If you suspect an active attack on your business, call our emergency hotline at: 612-399-9680

War Stories and Other Helpful Information

The Blog


Cultivating a Cybersecurity Culture

The Importance of Making Cybersecurity a Part of Your Company Culture

Most organizations are fully aware of the importance of effective cybersecurity strategies and of the risks they face without them. Companies have devoted both time and resources to training and educating their staff accordingly, but that isn’t enough. Without a valued culture of cyber awareness in an organization, the risk of an attack is higher. Often in cybersecurity incidents, the weak link into the network is a person within that organization. That could be someone who clicked the link in a phishing email, used a compromised flash drive,

Read More »

VMware Backdoor Vulnerability

What is the Vulnerability?

The VMware Backdoor vulnerability is labeled CVE-2022-22954. By exploiting the VMware Identity Manager (IDM) service, attackers are able to run PowerShell to create malicious communications to the server.

How Hackers Gain Access

The adversaries gain initial access to the environment by exploiting CVE-2022-22954, the only one in the RCE trio that doesn’t require administrative access to the target server and also has a publicly available PoC exploit. The attack starts with executing a PowerShell command on the vulnerable service (Identity Manager), which launches a stager. The stager then fetches the PowerTrash loader from the command and control (C2)

Read More »

Cisco Umbrella Virtual Appliance Vulnerability

What is the Vulnerability?

A vulnerability in the Cisco Umbrella Virtual Appliance (VA) was discovered last week by Fraser Hess of Pinnacol Assurance (tracked as CVE-2022-20773). The flaw is in the key-based SSH authentication mechanism of the VA, which could allow an unauthenticated, remote attacker to impersonate a VA. Cisco Umbrella is a cloud-delivered security service used by over 24,000 organizations as DNS‑layer security against phishing, malware, and ransomware attacks. The service uses on-premises virtual machines as conditional DNS forwarders that record, encrypt, and authenticate DNS data. “This vulnerability is due to the presence of a static SSH host key.

Read More »

Increased Ransomware Attacks During Peak Agriculture Times

The FBI noted ransomware attacks during these seasons against six grain cooperatives during the fall 2021 harvest and two attacks in early 2022 that could impact the planting season by disrupting the supply of seeds and fertilizer.

The Attacks that Occurred:

In March 2022, a multi-state grain company suffered a Lockbit 2.0 ransomware attack. In addition to grain processing, the company provides seed, fertilizer, and logistics services, which are critical during the spring planting season. In February 2022, a company providing feed milling and other agricultural services reported two instances in which an unauthorized actor gained access to some of

Read More »

Oracle Massive Critical Patch Update

What Occurred?

Oracle has issued a Critical Patch Update which contains 520 new security patches across various product families. A few of these updates need urgent attention if you are a user of an affected product.

Affected Oracle Product Families

Oracle Communications Applications

The update contains 39 new security patches for Oracle Communications Applications. Twenty-two of these vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without requiring user credentials. CVE-2022-21431 is a vulnerability in the Connection Manager component of the Oracle Communications Billing and Revenue Management product, and it has the maximum CVSS

Read More »

HAFNIUM Tarrask Malware

What is the Tarrask Malware?

The Tarrask malware utilizes Windows scheduled tasks to maintain persistence on compromised hosts. An admin can profile the usage of the Task Scheduler GUI or the schtasks command-line utility to aid investigators in tracking this persistence mechanism. The following registry keys are created upon creation of a new task:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}

Subkeys created within the Tree path match the names of the scheduled task, and the values within it (Id, Index, and SD) contain metadata for the task registration within the system. The second subkey, created within the Tasks path, is a GUID mapping

Read More »

What to Know About the Threat Actor HAFNIUM

Who is HAFNIUM?

HAFNIUM is a threat actor that historically targeted entities in the United States for the purpose of exfiltrating information from industry sectors. It has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. These attacks include three steps. First, it gains access to an Exchange Server either with stolen credentials or by using previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it creates a web shell to control the compromised server remotely. Third, it uses remote access run from U.S.-based private servers to steal data from

Read More »
Hardening Cyber Defenses

Ways to Harden Your Cyber Defenses Today

If someone called you right now from an unknown number, what would you do? Most people would ignore the call if they were not expecting it. This was not always the case. There was a time before caller ID in which people had to answer to find out who was calling. Now, thanks to innovations in phone technology, we can see who is calling without answering and simply ignore suspicious phone calls. If the same approach were taken toward email, a huge portion of cyber attacks could be eliminated. According to the FBI’s Internet Crime Complaint Center (IC3) Internet Crime

Read More »
Indicators of a Compromise

Why You Should Investigate IOCs, and What Can Happen if You Don’t

What is an indicator of compromise (IOC)?

An indicator of compromise is a piece of digital forensic data that indicates a potential network breach. This information helps security investigators identify malicious or suspicious activity including threats, data breaches, and malware. IOCs can be collected during routine cybersecurity scans or manually if suspicious activity is detected. Since IOC identification is primarily reactive, the discovery of an IOC typically means that an organization has already been compromised. However, this detection helps organizations to stop in-process attacks sooner and reduce the attack’s impact. In addition, investigating IOCs can be used to repair existing

Read More »
Cyber Threats

Cybersecurity Experts Weigh in on Why Cyber Threats Keep Happening

Ask the Experts

The question “Why do cyber threats keep happening?” was posed to a panel that included Blue Team Alpha cyber experts Joe Kingland – CEO; Dan Wolfford – Deputy CISO; Peter Martinson – Director of Incident Response; and Sean Sullivan – Senior Incident Responder. Below is a summary of their responses based on their working experience and knowledge in the field of cybersecurity.

Why Do Cyber Threats Keep Happening?

Companies don’t do a good job of keeping their systems up to date. As long as their technology is working for them in the way they want it to,

Read More »
Microsoft Confirms Breach by Lapsus$ Extortion Group

Who is Lapsus$?

Lapsus$, also tracked by Microsoft’s Threat Intelligence Center (MSTIC) as DEV-0537, is a relatively new English/Portuguese online extortion group that gained notoriety after attacking Brazil’s Ministry of Health on December 10, 2021. This operator is believed to operate out of South America, likely Brazil, and targets large organizations. The group aims to ransom organizations if its demands aren’t met. Lapsus$ does not appear to encrypt data, only to exfiltrate it from the organizations. The group shares its exploits on Telegram instead of the more popular dark web forums that many threat groups use. Lapsus$ is a highly sophisticated

Read More »
QR Codes

Are QR Codes Dangerous?

Quick Response (QR) codes, first developed in Japan in the 1990s, are square-shaped codes that can be used for a variety of purposes. With their ability to store a lot of data, QR codes are an efficient and easy way to share and stow information. They can also be used for tracking purposes, sharing contact information, marketing promotions, ticketing, and completing contactless payments. With the need for contactless engagement increasing during the pandemic, the use of QR codes has become even more popular. Many restaurants include QR codes on—or in place of—menus. Codes are also commonly found on business

Read More »
Global Increase in Ransomware Threats

Ransomware Threat Increases Globally in 2021

Reports show that globally, in 2021, the number of ransomware attacks increased significantly. Not only did the level of frequency grow, but so did their level of sophistication. Ransomware as an industry is escalating and it’s important to know what to look for to better protect sensitive data. Here are several trends to be aware of and steps to help mitigate the risk of attack:

Cybercriminal Services for Hire

The ransomware market has become more sophisticated and professional in recent years, making attacks harder to distinguish. It has also become more collaborative, with cybercriminals utilizing ransomware-as-a-service (RaaS), engaging with third-party

Read More »
Should Small to Medium Businesses Be Concerned About Cyber Threats?

In 2020, the FBI reported a whopping $2.7B as the cost of cybercrimes in just that year. While no business is immune to cybersecurity attacks, small and medium-sized businesses are especially vulnerable. In a survey conducted with small to medium business owners in late 2021, 42% of business owners had suffered a cyber attack in the last year. Additionally, according to the U.S. Small Business Administration (SBA), 88% of small business owners feel their businesses are vulnerable to cyber attacks. Small to medium businesses remain attractive targets for cyber criminals because they have information criminals want and often have weaker

Read More »
Cyclops Blink: Nation-State Threat to United States Organizations

The Threat: Sandworm

Sandworm, a Russian-backed hacking group, was attributed to the NotPetya attack on Ukraine in 2017. It now has developed new malware, Cyclops Blink, which targets firewall devices manufactured by WatchGuard. Cyclops Blink is a replacement framework for the VPNFilter malware that was exposed in 2018. VPNFilter exploited network devices, primarily small and home office routers and network-attached storage devices.

Cyclops Blink

Cyclops Blink (T1129) has been active since 2019 and its deployment appears to be indiscriminate and widespread. The threat has so far been primarily deployed on WatchGuard devices, but it is likely that Sandworm would be

Read More »
Job Phishing Scams and How to Avoid Them

Searching for a new job is hard enough without also worrying about employment scams. Unfortunately, fraudulent job postings have always been around, and thanks to the advent of technology, are only becoming more convincing. The practice of job scamming itself has become more accessible and lucrative. In an employment scam, cyber criminals leverage their position as a potential employer to persuade victims to pass along their personally identifiable information (PII). With this information in hand, the scammers are then able to execute a variety of illegal activities like identity theft, setting up fake financial accounts, taking over existing financial accounts,

Read More »
Ransomware Payments & Profits

Do Incident Response Firms Profit From Ransomware Payments?

How Much Money Does Your Incident Response Team Make on Ransom Payments?

A common trend in the cybersecurity space is incident response teams making a profit on a percentage of the ransom payments paid out to threat actors when a ransomware attack occurs. Since this profit is often far more than the fees the incident response team would pay a cryptocurrency broker, the incident response team is making money from a situation it should be trying to avoid at all costs. To truly understand the conflict of interest for an incident response team paying the ransom, let’s look at

Read More »
MSP vs MSSP—What’s the Difference?

Managed service providers (MSP) and managed security service providers (MSSP) are both incredibly useful tools for businesses, but there is one major difference that sets an MSSP apart from an MSP: security. Unlike an MSP, which focuses more on IT support, an MSSP provides 24/7 cybersecurity support. It’s important to understand the differences between these two types of third-party services when evaluating your business needs.

MSP

As the internet world developed in the early ‘00s, so did internet speeds and the ability to provide IT services remotely. This allowed businesses that did not have the bandwidth or expertise to internally

Read More »
Cybersecurity News 2021: Year in Review

This year is on its way out, but before we say goodbye, let’s take stock of the major 2021 cybersecurity events. As we’ll see, the major attacks used ransomware, attackers demanded millions of dollars in exchange for decryption tools, and attacked companies usually paid up. And while 2 out of 3 Americans are “very concerned” about hackers, by October there were already more data breaches for 2021 than there were in all of 2020. 2021 is poised to set a single-year record for these transgressions.

Attacks

While we could point to many different cyber attacks from 2021, here are

Read More »
Apache Log4j Vulnerability

What is the Apache Log4j Vulnerability?

The Log4j vulnerability allows threat actors to execute code remotely on a targeted computer.

What is Log4j?

Log4j is a Java library for logging error messages in applications.

What is Log4j used for?

Log4j is used in both consumer and enterprise services to log security and performance information. It is used in websites, applications, and operational technology products.

What versions of Apache’s Log4j are affected by the vulnerability?

Apache’s Log4j software library, versions 2.0-beta9 to 2.14.1. The vulnerability is known as “Log4Shell” and “Logjam.”

How to protect against the Log4j vulnerability:

Prioritize patching. Enumerate

Read More »