If you suspect an active attack on your business, call our emergency hotline at: 612-399-9680

War Stories and Other Helpful Information

The Blog

Indicators of a Compromise

Why You Should Investigate IOCs, and What Can Happen if You Don’t

What is an indicator of compromise (IOC)? An indicator of compromise is a piece of digital forensic data that indicates a potential network breach. This information helps security investigators identify malicious or suspicious activity including threats, data breaches, and malware. IOCs can be collected during routine cybersecurity scans or manually if suspicious activity is detected. Since IOC identification is primarily reactive, the discovery of an IOC typically means that an organization has already been compromised. However, this detection helps organizations to stop in-process attacks sooner and reduce the attack’s impact. In addition, investigating IOCs can be used to repair existing

Cyber Threats

Cybersecurity Experts Weigh in on Why Cyber Threats Keep Happening

Ask the Experts. The question “Why do cyber threats keep happening?” was posed to a panel that included Blue Team Alpha cyber experts Joe Kingland – CEO; Dan Wolfford – Deputy CISO; Peter Martinson – Director of Incident Response; and Sean Sullivan – Senior Incident Responder. Below is a summary of their responses, based on their working experience and knowledge in the field of cybersecurity. Why do cyber threats keep happening? Companies don’t do a good job of keeping their systems up to date. As long as their technology is working for them in the way they want it to,


Microsoft Confirms Breach by Lapsus$ Extortion Group

Who is Lapsus$? Lapsus$, also tracked by Microsoft’s Threat Intelligence Center (MSTIC) as DEV-0537, is a relatively new English/Portuguese online extortion group that gained notoriety after attacking Brazil’s Ministry of Health on December 10, 2021. The group is believed to operate out of South America, likely Brazil, and targets large organizations, extorting them if its demands aren’t met. Lapsus$ does not appear to encrypt data, only to exfiltrate it from the victim organizations. The group shares its exploits on Telegram instead of the more popular darkweb forums that many threat groups use. Lapsus$ is a highly sophisticated

QR Codes

Are QR Codes Dangerous?

Quick Response (QR) codes, first developed in Japan in the 1990s, are square-shaped codes that can be used for a variety of purposes. With their ability to store a lot of data, QR codes are an efficient and easy way to share and stow information. They can also be used for tracking purposes, sharing contact information, marketing promotions, ticketing, and completing contactless payments. With the need for contactless engagement increasing during the pandemic, the use of QR codes has become even more popular. Many restaurants include QR codes on—or in place of—menus. Codes are also commonly found on business

Global Increase in Ransomware Threats

Ransomware Threat Increases Globally in 2021

Reports show that, globally, the number of ransomware attacks increased significantly in 2021. Not only did their frequency grow, but so did their level of sophistication. Ransomware as an industry is escalating, and it’s important to know what to look for to better protect sensitive data. Here are several trends to be aware of and steps to help mitigate the risk of attack. Cybercriminal services for hire: The ransomware market has become more sophisticated and professional in recent years, making attacks harder to distinguish. It has also become more collaborative, with cybercriminals utilizing ransomware-as-a-service (RaaS), engaging with third-party


Should Small to Medium Businesses Be Concerned About Cyber Threats?

In 2020, the FBI reported a whopping $2.7B as the cost of cybercrimes in just that year. While no business is immune to cybersecurity attacks, small and medium-sized businesses are especially vulnerable. In a survey of small to medium business owners conducted in late 2021, 42% of business owners had suffered a cyber attack in the last year. Additionally, according to the U.S. Small Business Administration (SBA), 88% of small business owners feel their businesses are vulnerable to cyber attacks. Small to medium businesses remain attractive targets for cyber criminals because they have information criminals want and often have weaker


Cyclops Blink: Nation-State Threat to United States Organizations

The threat: Sandworm. Sandworm, a Russian-backed hacking group, was attributed to the NotPetya attack on Ukraine in 2017. It has now developed new malware, Cyclops Blink, which targets firewall devices manufactured by WatchGuard. Cyclops Blink is a replacement framework for the VPNFilter malware that was exposed in 2018. VPNFilter exploited network devices, primarily small and home office routers and network-attached storage devices. Cyclops Blink: Cyclops Blink (T1129) has been active since 2019, and its deployment appears to be indiscriminate and widespread. The threat has so far been primarily deployed on WatchGuard devices, but it is likely that Sandworm would be


Job Phishing Scams and How to Avoid Them

Searching for a new job is hard enough without also worrying about employment scams. Unfortunately, fraudulent job postings have always been around, and thanks to the advent of technology, they are only becoming more convincing. The practice of job scamming itself has become more accessible and lucrative. In an employment scam, cyber criminals leverage their position as a potential employer to persuade victims to pass along their personally identifiable information (PII). With this information in hand, the scammers are then able to execute a variety of illegal activities like identity theft, setting up fake financial accounts, taking over existing financial accounts,


Do Incident Response Firms Profit From Ransomware Payments?

How much money does your incident response team make on ransom payments? A common trend in the cybersecurity space is incident response teams making a profit on a percentage of the ransom payments paid out to threat actors when a ransomware attack occurs. Since this profit is often far more than the fees the incident response team would pay a cryptocurrency broker, the incident response team is making money from a situation it should be trying to avoid at all costs. To truly understand the conflict of interest for an incident response team paying the ransom, let’s look at


MSP vs MSSP—What’s the Difference?

Managed service providers (MSPs) and managed security service providers (MSSPs) are both incredibly useful for businesses, but there is one major difference that sets an MSSP apart from an MSP: security. Unlike an MSP, which focuses more on IT support, an MSSP provides 24/7 cybersecurity support. It’s important to understand the differences between these two types of third-party services when evaluating your business needs. MSP: As the internet developed in the early ‘00s, so did internet speeds and the ability to provide IT services remotely. This allowed businesses that did not have the bandwidth or expertise to internally


Cybersecurity News 2021: Year in Review

This year is on its way out, but before we say goodbye, let’s take stock of the major 2021 cybersecurity events. As we’ll see, the major attacks used ransomware, attackers demanded millions of dollars in exchange for decryption tools, and attacked companies usually paid up. And while 2 out of 3 Americans are “very concerned” about hackers, by October there were already more data breaches in 2021 than in all of 2020. 2021 is poised to set a single-year record for these transgressions. Attacks: While we could point to many different cyber attacks from 2021, here are


Apache Log4j Vulnerability

What is the Apache Log4j vulnerability? The Log4j vulnerability allows threat actors to execute code remotely on a targeted computer. What is Log4j? Log4j is a Java library for logging error messages in applications. What is Log4j used for? Log4j is used in both consumer and enterprise services to log security and performance information. It is used in websites, applications, and operational technology products. What versions of Apache’s Log4j are affected by the vulnerability? Apache’s Log4j software library, versions 2.0-beta9 to 2.14.1; the vulnerability is known as “Log4Shell” and “Logjam.” How to protect against the Log4j vulnerability: Prioritize patching. Enumerate


Ransomware: Why Are Small to Medium Businesses Targeted Most Often?

According to a survey of managed service providers for SMEs, only 30 percent felt that ransomware was a critical threat, perhaps indicating an attitude that it only affects larger corporations. This couldn’t be further from the truth. In fact, a single ransomware “gang” took on 63 companies in 2021 so far, including schools, local government agencies and healthcare services. Smaller businesses may, in fact, be more at risk because of several factors. Lack of Cybersecurity Training Any company that connects to the internet and holds data of any kind is at risk from threat actors. This means every organization is at


GoCD Vulnerability Allows Potential for Supply Chain Attacks

GoCD has released a security update for a critical authentication vulnerability discovered by SonarSource, a Swiss security firm. The popular (and free) open-source, Java-based Continuous Integration and Continuous Delivery (CI/CD) system is a broadly used piece of infrastructure, and its misuse has the potential for massive disruptions. Unauthenticated attackers could use this vulnerability to extract encrypted data, create backdoors in internal or external software, or impersonate a GoCD Agent. Attackers could also obtain control over both software delivery pipelines and GoCD servers and execute arbitrary code on them. Ultimately, this weakness has the potential for massive supply chain attacks. The


Cybersecurity Awareness Month 2021 Recap

The month of October is Cybersecurity Awareness Month. Threat actors never rest, and it is always important to do your part to keep you and your company’s information as safe as possible. In October, we accumulated a wide assortment of cybersecurity tips and tricks covering topics like phishing, working in a hybrid workplace, and general cybersecurity, as well as why you should consider a cybersecurity career. The following graphic contains an overview of this information.


Prioritizing Cybersecurity in a Hybrid Workplace

In this day and age, employees are more connected than ever. The hybrid workplace is here to stay, and for employees, this means relying on connected devices from their home office setups. According to recent data, smart home systems are set to rise to a market value of $157 billion by 2023, and the number of installed connected devices in the home is expected to rise by a staggering 70% by 2025. In this new normal where smart devices and consequently online safety are a must, here are some tips for securing those devices. Remember smart devices need smart security


3 Reasons to Consider a Career in Cybersecurity

Cybersecurity is one of the hottest industries today, with new threats and challenges emerging constantly. This means there is a huge push by both business and education sectors to attract individuals toward a degree and career in cybersecurity. Are you interested in joining this exciting workforce? Here are a few reasons why pursuing a career in cybersecurity might be right for you. Growing Job Market The cybersecurity job market is growing at an incredibly fast rate, due to the rising number of cyber challenges and threats. According to the U.S. Bureau of Labor Statistics, the job market for information security


Three Tips to Help Deal with Phishing Threats

Although new threats keep cropping up in the cybersecurity space, phishing, one of the oldest pain points in cybersecurity, continues to wreak havoc. Phishing is one of the most dangerous “action varieties” to an organization’s cybersecurity health. Phishing has been a mainstay in the cybersecurity threat landscape for decades, even though it’s not talked about much in the media. Because it continues to work, phishing is still a common tactic used by threat actors. In 2021, more than 80 percent of US organizations experienced at least one successful phishing attack, a year-over-year increase of more


Five Simple Tips to Mitigate Cyber Risk

Being cyber smart is the best way to protect yourself and others from cyber attacks. In honor of Cyber Security Awareness Month, Blue Team Alpha has compiled 5 simple tips to mitigate your cyber risk. Following these tips is easy, and free. Using all of these tips together can make a real difference in taking control of your online presence. But it’s important to keep in mind that no single tip is foolproof on its own. Read on to learn 5 simple tips to mitigate your cyber risk that you can implement today. 1) Use strong passphrases/password manager. While

Microsoft Exchange Proxyshell Vulnerability

What is the September 2021 Microsoft Exchange Proxyshell vulnerability? Exchange servers are under attack, again. These are not the Hafnium webshells; these are Proxyshells that are being used to compromise on-site Exchange environments. Microsoft’s latest patch may not be effective in keeping your Exchange environment safe. Indicators of compromise: One indicator of compromise is draft emails that were not created by the mailbox owner. Associated CVEs: CVE-2021-31207, CVE-2021-34473, CVE-2021-34523. Is there a patch available? A patch was made available by Microsoft on August 24th, 2021. These patches and vulnerabilities are now under review by Microsoft,
