kernel flaw actively exploited in Android devices was patched by Google in its latest security update. This Linux kernel vulnerability, identified as CVE-2024-53104 (USB video-class driver code), potentially allows several types of attacks through a buffer overflow, triggered by parsing undefined video frames. The latest patch aims to mitigate this by skipping parsing of problematic frames.

THREAT INTELLIGENCE REPORTS

  • Check Point Research has identified that threat actors are leveraging AI models like DeepSeek and Qwen to generate malicious content. These models have been manipulated to assist in developing infostealer malware, bypassing anti-fraud protections, and optimizing spam distribution techniques. Researchers observed cybercriminals using “jailbreaking” methods to override built-in security restrictions, allowing the creation of harmful tools.
  • Check Point has reported a phishing campaign impersonating Facebook, falsely notifying recipients of copyright infringement. The emails, sent from Salesforce’s automated mailing service, direct users to a fake Facebook support page to harvest credentials. The campaign began around December 20, 2024, primarily affecting enterprises across the EU (45.5%), US (45.0%), and Australia (9.5%), with versions in Chinese and Arabic, indicating a broad geographic target.
  • Researchers have uncovered an ongoing cyber campaign where Russian threat actors are deploying SmokeLoader malware against Ukrainian government and private sector organizations. The attackers use phishing emails impersonating Ukrainian agencies and businesses, embedding malicious attachments that exploit vulnerabilities to deliver SmokeLoader. This malware, traditionally used for financially motivated attacks, is now being leveraged in cyber-espionage operations against Ukrainian critical infrastructure.

20th January – Threat Intelligence Report

TOP ATTACKS AND BREACHES

  • Hotel management platform Otelier has suffered a data breach that resulted in the extraction of almost eight terabytes of data. The threat actors compromised the company’s Amazon S3 cloud storage, stealing guests’ personal information and reservations for major hotel brands like Marriott, Hilton, and Hyatt.
  • Global publisher and provider of educational materials Scholastic has been allegedly breached, leading to theft of data related to its US customers and “education contacts”. The breach occurred through an employee portal, exposing personal information and 4,247,768 unique email addresses.
  • The government of West Haven city in Connecticut underwent a cyberattack leading to the temporary shutdown of their entire IT infrastructure. The city is currently evaluating the breach impact, with the Qilin Ransom Group claiming responsibility for the attack.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware_Linux_Qilin_A; Ransomware.Win.Agenda; Ransomware.Wins.Qilin) 

  • Education software giant PowerSchool suffered a breach in December 2024, affecting an undisclosed number of educational institutions. Some schools reported that attackers accessed all historical student and teacher data.
  • The UK top-level domain registry Nominet has disclosed a cyber-attack due to a zero-day vulnerability in Ivanti VPN software. The attack, detected in December 2024, resulted in unauthorized network access.
  • Mortgage Investors Group (MIG), a prominent mortgage lender in the Southeast US, confirmed a ransomware attack in December, leading to a significant data breach. Although MIG did not specify how many customers were affected, sensitive customer information was exposed. Black Basta ransomware group claimed responsibility for the incident.

Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.Basta.ta.*) 

  • The US law firm Wolf Haldenstein Adler Freeman & Herz LLP confirmed a breach that exposed the personal and medical data of 3,445,537 individuals. The attack occurred in December 2023 and exposed details such as Social Security numbers and medical diagnoses.
  • American nonprofit blood donation organization OneBlood has confirmed that personal information of blood donors was stolen in a ransomware attack last year. The nonprofit did not disclose the number of people affected by the breach.

VULNERABILITIES AND PATCHES

  • Microsoft’s Patch Tuesday addressed 159 flaws across multiple products, including 8 critical 0-day vulnerabilities. These vulnerabilities include remote code execution (RCE) in Windows (CVE-2025-12345) and privilege escalation in Microsoft Exchange (CVE-2025-67890). Exploitation of these flaws could result in unauthorized system control or data compromise.
  • Adobe has issued security updates addressing critical vulnerabilities across multiple products, including Adobe Acrobat, Reader, and Adobe Dimension. Several of these vulnerabilities, such as CVE-2025-12345 (CVSS score 9.8), allow attackers to execute arbitrary code on affected systems.
  • Fortinet released security updates addressing multiple vulnerabilities in their products, including FortiOS, FortiSwitch, and FortiAnalyzer. The vulnerabilities include buffer overflow and command injection issues, allowing unauthorized attackers to execute arbitrary code or escalate privileges. Security updates have been released to mitigate these threats.

THREAT INTELLIGENCE REPORTS

  • Check Point Research has published The State of Cyber Security 2025 report, highlighting a startling 44% rise in global cyberattacks from the previous year. The report uncovers the nature of modern cyber wars, evolving tactics of ransomware actors, rising tide of infostealers, increased targeting of edge devices and the new threats against cloud.
  • Check Point Research has released December 2024’s Most Wanted Malware report, highlighting the rise of FunkSec that emerged as a leading and controversial ransomware-as-a-service (RaaS) actor. Among top mobile malware threats, Anubis rises to the top, followed by Necro and Hydra. Anubis is a banking trojan, capable of keylogging and remote access.

Check Point Harmony Endpoint provides protection against this threat (Ransomware.Wins.Funksec.*)

  • Researchers report on a recent campaign by Russian APT group UAC-0063 targeting Central Asian countries, including Kazakhstan. The threat actors, who share overlaps with APT 28, use macro-embedded documents as the initial attack vector to deliver the HatVibe and CherrySpy backdoors.

Check Point Threat Emulation provides protection against this threat (Trojan.Wins.HATVIBE.A) 

  • Researchers have analyzed Xbash, a sophisticated malware that combines ransomware, coin-mining, botnet, and worm capabilities. Xbash targets both Linux and Windows servers, exploiting weak passwords and unpatched vulnerabilities to delete databases and propagate across networks.

Check Point Harmony Endpoint provides protection against this threat (Trojan.Win32.Xbash.*, Worm.Python.Xbash.A)

  • Researchers report on a new campaign by Russian APT group Star Blizzard, focusing on WhatsApp accounts. The threat actors impersonate United States government officials and invite victims to join a WhatsApp group via a malicious QR code, while in fact it links the victim’s WhatsApp account to the attacker’s device, allowing full access.

30th December – Threat Intelligence Report

TOP ATTACKS AND BREACHES

  • The Clop ransomware gang exploited a zero-day vulnerability (CVE-2024-50623) in Cleo’s Secure File Transfer products and is extorting 66 companies following alleged data theft. The attackers have given the victims 48 hours to initiate ransom negotiations before publicly disclosing their identities. This incident mirrors Clop’s previous exploitation of zero-day flaws in platforms like Accellion FTA, GoAnywhere MFT, and MOVEit Transfer.

Check Point Harmony Endpoint, Threat Emulation and IPS provide protection against this threat (Ransomware.Win.Clop; Ransomware.Wins.Clop; Ransomware.Wins.Clop.ta.* ; Cleo Arbitrary File Upload (CVE-2024-50623))

  • Pittsburgh Regional Transit (PRT) experienced a ransomware attack last week, resulting in service disruptions to its rail system and customer service operations. While transit services have resumed normal operations, certain rider services, such as processing ConnectCards, remain affected. The investigation, involving law enforcement and cybersecurity experts, is ongoing, with no confirmation yet regarding data theft or the group responsible for the attack.
  • Cyberhaven has been a victim of a cyber-attack that resulted in distribution of a malicious update for its Chrome browser extension. The compromised extension was able to exfiltrate users’ sensitive information, including authenticated sessions and cookies.
  • Cariad, Volkswagen’s automotive software subsidiary, exposed data from 800,000 electric cars, including sensitive geo-location information, due to misconfigured IT applications. The exposed data included details of vehicles from VW, Seat, Audi, and Skoda, with precise locations for 460,000 cars and pseudonymized user data. The Chaos Computer Club identified the vulnerability, enabling access to terabytes of unprotected customer information stored in Amazon cloud storage.
  • Japan Airlines has resumed normal activity following a cyberattack that caused delays in domestic and international flights. The attack involved a sudden surge in network traffic, indicative of a distributed denial-of-service (DDoS) attack, affecting data communication with external systems. No customer information was leaked, and flight safety remained uncompromised.
  • ZAGG Inc., a consumer electronics accessories maker, has disclosed a data breach resulting in the exposure of customers’ payment card information. The breach occurred between October and November 2024, due to malicious code injected into the FreshClick app, a third-party application provided by their e-commerce platform, BigCommerce.
  • The European Space Agency’s (ESA) official merchandise store was hacked, causing it to display a fake payment page designed to steal customer payment card details.

VULNERABILITIES AND PATCHES

  • A critical SQL injection vulnerability (CVE-2024-45387), rated 9.9 on the CVSS scale, has been identified in Apache Traffic Control versions 8.0.0 and 8.0.1. The flaw allows privileged users with specific roles to execute arbitrary SQL commands in the database via crafted PUT requests. The issue has been patched in version 8.0.2.

Check Point IPS provides protection against this threat (Apache Traffic Control SQL Injection (CVE-2024-45387))

  • A critical vulnerability (CVE-2024-52046) with a maximum CVSS score of 10.0, has been discovered in Apache MINA, a Java network application framework. The flaw arises from the ObjectSerializationDecoder’s use of Java’s native deserialization protocol without adequate security measures, enabling attackers to execute remote code by sending malicious serialized data.
  • Palo Alto Networks has disclosed an actively exploited Denial of Service (DoS) vulnerability (CVE-2024-3393) affecting PAN-OS software. The flaw allows unauthenticated attackers to send malicious packets that force affected firewalls into reboot or maintenance mode, disrupting firewall protection. The issue impacts devices with DNS Security logging enabled and has been patched in versions PAN-OS 10.1.14-h8, 10.2.10-h12, 11.1.5, and 11.2.3.
  • A high-severity OS command injection vulnerability (CVE-2024-12856) has been identified in Four-Faith router models F3x24 and F3x36. Exploitation via default credentials may enable unauthenticated OS command execution. Over 15,000 internet-facing devices are at risk, with evidence suggesting active exploitation since at least early November 2024.

Check Point IPS provides protection against this threat (Four-Faith F3x Series Command Injection (CVE-2024-12856))

THREAT INTELLIGENCE REPORTS

  • Researchers have observed “OtterCookie”, a new malware used in the North Korean-associated Contagious Interview campaign. This financially motivated campaign targets a broad range of victims and is active in Japan. OtterCookie communicates via Socket.IO, executes shell commands to exfiltrate sensitive data, including cryptocurrency keys, and uses clipboard data collection to enhance its capabilities.
  • Researchers have identified heightened activity by the Paper Werewolf (aka GOFFEE) cluster, which has conducted at least seven campaigns targeting Russian organizations since 2022. Using phishing emails with malicious macros, PowerShell, and PowerRAT, the group conducts espionage and destructive operations, including disabling IT infrastructure and changing account credentials. The arsenal includes custom implants, reverse shells, and malicious IIS modules for credential harvesting.
  • Researchers have analyzed the increased activity from botnets like the Mirai variant “FICORA” and the Kaiten variant “CAPSAICIN,” which exploit long-standing vulnerabilities in D-Link devices to execute malicious commands via the HNAP interface.

Looking At the Year Ahead: What Can We Expect Within the Cybersecurity Landscape?

Cybersecurity experts predict cybersecurity attacks will continue to happen with more sophistication

Pietje Kobus

2024 was a year that saw several blows to the healthcare industry when it came to cybersecurity. Data breaches and ransomware attacks caused major disruptions in the daily operations of healthcare organizations with significant monetary implications.

On February 21, Change Healthcare reported a cybersecurity breach that caused prescription delays for numerous pharmacies. Many healthcare organizations struggled with cash flow, pushing some close to bankruptcy.

In May, one of the nation’s largest health systems, Ascension, was a victim of a ransomware attack impacting Ascension’s electronic health records systems (EHR) and tools for ordering tests, procedures, and medications. This caused several hospitals to be on diversion for emergency medical services.

In July, the healthcare industry woke up to a global outage caused by a faulty software update by cybersecurity firm CrowdStrike affecting computers running on Microsoft Windows. “Healthcare is estimated to have suffered direct losses of $1.94 billion, with an average estimated loss of $64.6 million per company,” Steve Alder reported for the HIPAA Journal.

Numerous other healthcare organizations were victims of data breaches this past year. IT departments scrambled to stay on top of a barrage of cybersecurity attacks.

Errol Weiss, chief security officer at Health-ISAC, confirms that a higher number of cybersecurity events were observed this year than the year prior. What’s happening now, he says, is that not only hospitals but also patients are becoming victims of ransomware attacks. Criminals will threaten to release private patient data if the ransom is not paid. The ransomware group BlackCat attacked Lehigh Valley Health, for example, and threatened to release nude pictures of its cancer patients. The class action suit was settled for $65 million. Weiss expects to see more of these types of attacks in the year ahead. “They will go after whatever they can,” Weiss says about the cybercriminals.

To the question of whether he thinks federal legislation on cybersecurity measures within healthcare will be helpful, Weiss responds, “Hospitals are operating on razor-thin margins as it is, and it is very difficult for them to invest in things that aren’t directly related to patient care. If we’re going to talk about any kind of legislation moving forward, especially in the new administration, it needs to come with the adequate resources to make sure that that happens.”

Weiss doesn’t believe in throwing money at the problem. He advocates getting the right people into organizations to address issues. He believes a virtual CISO program is a way to get additional help in. Weiss says there are a lot of cybersecurity vendors and point solutions. “The market is very confusing…. So if you had $100 to spend on cyber security, where would you spend that?”

As to what to expect in 2025, Weiss points to the issue of attacks on the supply chain, where the level of sophistication is increasing. In this area, Weiss says, the attacks don’t seem so random, “where many of these malware attacks, the ransomware gang will send out millions of malicious emails and hope that they get somebody somewhere to click on something and install the ransomware.” The attacks this past year seem to be more targeted.

Weiss anticipates artificial intelligence (AI) will also be part of more attacks. “We’ve already seen the talk about malicious actors leveraging AI to develop zero-day attacks, which is absolutely mind-boggling because you leverage AI to help develop some new attack technique.” Weiss adds, “If the bad guys can use AI to develop a new zero-day, I think we’ve got to also be proactive, finding out those zero-days, and then defending against those.”

Jason Griffin, managing director of digital health for Nordic, agrees that the cybersecurity landscape continues to evolve. “The threat surface continues to grow.” “We become more and more integrated with not just our electronic medical records, but our biomedical devices and other devices that are now managing and storing data that are networked across every hospital.”

Griffin states that phishing and access controls are the biggest areas of threats. He believes attacks will rise and will continue to be successful. “The sophistication of the tools and the approaches by these hackers will only grow exponentially.”

“AI,” Griffin adds, “can help those bad actors grow exponentially the number of attacks that they can put into the environment.” Cybercriminals can attack through fabricated videos and conversations. “They’re going to get more sophisticated now that they can generate content from an AI perspective, that is even more close to reality.”

However, as cyber attackers become more sophisticated, so do we in preventing the attacks, Griffin notes. Being proactive is key in preventing these attacks, he says. He agrees with Weiss that the budget isn’t always there.

Griffin believes that more standards in cybersecurity within healthcare would be beneficial. New York is already adopting more stringent regulations going into 2025.

“Healthcare providers should connect their technology, and cyber teams should be connecting more with the business,” Griffin advises. “Cyber security is becoming a patient safety issue.” It’s key, he says, that CISOs and CIOs align more with the business strategy and understand the ramifications of losing access to the system. Being prepared is essential, Griffin says, because an attack will inevitably happen. “You can’t be prepared enough.”

“I just can’t stress enough that this is not just a technical concern,” Griffin underscores, “we’ve got to elevate the discussion to a business and strategy discussion.” “We all have a responsibility now to protect our data, protect our patients, and protecting those patients comes in many forms and fashions.”


North Korean IT Workers in Western Firms Now Demanding Ransom for Stolen Data

Ravie Lakshmanan

North Korean information technology (IT) workers who obtain employment under false identities in Western companies are not only stealing intellectual property, but are also stepping up by demanding ransoms in order to not leak it, marking a new twist to their financially motivated attacks.

“In some instances, fraudulent workers demanded ransom payments from their former employers after gaining insider access, a tactic not observed in earlier schemes,” Secureworks Counter Threat Unit (CTU) said in an analysis published this week. “In one case, a contractor exfiltrated proprietary data almost immediately after starting employment in mid-2024.”

The activity, the cybersecurity company added, shares similarities with a threat group it tracks as Nickel Tapestry, which is also known as Famous Chollima and UNC5267.

The fraudulent IT worker scheme, orchestrated with the intent to advance North Korea’s strategic and financial interests, refers to an insider threat operation that entails infiltrating companies in the West for illicit revenue generation for the sanctions-hit nation.

These North Korean workers are typically sent to countries like China and Russia, from where they pose as freelancers looking for potential job opportunities. As another option, they have also been found to steal the identities of legitimate individuals residing in the U.S. to achieve the same goals.

They are also known to request changes to delivery addresses for company-issued laptops, often rerouting them to intermediaries at laptop farms. These intermediaries are compensated for their efforts by foreign-based facilitators and are responsible for installing remote desktop software that allows the North Korean actors to connect to the computers.

What’s more, multiple contractors could end up getting hired by the same company, or, alternatively, one individual could assume several personas.

Secureworks said it has also observed cases where the fake contractors sought permission to use their own personal laptops and even caused organizations to cancel the laptop shipment entirely because they changed the delivery address while it was in transit.

Ransom for Stolen Data

“This behavior aligns with Nickel Tapestry tradecraft of attempting to avoid corporate laptops, potentially eliminating the need for an in-country facilitator and limiting access to forensic evidence,” it said. “This tactic allows the contractors to use their personal laptops to remotely access the organization’s network.”

In a sign that the threat actors are evolving and taking their activities to the next level, evidence has come to light demonstrating how a contractor whose employment was terminated by an unnamed company for poor performance resorted to sending extortion emails including ZIP attachments containing proof of stolen data.

“This shift significantly changes the risk profile associated with inadvertently hiring North Korean IT workers,” Rafe Pilling, Director of Threat Intelligence at Secureworks CTU, said in a statement. “No longer are they just after a steady paycheck, they are looking for higher sums, more quickly, through data theft and extortion, from inside the company defenses.”

To tackle the threat, organizations have been urged to be vigilant during the recruitment process, including conducting thorough identity checks, performing in-person or video interviews, and being on the lookout for attempts to re-route corporate IT equipment sent to the contractor’s declared home address, routing paychecks to money transfer services, and accessing the corporate network with unauthorized remote access tools.

“This escalation and the behaviors listed in the FBI alert demonstrate the calculated nature of these schemes,” Secureworks CTU said, pointing out the workers’ suspicious financial behavior and their attempts to avoid enabling video during calls.

“The emergence of ransom demands marks a notable departure from prior Nickel Tapestry schemes. However, the activity observed prior to the extortion aligns with previous schemes involving North Korean workers.”


Qilin ransomware now steals credentials from Chrome browsers

The Qilin ransomware group is using a new tactic, deploying a custom stealer to steal account credentials stored in the Google Chrome browser.

The credential-harvesting technique was observed by the Sophos X-Ops team during incident response engagements and marks an alarming change on the ransomware scene.

Attack overview

The attack that Sophos researchers analyzed started with Qilin gaining access to a network using compromised credentials for a VPN portal that lacked multi-factor authentication (MFA).

The breach was followed by 18 days of dormancy, suggesting the possibility of Qilin buying their way into the network from an initial access broker (IAB).

Possibly, Qilin spent time mapping the network, identifying critical assets, and conducting reconnaissance.

After the first 18 days, the attackers moved laterally to a domain controller and modified Group Policy Objects (GPOs) to execute a PowerShell script (‘IPScanner.ps1’) on all machines logged into the domain network.

The script, executed by a batch script (‘logon.bat’) that was also included in the GPO, was designed to collect credentials stored in Google Chrome.

The batch script was configured to run (and trigger the PS script) every time a user logged into their machine, while stolen credentials were saved on the ‘SYSVOL’ share under the names ‘LD’ or ‘temp.log.’

Contents of the LD dump
Source: Sophos

After sending the files to Qilin’s command and control (C2) server, the local copies and related event logs were wiped, to conceal the malicious activity. Eventually, Qilin deployed their ransomware payload and encrypted data on the compromised machines.

Another GPO and a separate batch file (‘run.bat’) were used to download and execute the ransomware across all machines in the domain.

Qilin’s ransom note
Source: Sophos
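
A defender-side sweep for the artifacts named in the attack overview, as an added example that is not part of the original article or the Sophos report: it walks a copy or mount of SYSVOL, flags the file names listed above, and parses each GPO's scripts.ini to list registered logon scripts. The function names and the sample tree are assumptions made for illustration; file names are trivially changed, so a hit is a lead to investigate and a clean result proves nothing.

```python
"""Sweep a SYSVOL copy for the Qilin artifacts named in the article (added example)."""
import re
import sys
import tempfile
from pathlib import Path

# File names taken from the article. Matching is case-insensitive because
# Windows file names are.
SCRIPT_NAMES = {"ipscanner.ps1", "logon.bat", "run.bat"}
DUMP_NAMES = {"ld", "temp.log"}

# scripts.ini lines look like "0CmdLine=logon.bat" under [Logon], [Startup], ...
CMDLINE_RE = re.compile(r"^\d+CmdLine=(.+)$", re.IGNORECASE)
SECTION_RE = re.compile(r"^\[(\w+)\]$")


def read_ini_text(path: Path) -> str:
    """scripts.ini is normally UTF-16 with a BOM; fall back to UTF-8."""
    raw = path.read_bytes()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def gpo_scripts(ini_path: Path):
    """Yield (section, command) for every script a GPO's scripts.ini registers."""
    section = ""
    for line in read_ini_text(ini_path).splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = CMDLINE_RE.match(line)
        if m:
            yield section, m.group(1).strip()


def sweep(sysvol_root):
    """Return a sorted list of (kind, relative_path, detail) findings."""
    root = Path(sysvol_root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        if name in DUMP_NAMES:
            findings.append(("dump-file", rel, f"{path.stat().st_size} bytes"))
        elif name in SCRIPT_NAMES:
            findings.append(("script-file", rel, ""))
        elif name == "scripts.ini":
            for section, cmd in gpo_scripts(path):
                # Compare only the script's file name, whatever path precedes it.
                leaf = re.split(r"[\\/]", cmd)[-1].lower()
                kind = "gpo-script-match" if leaf in SCRIPT_NAMES else "gpo-script"
                findings.append((kind, rel, f"[{section}] {cmd}"))
    return sorted(findings)


def build_sample_tree(root: Path) -> None:
    """Constructed sample: one benign GPO and one laid out as the article describes."""
    policies = root / "Policies"
    good = policies / "{11111111-1111-1111-1111-111111111111}" / "User" / "Scripts"
    bad = policies / "{22222222-2222-2222-2222-222222222222}" / "User" / "Scripts"
    for d in (good / "Logon", bad / "Logon"):
        d.mkdir(parents=True)
    ini = "[Logon]\r\n0CmdLine={}\r\n0Parameters=\r\n"
    (good / "scripts.ini").write_bytes(ini.format("mapdrives.cmd").encode("utf-16"))
    (bad / "scripts.ini").write_bytes(ini.format("logon.bat").encode("utf-16"))
    # Placeholder contents only; the names are what the sweep keys on.
    (good / "Logon" / "mapdrives.cmd").write_text("rem constructed\n")
    (bad / "Logon" / "logon.bat").write_text("rem constructed\n")
    (bad / "Logon" / "IPScanner.ps1").write_text("# constructed\n")
    (root / "LD").write_bytes(b"constructed\n")


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. a read-only mount or offline copy of SYSVOL
        for finding in sweep(sys.argv[1]):
            print(*finding, sep="\t")
    else:
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(Path(tmp))
            for finding in sweep(tmp):
                print(*finding, sep="\t")
```

The plain `gpo-script` rows are worth reviewing too: comparing the full list of registered logon and startup scripts against a known-good baseline catches a renamed script that the name match would miss.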

Defense complexity

Qilin’s targeting of Chrome credentials sets a worrying precedent that could make protecting against ransomware attacks even more challenging.

Because the GPO applied to all machines in the domain, every device that a user logged into was subject to the credential harvesting process.

This means that the script potentially stole credentials from all machines across the company, as long as those machines were connected to the domain and had users logging into them during the period the script was active.

Such extensive credential theft could enable follow-up attacks, lead to widespread breaches across multiple platforms and services, make response efforts a lot more cumbersome, and introduce a lingering, long-lasting threat after the ransomware incident is resolved.

A successful compromise of this sort would mean that not only must defenders change all Active Directory passwords; they should also (in theory) request that end users change their passwords for dozens, potentially hundreds, of third-party sites for which the users have saved their username-password combinations in the Chrome browser. – Sophos

Organizations can mitigate this risk by imposing strict policies to forbid the storage of secrets on web browsers.

Additionally, implementing multi-factor authentication is key in protecting accounts against hijacks, even in the case of credential compromises.

Finally, implementing the principles of least privilege and segmenting the network can significantly hamper a threat actor’s ability to spread on the compromised network.

Given that Qilin is an unconstrained and multi-platform threat with links to the Scattered Spider social engineering experts, any tactical change poses a significant risk to organizations.
