Blue Team Alpha Insights

Why do attacks increase over the holidays?  In a joint cybersecurity advisory, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) warn that cyberattacks increase significantly during the holidays and encourage businesses to be aware of the heightened risks and be vigilant with network defenses.   Like weekends, cybercriminals target the US specifically during holidays because it’s a busy time of year and employees are often distracted, leaving companies vulnerable to attack. With business slowing, people on vacation and kids out of school, it’s not surprising that employees across the board pay less attention to security. Threat actors know this and aim to

Identified: May 27, 2022 Name of Vulnerability: Microsoft Office Zero Day Follina Description of Vulnerability: A new zero-day vulnerability, Microsoft Office Zero Day Follina, was discovered in Microsoft Office when a specially crafted document is downloaded and opened or viewed in explorer preview allowing arbitrary code execution. A security researcher who goes by Nao_sec discovered an odd looking Word document uploaded from an IP address in Belarus. This turned out to be a zero day vulnerability in Office and Windows. The document uses the Word remote template feature to retrieve an HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol

Ask the Experts The question: What are the most critical cyber threats of 2022? was posed to a panel that included Blue Team Alpha cyber experts Joe Kingland – CEO; Dan Wolfford – Deputy CISO; Peter Martinson – Director of Incident Response; and Sean Sullivan – Senior Incident Responder. Below is a summary of their responses based on their extensive working experience and knowledge in the field of cybersecurity.  What Are the Most Critical Cyber Threats of 2022?  Complexity of Systems  Computer systems these days are incredibly complicated, and most are comprised of a lot of different parts. Many people

What is the Vulnerability? The VMware Backdoor vulnerability is labeled CVE-2022-22954. By Exploiting the VMware IDM Service, attackers are able to run powershell to create malicious communications to the server. How Hackers Gain Access The adversaries gain initial access to the environment by exploiting CVE-2022-22954, the only one in the RCE trio that doesn’t require administrative access to the target server and also has a publicly available PoC exploit. The attack starts with executing a PowerShell command on the vulnerable service (Identity Manager), which launches a stager. The stager then fetches the PowerTrash loader from the command and control (C2)

What is the Vulnerability? A vulnerability in the Cisco Umbrella Virtual Appliance (VA) was discovered last week by Fraser Hess of Pinnacol Assurance (tracked as CVE-2022-20773). The flaw is in the key-based SSH authentication mechanism of the VA, which could allow an unauthenticated, remote attacker to impersonate a VA. Cisco Umbrella is a cloud-delivered security service used by over 24,000 organizations as DNS‑layer security against phishing, malware, and ransomware attacks. The service uses on-premise virtual machines as conditional DNS forwarders that record, encrypt, and authenticate DNS data. “This vulnerability is due to the presence of a static SSH host key.

What Occurred? Oracle has issued a Critical Patch Update which contains 520 new security patches across various product families. A few of these updates need urgent attention if you are a user of an affected product. Affected Oracle Product Families Oracle Communications Applications The update contains 39 new security patches for Oracle Communications Applications. Twenty-two of these vulnerabilities may be remotely exploitable without authentication. I.e., they may be exploited over a network without requiring user credentials. CVE-2022-21431 is a vulnerability in the Connection Manager component of the Oracle Communications Billing and Revenue Management product and it has the maximum CVSS

What is the Tarrask Malware? The Tarrask malware utilizes Windows scheduled tasks to maintain persistence on compromised hosts. An admin can profile the usage of the Task Scheduler GUI or schtasks command line utility to aid investigators in tracking this persistence mechanism. The following registry keys are created upon creation of a new task: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks{GUID} Subkeys created within the Tree path match the names of the scheduled task, and the values within it (Id, Index, and SD) contain metadata for the task registration within the system. The second subkey, created within Tasks path, is a GUID mapping

Who is HAFNIUM? HAFNIUM is a threat actor that historically targeted entities in the United States for the purpose of exfiltrating information from industry sectors. It has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. These attacks include three steps. First, gaining access to an Exchange Server either with stolen credentials or by using previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it creates a web shell to control the compromised server remotely. Third, it uses remote access ran from U.S. based private servers to steal data from

Ask the Experts The question: Why Do Cyber Threats Keep Happening? Was posed to a panel that included Blue Team Alpha cyber experts Joe Kingland – CEO; Dan Wolfford – Deputy CISO; Peter Martinson – Director of Incident Response; and Sean Sullivan – Senior Incident Responder. Below is a summary of their responses based on their working experience and knowledge in the field of cybersecurity. Why Do Cyber Threats Keep Happening? Companies don’t do a good job of keeping their systems up to date. As long as their technology is working for them in the way they want it to,

Who is Lapsus$? Lapsus$, also tracked by Microsoft’s Threat Intelligence Center (MSTIC) as DEV-0537, is a relatively new English/Portuguese online extortion group that gained notoriety after attacking Brazil’s Ministry of Health on December 10, 2021. This operator is believed to operate out of South America, likely Brazil, and targets large organizations. The group aims to ransom organizations if its demands aren’t met. Lapsus$ does not appear to encrypt data only to exfiltrate it from the organizations. The group shares its exploits on Telegram instead of the more popular darkweb forums that many threat groups use. Lapsus$ is a highly sophisticated

Quick Response (QR) codes, first developed in Japan in the 1990s, are square shaped codes that can be used for a variety of purposes. With their ability to store a lot of data, QR codes are an efficient and easy way to share and stow information. They can also be used for tracking purposes, sharing contact information, marketing promotions, ticketing, and completing contactless payments.  With the need for contactless engagement increasing during the pandemic, the use of QR codes has become even more popular. Many restaurants include QR codes on—or in place of—menus. Codes are also commonly found on business

The Threat Sandworm Sandworm, a Russian-backed hacking group, was attributed to the NotPetya attack on Ukraine in 2017. It now has developed new malware, Cyclops Blink, which targets firewall devices manufactured by WatchGuard. Cyclops Blink is a replacement framework for the VPNFilter malware that was exposed in 2018. VPNFilter exploited network devices, primarily small and home office routers and network-attached storage devices. Cyclops Blink Cyclops Blink (T1129) has been active since 2019 and its deployment appears to be indiscriminate and widespread. The threat has so far been primarily deployed on WatchGuard devices, but it is likely that Sandworm would be