"Star Blizzard" should not be confused with a celestial weather phenomenon or a limited-edition threat from the Dairy Queen. This saga takes place in a digital space where the only snowflakes are the unique identifiers of each hacked system.
The audacity of Blizzard, which conducts targeted social engineering attacks on Microsoft Teams using ready-made infrastructure against everyone who uses it. The group has been doing this since November 2023, remaining unnoticed until January 12, 2024. And not just sneaking around, but camping, making a bonfire in your digital backyard while you serenely watched your favorite TV series.
In the world of cybersecurity, where the stakes are high and the attackers are always looking for the next weak link, it's a wonder that any industry can keep a straight face. So, let's all have a nervous chuckle and then maybe, just maybe, update those passwords.
Phishing is basically the type of cybercrime in which attackers imitates a real person through institution and mimics that they are sending message from an authorized organization and then take the details of the user personal identity, credit card details and any type of bank information and will breach the personal details of the user. There are many free tools to help in web based scams. Basically the free anti phishing toolbars in the below given study were examined many example in which Spoof Guard anti phishing toolbar is sufficient and good at identifying fraudulent sites and can also gave false positive results. Earth Link, Google, Net Craft, Cloud Mark and Internet Explorer seven detected many of the fraudulent or fake sites even more than 15 of fraudulent sites are false positive. Trust Watch, eBay and Netscape correctly found the fraudulent websites and by the combination of the toolbars the expected outcome came out. Dr. Lalit Pratap | Mr. Shubham Sangwan | Monika "E-Mail Phishing Prevention and Detection" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-6 | Issue-3 , April 2022, URL: https://www.ijtsrd.com/papers/ijtsrd49541.pdf Paper URL: https://www.ijtsrd.com/other-scientific-research-area/other/49541/email-phishing-prevention-and-detection/dr-lalit-pratap
The document discusses phishing attacks, which are deceptive cyberattacks where attackers disguise themselves as legitimate entities to manipulate individuals into divulging sensitive information. It describes different types of phishing attacks like email, spear, and smishing phishing. The anatomy of a phishing attack is explained as reconnaissance, creation, delivery, response, and exploitation. Techniques used in phishing attacks include spoofing, social engineering, malicious attachments/links, and impersonation. Real-world case studies and infrastructure are also outlined, along with detection and prevention methods.
Spear phishing typically uses faked correspondence from friends or associates to get someone to unwittingly download a piece of malware or to release sensitive information. The first point of contact with a potential victim is usually through email or social media. It's important to be aware of telltale signs of a spear phishing attack, and to know what to do when your business encounters them.
This document discusses phishing, whaling, and hacking case studies presented by Stephen Martin, a cybersecurity leader from a Big 4 advisory firm. It defines phishing and whaling as deceptive acts used to obtain sensitive personal or financial information from targets. It also defines hacking and describes common hacking methods like social engineering, password hacking, and malware infections. The document outlines how to protect against these threats, such as keeping software updated, using strong unique passwords, and implementing network security controls. It highlights the impact of successful phishing, whaling, and hacking attacks, including financial losses, reputation damage, and personal information theft.
Social engineering is a technique used by attackers to manipulate people into revealing confidential information through deception; it is effective because human behavior is vulnerable and there are no complete defenses against social engineering attacks. Common social engineering techniques include impersonation, pretexting, phishing emails and websites, baiting, and exploiting trust to obtain login credentials, financial details, and other sensitive data from targets. Social engineers use methods like researching targets, developing relationships, and exploiting those relationships to gather sensitive account and financial information from organizations.
Phishing is a cybercrime where an individual is contacted, usually via email or text message, by someone posing as a legitimate institution to trick them into providing sensitive personal or financial information. Phishers use social engineering techniques and information found on social media profiles to learn about their targets and make phishing messages appear authentic. Successful phishing emails can be difficult to distinguish from real messages as they often include corporate logos and links designed to look like they go to the spoofed organization in order to steal users' data and credentials.
This document discusses phishing and how to identify and prevent it. Phishing is a form of fraud where attackers masquerade as reputable entities to steal login credentials or sensitive information. There are different types of phishing like deceptive, spear, and voice phishing. Phishing emails can be identified as they are poorly written, include suspicious links or attachments, and create a sense of urgency. People should employ common sense, use security software, enable multi-factor authentication, and be wary of providing sensitive information over email to prevent phishing. The document concludes with an example of a popular phishing scam between 2013-2015 where Facebook and Google were tricked out of $100 million.
Phishing is basically the type of cybercrime in which attackers imitates a real person through institution and mimics that they are sending message from an authorized organization and then take the details of the user personal identity, credit card details and any type of bank information and will breach the personal details of the user. There are many free tools to help in web based scams. Basically the free anti phishing toolbars in the below given study were examined many example in which Spoof Guard anti phishing toolbar is sufficient and good at identifying fraudulent sites and can also gave false positive results. Earth Link, Google, Net Craft, Cloud Mark and Internet Explorer seven detected many of the fraudulent or fake sites even more than 15 of fraudulent sites are false positive. Trust Watch, eBay and Netscape correctly found the fraudulent websites and by the combination of the toolbars the expected outcome came out. Dr. Lalit Pratap | Mr. Shubham Sangwan | Monika "E-Mail Phishing Prevention and Detection" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-6 | Issue-3 , April 2022, URL: https://www.ijtsrd.com/papers/ijtsrd49541.pdf Paper URL: https://www.ijtsrd.com/other-scientific-research-area/other/49541/email-phishing-prevention-and-detection/dr-lalit-pratap
The document discusses phishing attacks, which are deceptive cyberattacks where attackers disguise themselves as legitimate entities to manipulate individuals into divulging sensitive information. It describes different types of phishing attacks like email, spear, and smishing phishing. The anatomy of a phishing attack is explained as reconnaissance, creation, delivery, response, and exploitation. Techniques used in phishing attacks include spoofing, social engineering, malicious attachments/links, and impersonation. Real-world case studies and infrastructure are also outlined, along with detection and prevention methods.
Spear phishing typically uses faked correspondence from friends or associates to get someone to unwittingly download a piece of malware or to release sensitive information. The first point of contact with a potential victim is usually through email or social media. It's important to be aware of telltale signs of a spear phishing attack, and to know what to do when your business encounters them.
This document discusses phishing, whaling, and hacking case studies presented by Stephen Martin, a cybersecurity leader from a Big 4 advisory firm. It defines phishing and whaling as deceptive acts used to obtain sensitive personal or financial information from targets. It also defines hacking and describes common hacking methods like social engineering, password hacking, and malware infections. The document outlines how to protect against these threats, such as keeping software updated, using strong unique passwords, and implementing network security controls. It highlights the impact of successful phishing, whaling, and hacking attacks, including financial losses, reputation damage, and personal information theft.
Social engineering is a technique used by attackers to manipulate people into revealing confidential information through deception; it is effective because human behavior is vulnerable and there are no complete defenses against social engineering attacks. Common social engineering techniques include impersonation, pretexting, phishing emails and websites, baiting, and exploiting trust to obtain login credentials, financial details, and other sensitive data from targets. Social engineers use methods like researching targets, developing relationships, and exploiting those relationships to gather sensitive account and financial information from organizations.
Phishing is a cybercrime where an individual is contacted, usually via email or text message, by someone posing as a legitimate institution to trick them into providing sensitive personal or financial information. Phishers use social engineering techniques and information found on social media profiles to learn about their targets and make phishing messages appear authentic. Successful phishing emails can be difficult to distinguish from real messages as they often include corporate logos and links designed to look like they go to the spoofed organization in order to steal users' data and credentials.
This document discusses phishing and how to identify and prevent it. Phishing is a form of fraud where attackers masquerade as reputable entities to steal login credentials or sensitive information. There are different types of phishing like deceptive, spear, and voice phishing. Phishing emails can be identified as they are poorly written, include suspicious links or attachments, and create a sense of urgency. People should employ common sense, use security software, enable multi-factor authentication, and be wary of providing sensitive information over email to prevent phishing. The document concludes with an example of a popular phishing scam between 2013-2015 where Facebook and Google were tricked out of $100 million.
OWASP_Presentation_FINAl. Cybercrime and cyber security awarenessMaherHamza9
The document discusses phishing attacks and mitigations. It defines phishing as a cybercrime where targets are contacted to provide sensitive data by posing as a legitimate institution. Phishing kits are used to replicate brand websites to steal data. Common types of phishing include email, SMS, phone calls and targeted spear phishing. The document outlines techniques to avoid phishing and its effects on businesses, including reputational damage, loss of customers, regulatory fines and disruption. It concludes with demonstrations of phishing methods.
Webinar - Cyber Hygiene: Stay Clean at Work and at HomeWPICPE
This document provides an overview of cybersecurity risks and strategies for risk reduction. It discusses how cyber attacks are growing threats for both businesses and individuals. Common attacker motives are financial gain and espionage. Popular attack methods include phishing emails and exploiting known software vulnerabilities. The document recommends practicing basic "cyber hygiene" behaviors like using strong passwords, updating software, and being wary of unsolicited messages. It also outlines the US National Cybersecurity Workforce Framework for implementing comprehensive cybersecurity programs in organizations.
Blue and White Minimal Professional Business Project Presentation .pptxjennblair0830
Online scams come in many forms, including phishing emails, fake websites, and social engineering scams. Scammers often target seniors, students, immigrants, and others. People sometimes fall for scams due to financial desperation, trusting fraudulent authorities, or lack of awareness of common tactics. To prevent scams, it is important to verify sources, use strong passwords and two-factor authentication, update software, educate yourself on common scams, and securely monitor online transactions and accounts. Staying informed and vigilant can help protect against evolving online threats.
Safeguarding Your Online Presence_ Social Media Cybersecurity Tips.pdfCIOWomenMagazine
Stay safe online! Protect your privacy & info with these crucial social media cybersecurity tips. From strong passwords to 2FA & privacy settings, learn how to navigate the web securely.
White Paper: Social Engineering and Cyber Attacks: The Psychology of DeceptionEMC
Social engineering relies on manipulating human psychology rather than technology. It works by exploiting human trust and emotions like fear, curiosity, and greed. Cybercriminals use social engineering tactics like phishing emails that appear to come from trusted sources to trick victims into revealing passwords and other sensitive information or downloading malware. While technology security measures are important, social engineering targets the human link. Education and awareness training to help users identify social engineering scams can help reduce the success of these attacks.
Email phishing: Text classification using natural language processingCSITiaesprime
Phishing is networked theft in which the main motive of phishers is to steal any person’s private information, its financial details like account number, credit card details, login information, payment mode information by creating and developing a fake page or a fake web site, which look completely authentic and genuine. Nowadays email phishing has become a big threat to all, and is increasing day by day. Moreover, detection of phishing emails has been considered an important research issue as phishing emails have been increasing day by day. Various techniques have been introduced and applied to deal with such a big issue. The major objective of this research paper is giving a detailed description on the classification of phishing emails using the natural language processing concepts. Natural language processing (NLP) concepts have been applied for the classification of emails; along with that accuracy rate of various classifiers have been calculated. The paper is presented in four sections. An introduction about phishing its types, its history, statistics, life cycle, motivation for phishers and working of email phishing have been discussed in the first section. The second section covers various technologies of phishing- email phishing and also description of evaluation metrics. An overview of the various proposed solutions and work done by researchers in this field in form of literature review has been presented in the third section. The solution approach and the obtained results have been defined in the fourth section giving a detailed description about NLP concepts and working procedure.
Phishing involves attempting to acquire sensitive information like usernames, passwords, and credit card details by masquerading as a trustworthy entity. It is often done through email spoofing or instant messaging to direct users to fake websites. Common phishing techniques include disguised email links and sender addresses, clickable email images leading to bogus websites, and requests for sensitive info. Users can prevent phishing by not responding to unsolicited requests for personal info, directly visiting websites instead of clicking links, monitoring accounts regularly, and being cautious with personal data.
Social Media & Social Networking: A Cautionary TaleMike Gotta
This document discusses the risks and challenges of using social media and social networking tools in an enterprise setting. It provides 8 use case scenarios that highlight potential issues such as inaccurate user profiles, information leakage, unintended automatic updates, and challenges in deciphering relationships on social platforms. The document advocates for a balanced approach using policy, oversight, education and tools to mitigate risks and leverage benefits of social technologies.
VAPT (Vulnerability Assessment and Penetration Testing) involves evaluating systems and networks to identify vulnerabilities, configuration issues, and potential routes of unauthorized access. It is recommended for SMEs due to common security issues like phishing and ransomware attacks targeting them. The document outlines the types of VAPT testing, why SMEs need it, example data breaches, and estimated costs of common cyber attacks and security services.
Social media allows users to share information publicly, but it also exposes them to various online threats. Once information is posted, it can be used to conduct attacks against both the user and their contacts. Attack methods mentioned in the document include baiting, clickjacking, cross-site scripting, doxing, elicitation, pharming, phreaking, scams, spoofing, and phishing. These attacks aim to secretly install malware, steal personal information, or trick users into revealing private details. The document advises being cautious about what information is shared online and checking URLs and email senders to avoid falling victim to such threats.
Social media allows users to share information publicly, but this exposes them to various online threats. Once information is posted, it cannot be fully retracted and can be used for attacks against the user or their contacts. Personal details shared on social media could enable baiting, clickjacking, cross-site scripting, doxing, elicitation, pharming, phreaking, scams, spoofing and phishing attacks that aim to steal sensitive data without directly interacting with social media sites. Users should be aware of these risks and avoid oversharing to stay protected from malicious actors online.
Phishing scams have evolved over time from targeting AOL users in 1995 to now using more sophisticated techniques like DNS tricks, JavaScript attacks, and spear phishing. Phishing scams aim to steal personal information like credit card numbers and account credentials through fraudulent emails or websites. To avoid phishing scams, users should be wary of unsolicited emails asking for personal information, look for misspellings or unusual URLs in links, and only access financial sites by typing URLs directly or using saved favorites.
This document discusses phishing and prevention techniques. It defines phishing as techniques used by cybercriminals to trick users into revealing sensitive information or installing malware. There are various types of phishing attacks, including email, text, phone calls, and USB devices. Phishing can be mass, spear, or target senior executives. To prevent phishing, the document recommends two-factor authentication, keeping systems updated, scrutinizing links and attachments, and being wary of requests for sensitive information.
Crypto-Book aims to allow anonymous document leaking while still verifying the credibility of sources. It works by having the whistleblower select a group of potential leakers on Facebook to form an "anonymity set". The identities of the true leaker remains hidden while the document's authenticity as coming from one of the anonymity set can be verified. SeeMail also aims to track document leaking, but through embedding unique images ("email beacons") in documents to log when and where they are accessed, raising privacy concerns Crypto-Book hopes to address.
A Deep Dive into Phishing Techniques and Countermeasures.pdfwatchyourpocketbusin
Phishing scams pose a significant risk in today's digital world, where fraudsters constantly develop new tactics to deceive individuals and obtain sensitive information. Phishing scams aim to trick victims into revealing personal details, like passwords or credit card information, which can lead to identity theft and financial loss.
This was a presentation by Hewie Poplock on Tuesday, November 15th, 2016 in the Goodwill Manasota (FL) Ranch Lake Community Room, "How to Avoid Identity Theft".
A victim of identity theft himself, Hewie will provide examples of how ID theft can happen as well as suggestions and precautions on how to prevent you and your family from becoming victims of identity theft yourselves. Topics covered included:
• What is Identity Theft
• How ID Theft Happens
• How to Protect Yourself
• Phishing
• Data Breaches
• Facebook Spoofing
• Skimmers
• Security Freeze
• On Line Shopping Safety
• Credit Card Chips
• What to Do If You are a Victim
Hewie is a former teacher, college instructor, business owner and manager, IT Manager, and web designer. He is currently semi-retired, but is active in technology user groups and frequently speaks to and teaches groups who are mostly seniors. He holds a monthly Windows Special Interest Group for a group in Orlando and has several videos on YouTube. He is an active member of The Sarasota Technology User Group.
Cyber threats aim to steal data, disrupt systems, or cause damage. Common threats include malware, social engineering, man-in-the-middle attacks, denial-of-service attacks, and injection attacks. Malware like viruses, worms, trojans, and ransomware infiltrate systems via links or downloads. Social engineering tricks users into providing access through phishing emails or texts. Man-in-the-middle attacks intercept communications to steal data or impersonate users. Denial-of-service attacks overload targets through excessive traffic to hinder functionality. Nation states, terrorist groups, criminal groups, hackers, and insiders are all potential sources of cyber threats.
Avoiding the Top Social Media Frauds in 2024 Protective Measures.pptxafiyashaikh25
🔒Protect Yourself from Online Frauds in 2024! 🛡️Don't let cybercriminals compromise your online presence. Safeguard your digital presence with knowledge and proactive measures. Our comprehensive blog sheds light on the top social media frauds of the year and equips you with the tools to defend against them.
This document provides examples of critical information and guidelines for protecting that information on social networking sites (SNS). Critical information includes names, contact details, job information, schedules and locations. The document outlines countermeasures such as using strong and unique passwords, modifying privacy settings, being wary of links and downloads, and avoiding posting critical details. It cautions that information posted can be seen forever and provides examples of how posting details online has put people at risk or caused harm. The key recommendation is to practice good operations security to minimize risks from using SNS.
Welcome to the next edition of our Monthly Digest, your one-stop resource for staying informed on the most recent developments, insights, and best practices in the ever-evolving field of security. In this issue, we have curated a diverse collection of articles, news, and research findings tailored to both professionals and casual enthusiasts. Our digest aims to make our content is both engaging and accessible. Happy reading
Another day, another CVE exploited by our favorite cyber adversaries. This time, the spotlight is on CVE-2023-42793, and let's just say, it's not getting rave reviews from the cybersecurity community.
TeamCity, for those not in the loop, is the Swiss Army knife for software developers, handling everything from compiling code to tying it up with a pretty bow. But, plot twist, it turns out to be the perfect backdoor for our cyber villains to waltz right in.
With all seriousness, the document aims to shed light on the critical cybersecurity threats posed by the exploitation of JetBrains TeamCity software. The ultimate goal is to enhance organizational cybersecurity postures, safeguarding against similar threats and contributing effectively to the collective defense against sophisticated cyber espionage activities.
-------
This document provides aт analysis of the Exploiting JetBrains TeamCity CVE advisory, as detailed in the Defense.gov publication. The analysis delves into various critical aspects of cybersecurity, focusing on the exploitation of CVEs to gain initial access to networks, deployment of custom malware.
This analysis serves as a valuable resource for cybersecurity professionals, software developers, and stakeholders in various industries, offering a detailed understanding of the tactics, techniques, and procedures (TTPs) employed by cyber actors. By providing a qualitative summary of the advisory, this document aims to enhance the cybersecurity posture of organizations, enabling them to better protect against similar threats and contribute to the collective defense against state-sponsored cyber espionage activities.
More Related Content
Similar to TechAttacks. Star Blizzard continues worldwide spear-phishing campaigns [EN].pdf
OWASP_Presentation_FINAl. Cybercrime and cyber security awarenessMaherHamza9
The document discusses phishing attacks and mitigations. It defines phishing as a cybercrime where targets are contacted to provide sensitive data by posing as a legitimate institution. Phishing kits are used to replicate brand websites to steal data. Common types of phishing include email, SMS, phone calls and targeted spear phishing. The document outlines techniques to avoid phishing and its effects on businesses, including reputational damage, loss of customers, regulatory fines and disruption. It concludes with demonstrations of phishing methods.
Webinar - Cyber Hygiene: Stay Clean at Work and at HomeWPICPE
This document provides an overview of cybersecurity risks and strategies for risk reduction. It discusses how cyber attacks are growing threats for both businesses and individuals. Common attacker motives are financial gain and espionage. Popular attack methods include phishing emails and exploiting known software vulnerabilities. The document recommends practicing basic "cyber hygiene" behaviors like using strong passwords, updating software, and being wary of unsolicited messages. It also outlines the US National Cybersecurity Workforce Framework for implementing comprehensive cybersecurity programs in organizations.
Blue and White Minimal Professional Business Project Presentation .pptxjennblair0830
Online scams come in many forms, including phishing emails, fake websites, and social engineering scams. Scammers often target seniors, students, immigrants, and others. People sometimes fall for scams due to financial desperation, trusting fraudulent authorities, or lack of awareness of common tactics. To prevent scams, it is important to verify sources, use strong passwords and two-factor authentication, update software, educate yourself on common scams, and securely monitor online transactions and accounts. Staying informed and vigilant can help protect against evolving online threats.
Safeguarding Your Online Presence_ Social Media Cybersecurity Tips.pdfCIOWomenMagazine
Stay safe online! Protect your privacy & info with these crucial social media cybersecurity tips. From strong passwords to 2FA & privacy settings, learn how to navigate the web securely.
White Paper: Social Engineering and Cyber Attacks: The Psychology of DeceptionEMC
Social engineering relies on manipulating human psychology rather than technology. It works by exploiting human trust and emotions like fear, curiosity, and greed. Cybercriminals use social engineering tactics like phishing emails that appear to come from trusted sources to trick victims into revealing passwords and other sensitive information or downloading malware. While technology security measures are important, social engineering targets the human link. Education and awareness training to help users identify social engineering scams can help reduce the success of these attacks.
Email phishing: Text classification using natural language processingCSITiaesprime
Phishing is networked theft in which the main motive of phishers is to steal any person’s private information, its financial details like account number, credit card details, login information, payment mode information by creating and developing a fake page or a fake web site, which look completely authentic and genuine. Nowadays email phishing has become a big threat to all, and is increasing day by day. Moreover, detection of phishing emails has been considered an important research issue as phishing emails have been increasing day by day. Various techniques have been introduced and applied to deal with such a big issue. The major objective of this research paper is giving a detailed description on the classification of phishing emails using the natural language processing concepts. Natural language processing (NLP) concepts have been applied for the classification of emails; along with that accuracy rate of various classifiers have been calculated. The paper is presented in four sections. An introduction about phishing its types, its history, statistics, life cycle, motivation for phishers and working of email phishing have been discussed in the first section. The second section covers various technologies of phishing- email phishing and also description of evaluation metrics. An overview of the various proposed solutions and work done by researchers in this field in form of literature review has been presented in the third section. The solution approach and the obtained results have been defined in the fourth section giving a detailed description about NLP concepts and working procedure.
Phishing involves attempting to acquire sensitive information like usernames, passwords, and credit card details by masquerading as a trustworthy entity. It is often done through email spoofing or instant messaging to direct users to fake websites. Common phishing techniques include disguised email links and sender addresses, clickable email images leading to bogus websites, and requests for sensitive info. Users can prevent phishing by not responding to unsolicited requests for personal info, directly visiting websites instead of clicking links, monitoring accounts regularly, and being cautious with personal data.
Social Media & Social Networking: A Cautionary TaleMike Gotta
This document discusses the risks and challenges of using social media and social networking tools in an enterprise setting. It provides 8 use case scenarios that highlight potential issues such as inaccurate user profiles, information leakage, unintended automatic updates, and challenges in deciphering relationships on social platforms. The document advocates for a balanced approach using policy, oversight, education and tools to mitigate risks and leverage benefits of social technologies.
VAPT (Vulnerability Assessment and Penetration Testing) involves evaluating systems and networks to identify vulnerabilities, configuration issues, and potential routes of unauthorized access. It is recommended for SMEs due to common security issues like phishing and ransomware attacks targeting them. The document outlines the types of VAPT testing, why SMEs need it, example data breaches, and estimated costs of common cyber attacks and security services.
Social media allows users to share information publicly, but it also exposes them to various online threats. Once information is posted, it can be used to conduct attacks against both the user and their contacts. Attack methods mentioned in the document include baiting, clickjacking, cross-site scripting, doxing, elicitation, pharming, phreaking, scams, spoofing, and phishing. These attacks aim to secretly install malware, steal personal information, or trick users into revealing private details. The document advises being cautious about what information is shared online and checking URLs and email senders to avoid falling victim to such threats.
Social media allows users to share information publicly, but this exposes them to various online threats. Once information is posted, it cannot be fully retracted and can be used for attacks against the user or their contacts. Personal details shared on social media could enable baiting, clickjacking, cross-site scripting, doxing, elicitation, pharming, phreaking, scams, spoofing and phishing attacks that aim to steal sensitive data without directly interacting with social media sites. Users should be aware of these risks and avoid oversharing to stay protected from malicious actors online.
Phishing scams have evolved over time from targeting AOL users in 1995 to now using more sophisticated techniques like DNS tricks, JavaScript attacks, and spear phishing. Phishing scams aim to steal personal information like credit card numbers and account credentials through fraudulent emails or websites. To avoid phishing scams, users should be wary of unsolicited emails asking for personal information, look for misspellings or unusual URLs in links, and only access financial sites by typing URLs directly or using saved favorites.
This document discusses phishing and prevention techniques. It defines phishing as techniques used by cybercriminals to trick users into revealing sensitive information or installing malware. There are various types of phishing attacks, including email, text, phone calls, and USB devices. Phishing can be mass, spear, or target senior executives. To prevent phishing, the document recommends two-factor authentication, keeping systems updated, scrutinizing links and attachments, and being wary of requests for sensitive information.
Crypto-Book aims to allow anonymous document leaking while still verifying the credibility of sources. It works by having the whistleblower select a group of potential leakers on Facebook to form an "anonymity set". The identities of the true leaker remains hidden while the document's authenticity as coming from one of the anonymity set can be verified. SeeMail also aims to track document leaking, but through embedding unique images ("email beacons") in documents to log when and where they are accessed, raising privacy concerns Crypto-Book hopes to address.
A Deep Dive into Phishing Techniques and Countermeasures.pdfwatchyourpocketbusin
Phishing scams pose a significant risk in today's digital world, where fraudsters constantly develop new tactics to deceive individuals and obtain sensitive information. Phishing scams aim to trick victims into revealing personal details, like passwords or credit card information, which can lead to identity theft and financial loss.
This was a presentation by Hewie Poplock on Tuesday, November 15th, 2016 in the Goodwill Manasota (FL) Ranch Lake Community Room, "How to Avoid Identity Theft".
A victim of identity theft himself, Hewie will provide examples of how ID theft can happen as well as suggestions and precautions on how to prevent you and your family from becoming victims of identity theft yourselves. Topics covered included:
• What is Identity Theft
• How ID Theft Happens
• How to Protect Yourself
• Phishing
• Data Breaches
• Facebook Spoofing
• Skimmers
• Security Freeze
• On Line Shopping Safety
• Credit Card Chips
• What to Do If You are a Victim
Hewie is a former teacher, college instructor, business owner and manager, IT Manager, and web designer. He is currently semi-retired, but is active in technology user groups and frequently speaks to and teaches groups who are mostly seniors. He holds a monthly Windows Special Interest Group for a group in Orlando and has several videos on YouTube. He is an active member of The Sarasota Technology User Group.
Cyber threats aim to steal data, disrupt systems, or cause damage. Common threats include malware, social engineering, man-in-the-middle attacks, denial-of-service attacks, and injection attacks. Malware like viruses, worms, trojans, and ransomware infiltrate systems via links or downloads. Social engineering tricks users into providing access through phishing emails or texts. Man-in-the-middle attacks intercept communications to steal data or impersonate users. Denial-of-service attacks overload targets through excessive traffic to hinder functionality. Nation states, terrorist groups, criminal groups, hackers, and insiders are all potential sources of cyber threats.
Avoiding the Top Social Media Frauds in 2024 Protective Measures.pptxafiyashaikh25
🔒Protect Yourself from Online Frauds in 2024! 🛡️Don't let cybercriminals compromise your online presence. Safeguard your digital presence with knowledge and proactive measures. Our comprehensive blog sheds light on the top social media frauds of the year and equips you with the tools to defend against them.
This document provides examples of critical information and guidelines for protecting that information on social networking sites (SNS). Critical information includes names, contact details, job information, schedules and locations. The document outlines countermeasures such as using strong and unique passwords, modifying privacy settings, being wary of links and downloads, and avoiding posting critical details. It cautions that information posted can be seen forever and provides examples of how posting details online has put people at risk or caused harm. The key recommendation is to practice good operations security to minimize risks from using SNS.
Similar to TechAttacks. Star Blizzard continues worldwide spear-phishing campaigns [EN].pdf (20)
Welcome to the next edition of our Monthly Digest, your one-stop resource for staying informed on the most recent developments, insights, and best practices in the ever-evolving field of security. In this issue, we have curated a diverse collection of articles, news, and research findings tailored to both professionals and casual enthusiasts. Our digest aims to make our content is both engaging and accessible. Happy reading
Another day, another CVE exploited by our favorite cyber adversaries. This time, the spotlight is on CVE-2023-42793, and let's just say, it's not getting rave reviews from the cybersecurity community.
TeamCity, for those not in the loop, is the Swiss Army knife for software developers, handling everything from compiling code to tying it up with a pretty bow. But, plot twist, it turns out to be the perfect backdoor for our cyber villains to waltz right in.
With all seriousness, the document aims to shed light on the critical cybersecurity threats posed by the exploitation of JetBrains TeamCity software. The ultimate goal is to enhance organizational cybersecurity postures, safeguarding against similar threats and contributing effectively to the collective defense against sophisticated cyber espionage activities.
-------
This document provides aт analysis of the Exploiting JetBrains TeamCity CVE advisory, as detailed in the Defense.gov publication. The analysis delves into various critical aspects of cybersecurity, focusing on the exploitation of CVEs to gain initial access to networks, deployment of custom malware.
This analysis serves as a valuable resource for cybersecurity professionals, software developers, and stakeholders in various industries, offering a detailed understanding of the tactics, techniques, and procedures (TTPs) employed by cyber actors. By providing a qualitative summary of the advisory, this document aims to enhance the cybersecurity posture of organizations, enabling them to better protect against similar threats and contribute to the collective defense against state-sponsored cyber espionage activities.
So, here we have a riveting tale from the NSA, spinning a yarn about the dark arts of Living Off the Land (LOTL) intrusions. It's like a bedtime story for cyber security folks, but instead of dragons, we have cyber threat actors wielding the mighty power of... legitimate tools? Yep, you heard it right. These digital ninjas are sneaking around using the very tools we rely on daily, turning our digital sanctuaries into their playgrounds.
The document, in its infinite wisdom, distills the essence of the NSA's advisory into bite-sized, actionable insights. Security pros, IT wizards, policymakers, and anyone who's ever touched a computer – rejoice! You now have the secret sauce to beef up your defenses against these stealthy intruders. Thanks to the collective brainpower of cybersecurity's Avengers – the U.S., Australia, Canada, the UK, and New Zealand – we're privy to the secrets of thwarting LOTL techniques.
With all seriousness, this document aims to equip professionals with the knowledge and tools necessary to combat the increasingly sophisticated LOTL cyber threats. By adhering to the NSA's advisory, organizations retrospectively can significantly enhance their security posture, ensuring a more secure and resilient digital environment against adversaries who exploit legitimate tools for malicious purposes.
-------
This document provides an in-depth analysis of the National Security Agency's (NSA) advisory on combatting cyber threat actors who perpetrate Living Off the Land (LOTL) intrusions. The analysis encompasses a thorough examination of the advisory's multifaceted approach to addressing LOTL tactics, which are increasingly leveraged by adversaries to exploit legitimate tools within a target's environment for malicious purposes.
The analysis offers a high-quality summary of the NSA's advisory, distilling its key points into actionable insights. It serves as a valuable resource for security professionals, IT personnel, policymakers, and stakeholders across various industries, providing them with the knowledge to enhance their defensive capabilities against sophisticated LOTL cyber threats. By implementing the advisory's recommendations, these professionals can improve their situational awareness, refine their security posture, and develop more robust defense mechanisms to protect against the subtle and stealthy nature of LOTL intrusions.
PureVPN presents itself as a beacon of online privacy and security in the vast and murky waters of the internet.
In the grand tradition of "security first", we find ourselves marveling at the latest contributions to the cybersecurity hall of fame: CVE-2023-38043, CVE-2023-35080, and CVE-2023-38543. These vulnerabilities, discovered in the Avanti Secure Access Client, previously known as Pulse Secure VPN, have opened up a new chapter in the saga of "How Not To VPN".
-------
This document presents a analysis of the vulnerabilities identified in Ivanti Secure Access VPN (Pulse Secure VPN) with their potential impact on organizations that rely on this VPN. The analysis delves into various aspects of these vulnerabilities, including their exploitation methods, potential impacts, and the challenges encountered during the exploitation process.
The document provides a qualitative summary of the analyzed vulnerabilities, offering valuable insights for cybersecurity professionals, IT administrators, and other stakeholders in various industries. By understanding the technical nuances, exploitation methods, and mitigation strategies, readers can enhance their organizational security posture against similar threats.
This analysis is particularly beneficial for security professionals seeking to understand the intricacies of VPN vulnerabilities and their implications for enterprise security. It also serves as a resource for IT administrators responsible for maintaining secure VPN configurations and for industry stakeholders interested in the broader implications of such vulnerabilities on digital security and compliance.
What a joyous day it was on October 31, 2023, when Atlassian graciously informed the world about CVE-2023-22518, a delightful little quirk in all versions of Confluence Data Center and Server. This minor hiccup, a mere improper authorization vulnerability, offers the thrilling possibility for any unauthenticated stranger to waltz in, reset Confluence, and maybe, just maybe, take the whole system under their benevolent control. Initially, this was given a modest CVSS score of 9.1, but because we all love a bit of drama, it was cranked up to a perfect 10, thanks to some lively exploits and a charming group of enthusiasts known as 'Storm-0062'.
In a heroic response, Atlassian released not one, but five shiny new versions of Confluence (7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1) to put a dampener on the festivities. They've kindly suggested that perhaps, just maybe, organizations might want to consider updating to these less fun versions to avoid any uninvited guests. And, in a stroke of genius, they recommend playing hard to get by restricting external access to Confluence servers until such updates can be applied. Cloud users, you can sit back and relax; this party is strictly on-premise.
This whole saga really highlights the thrill of living on the edge in the digital world, reminding us all of the sheer excitement that comes with the need for timely patching and robust security measures.
-------
This document presents a analysis of CVE-2023-22518, an improper authorization vulnerability in Atlassian Confluence Data Center and Server. The analysis will cover various aspects of the vulnerability, including its discovery, impact, exploitation methods, and mitigation strategies.
Security professionals will find the analysis particularly useful as it offers actionable intelligence, including indicators of compromise and detailed mitigation steps. By understanding the root causes, exploitation methods, and effective countermeasures, security experts can better protect their organizations from similar threats in the future.
BianLian ransomware has shown a remarkable ability to adapt and evolve faster than a chameleon at a disco. Initially an Android banking trojan, it decided that was too mainstream and reinvented itself as a ransomware strain in July 2022, because why not join the lucrative world of digital extortion?
BianLian targets just about anyone it can, from healthcare and education to government entities, because diversity is key in the world of cybercrime. It's not picky about its victims, much like a buffet enthusiast at an all-you-can-eat restaurant.
In a twist that would make a soap opera writer proud, BianLian ditched its encryption antics after Avast released a decryptor and now they focus on data exfiltration, threatening to spill your secrets unless you pay up, like a cyber version of "I know what you did last summer."
-------
This document provides an analysis of the Bian Lian ransomware, a malicious software that has been increasingly targeting various sectors with a focus on data exfiltration-based extortion. The analysis delves into multiple aspects of ransomware, including its operational tactics, technical characteristics, and the implications of its activities on cybersecurity.
The analysis of BianLian ransomware is particularly useful for security professionals, IT personnel, and organizations across various industries. It equips them with the knowledge to understand the threat landscape, anticipate potential attack vectors, and implement robust security protocols to mitigate risks associated with ransomware attacks.
Oh, where do we even start with the digital drama that is Anonymous Sudan? Picture this: a group of "hacktivists" (because apparently, that's a career choice now) decides to throw the digital equivalent of a temper tantrum across the globe. From the comfort of their mysterious lairs, they've been unleashing chaos since January 2023, targeting anyone from Sweden to Australia.
There's a twist! Despite their name, there's a juicy conspiracy theory that these digital vigilantes are actually Russian state-sponsored actors in disguise (guess the name of country who announces this theory and spent USD money to promote it?). Yes, you heard that right. They've been dropping hints in Russian, cheering for Russian government, and hanging out with their BFFs in the hacking group KillNet. Anonymous Sudan, however, is adamant they're the real deal, proudly Sudanese and not just some Russian operatives on a digital espionage mission.
Either way, they've certainly made their mark on the world, one DDoS attack at a time.
-------
This document provides a analysis of the hacktivist group known as Anonymous Sudan. The analysis delves into various aspects of the group's activities, including their origins, motivations, methods, and the implications of their actions. It offers a qualitative unpacking of the group's operations, highlighting key findings and patterns in their behavior.
The insights gained from this analysis are useful for cyber security experts, IT professionals, and law enforcement agencies. Understanding the modus operandi of Anonymous Sudan equips these stakeholders with the knowledge to anticipate potential attacks, strengthen their defenses, and develop effective countermeasures against similar hacktivist threats
What a dramatic cyber soap opera we've witnessed with the Alpha ransomware group, also known by their edgy alias, BlackCat. It's like a game of digital whack-a-mole, with the FBI and friends swinging the mallet of justice and the ransomware rascals popping up with a cheeky "unseized" banner as if they're playing a high-stakes game of capture the flag.
The FBI's initial victory lap was cut short when AlphV's site reemerged, now mysteriously devoid of any incriminating victim lists.
Will the FBI finally pin the cyber tail on the Black Cat, or will these digital desperados slip away once more? Stay tuned for the next episode of "Feds vs. Felons: The Cyber Chronicles."
-------
This document presents a analysis of the Alpha ransomware site, associated with the ransomware group also known as BlackCat. The analysis covers the ransomware technical details, including its encryption mechanisms, initial access vectors, lateral movement techniques, and data exfiltration methods.
The insights gained from this analysis are important for cybersecurity practitioners, IT professionals, and policymakers. Understanding the intricacies of AlphV/BlackCat ransomware enables the development of more effective defense mechanisms, enhances incident response strategies.
The infamous Mallox is the digital Robin Hoods of our time, except they steal from everyone and give to themselves. Since mid-2021, they've been playing hide and seek with unsecured Microsoft SQL servers, encrypting data, and then graciously offering to give it back for a modest Bitcoin donation.
Mallox decided to go shopping for new malware toys, adding the Remcos RAT, BatCloak, and a sprinkle of Metasploit to their collection. They're now playing a game of "Catch me if you can" with antivirus software, using their FUD obfuscator packers to turn their ransomware into the digital equivalent of a ninja.
-------
This document provides a analysis of the Target Company ransomware group, also known as Smallpox, which has been rapidly evolving since its first identification in June 2021.
The analysis delves into various aspects of the group's operations, including its distinctive practice of appending targeted organizations' names to encrypted files, the evolution of its encryption algorithms, and its tactics for establishing persistence and evading defenses.
The insights gained from this analysis are crucial for informing defense strategies and enhancing preparedness against such evolving cyber threats.
In the world of cyber warfare, where the stakes are as high as the egos, the Cyber Toufan Al-Aqsa hacking group burst onto the scene in 2023 with all the subtlety of a bull in a China shop. They've been busy bees, buzzing from one Israeli company to another, leaving a trail of digital chaos in their wake. And who's behind this masquerade of mischief? Well, the jury's still out, but fingers are wagging towards Iran, because if you're going to accuse someone of cyber shenanigans, it might as well be your geopolitical frenemy, right?
-------
This document presents an analysis of the Cyber Toufan Al-Aqsa hacking group, a newly emerged cyber threat that has rapidly gained notoriety for its sophisticated cyberattacks primarily targeting Israeli organizations.
The analysis delves into various aspects of the group's operations, including its background and emergence, modus operandi, notable attacks and breaches, alleged state sponsorship, and the implications of its activities for cybersecurity professionals and other specialists across different industries. It also aims to highlight its significant impact on cybersecurity practices and the broader geopolitical landscape.
The analysis serves as a valuable resource for cybersecurity professionals, IT specialists, and industry leaders, offering insights into the challenges and opportunities presented by the evolving cyber threat landscape.
Here comes another enlightening document that dives into the thrilling world of breaking BitLocker, Windows' attempt at full disk encryption.
This analysis will walk you through the myriad of creative hacks, from the classic cold boot attacks—because who doesn't love freezing their computer to steal some data—to exploiting those oh-so-reliable TPM chips that might as well have a "hack me" sign on them.
We'll also cover some software vulnerabilities, because Microsoft just wouldn't be the same without a few of those sprinkled in for good measure. And let's not forget about intercepting those elusive decryption keys; it's like a digital treasure hunt!
So, whether you're a security expert, a forensic analyst, or just a curious cat in the world of cybersecurity, enjoy the read, and maybe keep that data backed up somewhere safe, yeah?
-------
This document provides a comprehensive analysis of the method demonstrated in the video "Breaking Bitlocker - Bypassing the Windows Disk Encryption" where the author showcases a low-cost hardware attack capable of bypassing BitLocker encryption. The analysis will cover various aspects of the attack, including the technical approach, the use of a Trusted Platform Module (TPM) chip, and the implications for security practices.
The analysis provides a high-quality summary of the demonstrated attack, ensuring that security professionals and specialists from different fields can understand the potential risks and necessary countermeasures. The document is particularly useful for cybersecurity experts, IT professionals, and organizations that rely on BitLocker for data protection and to highlight the need for ongoing security assessments and the potential for similar vulnerabilities in other encryption systems.
In a twist of snarky irony, the very technology that powers our AI and machine learning models is now the target of a new vulnerability, dubbed "LeftoverLocals". Disclosed by Trail of Bits, this security flaw allows the recovery of data from GPU local memory created by another process, affecting Apple, Qualcomm, AMD, and Imagination GPUs
In this document, we provide a detailed analysis of the "LeftoverLocals" CVE-2023-4969 vulnerability, which has significant implications for the integrity of GPU applications, particularly for large language models (LLMs) and machine learning (ML) models executed on affected GPU platforms, including those from Apple, Qualcomm, AMD, and Imagination.
This document provides valuable insights for cybersecurity professionals, DevOps teams, IT specialists, and stakeholders in various industries. The analysis is designed to enhance the understanding of GPU security challenges and to assist in the development of effective strategies to safeguard sensitive data against similar threats in the future.
CRAFTED BY THE DIGITAL ARTISANS KNOWN AS SANDWORM, THE CHISEL IS NOT JUST MALWARE; IT'S A MASTERPIECE OF INTRUSION. THIS COLLECTION OF DIGITAL TOOLS DOESN'T JUST SNEAK INTO ANDROID DEVICES; IT SETS UP SHOP, KICKS BACK WITH A MARTINI, AND GETS TO WORK EXFILTRATING ALL SORTS OF JUICY INFORMATION. SYSTEM DEVICE INFO, COMMERCIAL APPLICATION DATA, AND OH, LET'S NOT FORGET THE PIÈCE DE RÉSISTANCE, MILITARY-SPECIFIC APPLICATIONS. BECAUSE WHY GO AFTER BORING, EVERYDAY DATA WHEN YOU CAN DIVE INTO THE SECRETS OF THE MILITARY?
THE CHISEL DOESN'T JUST EXFILTRATE DATA; IT CURATES IT. LIKE A CONNOISSEUR OF FINE WINES, IT SELECTS ONLY THE MOST EXQUISITE INFORMATION TO SEND BACK TO ITS CREATORS. SYSTEM DEVICE INFORMATION? CHECK. COMMERCIAL APPLICATION DATA? CHECK. MILITARY SECRETS THAT COULD POTENTIALLY ALTER THE COURSE OF INTERNATIONAL RELATIONS? DOUBLE-CHECK. IT'S NOT JUST STEALING; IT'S AN ART FORM.
In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out and decided to get in on the cyber attack action. Business services won the "most likely to get digitally mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning hackers, because who doesn't love untraceable money?
The average enterprise ransom payment soared to over $100,000, with demands averaging a cool $5.3 million. But here's the kicker: 80% of organizations have a "Do-Not-Pay" policy, and yet, 41% ended up paying the ransom last year. And for those thinking insurance might save the day, think again. A whopping 77% of organizations found out the hard way that ransomware is the party crasher not covered by their security insurance. It's like showing up to a hurricane with an umbrella.
With Ransomware as a Service (RaaS) making it easier for any wannabe cybercriminal to join the fun, we can only expect more chaos, more victims, and more snarky retellings like this one. So, here's to 2023, a year that will be remembered not for technological breakthroughs or cyber defense victories, but for the sheer audacity and success of ransomware groups. May 2024 be a bit less... successful for them.
The Kings of Brute-Force and DDoS Meet KillNet [EN].pdfOverkill Security
KillNet has risen to the top of the cyber activity leaderboard, eclipsing over a hundred other groups in grandiose proxy cyber wars. Their favorite weapon? A very sophisticated distributed Denial of Service (DDoS) attack that hits a sore spot: vital infrastructure, government services, airport websites and, why not, media companies in NATO countries. Europe is their favorite playground, where more than 180 attacks have been reported, while North America is in the corner with less than 10. However, they are not picky: the financial industry, transportation, government agencies and business services. Healthcare in the USA? Taken aim at. Gov websites from Romania to the United States? The following.
To prove themselves as professionals in their field, they expanded their activities, moving from using ready-made tools to creating their own... with a subscription to let you share your achievements.
The action of the next cyber saga takes place in the mystical lands of the Asia-Pacific region, where the main characters began their digital activities in the middle of 2021 and qualitatively strengthened it in 2022. Corporate espionage, document theft, audio recordings, and data leaks from messaging platforms were all a matter of one day for Dark Pink. Their geographical focus may have started in the Asia-Pacific region, but their ambitions knew no bounds, targeting a European government ministry in a bold move to expand their portfolio. Their victim profile was as diverse as a UN meeting, targeting military organizations, government agencies, and even a religious organization. Because discrimination is not a fashionable agenda.
In the world of cybercrime, they serve as a reminder that sometimes the most serious threats come in the most unassuming packages with a pink bow.
CVE-2024-0204 is like a key under the mat that has not been authenticated and wants to create its own administrator user. This vulnerability can be exploited remotely and is a classic example of CWE-425: "Forced access when a web application is simply too polite to provide proper authorization." Once they've tiptoed through the secret passage, they can create an admin user with read, write, command execution, access sensitive data, deploy malware, or just take complete control because, why not? It's free-for-all!
Vulnerable versions 6.x starting from 6.0.1 and version 7.x up to 7.4.1, in which they decided to hang a lock on the door. If you're feeling DIY, the advisory suggests a workaround: delete the endpoint /InitialAccountSetup.xhtml and restart the service. For those fancy container-deployed instances, just replace the file with an empty one and give it a good ol' reboot.
Welcome to the next edition of our Monthly Digest, your one-stop resource for staying informed on the most recent developments, insights, and best practices in the ever-evolving field of security. In this issue, we have curated a diverse collection of articles, news, and research findings tailored to both professionals and casual enthusiasts. Our digest aims to make our content is both engaging and accessible. Happy reading
Fueling AI with Great Data with Airbyte WebinarZilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxSitimaJohn
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Speck&Tech
ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune.
Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile.
BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Webinar: Designing a schema for a Data WarehouseFederico Razzoli
Are you new to data warehouses (DWH)? Do you need to check whether your data warehouse follows the best practices for a good design? In both cases, this webinar is for you.
A data warehouse is a central relational database that contains all measurements about a business or an organisation. This data comes from a variety of heterogeneous data sources, which includes databases of any type that back the applications used by the company, data files exported by some applications, or APIs provided by internal or external services.
But designing a data warehouse correctly is a hard task, which requires gathering information about the business processes that need to be analysed in the first place. These processes must be translated into so-called star schemas, which means, denormalised databases where each table represents a dimension or facts.
We will discuss these topics:
- How to gather information about a business;
- Understanding dictionaries and how to identify business entities;
- Dimensions and facts;
- Setting a table granularity;
- Types of facts;
- Types of dimensions;
- Snowflakes and how to avoid them;
- Expanding existing dimensions and facts.
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Digital Marketing Trends in 2024 | Guide for Staying AheadWask
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
Digital Marketing Trends in 2024 | Guide for Staying Ahead
TechAttacks. Star Blizzard continues worldwide spear-phishing campaigns [EN].pdf
1. Read more: Boosty
I. INTRODUCTION
Star Blizzard, also known as the Callisto Group,
SEABORGIUM, BlueCharlie, TA446, COLDRIVER, and
TAG-53 is known for targeting governmental organizations,
defense industry, academia, think tanks, NGOs, politicians, and
others in the U.S., UK, other NATO countries, and countries
neighboring Russia.
Star Blizzard's spear-phishing campaigns typically involve
sending spoofed emails that appear to be from legitimate
individuals or organizations. These emails are designed to trick
victims into providing their email account credentials, which the
group then uses to gain unauthorized, persistent access to the
victims' email accounts. Once they gain access, Star Blizzard is
known to set up mail forwarding rules, granting them ongoing
visibility of a victim’s correspondence and contact lists, and
using this information for follow-on targeting and phishing
activities.
II. COMMON TARGETS OF SPEAR-PHISHING ATTACKS
Spear-phishing campaigns typically target specific
individuals or organizations with the goal of stealing sensitive
information such as login credentials or infecting systems with
malware. The targets are often carefully researched to increase
the likelihood of a successful attack. Here are some common
targets:
• High-ranking officials within organizations: These
individuals often have access to sensitive information,
making them attractive targets for spear-phishing
campaigns
• Individuals involved in confidential operations:
People who handle sensitive data or operations within a
company are often targeted due to the valuable
information they can provide
• Specific employees within a company: Spear-phishing
campaigns may target specific employees within a
company, especially those who have access to valuable
data or systems
• Specific organizations: Organizations themselves can
be targets of spear-phishing campaigns, especially those
in sectors like government, defense, academia, and non-
governmental organizations (NGOs)
• Social media users: Spear-phishers often use social
media and other publicly available sources to gather
information about potential targets
Recent years have seen a variety of spear phishing attacks,
some of which include:
• Fake Websites: Attackers create counterfeit websites
that mimic legitimate ones to deceive individuals into
entering their personal information
• CEO Fraud: This involves impersonating a high-level
executive and sending emails to employees, often in the
finance department, to authorize wire transfers to
fraudulent accounts
• Malware: Emails with malicious attachments or links
that install malware on the victim's device when opened
• Smishing and Vishing: These are forms of spear
phishing via SMS (smishing) or voice calls (vishing),
where attackers pose as legitimate entities to extract
personal details or financial information
Spear phishing campaigns use various tactics to increase
their success rate:
• Target Selection: Attackers choose individuals or
organizations with potential access to valuable data or
financial gain
• Reconnaissance: Extensive research is conducted on
the target to gather personal information, job roles, and
interests
• Personalization: Emails are crafted using the target's
specific information to appear credible and relevant
• Urgency and Pressure: Messages often convey a sense
of urgency or pressure to prompt immediate action from
the target
• Shared Interests: Attackers may exploit known
interests of the target to create a convincing pretext for
the email
• Authority: Impersonating someone in a position of
authority or a known contact to elicit trust and
compliance
III. TARGETS OF STAR BLIZZARD CAMPAIGNS
Star Blizzard has targeted a variety of sectors and individuals
since 2019, including:
2. Read more: Boosty
• Academia: Educational institutions and individuals
associated with research or possessing valuable
intellectual property
• Defense: Entities within the defense sector, including
contractors and suppliers to the military and defense
industry
• Governmental Organizations: Various government
agencies and departments that have access to sensitive
national security information
• Non-Governmental Organizations (NGOs): These
organizations may be targeted for their involvement in
sensitive political, social, or humanitarian activities
• Think Tanks: Organizations that perform research and
advocacy on topics such as social policy, political
strategy, economy, military, technology, and culture
• High-Profile Individuals: Politicians and other
individuals who may have access to confidential
information or influence over important decisions
Specific Targets of Star Blizzard's Spear-Phishing
Campaigns:
• Personal Email Addresses: They have
predominantly sent spear-phishing emails to
targets' personal email addresses, which may have
less stringent security controls than corporate or
business email addresses
• Corporate or Business Email Addresses: They
have also used targets' corporate or business email
addresses, indicating a comprehensive approach to
targeting both personal and professional aspects of
their victims' lives
• Mailing List Data and Contacts: By gaining
access to a victim's email account, they have
accessed mailing list data and a victim's contacts
list, which they then use for follow-on targeting and
further phishing activities
• Compromised Email Accounts: These are used
for additional phishing activity, indicating a cycle
of compromise and exploitation that can self-
perpetuate and expand the scope of their campaigns
A. Common Themes or Subjects in Star Blizzard's Spear-
Phishing Emails
Star Blizzard's spear-phishing emails often revolve around
topics of interest to the target, which they identify through
extensive research using open-source resources, including social
media and professional networking platforms. They may
impersonate known contacts of their targets or respected experts
in the field, and create email accounts and fake social media or
networking profiles to engage their targets.
B. Common Attachments or Links Included in Star Blizzard's
Spear-Phishing Emails
Star Blizzard's spear-phishing emails often contain
malicious links or attachments. These are designed to trick the
victim into providing their email account credentials, which the
group then uses to gain unauthorized, persistent access to the
victims' email accounts. They also create malicious domains that
resemble legitimate organizations.
C. Common Indicators of Compromise (IOCs) Associated
with Star Blizzard's Spear-Phishing Campaigns
Common IOCs associated with Star Blizzard's spear-
phishing campaigns include:
• Unauthorized access to personal and corporate email
accounts
• Setting up of mail-forwarding rules, which gives them
ongoing visibility of a victim’s correspondence and
contact lists
• Access to mailing list data and a victim’s contacts list,
which they then use for follow-on targeting
• Use of compromised email accounts for further phishing
activity
• Use of the open-source framework Evilginx in their
spear-phishing campaigns, which allows them to harvest
credentials and session cookies to bypass the use of two-
factor authentication
D. Common File Types Included in Star Blizzard's Spear-
Phishing Emails
Star Blizzard often includes malicious attachments in their
spear-phishing emails and use file types such as PDFs, Word
documents (.doc, .docx), Excel spreadsheets (.xls, .xlsx), or
other types of files that can contain embedded scripts or macros
E. Common Domains or URLs Used in Star Blizzard's Spear-
Phishing Campaigns
Star Blizzard has been known to use URLs that mimic
legitimate file-sharing services. Some of the URLs look like this:
• https://drive.google.com/file/d/XXXXXXXXXXXXX
X/view?usp=sharing
• https://onedrive.live.com/?authkey=%XXXXXXXXX
XXXXXXXXXXXXXXXXX%XXXX&cid=8XXXX
XXXXX9B7
• https://www.dropbox.com/s/XXXXXXXXXXXXX/St
ar_Blizzard_Report.pdf?dl=0
These URLs may look legitimate, but they are actually
designed to trick victims into entering their credentials or
downloading malicious files
IV. TECHNIQUES OF STAR BLIZZARD CAMPAIGNS
A. Specific Techniques Used by Star Blizzard in Their Spear-
Phishing Campaigns
Star Blizzard uses a variety of techniques in their spear-
phishing campaigns:
• Targeted Emails: They predominantly send spear-
phishing emails to targets' personal email addresses,
although they have also used targets' corporate or
business email addresses
3. Read more: Boosty
• Impersonation: They create email accounts
impersonating known contacts of their targets. They also
create fake social media or networking profiles that
impersonate respected experts
• Malicious Domains: They create malicious domains
resembling legitimate organizations
• Evilginx: Star Blizzard actors use the open-source
framework Evilginx in their spear-phishing campaigns,
which allows them to harvest credentials and session
cookies to bypass the use of two-factor authentication
• Mail Forwarding: After compromising the target's
credentials, Star Blizzard sets up mail forwarding rules
to establish ongoing visibility of a victim’s
correspondence and contact lists
B. Common Social Engineering Techniques Used by Star
Blizzard
Star Blizzard's social engineering techniques include:
• Research and Preparation: They conduct extensive
research using social media and professional networking
platforms to identify topics of interest to engage their
target
• Impersonation: They create email accounts and fake
social media or networking profiles impersonating
known contacts or respected experts
• Building Rapport: By leveraging the information
gathered, they build a rapport with the target to make
their spear-phishing attempts more convincing
• Email Delivery: The emails are crafted to appear
legitimate and relevant to the target's interests or
responsibilities, often containing malicious links or
attachments
• PDF Lures: The PDF file sent by Star Blizzard is
typically unreadable, with a prominent button
purporting to enable reading the content. Pressing the
button causes the default browser to open a link
embedded in the PDF, leading to a credential-stealing
V. NEW TACTICS, TECHNIQUES, AND PROCEDURES (TTPS)
AND EVASION TECHNIQUES OF STAR BLIZZARD
Star Blizzard has notably enhanced its ability to evade
detection since 2022, focusing on improving its detection
evasion capabilities. It was identified five new Star Blizzard
evasive techniques:
• Use of Email Marketing Platforms: Star Blizzard
has begun to utilize email marketing services like
Mailerlite and HubSpot for directing phishing
campaigns
• Password-Protected PDF Lure Documents: To aid
in sneaking past email filters, Star Blizzard has
started using password-protected PDF lure
documents
• Use of Compromised Victim Email Accounts:
They often use compromised victim email accounts
to conduct spear-phishing activity against contacts
of the original victim
• Malicious Links in Email Attachments: They use
malicious links embedded in email attachments to
direct victims to their credential-stealing sites
• Use of Compromised Credentials: Star Blizzard has
been observed using compromised credentials,
captured from fake log-in pages, to log in to valid
victim user accounts
A. Server-side scripts
Star Blizzard has started using server-side scripts to prevent
automated scanning of their actor-controlled servers. This tactic
is an interesting approach that enhances their evasion
capabilities.
Server-side scripts are scripts that run on the server, as
opposed to client-side scripts that run in the user's browser. By
using server-side scripts, Star Blizzard can control what
information is sent to the client and what is kept on the server,
making it harder for automated scanning tools to detect
malicious activity.
The use of server-side scripts is part of a shift in tactics by
Star Blizzard, demonstrating their adaptability and
sophistication in evasion techniques. This tactic, along with
others such as the use of email marketing platforms, password-
protected PDF lure documents, and the use of compromised
victim email accounts, has allowed Star Blizzard to continue its
spear-phishing campaigns with increased stealth.
Here are some examples of functions that these server-side
scripts might perform:
• Collect and Send User Data: In April 2023, Star
Blizzard was observed moving away from using
hCaptcha servers as the sole initial redirection. Instead,
they started executing JavaScript code titled 'Collect and
Send User Data' before redirecting the user
• Refining the JavaScript Code: In May 2023, the threat
actor refined the JavaScript code, resulting in an updated
version titled 'Docs', which is still in use today
• Assessing the User's Environment: The server-side
JavaScript code is used to assess the user's environment.
This information can be used to tailor the attack to the
specific user, increasing the chances of success
The functions pluginsEmpty(), isAutomationTool(), and
sendToBackend(data) are examples of the methods used in these
scripts.
• pluginsEmpty(): This function checks if the plugins
property of the navigator object is empty. Automated
scanning tools often do not emulate plugins, so this
function can help Star Blizzard identify and ignore such
tools.
• isAutomationTool(): This function checks for signs
that the client is an automated tool rather than a human
user. This could involve checking for specific user agent
4. Read more: Boosty
strings, the presence of certain JavaScript properties, or
the speed of interactions.
• sendToBackend(data): This function sends collected
data back to the server. The data could include the
results of the previous checks or other information about
the client's environment. This information can be used
to tailor the attack to the specific user, increasing the
chances of success.
B. Email marketing platform services
Star Blizzard has begun to utilize email marketing services
like Mailerlite and HubSpot for directing its phishing
campaigns. These platforms allow the threat actor to create an
email campaign, which provides them with a dedicated
subdomain on the service that is then used to create URLs. These
URLs act as the entry point to a redirection chain ending at actor-
controlled servers.
The use of these services offers several advantages to the
threat actor. Firstly, emails sent through these platforms may be
less likely to be flagged as spam or malicious by email filters, as
they come from reputable services. Secondly, these platforms
often provide tracking capabilities, allowing the threat actor to
monitor the success of their campaigns.
Most Star Blizzard HubSpot email campaigns have targeted
multiple academic institutions, think tanks, and other research
organizations using a common theme, aimed at obtaining their
credentials for a US grants management portal.
C. DNS provider
Star Blizzard has been using a Domain Name Service (DNS)
provider to resolve actor-controlled domain infrastructure. This
tactic allows the threat actor to manage and control the domains
used in their attacks.
The use of a DNS provider offers several advantages to the
threat actor. Firstly, it allows them to set up new domains
quickly and easily for their attacks. Secondly, it can make it
harder for defenders to block or take down the domains, as they
are managed by a third-party service.
D. Randomizing DGA for actor registered domains
Star Blizzard has been using Domain Generation Algorithms
(DGAs) to randomize the domain names for their infrastructure.
DGAs are algorithms that generate a large number of domain
names, which can be used as rendezvous points for command-
and-control (C&C) servers or for other malicious purposes.
The use of DGAs makes it difficult for security teams and
automated systems to predict and block malicious domains
because the domains change frequently and can appear random.
This technique is a form of domain fluxing, which helps the
threat actor evade detection by blocklists, signature filters,
reputation systems, and other security controls.
By using a DGA, Star Blizzard can systematically switch
between domains during their attacks, making it harder for
defenders to track and remove these domains. This tactic is part
of their sophisticated approach to maintaining their malicious
operations and avoiding disruption by cybersecurity measures.
E. Password-protected PDF lures or links to cloud-based
file-sharing platforms
Star Blizzard has been using password-protected PDF lure
documents or links to cloud-based file-sharing platforms as part
of their spear-phishing campaigns. These tactics serve multiple
purposes:
• Password-Protected PDF Lure Documents: By using
password-protected PDFs, Star Blizzard can bypass some
automated email scanning systems that cannot analyze
the content of encrypted documents. The passwords for
these documents are typically provided in the same
phishing email or in a follow-up email.
• Links to Cloud-Based File-Sharing Platforms: These
links lead to cloud-based platforms where the protected
PDFs are stored. The use of legitimate file-sharing
services can lend an air of credibility to the phishing
attempt and may also evade detection by security systems
that trust content hosted on these platforms.
The PDFs often contain a call to action, such as a button or
link, which when clicked, redirects the user to a malicious site
designed to steal credentials or other sensitive information. This
technique is effective because it exploits the user's trust in
familiar file-sharing services and the expectation of receiving
legitimate documents.
VI. ATTACKS IMPACT
Microsoft did fall victim to a cyberattack by threat actor
known as Blizzard, also referred to as Nobelium, APT29, or
Cozy Bear. The attack was detected on January 12, 2024, and
began in late November 2023.
The threat actor used a password spray attack to compromise
a legacy non-production test tenant account and gain a foothold.
They then used the account's permissions to access a very small
percentage of Microsoft corporate email accounts, including
members of the senior leadership team and employees in
cybersecurity, legal, and other functions.
The attackers exfiltrated some emails and attached
documents, and the investigation indicates they were initially
targeting email accounts for information related to Blizzard
itself. The attack was not the result of a vulnerability in
Microsoft products or services, and there is no evidence that the
threat actor had any access to customer environments,
production systems, source code, or AI systems.
A. Actions Taken by Microsoft in Response to the Blizzard
Cyberattack and Secure Future Initiative
In response to the Blizzard cyberattack, Microsoft took
immediate action to investigate, disrupt malicious activity,
mitigate the attack, and deny the threat actor further access. They
have begun notifying employees whose email accounts were
compromised during the attack.
Microsoft assured staff and the world that the attack was not
due to any specific vulnerability in Microsoft products or
services, and there is no evidence that the threat actor had any
access to customer environments, production systems, source
code, or AI systems.
5. Read more: Boosty
Microsoft announced that they will apply their current
security standards to Microsoft-owned legacy systems, even
when these changes might cause disruption to existing business
processes. They also plan to make significant changes to their
internal security practices.
Microsoft's response underscores its commitment to
addressing the threat posed by nation-state actors like Blizzard
and its commitment to responsible transparency as recently
affirmed in their Secure Future Initiative (SFI).
The Secure Future Initiative (SFI) is a program introduced
by Microsoft in November 2023. The SFI rests on three key
pillars:
• The development of AI-based cyber defenses.
• Advancements in fundamental software engineering.
• A strategic shift in the balance between security and
business risk, acknowledging that the traditional
calculus is no longer sufficient
VII. DEFENSE (MICROSOFT ADVISORY)
A. Defense and protection guidance
In response to the ' Blizzard' cyberattack, Microsoft has
provided guidance for defense and protection against such
nation-state attacks. This guidance includes:
• Multi-Factor Authentication (MFA): Microsoft
emphasized the importance of enabling MFA, as the test
tenant account compromised in the attack did not have
MFA enabled.
• Monitoring OAuth Applications: Threat actors like
Blizzard often use OAuth applications to help hide their
activities. Microsoft recommends monitoring for
suspicious OAuth applications and revoking any that are
not recognized or needed.
• Awareness of Social Engineering Attacks: Microsoft
Threat Intelligence has identified highly targeted social
engineering attacks using credential theft phishing lures
sent as Microsoft Teams chats by Blizzard. Awareness
and training can help users recognize and avoid these
attacks.
• Network Traffic Analysis: Blizzard used residential
proxy networks to launch their attacks, routing traffic
through a vast number of IP addresses also used by
legitimate users. Monitoring and analyzing network
traffic for suspicious patterns can help detect such
activities.
• Regular Patching and Updating: Keeping systems and
software up-to-date is crucial in defending against
attacks that exploit known vulnerabilities.
Defend Against Malicious OAuth Applications
• Audit Privilege Levels: Use the Microsoft Graph Data
Connect authorization portal to audit the privilege level
of all identities, both users and service principals, in
your tenant. Scrutinize privileges, especially if they
belong to unknown identities, are attached to identities
no longer in use, or are excessive.
• Review ApplicationImpersonation Privileges: Audit
identities with ApplicationImpersonation privileges in
Exchange Online, as these allow a service principal to
impersonate a user. Use the PowerShell command Get-
ManagementRoleAssignment -Role
ApplicationImpersonation -GetEffectiveUsers to review
these permissions.
• Identify Malicious OAuth Apps: Use anomaly
detection policies to detect malicious OAuth apps that
make sensitive Exchange Online administrative
activities. Investigate and remediate any risky OAuth
apps through App governance.
• Conditional Access App Control: Implement
conditional access app control for users connecting from
unmanaged devices to monitor and control how they
access cloud apps.
• Review Permissions: Review any applications that hold
EWS.AccessAsUser.All and EWS.full_access_as_app
permissions. Remove them if they are no longer
required.
• Role-Based Access Control: Implement granular and
scalable role-based access control for applications in
Exchange Online to ensure they are only granted access
to the specific mailboxes required.
Protect Against Password Spray Attacks
• Eliminate Insecure Passwords: Encourage the use of
strong, unique passwords and eliminate common or
weak passwords that are easily guessable.
• Educate Users: Train users to review sign-in activity
and report suspicious attempts as "This wasn't me".
• Reset Compromised Passwords: Reset passwords for
any accounts targeted during a password spray attack,
and investigate further if those accounts had system-
level permissions.
• Use Microsoft Entra ID Protection: Detect,
investigate, and remediate identity-based attacks with
solutions like Microsoft Entra ID Protection.
• Microsoft Purview Audit: Investigate compromised
accounts using Microsoft Purview Audit (Premium).
• Enforce Password Protection: Use Microsoft Entra
Password Protection for Microsoft Active Directory
Domain Services on-premises.
• Risk Detections for User Sign-Ins: Utilize risk
detections to trigger multifactor authentication or
password changes.
• Password Spray Investigation Playbook: Investigate
any potential password spray activity using the
password spray investigation playbook.
6. Read more: Boosty
B. Detection and hunting guidance
In the wake of the Blizzard cyberattack, Microsoft has
provided detailed guidance for detection and hunting of such
threats. Hunting for Indicators of Compromise
• Log Data Analysis: Microsoft has provided detailed
guidance on what to look for in log data to hunt and
detect malicious activity associated with Blizzard
• Posture Management Tools: These tools can help
organizations inventory all non-human identities and
highlight unused OAuth applications, especially those
with over-permissive access to impersonate every user
when authenticating to Office 365 Exchange.
Microsoft's detection and hunting guidance for the Blizzard
cyberattack involves reviewing Exchange Web Services (EWS)
activity and using Microsoft Entra ID Protection, which has
several relevant detections that help organizations identify these
techniques or additional activity that may indicate anomalous
activity. The use of residential proxy network infrastructure by
threat actors is generally more likely to generate Microsoft Entra
ID Protection alerts due to inconsistencies in patterns of user
behavior compared to legitimate activity.
Microsoft Entra ID Protection alerts that can help indicate
threat activity associated with this attack include:
• Unfamiliar sign-in properties: This alert flags sign-ins
from networks, devices, and locations that are
unfamiliar to the user.
• Password spray: This risk detection is triggered when
a password spray attack has been successfully
performed.
• Threat intelligence: This alert indicates user activity
that is unusual for the user or consistent with known
attack patterns.
• Suspicious sign-ins (workload identities): This alert
indicates sign-in properties or patterns that are unusual
for the related service principal.
C. XDR and SIEM alerts and protection
Microsoft Defender for Cloud Apps and Microsoft Defender
XDR also provide alerts that can help indicate associated threat
activity. These alerts include indications of a significant increase
in calls to the Exchange Web Services API, suspicious metadata
associated with mail-related activity, and the creation of an
OAuth application that accessed mailbox items.
Microsoft Defender XDR and Microsoft Sentinel customers
can also use specific hunting queries and analytic rules to find
related activity in their networks. These include queries to find
sign-ins by a labeled password spray IP and rules to identify
password spray attempts, the granting of full_access_as_app
permission to an OAuth application, and the addition of services
principal/user with elevated permissions
Once an actor decides to use OAuth applications in their
attack, a variety of follow-on activities can be identified in alerts
to help organizations identify and investigate suspicious activity.
The following Microsoft Defender for Cloud Apps alerts can
help indicate associated threat activity:
• App with application-only permissions accessing
numerous emails – A multi-tenant cloud app with
application-only permissions showed a significant
increase in calls to the Exchange Web Services API
specific to email enumeration and collection. The app
might be involved in accessing and retrieving sensitive
email data.
• Increase in app API calls to EWS after a credential update
– This detection generates alerts for non-Microsoft
OAuth apps where the app shows a significant increase in
calls to Exchange Web Services API within a few days
after its certificates/secrets are updated or new credentials
are added.
• Increase in app API calls to EWS – This detection
generates alerts for non-Microsoft OAuth apps that
exhibit a significant increase in calls to the Exchange
Web Services API. This app might be involved in data
exfiltration or other attempts to access and retrieve data.
• App metadata associated with suspicious mail-related
activity – This detection generates alerts for non-
Microsoft OAuth apps with metadata, such as name,
URL, or publisher, that had previously been observed in
apps with suspicious mail-related activity. This app might
be part of an attack campaign and might be involved in
exfiltration of sensitive information.
• Suspicious user created an OAuth app that accessed
mailbox items – A user that previously signed on to a
medium- or high-risk session created an OAuth
application that was used to access a mailbox using sync
operation or multiple email messages using bind
operation. An attacker might have compromised a user
account to gain access to organizational resources for
further attacks.
The following Microsoft Defender XDR alert can indicate
associated activity:
• Suspicious user created an OAuth app that accessed
mailbox items – A user who previously signed in to a
medium- or high-risk session created an OAuth
application that was used to access a mailbox using sync
operation or multiple email messages using bind
operation. An attacker might have compromised a user
account to gain access to organizational resources for
further attacks
Extended Detection and Response (XDR) and Security
Information and Event Management (SIEM) systems can
provide alerts and protection against malicious activities such as
those carried out by the Blizzard threat group.
Microsoft Defender for Cloud Apps can generate alerts for
various suspicious activities, including:
• An app with application-only permissions accessing
numerous emails.
7. Read more: Boosty
• An increase in app API calls to Exchange Web Services
(EWS) , especially after a credential update.
• App metadata associated with suspicious mail-related
activity.
• A suspicious user creating an OAuth app that accessed
mailbox items.
• Microsoft Defender XDR can also generate an alert
when a suspicious user creates an OAuth app that
accesses mailbox items.
According to Microsoft guidances these alerts can help
organizations identify and investigate suspicious activities
related to OAuth applications, which are often used in attacks
like those carried out by Blizzard. By monitoring for these types
of activities, organizations can better protect themselves against
similar threats
• To detect password spray attacks, security teams can use
various hunting queries that analyze log data for signs of
such attacks. Here are some examples of hunting queries
and techniques that can be used:
• Failed Authentication Attempts Across Multiple
Accounts: Look for sudden spikes in the number of
failed login attempts or locked accounts, which can
indicate a password spray attack
• Sign-in Attempts from Suspicious Locations: Monitor
sign-in attempts from locations that are unusual for the
user, as attackers may use IP addresses from different
geographic regions
• Unusual Sign-in Times: Password spray attacks often
occur at odd hours when fewer users are likely to be
active, so monitoring for authentication attempts during
these times can be useful
• Low and Slow Attack Indicators: Detect password spray
attacks that attempt to stay under the radar by not
triggering account lockouts or bad password thresholds
• Advanced Hunting Queries: Use a query-based threat
hunting tool like Microsoft Defender's Advanced
Hunting to inspect events in your network and gather
more information related to password spray alerts
• Alert Classification: Check whether the user received
other alerts before the password spray activity, such as
impossible travel alerts, activity from infrequent
countries/regions, or suspicious email deletion activity
Here are some specific hunting queries provided by
Microsoft:
// Find sign-ins by a labeled password spray IP
IdentityLogonEvents
| where Timestamp between (startTime .. endTime)
| where isnotempty(IPTags) and not(IPTags
has_any('Azure','Internal Network IP','branch office'))
| where IPTags has_any ("Brute force attacker", "Password
spray attacker", "malicious", "Possible Hackers")
// Find MailItemsAccessed or SaaS actions performed by a
labeled password spray IP
CloudAppEvents
| where Timestamp between (startTime .. endTime)
| where isnotempty(IPTags) and not(IPTags
has_any('Azure','Internal Network IP','branch office'))
| where IPTags has_any ("Brute force attacker", "Password
spray attacker", "malicious", "Possible Hackers")
Network traffic analysis can be a powerful tool in detecting
password spray attacks. Here are some methods that
organizations can use:
• Intrusion Detection Systems (IDS): IDS tools monitor
network traffic and flag suspicious login activities. They
analyze login attempts, account lockouts, and
authentication failures to identify potential password
spraying attacks
• Security Monitoring: Continuous monitoring of user
login activities and abnormal patterns can help identify
potential attacks. Monitoring tools can track login
attempts from unusual locations, or at unusual times,
which could indicate a password spraying attack
• User Behavior Analysis: Analyzing user behavior can
help detect suspicious activities. Deviations from
normal behavior, such as login attempts outside of
regular working hours or simultaneous login attempts
from multiple locations, can be red flags for password
spraying attacks
• Configure Security Password Settings: If your
organization utilizes a Security Logging Platform,
ensure that it's configured to identify or detect failed
login attempts across all systems. This will help you
detect those tell-tale signs of password spraying attacks
in the future
• Monitoring and Logging: These are some of the best
proactive ways to detect password-spraying attacks.
They help to detect failed login attempts and inform the
IT Administrator accordingly. For example, if there are
5 unsuccessful login attempts, the password policy locks
out the user account, and the network monitoring
solution triggers an alarm to the IT Administrator
• SIEM (Security Information and Event Management):
In case there is unusual behavior in your organization,
your SIEM will pick it up. SIEM solutions aggregate
and analyze event data in real time from network
devices, servers, domain controllers and more,
providing security intelligence for real-time analysis of
security alerts generated by applications and network
hardware
Organizations can use OAuth application permissions to
detect potential security vulnerabilities in several ways:
• Investigate and Remediate Risky OAuth Apps:
Organizations can use tools like Microsoft Defender for
Cloud Apps to investigate and remediate risky OAuth
apps. This involves scrutinizing apps that have not been
updated recently, apps that have irrelevant permissions,
8. Read more: Boosty
and apps that appear suspicious based on their name,
publisher, or URL. The OAuth app audit can be exported
for further analysis of the users who authorized an app
• Create Policies to Control OAuth Apps: Organizations
can set permission policies to get automated
notifications when an OAuth app meets certain criteria.
For example, alerts can be set up for apps that require a
high permission level. OAuth app policies enable
organizations to investigate which permissions each app
requested and which users authorized those permissions
• Identify Vulnerabilities in OAuth Implementation:
Vulnerabilities can arise in the client application's
implementation of OAuth as well as in the configuration
of the OAuth service itself. Identifying and exploiting
these vulnerabilities can help organizations protect their
own applications against similar attacks
• Monitor for Malicious OAuth Applications: Threat
actors can misuse OAuth applications to automate
financially driven attacks. Monitoring for such misuse
can help organizations detect and respond to potential
security vulnerabilities. For example, Microsoft
provides queries that can be used to identify high
outbound email senders and suspicious email events
• Understand the Impact of Malicious OAuth Application
Consent: If a user grants access to a malicious third-
party application, the application can access the user's
data and perform actions on their behalf. Understanding
the impact of such actions can help organizations
develop strategies to detect and mitigate potential
security vulnerabilities