If you suspect an active attack on your business, call our emergency hotline at: 612-399-9680

Blue Team Alpha Insights

The Blog

SOC 2® Assessment: Type 1 vs. Type 2 and Why a Company Should Have One

SOC 2 Type 1 and Type 2 Commonalities A SOC 2 – Type 1 and SOC 2 – Type 2 Report have many things in common – system description, management’s assertion, and a description of controls as they relate to the Trust Service Criteria. Both reports analyze and report on the design and implementation of the system description and the suitability of control design. The differentiator between the two reports is operating effectiveness. What are Controls in a SOC 2 Assessment? “Controls operating effectively provide reasonable assurance of achieving the service organization’s service commitments and system requirements based on the

Penetration Testing: What is it? How is it Priced?

Penetration (pen) testing is a method of testing network or application security. Executed by a third-party service, experienced testers attempt to access a network utilizing the same tools and attack vectors as threat actors to identify any gaps in a company’s cyber defenses. Their findings are then reported back to the company in detail. Types of Penetration Testing Internal This type of pen testing focuses on assessing any internal network weaknesses. One kind of internal pen testing is black-box testing. This is when a company provides the pen tester an IP address. They attempt to use that address to gain

Manufacturing’s Biggest Cybersecurity Issues

Manufacturing has several unique problems when it comes to cybersecurity and the threat landscape, namely a distinct lack of funding and personnel that contributes to an excess of vulnerable, outdated legacy systems. The Manufacturing Industry’s Biggest Security Problems Downtime As an industry, manufacturing is acutely vulnerable to downtime. While some industries can somewhat work around network downtime, those in manufacturing cannot because they rely on these networks to operate their machines. No working machines cause a hard, immediate stop to operations. This halt in operations then creates a heightened sense of urgency to resolve the issue. Unfortunately, this degree of

Red Team Vs. Blue Team: Differences and Benefits

Red team vs. blue team exercises are a valuable learning tool for security teams. In these scenarios, the red team simulates an attack that the blue team needs to defend against. By doing this, the blue team has the opportunity to test their skills in an active environment and better prepare for real attacks. What is the Red Team? The red team is a group of individuals experienced in penetration testing and vulnerability scanning who are tasked with simulating a cyber attack. By utilizing the same tools, techniques, and tactics that criminals use, these team members can launch a highly

U.S. Passes Two New Cybersecurity Bills Into Law

On Tuesday, June 21, 2022, President Biden signed two cybersecurity bills into law. This was a bipartisan effort, with approval from both Democratic and Republican senators and representatives, which shows the importance of improving the United States’ cybersecurity strategies. These new laws are the Federal Rotational Cyber Workforce Program Act of 2021 and the State and Local Government Cyber Security Act of 2021, per a White House press release. Federal Rotational Cyber Workforce Program Act of 2021 The Federal Rotational Cyber Workforce Program (bill S. 1097) establishes a rotational cyber workforce program within the Federal Cyber Workforce Strategy, under which

What Motivates a Hacker?

Cyber attacks happen every day, and it’s no secret that they are increasing in frequency and sophistication. While threat actors generally don’t discriminate based on company size or type of organization, the criminal’s motivation for attack generally points to the victim. Understanding the why behind a cyber attack is critical in developing effective cybersecurity strategies to protect your organization. 4 Common Motivations Monetary Motivations Monetary gain is perhaps the most common reason for hackers to attack an organization or an individual. In these cases, threat actors (often affiliated with cybercrime gangs) target companies they believe will pay a ransom to

How Do IT Directors Communicate to CFOs the Value of Cybersecurity?

IT Directors, CIOs, CISOs and Other Non-technical Decision Makers As with any corporate relationship, the one between CIOs and CFOs depends on the organization. When it comes to making cybersecurity decisions, some companies are more IT driven, with CIOs and CISOs taking the lead; other companies have CFOs and other leadership making the decisions. Budgeting also has an impact on these decisions. IT teams often have a budget for cybersecurity needs; however, CFOs will usually have the final say. For example, if a CIO needs a vulnerability management provider, they first choose the best-in-class option and then check in with

Microsoft Office Zero Day Follina

Identified: May 27, 2022 Name of Vulnerability: Microsoft Office Zero Day Follina Description of Vulnerability: A new zero-day vulnerability, Microsoft Office Zero Day Follina, was discovered in Microsoft Office: when a specially crafted document is downloaded and opened, or viewed in Explorer preview, it allows arbitrary code execution. A security researcher who goes by Nao_sec discovered an odd-looking Word document uploaded from an IP address in Belarus. This turned out to be a zero-day vulnerability in Office and Windows. The document uses the Word remote template feature to retrieve an HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol

VMware Vulnerabilities Patches

Vulnerabilities in VMware allow internal attackers to gain unauthenticated administrative access to the entire company’s infrastructure. Who is affected: Anyone using: VMware Workspace ONE Access (Access) VMware Identity Manager (vIDM) VMware vRealize Automation (vRA) VMware Cloud Foundation vRealize Suite Lifecycle Manager Authentication Bypass Vulnerability (CVE-2022-22972)* VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.* A malicious actor with network access to the UI may be able to obtain administrative

What Are the Most Critical Cyber Threats of 2022?

Ask the Experts The question “What are the most critical cyber threats of 2022?” was posed to a panel that included Blue Team Alpha cyber experts Joe Kingland – CEO; Dan Wolfford – Deputy CISO; Peter Martinson – Director of Incident Response; and Sean Sullivan – Senior Incident Responder. Below is a summary of their responses based on their extensive working experience and knowledge in the field of cybersecurity. What Are the Most Critical Cyber Threats of 2022? Complexity of Systems Computer systems these days are incredibly complicated, and most are composed of a lot of different parts. Many people

11 Ways to Boost the Cyber Defenses of a Small Business

While no business is immune to cybersecurity attacks, small and medium-sized businesses are especially vulnerable. In a survey conducted with small to medium business owners in late 2021, 42% of business owners suffered a cyber attack in the last year. Additionally, according to the U.S. Small Business Administration (SBA), 88% of small business owners feel their businesses are vulnerable to cyber attacks. Small to medium businesses remain attractive targets for cyber criminals because they have information criminals want and often have weaker security infrastructure compared to larger businesses. This means it is more important than ever to ensure that SMBs practice good cybersecurity

Cultivating a Cybersecurity Culture

The Importance of Making Cybersecurity a Part of Your Company Culture Most organizations are fully aware of the importance of effective cybersecurity strategies and the risks of what can happen without them. Companies have devoted both time and resources to training and educating their staff accordingly, but that isn’t enough. Without a valued culture of cyber awareness in an organization, the risk of an attack is higher. Often in cybersecurity incidents, the weak link into the network is a person within that organization. That could be someone who clicked the link in a phishing email, used a compromised flash drive,

VMware Backdoor Vulnerability

What is the Vulnerability? The VMware Backdoor vulnerability is labeled CVE-2022-22954. By exploiting the VMware IDM service, attackers are able to run PowerShell to create malicious communications to the server. How Hackers Gain Access The adversaries gain initial access to the environment by exploiting CVE-2022-22954, the only one in the RCE trio that doesn’t require administrative access to the target server and also has a publicly available PoC exploit. The attack starts with executing a PowerShell command on the vulnerable service (Identity Manager), which launches a stager. The stager then fetches the PowerTrash loader from the command and control (C2)

Cisco Umbrella Virtual Appliance Vulnerability

What is the Vulnerability? A vulnerability in the Cisco Umbrella Virtual Appliance (VA) was discovered last week by Fraser Hess of Pinnacol Assurance (tracked as CVE-2022-20773). The flaw is in the key-based SSH authentication mechanism of the VA, which could allow an unauthenticated, remote attacker to impersonate a VA. Cisco Umbrella is a cloud-delivered security service used by over 24,000 organizations as DNS‑layer security against phishing, malware, and ransomware attacks. The service uses on-premise virtual machines as conditional DNS forwarders that record, encrypt, and authenticate DNS data. “This vulnerability is due to the presence of a static SSH host key.

Increased Ransomware Attacks During Peak Agriculture Times

The FBI noted ransomware attacks during these seasons against six grain cooperatives during the fall 2021 harvest and two attacks in early 2022 that could impact the planting season by disrupting the supply of seeds and fertilizer. The Attacks that Occurred: In March 2022, a multi-state grain company suffered a LockBit 2.0 ransomware attack. In addition to grain processing, the company provides seed, fertilizer, and logistics services, which are critical during the spring planting season. In February 2022, a company providing feed milling and other agricultural services reported two instances in which an unauthorized actor gained access to some of

Oracle Massive Critical Patch Update

What Occurred? Oracle has issued a Critical Patch Update which contains 520 new security patches across various product families. A few of these updates need urgent attention if you are a user of an affected product. Affected Oracle Product Families Oracle Communications Applications The update contains 39 new security patches for Oracle Communications Applications. Twenty-two of these vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without requiring user credentials. CVE-2022-21431 is a vulnerability in the Connection Manager component of the Oracle Communications Billing and Revenue Management product and it has the maximum CVSS

HAFNIUM Tarrask Malware

What is the Tarrask Malware? The Tarrask malware utilizes Windows scheduled tasks to maintain persistence on compromised hosts. An admin can profile the usage of the Task Scheduler GUI or the schtasks command-line utility to aid investigators in tracking this persistence mechanism. The following registry keys are created upon creation of a new task: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}. Subkeys created within the Tree path match the names of the scheduled task, and the values within it (Id, Index, and SD) contain metadata for the task registration within the system. The second subkey, created within the Tasks path, is a GUID mapping

What to Know About the Threat Actor HAFNIUM

Who is HAFNIUM? HAFNIUM is a threat actor that historically targeted entities in the United States for the purpose of exfiltrating information from industry sectors. It has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. These attacks include three steps. First, gaining access to an Exchange Server either with stolen credentials or by using previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it creates a web shell to control the compromised server remotely. Third, it uses remote access run from U.S.-based private servers to steal data from

Ways to Harden Your Cyber Defenses Today

If someone called you right now from an unknown number, what would you do? Most people would ignore the call if they were not expecting it. This was not always the case. There was a time before caller ID in which people had to answer to find out who was calling. Now, thanks to innovations in phone technology, we can see who is calling without answering and simply ignore suspicious phone calls. If the same approach was taken towards email, a huge portion of cyber attacks could be eliminated. According to the FBI’s Internet Crime Complaint Center (IC3) Internet Crime

Why You Should Investigate IOCs, and What Can Happen if You Don’t

What is an indicator of compromise (IOC)? An indicator of compromise is a piece of digital forensic data that indicates a potential network breach. This information helps security investigators identify malicious or suspicious activity including threats, data breaches, and malware. IOCs can be collected during routine cybersecurity scans or manually if suspicious activity is detected. Since IOC identification is primarily reactive, the discovery of an IOC typically means that an organization has already been compromised. However, this detection helps organizations to stop in-process attacks sooner and reduce the attack’s impact. In addition, investigating IOCs can be used to repair existing