If you suspect an active attack on your business, call our emergency hotline at: 612-399-9680

War Stories and Other Helpful Information

The Blog


U.S. Passes Two New Cybersecurity Bills Into Law

On Tuesday, June 21, 2022, President Biden signed two cybersecurity bills into law. This was a bipartisan effort, with approval from both Democratic and Republican senators and representatives, which shows the importance of improving the United States’ cybersecurity strategies. These new laws are the Federal Rotational Cyber Workforce Program Act of 2021 and the State and Local Government Cyber Security Act of 2021, per a White House press release.

Federal Rotational Cyber Workforce Program Act of 2021

The Federal Rotational Cyber Workforce Program (bill S. 1097) establishes a rotational cyber workforce program within the Federal Cyber Workforce Strategy, under which


What Motivates a Hacker?

Cyber attacks happen every day, and it’s no secret that they are increasing in frequency and sophistication. While threat actors generally don’t discriminate based on company size or type of organization, the criminal’s motivation for an attack generally points to the choice of victim. Understanding the why behind a cyber attack is critical to developing effective cybersecurity strategies to protect your organization.

4 Common Motivations

Monetary Motivations

Monetary gain is perhaps the most common reason for hackers to attack an organization or an individual. In these cases, threat actors (often affiliated with cybercrime gangs) target companies they believe will pay a ransom to


How Do IT Directors Communicate to CFOs the Value of Cybersecurity?

IT Directors, CIOs, CISOs and Other Non-technical Decision Makers

As with any corporate relationship, the one between CIOs and CFOs depends on the organization. When it comes to making cybersecurity decisions, some companies are more IT-driven, with CIOs and CISOs taking the lead; other companies have CFOs and other leadership making the decisions. Budgeting also affects these decisions. IT teams often have a budget for cybersecurity needs; however, CFOs will usually have the final say. For example, if a CIO needs a vulnerability management provider, they first choose the best-in-class option and then check in with


Microsoft Office Zero Day Follina

Identified: May 27, 2022
Name of Vulnerability: Microsoft Office Zero Day Follina
Description of Vulnerability: A new zero-day vulnerability, Microsoft Office Zero Day Follina, was discovered in Microsoft Office: when a specially crafted document is downloaded and opened, or viewed in Explorer preview, it allows arbitrary code execution. A security researcher who goes by Nao_sec discovered an odd-looking Word document uploaded from an IP address in Belarus. This turned out to be a zero-day vulnerability in Office and Windows. The document uses the Word remote template feature to retrieve an HTML file from a remote web server, which in turn uses the ms-msdt MSProtocol


VMware Vulnerabilities Patches

Vulnerabilities in VMware allow internal attackers to gain unauthenticated administrative access to the entire company’s infrastructure.

Who is affected: Anyone using:
VMware Workspace ONE Access (Access)
VMware Identity Manager (vIDM)
VMware vRealize Automation (vRA)
VMware Cloud Foundation
vRealize Suite Lifecycle Manager

Authentication Bypass Vulnerability (CVE-2022-22972)*

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.* A malicious actor with network access to the UI may be able to obtain administrative


What Are the Most Critical Cyber Threats of 2022?

Ask the Experts

The question “What are the most critical cyber threats of 2022?” was posed to a panel that included Blue Team Alpha cyber experts Joe Kingland – CEO; Dan Wolfford – Deputy CISO; Peter Martinson – Director of Incident Response; and Sean Sullivan – Senior Incident Responder. Below is a summary of their responses based on their extensive working experience and knowledge in the field of cybersecurity.

What Are the Most Critical Cyber Threats of 2022?

Complexity of Systems

Computer systems these days are incredibly complicated, and most are made up of many different parts. Many people


11 Ways to Boost the Cyber Defenses of a Small Business

While no business is immune to cyber attacks, small and medium-sized businesses are especially vulnerable. In a survey of small to medium business owners conducted in late 2021, 42% of respondents reported suffering a cyber attack in the previous year. Additionally, according to the U.S. Small Business Administration (SBA), 88% of small business owners feel their businesses are vulnerable to cyber attacks. Small to medium businesses remain attractive targets for cyber criminals because they hold information criminals want and often have weaker security infrastructure than larger businesses. This means it is more important than ever to ensure that SMBs practice good cybersecurity


Cultivating a Cybersecurity Culture

The Importance of Making Cybersecurity a Part of Your Company Culture

Most organizations are fully aware of the importance of effective cybersecurity strategies and of what can happen without them. Companies have devoted both time and resources to training and educating their staff accordingly, but that isn’t enough. Without a genuine culture of cyber awareness in an organization, the risk of an attack is higher.

Often in cybersecurity incidents, the weak link into the network is a person within that organization. That could be someone who clicked the link in a phishing email, used a compromised flash drive,


VMware Backdoor Vulnerability

What is the Vulnerability?

The VMware Backdoor vulnerability is labeled CVE-2022-22954. By exploiting the VMware Identity Manager (IDM) service, attackers are able to run PowerShell to establish malicious communications with the server.

How Hackers Gain Access

The adversaries gain initial access to the environment by exploiting CVE-2022-22954, the only one of the RCE trio that doesn’t require administrative access to the target server and that also has a publicly available PoC exploit. The attack starts with executing a PowerShell command on the vulnerable service (Identity Manager), which launches a stager. The stager then fetches the PowerTrash loader from the command and control (C2)


Cisco Umbrella Virtual Appliance Vulnerability

What is the Vulnerability?

A vulnerability in the Cisco Umbrella Virtual Appliance (VA) was discovered last week by Fraser Hess of Pinnacol Assurance (tracked as CVE-2022-20773). The flaw is in the key-based SSH authentication mechanism of the VA, which could allow an unauthenticated, remote attacker to impersonate a VA. Cisco Umbrella is a cloud-delivered security service used by over 24,000 organizations as DNS-layer security against phishing, malware, and ransomware attacks. The service uses on-premises virtual machines as conditional DNS forwarders that record, encrypt, and authenticate DNS data. “This vulnerability is due to the presence of a static SSH host key.


Increased Ransomware Attacks During Peak Agriculture Times

The FBI noted ransomware attacks during these peak seasons against six grain cooperatives during the fall 2021 harvest and two attacks in early 2022 that could impact the planting season by disrupting the supply of seeds and fertilizer.

The Attacks that Occurred:

In March 2022, a multi-state grain company suffered a LockBit 2.0 ransomware attack. In addition to grain processing, the company provides seed, fertilizer, and logistics services, which are critical during the spring planting season.

In February 2022, a company providing feed milling and other agricultural services reported two instances in which an unauthorized actor gained access to some of


Oracle Massive Critical Patch Update

What Occurred?

Oracle has issued a Critical Patch Update which contains 520 new security patches across various product families. A few of these updates need urgent attention if you are a user of an affected product.

Affected Oracle Product Families

Oracle Communications Applications

The update contains 39 new security patches for Oracle Communications Applications. Twenty-two of these vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without requiring user credentials. CVE-2022-21431 is a vulnerability in the Connection Manager component of the Oracle Communications Billing and Revenue Management product, and it has the maximum CVSS


HAFNIUM Tarrask Malware

What is the Tarrask Malware?

The Tarrask malware utilizes Windows scheduled tasks to maintain persistence on compromised hosts. An admin can profile the usage of the Task Scheduler GUI or the schtasks command-line utility to aid investigators in tracking this persistence mechanism. The following registry keys are created upon creation of a new task:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}

Subkeys created within the Tree path match the names of the scheduled task, and the values within it (Id, Index, and SD) contain metadata for the task registration within the system. The second subkey, created within the Tasks path, is a GUID mapping


What to Know About the Threat Actor HAFNIUM

Who is HAFNIUM?

HAFNIUM is a threat actor that has historically targeted entities in the United States for the purpose of exfiltrating information from a range of industry sectors. It has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. These attacks involve three steps. First, it gains access to an Exchange Server either with stolen credentials or by using previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it creates a web shell to control the compromised server remotely. Third, it uses remote access run from U.S.-based private servers to steal data from


Ways to Harden Your Cyber Defenses Today

If someone called you right now from an unknown number, what would you do? Most people would ignore the call if they were not expecting it. This was not always the case. There was a time before caller ID when people had to answer to find out who was calling. Now, thanks to innovations in phone technology, we can see who is calling without answering and simply ignore suspicious phone calls. If the same approach were taken toward email, a huge portion of cyber attacks could be eliminated. According to the FBI’s Internet Crime Complaint Center (IC3) Internet Crime


Why You Should Investigate IOCs, and What Can Happen if You Don’t

What is an indicator of compromise (IOC)?

An indicator of compromise is a piece of digital forensic data that indicates a potential network breach. This information helps security investigators identify malicious or suspicious activity, including threats, data breaches, and malware. IOCs can be collected during routine cybersecurity scans or manually if suspicious activity is detected.

Since IOC identification is primarily reactive, the discovery of an IOC typically means that an organization has already been compromised. However, this detection helps organizations stop in-progress attacks sooner and reduce the attack’s impact. In addition, investigating IOCs can be used to repair existing


Cybersecurity Experts Weigh in on Why Cyber Threats Keep Happening

Ask the Experts

The question “Why do cyber threats keep happening?” was posed to a panel that included Blue Team Alpha cyber experts Joe Kingland – CEO; Dan Wolfford – Deputy CISO; Peter Martinson – Director of Incident Response; and Sean Sullivan – Senior Incident Responder. Below is a summary of their responses based on their working experience and knowledge in the field of cybersecurity.

Why Do Cyber Threats Keep Happening?

Companies don’t do a good job of keeping their systems up to date. As long as their technology is working for them in the way they want it to,


Microsoft Confirms Breach by Lapsus$ Extortion Group

Who is Lapsus$?

Lapsus$, also tracked by Microsoft’s Threat Intelligence Center (MSTIC) as DEV-0537, is a relatively new English/Portuguese-speaking online extortion group that gained notoriety after attacking Brazil’s Ministry of Health on December 10, 2021. The group is believed to operate out of South America, likely Brazil, and targets large organizations. It aims to ransom organizations if its demands aren’t met. Lapsus$ does not appear to encrypt data, only to exfiltrate it from the organizations it attacks. The group shares its exploits on Telegram instead of the more popular dark web forums that many threat groups use. Lapsus$ is a highly sophisticated


Are QR Codes Dangerous?

Quick Response (QR) codes, first developed in Japan in the 1990s, are square-shaped codes that can be used for a variety of purposes. With their ability to store a lot of data, QR codes are an efficient and easy way to share and store information. They can also be used for tracking purposes, sharing contact information, marketing promotions, ticketing, and completing contactless payments.

With the need for contactless engagement increasing during the pandemic, the use of QR codes has become even more popular. Many restaurants include QR codes on—or in place of—menus. Codes are also commonly found on business


Ransomware Threat Increases Globally in 2021

Reports show that the number of ransomware attacks increased significantly worldwide in 2021. Not only did their frequency grow, but so did their level of sophistication. Ransomware as an industry is escalating, and it’s important to know what to look for to better protect sensitive data. Here are several trends to be aware of and steps to help mitigate the risk of attack:

Cybercriminal Services for Hire

The ransomware market has become more sophisticated and professional in recent years, making attacks harder to distinguish. It has also become more collaborative, with cybercriminals utilizing ransomware-as-a-service (RaaS), engaging with third-party
