Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Incident response. Show all posts
Threat Intelligence
Active Defense Cyber Security Cybercrime Groups Deception Security Honeypot Technology Incident response Network Intrusion Synthetic Data Threat Intelligence

Targeted Cyberattack Foiled by Resecurity Honeypot


 

There has been a targeted intrusion attempt against the internal environment of Resecurity in November 2025, which has been revealed in detail by the cyber security company. In order to expose the adversaries behind this attack, the company deliberately turned the attack into a counterintelligence operation by using advanced deception techniques.

In response to a threat actor using a low-privilege employee account in order to gain access to an enterprise network, Resecurity’s incident response team redirected the intrusion into a controlled synthetic data honeypot that resembles a realistic enterprise network within which the intrusion could be detected. 

A real-time analysis of the attackers’ infrastructure, as well as their tradecraft, was not only possible with this move, but it also triggered the involvement of law enforcement after a number of evidences linked the activity to an Egyptian-based threat actor and infrastructure associated with the ShinyHunter cybercrime group, which has subsequently been shown to have claimed responsibility for the data breach falsely. 

Resecurity demonstrated how modern deception platforms, with the help of synthetic datasets generated by artificial intelligence, combined with carefully curated artifacts gathered from previously leaked dark web material, can transform reconnaissance attempts by financially motivated cybercriminals into actionable intelligence.

The active defense strategies are becoming increasingly important in today's cybersecurity operations as they do not expose customer or proprietary data.

The Resecurity team reported that threat actors operating under the nickname "Scattered Lapsus$ Hunters" publicly claimed on Telegram that they had accessed the company's systems and stolen sensitive information, such as employee information, internal communications, threat intelligence reports, client data, and more. This claim has been strongly denied by the firm. 

In addition to the screenshots shared by the group, it was later confirmed that they came from a honeypot environment that had been built specifically for Resecurity instead of Resecurity's production infrastructure. 

On the 21st of November 2025, the company's digital forensics and incident response team observed suspicious probes of publicly available services, as well as targeted attempts to access a restricted employee account. This activity was detected by the company's digital forensics and incident response team. 

There were initial traces of reconnaissance traffic to Egyptian IP addresses, such as 156.193.212.244 and 102.41.112.148. As a result of the use of commercial VPN services, Resecurity shifted from containment to observation, rather than blocking the intrusion.

Defenders created a carefully staged honeytrap account filled with synthetic data in order to observe the attackers' tactics, techniques, and procedures, rather than blocking the intrusion. 

A total of 28,000 fake consumer profiles were created in the decoy environment, along with nearly 190,000 mock payment transactions generated from publicly available patterns that contained fake Stripe records as well as fake email addresses that were derived from credential “combo lists.” 

In order to further enhance the authenticity of the data, Resecurity reactivated a retired Mattermost collaboration platform, and seeded it with outdated 2023 logs, thereby convincing the attackers that the system was indeed genuine. 

There were approximately 188,000 automated requests routed through residential proxy networks in an attempt by the attackers to harvest the synthetic dataset between December 12 and December 24. This effort ultimately failed when repeated connection failures revealed operational security shortcomings and revealed some of the attackers' real infrastructure in the process of repeated connection failures exposing vulnerabilities in the security of the system. 

A recent press release issued by Resecurity denies the breach allegation, stating that the systems cited by the threat actors were never part of its production environment, but were rather deliberately exposed honeypot assets designed to attract and observe malicious activity from a distance.

After receiving external inquiries, the company’s digital forensics and incident response teams first detected reconnaissance activity on November 21, 2025, after a threat actor began probing publicly accessible services on November 20, 2025, in a report published on December 24 and shared with reporters. 

Telemetry gathered early in the investigation revealed a number of indications that the network had been compromised, including connections coming from Egyptian IP addresses, as well as traffic being routed through Mullvas VPN infrastructure. 

A controlled honeypot account has been deployed by Resecurity inside an isolated environment as a response to the attack instead of a move to containment immediately. As a result, the attacker was able to authenticate to and interact with systems populated completely with false employee, customer, and payment information while their actions were closely monitored by Resecurity. 

Specifically, the synthetic datasets were designed to replicate the actual enterprise data structures, including over 190,000 fictitious consumer profiles and over 28,000 dummy payment transactions that were formatted to adhere to Stripe's official API specifications, as defined in the Stripe API documentation. 

In the early months of the operation, the attacker used residential proxy networks extensively to generate more than 188,000 requests for data exfiltration, which occurred between December 12 and December 24 as an automated data exfiltration operation. 

During this period, Resecurity collected detailed telemetry on the adversary's tactics, techniques, and supporting infrastructure, resulting in several operational security failures that were caused by proxy disruptions that briefly exposed confirmed IP addresses, which led to multiple operational security failures. 

As the deception continued, investigators introduced additional synthetic datasets, which led to even more mistakes that narrowed the attribution and helped determine the servers that orchestrated the activity, leading to an increase in errors. 

In the aftermath of sharing the intelligence with law enforcement partners, a foreign agency collaborating with Resecurity issued a subpoena request, which resulted in Resecurity receiving a subpoena. 

Following this initial breach, the attackers continued to make claims on Telegram, and their data was also shared with third-party breach analysts, but these statements, along with the new claims, were found to lack any verifiable evidence of actual compromise of real client systems. Independent review found that no evidence of the breach existed. 

Upon further examination, it was determined that the Telegram channel used to distribute these claims had been suspended, as did follow-on assertions from the ShinyHunters group, which were also determined to be derived from a honeytrap environment.

The actors, unknowingly, gained access to a decoy account and infrastructure, which was enough to confirm their fall into the honeytrap. Nevertheless, the incident demonstrates both the growing sophistication of modern deception technology as well as the importance of embedding them within a broader, more resilient security framework in order to maximize their effectiveness. 

A honeypot and synthetic data environment can be a valuable tool for observing attacker behavior. However, security leaders emphasize that the most effective way to use these tools is to combine them with strong foundational controls, including continuous vulnerability management, zero trust access models, multifactor authentication, employee awareness training, and disciplined network segmentation. 

Resecurity represents an evolution in defensive strategy from a reactive and reactionary model to one where organizations are taking a proactive approach in the fight against cyberthreats by gathering intelligence, disrupting the operations of adversaries, and reducing real-world risk in the process. 

There is no doubt that the ability to observe, mislead, and anticipate hostile activity, before meaningful damage occurs, is becoming an increasingly important element of enterprise defenses in the age of cyber threats as they continue to evolve at an incredible rate.

Together, the episodes present a rare, transparent view of how modern cyber attacks unfold-and how they can be strategically neutralized in order to avoid escalation of risk to data and real systems. 

Ultimately, Resecurity's claims serve more as an illustration of how threat actors are increasingly relying on perception, publicity, and speed to shape narratives before facts are even known to have been uncovered, than they serve as evidence that a successful breach occurred. 

Defenders of the case should take this lesson to heart: visibility and control can play a key role in preventing a crisis. It has become increasingly important for organizations to be able to verify, contextualize, and counter the false claims that are made by their adversaries as they implement technical capabilities combined with psychological tactics in an attempt to breach their systems. 

The Resecurity incident exemplifies how disciplined preparation and intelligence-led defense can help turn an attempted compromise into strategic advantage in an environment where trust and reputation are often the first targets. They do this quiet, methodically, and without revealing what really matters when a compromise occurs.
Read more »
Third Party Risk
Cybercrime Groups Data Breach Employee Data Exposure enterprise cybersecurity Incident response Ransomware As A Service Ransomware attack supply chain security Third Party Risk

Ingram Micro Reveals Impact of Ransomware Attack on Employee Records


 

Ingram Micro quietly divulged all the personal details of their employees and job applicants last summer after a ransomware attack at the height of the summer turned into a far-reaching data exposure, exposing sensitive information about their employees and job applicants and illustrating the growing threat of cybercrime. 

A significant breach at one of the world's most influential technology supply-chain providers has been revealed in the July 2025 attack, in which the company confirms that records linked to more than 42,000 people were compromised, marking the most significant breach of the company's history. It is evident that in the wake of the disruptions caused by older, high-profile cybercriminals, emerging ransomware groups are swiftly targeting even the most established businesses. 

These groups are capitalizing on disrupting these older, high-profile cyber criminal operations by swiftly attacking even the most established businesses. It is a stark reminder to manufacturers, distributors, and mid-market companies that depend on Ingram Micro for global logistics, cloud platforms, and managed services to stay protected from cybersecurity risks, and the breach serves as a warning that cybersecurity risk does not end within an organization's boundaries, as third-party cyber-incidents are becoming increasingly serious and problematic. 

The largest distributor of business-to-business technology, Ingram Micro, operates on a global scale. The company employs more than 23,500 associates, serves more than 161,000 customers, and reported net sales of $48 billion in 2024, which was much greater than the previous year's gross sales of $6 billion. 

As stated in the notification letters to the Maine Attorney General and distributed to affected individuals, the attackers obtained documents containing extensive information, including Social Security numbers, that they had stolen. 

There was a security incident involving the company on July 3rd, 2025, and, in its disclosure, the company indicated that an internal investigation was immediately launched, which determined that an unauthorized third party had access to and removed files from internal repositories between July 2 and July 3rd, 2025. 

In addition to the information contained in the compromised records, there were also information regarding current and former employees and potential job applicants, including names, contact details, birthdates, and government-issued identification numbers such as Social Security numbers, driver's license numbers, and passport numbers, as well as employment records in certain cases. 

A major attack on Ingram Micro's infrastructure may also have caused widespread disruptions to internal operations, as well as taking the company's website offline for a period of time, forcing the company to instruct its employees to work remotely as remediation efforts were underway. 

In spite of the fact that the company does not claim the breach was the result of a particular threat actor, it confirms that ransomware was deployed during the incident, in line with earlier reports linking the incident with the SafePay ransomware group, which later claimed responsibility and claimed to have stolen about 3.5 terabytes of data, and then published the name of the company on its dark web leaks.

In addition to drawing renewed attention to the systemic threat posed by attacks on central technology distributors, the incident also shed light on the risk that a single compromise can have a ripple effect across the entire digital supply chain as well. 

Analysts who examined the Ingram Micro intrusion claim that the ransomware was designed to be sophisticated, modular, and was modeled after modern malware campaigns that are operated by operators. The malicious code unfolded in carefully sequenced stages, with the lightweight loader establishing persistence and neutralizing baseline security controls before the primary payload was delivered.

The attackers subsequently developed components that enabled them to move laterally through internal networks by exploiting cached authentication data and directory services in order to gain access to additional privileges and harvest credentials. The attackers also employed components designed to escalate privileges and harvest credentials. 

The spread across accessible systems was then automated using a dedicated propagation engine, while at the same time manual intervention was still allowed to prioritize high-value targets using a dedicated propagation engine. As part of the attack, the encryption engine used a combination of industry-grade symmetric cryptography and asymmetric key protection to secure critical data, effectively locking that data beyond recovery without the cooperation of the attackers. 

As an extension of the encryption process, a parallel exfiltration process used encrypted web traffic to evade detection to quietly transfer sensitive files to external command-and-control infrastructure. Ultimately, ransom notes were released in order to exert pressure through both operational disruptions as well as the threat of public data exposure, which culminated in the deployment of ransom notes. 

The combination of these elements illustrates exactly how contemporary ransomware has evolved into a hybrid threat model-a model that combines automation, stealth, and human oversight-and why breaches at key nodes within the technology ecosystem can have a far-reaching impact well beyond the implications of one organization. 

When Ingram Micro discovered that its data had been compromised, the company took a variety of standard incident response measures to address it, including launching a forensic investigation with the help of an external cybersecurity firm, notifying law enforcement and relevant regulators, and notifying those individuals whose personal information may have been compromised. 

Additionally, the company offered two years of free credit monitoring and identity theft protection to all customers for two years. It has been unclear who the attackers are, but the SafePay ransomware group later claimed responsibility, alleging in its dark web leak site that the group had stolen 3.5 terabytes of sensitive data. Those claims, however, are not independently verified, nor is there any information as to what ransom demands have been made.

The attack has the hallmarks of a modern ransomware-as-a-service attack, with a custom malware being deployed through a well-established framework that streamlines intrusion, privilege escalation, lateral movement, data exfiltration, and data encryption while streamlining intrusion, privilege escalation, lateral movement, and data encryption techniques.

As such, these campaigns usually take advantage of compromised credentials, phishing schemes, and unpatched vulnerabilities to gain access to the victim. They then combine double-extortion tactics—locking down systems while siphoning sensitive data—with the goal of putting maximum pressure on them. 

During the event, Ingram Micro's own networks were disrupted, which caused delays across global supply chains that depended on Ingram Micro's platforms, causing disruptions as well as disruptions to transactions. There is an opportunity for customers, partners, and the wider IT industry to gain a better understanding of the risks associated with concentration of risk in critical vendors as well as the potentially catastrophic consequences of a relatively small breach at a central node.

A number of immediate actions were taken by Ingram Micro in the aftermath of the attack, including implementing the necessary measures to contain the threat, taking all affected systems offline to prevent further spread of the attack, and engaging external cybersecurity specialists as well as law enforcement to support the investigation and remediation process. 

As quickly as possible, the company restored access to critical platforms, gradually restoring core services, and maintained ongoing forensic analysis throughout the day to assess the full extent of the intrusion, as well as to assure its customers and partners that the company was stable. It is not only the operational response that has been triggered by the incident, but the industry has largely reflected on the lessons learned from a similar attack. 

It is apparent that security experts are advocating resilience-driven strategies such as zero trust access models, network microsegmentation, immutable backup architectures, and continuous threat monitoring in order to limit breaches' blast radius. 

It is also evident from the episode that the technology industry is becoming increasingly dependent on third-party providers, which is why it has reinforced the importance of regular incident response simulations and robust vendor risk management strategies. This ransomware attack from Ingram Micro illustrates the importance of modern cyber operations beyond encrypting data. 

It also illustrates how modern cyber operations are also designed to disrupt interconnected ecosystems, in addition to exerting pressure through theft of data and a systemic impact. As a result of this incident, it was once again reinforced that enterprise security requires preparation, layers of defenses, and supply chain awareness. 

A response of Ingram Micro was to isolate the affected servers and segments of the network in order to contain the intrusion. During this time, the Security Operations Center activated a team within its organization to coordinate remediation and forensic analysis as part of its response. This action corresponds with established incident handling standards, which include the NIST Cybersecurity Framework and ISO 27035 guidelines. 

Currently, investigators are conducting forensic examinations of the ransomware strain, tracking the initial access vectors, and determining whether data has been exfiltrating in order to determine if it was malicious or not. Federal agencies including the FBI Internet Crime Complaint Center and the Cybersecurity and Infrastructure Security Agency have been informed about the investigation. 

In the recovery process, critical systems are restored from verified backups, compromised infrastructure is rebuilt, and before the environment can be returned to production, it is verified that a restored environment does not contain any malicious artifacts.

It is no surprise to security specialists that incidents of this scale are increasingly causing large companies to reevaluate their core controls, such as identity and access management, which includes stronger authentication, tighter access governance, and continuous monitoring.

It is believed that these actions will decrease the risk of unauthorized access and limit the impact of future breaches to a great extent. This Ingram Micro incident is an excellent example of how ransomware has evolved into a technical and systemic threat as well, one that increasingly targets the connective tissue of the global technology economy, rather than isolated enterprises, to increasingly target. 

A breach like the one in question has demonstrated the way that attacks on highly integrated distributors can cascade across industries, exposing information, disrupting operations, and amplifying risks that extend far beyond the initial point of compromise. It is likely that the episode will serve as a benchmark for regulators, enterprises, and security leaders to evaluate resilience within complex supply chains as investigations continue and recovery efforts mature. 

During a period of time when the industry relies heavily on scale, speed, and trust, the attack serves as a strong warning that cybersecurity readiness cannot be judged solely by its internal defenses, but also by its ability to anticipate, absorb, and recover from shocks originating anywhere within the interconnected digital ecosystem as well as to measure its readiness for cybersecurity.
Read more »
Vulnerability Exploit
Clop Group Cybersecurity Breach Data Breach Enterprise security GlobalLogic Incident response Oracle Zero-Day Ransomware attack SQL Threat Intelligence Vulnerability Exploit

GlobalLogic Moves to Protect Workforce After Oracle-related Data Theft

 


A new disclosure that underscores the increasing sophistication of enterprise-level cyberattacks underscores the need to take proactive measures against them. GlobalLogic has begun notifying more than ten thousand of its current and former employees that their personal information was compromised as a result of a security breach connected to an Oracle E-Business Suite zero-day flaw. 

An engineering services firm headquartered in the United States, owned by Hitachi, announced the breach to regulators after determining that an unknown attacker exploited an unpatched vulnerability in the Oracle platform, the core platform used to manage finance, human resources, and operational processes at the company, so that sensitive data belonging to 10,000 employees was stolen. 

The Maine Attorney General's office reported to the Maine State Attorney General that attackers had infiltrated GlobalLogic's environment with an advanced SQL-injection chain mapped to MITRE techniques T1190 and T1040, deploying a persistent backdoor through an Oracle Forms vulnerability, obtaining extensive employee data, including identification, contact information, passport information, tax and salary data, and bank account numbers, as well as extensive employee records. 

The signs of compromise point to a coordinated data-extortion campaign in which privilege-escalation events were used to maintain prolonged access to data. Indicators like malicious IP ranges and rogue domains indicate that the attack was coordinated. In the aftermath of Oracle's security patches being released, GlobalLogic announced that an immediate investigation had been conducted, and the company is now urging the rapid implementation of vendor updates, enhanced logging, and temporary hardening measures in order to mitigate further risk. 

With Hitachi's acquisition of the company in 2021, it has now served more than 600 enterprise clients around the world, and the company has officially reported the breach to California and Maine regulators, who confirmed that more than 10,500 current and former employees' personal information was exposed in the attack. 

During GlobalLogic's investigation, it was discovered that the intrusion was a part of a larger campaign that was coordinated by the Clop ransomware group, which has been exploiting a zero-day flaw in Oracle's E-Business Suite since at least July in order to snare huge amounts of corporate information. There have been reports that several companies have been caught in this wave of attacks, and many are only aware of their compromise after they receive extortion emails from extortionists. Analysts are claiming that dozens of companies have been compromised.

It is reported by GlobalLogic that the company discovered the breach on October 9 but it was later discovered that the attackers gained access to the server on July 10, with the most recent malicious activity occurring on August 20 according to GlobalLogic's filings. Despite the fact that the incident was contained to the Oracle platform, the sheer amount of sensitive and high-level data stolen—from contact information to internal identifiers to passports to tax records to salary information to bank account numbers—does not make it easy for the severity of the attack to be noted. 

A spokesperson for the company said that they immediately activated their incident response protocols, notified the law enforcement, and consulted external forensic experts after the zero-day exploit was discovered (CVE-2025-61882) was discovered, and that Oracle's patch for the vulnerability (CVE-2025-61882) was applied once it was released. 

Security researchers later confirmed that Clop hacked numerous victims over a period of several months by exploiting multiple vulnerabilities within the same platform, demanding ransoms that often reached eight-figure sums. It has been reported that nearly 30 organizations are currently listed on Clop's website after a breach of their systems was discovered last week. If these organizations do not pay the restitution, they will face public exposure. The kind of information exposed in the GlobalLogic breach highlights how sophisticated the attackers were. 

According to the company's disclosure, the stolen data was representative of a wide range of personal information that is typically kept in human resources systems, such as names, home addresses, telephone numbers, addresses for emergency contacts, and identifiers for internal employees.

There were a variety of individuals whose exposure to cyber attacks was far more in-depth and involved email addresses, dates and countries of birth, nationalities, passports, tax and national identification numbers such as Social Security details, salary information, and full banking credentials for their online banking accounts. 

A ransomware group known as Clop has been associated with several high-profile Oracle EBS data theft operations, as well as adding major companies to its Tor-based leak site, including Harvard University, Envoy Air, and The Washington Post, whose stolen data is already available via torrent downloads from a number of sources. Despite the fact that GlobalLogic's information has not yet appeared on the leak portal, security analysts have said that the omission may be indicative of ongoing negotiations, or that a ransom has already been paid by the company. 

The company spokesperson refused to comment on whether any demands were being addressed, but confirmed Clop has publicly claimed responsibility for the breach. Now that the gang is being questioned more closely by the U.S. authorities after previously exploiting Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer in mass-scale data breaches, they are under greater scrutiny than ever before. 

According to the State Department, there is a reward for intelligence that can be provided tying the group's operations to a foreign government worth up to $10 million. In light of this incident, industry officials are calling for improved patch management, proactive threat hunting, and tighter oversight of third-party platforms supporting critical business operations that are used by critical business units. 

According to GlobalLogic's analyst, the company's experience shows just how quickly a single vulnerability can lead to widespread damage when exploited by highly coordinated ransomware groups, particularly if the vulnerability has not yet been patched. 

Despite continuing to investigate Clop's broader campaign, experts urge organizations to adopt continuous monitoring, strengthen vendor risk controls, and prepare for the likelihood that they will be the victim of future zero day exploits in the following years, as the modern enterprise threat landscape is now characterized by zero-day threats.
Read more »
Threat Intelligence
Cloud Security continuous monitoring Cyber Security Cybersecurity Endpoint Defense Incident response ransomware protection Risk Management SOC Operations Threat Intelligence

Continuous Incident Response Is Redefining Cybersecurity Strategy

 


With organizations now faced with relentless digital exposure, continuous security monitoring has become an operational necessity instead of a best practice, as organizations navigate an era where digital exposure is ubiquitous. In 2024, cyber-attacks will increase by nearly 30%, with the average enterprise having to deal with over 1,600 attempted intrusions a week, with the financial impact of a data breach regularly rising into six figures. 

Even so, the real crisis extends well beyond the rising level of threats. In the past, cybersecurity strategies relied on a familiar formula—detect quickly, respond promptly, recover quickly—but that cadence no longer suffices in an environment that is characterized by adversaries automating reconnaissance, exploiting cloud misconfiguration within minutes, and weaponizing legitimate tools so that they can move laterally far faster than human analysts are able to react. 

There has been a growing gap between what organizations can see and the ability to act as the result of successive waves of innovation, from EDR to XDR, as a result of which they have widened visibility across sprawling digital estates. The security operations center is already facing unprecedented complexity. Despite the fact that security operations teams juggle dozens of tools and struggle with floods of alerts that require manual validation, organisations are unable to act as quickly as they should. 

A recent accelerated disconnect between risk and security is transforming how security leaders understand risks and forcing them to face a difficult truth: visibility without speed is no longer an effective defence. When examining the threat patterns defining the year 2024, it becomes more apparent why this shift is necessary. According to security firms, attackers are increasingly using stealthy, fileless techniques to steal from their victims, with nearly four out of five detections categorised as malware-free today, with the majority of attacks classified as malware-free. 

As a result, ransomware activity has continued to climb steeply upward, rising by more than 80% on a year-over-year basis and striking small and midsized businesses the most disproportionately, accounting for approximately 70% of all recorded incidents. In recent years, phishing campaigns have become increasingly aggressive, with some vectors experiencing unprecedented spikes - some exceeding 1,200% - as adversaries use artificial intelligence to bypass human judgment. 

A number of SMBs remain structurally unprepared in spite of these pressures, with the majority acknowledging that they have become preferred targets, but three out of four of them continue to use informal or internally managed security measures. These risks are compounded by human error, which is responsible for an estimated 88% of reported cyber incidents. 

There have been staggering financial consequences as well; in the past five years alone, the UK has suffered losses of more than £44 billion, resulting in both immediate disruption and long-term revenue losses. Due to this, the industry’s definition of continuous cybersecurity is now much broader than periodic audits. 

It is necessary to maintain continuous threat monitoring, proactive vulnerability and exposure management, disciplined identity governance, sustained employee awareness programs, regularly tested incident response playbooks, and ongoing compliance monitoring—a posture which emphasizes continuous evaluation rather than reactive control as part of an operational strategy. Increasingly complex digital estates are creating unpredictable cyber risks, which are making continuous monitoring an essential part of modern defence strategies. 

Continuous monitoring is a real time monitoring system that scans systems, networks, and cloud environments in real time, in order to detect early signs of misconfiguration, compromise, or operational drift. In contrast to periodic checks which operate on a fixed schedule and leave long periods of exposure, continuous monitoring operates in real time. 

The approach outlined above aligns closely with the NIST guidance, which urges organizations to set up an adaptive monitoring strategy capable of ingesting a variety of data streams, analysing emerging vulnerabilities, and generating timely alerts for security teams to take action. Using continuous monitoring, organizations can discover latent weaknesses that are contributing to their overall cyber posture. 

Continuous monitoring reduces the frequency and severity of incidents, eases the burden on security personnel, and helps them meet increasing regulatory demands. Even so, maintaining such a level of vigilance remains a challenge, especially for small businesses that lack the resources, expertise, and tooling to operate around the clock in order to stay on top of their game. 

The majority of organizations therefore turn to external service providers in order to achieve the scalability and economic viability of continuous monitoring. Typically, effective continuous monitoring programs include four key components: a monitoring engine, analytics that can be used to identify anomalies and trends on a large scale, a dashboard that shows key risk indicators in real time, and an alerting system to ensure that emerging issues are quickly addressed by the appropriate staff. 

With the help of automation, security teams are now able to process a great deal of telemetry in a timely and accurate manner, replacing outdated or incomplete snapshots with live visibility into organisational risk, enabling them to respond successfully in a highly dynamic threat environment. 

Continuous monitoring can take on a variety of forms, depending on the asset in focus, including endpoint monitoring, network traffic analysis, application performance tracking, cloud and container observability, etc., all of which provide an important layer of protection against attacks as they spread across every aspect of the digital infrastructure. 

It has also been shown that the dissolution of traditional network perimeters is a key contributor to the push toward continuous response. In the current world of cloud-based workloads, SaaS-based ecosystems, and remote endpoints, security architectures mustwork as flexible and modular systems capable of correlating telemetrics between email, DNS, identity, network, and endpoint layers, without necessarily creating new silos within the architecture. 

Three operational priorities are usually emphasized by organizations moving in this direction: deep integration to keep unified visibility, automation to handle routine containment at machine speed and validation practices, such as breach simulations and posture tests, to ensure that defence systems behave as they should. It has become increasingly common for managed security services to adopt these principles, and this is why more organizations are adopting them.

909Protect, for instance, is an example of a product that provides rapid, coordinated containment across hybrid environments through the use of automated detection coupled with continuous human oversight. In such platforms, the signals from various security vectors are correlated, and they are layered on top of existing tools with behavioural analysis, posture assessment and identity safeguards in order to ensure that no critical alert goes unnoticed while still maintaining established investments. 

In addition to this shift, there is a realignment among the industry as a whole toward systems that are built to be available continuously rather than undergoing episodic interventions. Cybersecurity has gone through countless “next generation” labels, but only those approaches which fundamentally alter the behavior of operations tend to endure, according to veteran analysts in the field. In addressing this underlying failure point, continuous incident response fits perfectly into this trajectory. 

Organizations are rarely breached because they have no data, but rather because they do not act on it quickly enough or cohesively. As analysts argue, the path forward will be determined by the ability to combine automation, analytics, and human expertise into a single adaptive workflow that can be used in an organization's entirety. 

There is no doubt that the organizations that are most likely to be able to withstand emerging threats in the foreseeable future will be those that approach security as a living, constantly changing system that is not only based on the visible, but also on the ability of the organization to detect, contain, and recover in real time from any threats as they arise. 

In the end, the shift toward continuous incident response is a sign that cybersecurity resilience is more than just about speed anymore, but about endurance as well. Investing in unified visibility, disciplined automation, as well as persistent validation will not only ensure that the path from detection to containment is shortened, but that the operations remain stable over the longer term as well.

The advantage will go to those who treat security as an evolving ecosystem—one that is continually refined, coordinated across teams and committed to responding in a continuity similar to the attacks used by adversaries.
Read more »
Ransomware
BianLian Business Continuity Data Breach Incident response Ransomware

BianLian Ransomware Strikes: US Companies Grapple with Data Breach Fallout


The BianLian ransomware organization is accused of cyberattacking against three major US companies, consisting of large amounts of sensitive data. The victims of the BianLian ransomware attack—Island Transportation Corp., Legend Properties Inc., and Transit Mutual Insurance Corporation of Wisconsin—had their breaches detailed on a dark web forum by the ransomware gang.

This escalation illustrates the growing threat ransomware attacks present against important sectors across the United States.

The Targets

1. Island Transportation Corp.: A heavyweight in the bulk carrier industry, Island Transportation Corp. services the petroleum sector. Unfortunately, they fell victim to the BianLian ransomware attack, compromising a staggering 300 GB of organizational data. Among the exposed information are vital business records, accounting files, project details, and personal data.

2. Legend Properties Inc.: As a well-established commercial real estate and brokerage firm, Legend Properties Inc. found itself in the crosshairs. The attackers gained unauthorized access to 400 GB of sensitive data, including critical business information, accounting records, and personal details.

3. Transit Mutual Insurance Corporation of Wisconsin: A key player in the insurance industry, Transit Mutual Insurance Corporation of Wisconsin suffered a similar fate. The ransomware breach exposed 400 GB of organizational data, encompassing business records, accounting files, project data, and personal information.

The Broader Implications

  • Data Privacy: The compromised data includes personal information, which could lead to identity theft or financial fraud. Companies must prioritize robust data protection mechanisms.
  • Business Continuity: Disruptions caused by ransomware attacks can cripple operations. Organizations need robust backup systems and incident response plans.
  • Industry Vulnerability: No sector is immune. Whether shipping, real estate, or insurance, all must fortify their defenses against cyber threats.

Recommendations

  • Multi-Layered Security: Companies should adopt a multi-layered security approach, including firewalls, intrusion detection systems, and regular security audits.
  • Employee Training: Educate employees about phishing, social engineering, and safe online practices. Human error remains a significant vulnerability.
  • Incident Response Plans: Develop and test incident response plans to minimize damage during an attack.

The situation underscores the growing threat posed by ransomware attacks to critical sectors across the United States. 

While Island Transportation Corp.'s website remains functional, Legend Properties Inc. and Transit Mutual Insurance Corporation of Wisconsin have displayed blocking messages, indicating potential disruptions due to the attack.

Read more »
Zero-Day Vulnerabilities
APT Group cyber intrusion forensic analysis Incident response Ivanti Connect Secure malware nation-state actor NERVE environment Security Breach Zero-Day Vulnerabilities

MITRE Links Recent Attack to China-Associated UNC5221

 

MITRE recently provided further insight into the recent cyber intrusion, shedding light on the new malicious software employed and a timeline detailing the attacker's actions.

In April 2024, MITRE announced a breach in one of its research and prototyping networks. Following the discovery, MITRE's security team swiftly initiated an investigation, ejected the threat actor, and enlisted third-party forensics Incident Response teams for independent analysis alongside internal experts. It was revealed that a nation-state actor had infiltrated MITRE's systems in January 2024 by exploiting two Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887).

The intrusion was detected when MITRE noticed suspicious activity from a foreign nation-state threat actor targeting its Networked Experimentation, Research, and Virtualization Environment (NERVE), which is utilized for research and prototyping purposes. MITRE promptly took NERVE offline and commenced mitigation procedures. Although investigations are ongoing to ascertain the extent of compromised information, MITRE has informed relevant authorities and affected parties while endeavoring to restore alternative collaboration platforms.

Despite MITRE's adherence to industry best practices, vendor recommendations, and governmental directives to bolster its Ivanti system, oversight led to unauthorized access into its VMware infrastructure. However, MITRE emphasized that neither its core enterprise network nor its partners' systems were impacted by the breach.

MITRE researchers identified indicators of compromise associated with UNC5221, a China-linked APT group, coinciding with the security breach. The hackers gained initial access to NERVE on December 31, deploying the ROOTROT web shell on Internet-facing Ivanti appliances.

On January 4, 2024, the threat actors conducted reconnaissance within the NERVE environment, leveraging compromised Ivanti appliances to access vCenter and communicate with multiple ESXi hosts. Subsequently, the attackers utilized hijacked credentials to infiltrate accounts via RDP, accessing user bookmarks and file shares to probe the network and manipulate VMs, compromising the infrastructure.

Further malicious activities ensued, including deploying the BRICKSTORM backdoor and the BEEFLUSH web shell on January 7, 2024, facilitating persistent access and arbitrary command execution. The hackers maintained control through SSH manipulation and script execution, exploiting default VMware accounts and establishing communication with designated C2 domains.

Additional payloads, such as the WIREFIRE (aka GIFTEDVISITOR) web shell and the BUSHWALK web shell for data exfiltration, were deployed on the target infrastructure. Despite attempts at lateral movement between mid-February and mid-March, the threat actors failed to compromise other resources beyond NERVE.

MITRE concluded its update with malware analysis and Indicators of Compromise for the involved payloads, highlighting the adversary's persistent attempts to infiltrate and maintain control within the network.
Read more »
Third-Party Risks
customer privacy Cyber Security data security Incident response Third-Party Risks

Data Breach at Giant Tiger: Protecting Customer Information in the Digital Age

Data Breach at Giant Tiger: Protecting Customer Information in the Digital Age

In an increasingly interconnected world, data breaches have become a recurring nightmare for organizations of all sizes. The recent incident at Giant Tiger Stores Ltd., a popular discount retailer based in Ottawa, serves as a stark reminder of the importance of safeguarding customer information.

The Breach

On March 4, Giant Tiger discovered that its customer data had been compromised. The breach affected various categories of customers:

Email Subscribers: Names and email addresses of those who subscribe to Giant Tiger emails.

Loyalty Members and Online Orders: Names, emails, and phone numbers of loyalty members and customers who placed online orders for in-store pickups.

Home Delivery Orders: Some customers who placed online orders for home delivery may have had their street addresses compromised.

Thankfully, no payment information or passwords were part of the data breach. However, the incident highlights the vulnerability of customer data and the need for robust security measures.

Third-Party Vendor Involvement

Giant Tiger’s breach was linked to a third-party vendor. While the retailer did not disclose the vendor’s name, it relies on this external partner for managing customer communications and engagement. This situation underscores the risks associated with outsourcing critical functions to third parties. Organizations must carefully vet their vendors and ensure they adhere to stringent security protocols.

The Fallout

The fallout from a data breach can be severe:

Reputation Damage: Customers trust companies with their personal information. When that trust is violated, it erodes brand reputation. Giant Tiger now faces the challenge of rebuilding customer confidence.

Legal and Regulatory Consequences: Data breaches often trigger legal and regulatory investigations. Organizations may face fines, lawsuits, and compliance requirements. In Giant Tiger’s case, the breach occurred in Canada, where privacy laws are stringent.

Financial Impact: Remediation efforts, legal fees, and potential compensation to affected customers can strain an organization’s finances. Moreover, the cost of reputational damage can be immeasurable.

Mitigation Strategies

To prevent such incidents, companies must adopt proactive measures:

Vendor Risk Assessment: Regularly assess third-party vendors’ security practices. Understand their data handling processes and ensure they align with your organization’s standards.

Encryption and Access Controls: Encrypt sensitive data and limit access to authorized personnel. Implement robust access controls to prevent unauthorized entry.

Employee Training: Educate employees about cybersecurity best practices. Human error remains a significant factor in data breaches.

Incident Response Plan: Have a well-defined incident response plan in place. Swift action can minimize damage and protect customer trust.

Transparency and Communication

Giant Tiger’s response has been commendable. They hired cybersecurity experts for an independent investigation and promptly informed affected customers. Transparency is crucial during a breach. Customers appreciate honesty and timely updates.

Read more »
Ransomware attack
Cyber Attacks Incident response MGM Resort Ransom Payment Ransomware attack

Cyberattack Responses at MGM and Caesars Required Brutal Actions

 

Twin assaults on MGM Resorts and Caesars Entertainment have offered an unusual perspective at what happens when two comparable organisations, under similar attack by the same threat actor, use divergent incident response techniques. 

Both parties in this case were the victims of a cyberattack called Scattered Spider /ALPHV. Caesars was able to resume operations very soon after engaging in a fast negotiation with the cyber attackers and paying a $15 million ransom demand. 

However, MGM firmly refused to pay and only recently declared that its operations had resumed after more than 10 days of operational downtime at its hotels and casinos, costing the company tens of millions of dollars in lost income. 

Although it may be tempting to judge which strategy was superior, experts believe that any direct comparison of the Caesars and MGM responses to the incident is oversimplified. 

As an example, Rob T. Lee, chief curriculum director and faculty lead at SANS Institute, emphasises that the fundamental idea behind incident response is to strive to make the "least worst decision." And this is typically a difficult choice with both favourable and unfavourable (some would say harsh) consequences.

He explains, "many business decisions can go into that. Only once an incident is over can you see different paths that could have led to different or at least worse outcomes. There is no 'win' in these situations, only decisions that can prevent it from worsening."

Caesars or MGM: Who was right? It's complex 

One of those difficult decisions incident responders are pressed to make under pressure is whether or not to pay a ransom after a hack. It is commonly known that paying a ransom does not ensure data security or system restoration.

Even worse, it encourages more attacks by establishing a market for these cybercrimes. Business risk decisions, however, don't always boil down to black-and-white choices of right or wrong, and expediency is always a factor.

"Caesars' more rapid recovery post-ransom might give the impression they made a better decision," stated Callie Guenther, senior manager of cyber threat research at Critical Start. "From a business continuity perspective, their decision to pay might seem effective." 

The chief security scientist of Delinea and advisory CISO Joseph Carson argues that there are other issues at play. Companies that deliberate over their choices may come to the conclusion that forgoing payment makes more sense. 

According to his observations, organisations only have a four-day opportunity to reach a compromise with ransomware threat actors before views on both sides harden. After that, ransomware attackers often lose patience and enterprise security teams tend to grow entrenched in their positions. 

Another factor to consider is the cost of recovery. If recovery is unsettling but only costs a few million dollars, it may be a better option than an eight-figure extortion payment, Carson added.
Read more »
supply chain attacks
Cyber Culture Cyber defense Cyber Security Data protection Data Retention Employee Training HR Strategies Incident response Security Preparedness supply chain attacks

Boost Cybersecurity: HR's Key Role in Guarding Your Business

 

If your company were to fall victim to ransomware today, whom would you contact? Or perhaps a more pertinent question: How would you go about contacting them? 

This scenario might appear ludicrous, there are  instances where organizations have been immobilized during the initial hours following a breach simply due to the absence of readily available contact information. 

With email and messaging systems rendered inaccessible, communication grinds to a halt, causing confusion among employees, customers, and suppliers alike. What begins as mild panic rapidly escalates into a full-blown crisis.

Commonly, people tend to associate cybersecurity exclusively with the IT or security department. However, safeguarding your company hinges on two crucial factors: the prevailing organizational culture and meticulous planning. This is precisely why some of the most pivotal players in the realm of cyber defense aren't housed within the IT team – they reside within the human resources (HR) department.

The HR team occupies a unique vantage point, enabling them to seamlessly integrate cybersecurity preparedness into the daily operations of an organization. 

Their responsibilities encompass establishing policies and processes to mitigate risks and fostering a business environment equipped to withstand foreseeable challenges, cyberattacks included. Notably, HR teams are also prime targets for hackers, given their role as custodians of sensitive personal information belonging to employees.

Regrettably, the significance of this role often goes unnoticed. Thus, sharing five strategies by which HR can fortify your business against cybercriminals.

1. Foster a Culture of Cybersecurity

Maintaining eternal vigilance is the requisite price for preserving our liberty to navigate the internet. The sheer volume of threats is staggering – recent findings indicate that educational institutions fend off over 2,300 intrusion attempts on average each week, while healthcare organizations combat more than 1,600 attacks. Given the barrage of digital threats, capturing them all becomes an incredibly daunting task. Yet, a robust cybersecurity culture equips an organization to counter these attacks and minimize the scope of damage when they do breach defenses. The challenge lies in uniting everyone under a shared understanding of appropriate online conduct.

To initiate this process, it is imperative to provide training tools that equip employees with the knowledge of permissible and prohibited online behaviors. Most organizations excel in this aspect. However, the implementation of this information on a daily basis often falls short.

The most effective means of ingraining cybersecurity as an integral aspect of individual responsibilities is its incorporation into performance evaluations. Rather than chastising employees for inadvertently clicking on dubious links, the approach should be constructive, focusing on how they uphold their cyber literacy training. Cyber health-check tools can be employed by workers to analyze their online conduct and address vulnerabilities (such as employing identical passwords across multiple platforms or neglecting two-factor authentication). Moreover, these tools can be harnessed to monitor the progress towards cybersecurity objectives at an organizational level.

Regular discourse on safety measures will seamlessly integrate them into the modus operandi of your business.

2. Safeguard Sensitive Information

HR assumes custodial responsibility for some of the most sensitive data within an organization – a fact not lost on hackers. Over the past half-decade, numerous companies have embraced platforms that empower employees to independently manage routine tasks such as vacation requests. However, these third-party platforms carry inherent risks. Cybercriminals often target them through supply chain attacks, cognizant of the potential to access vast troves of data from multiple organizations. In 2021, a widely-used file transfer system fell victim to a breach, compromising over 300 organizations. The University of California was among those affected, with exposed information spanning employees' social security numbers, driver's licenses, and passport details (prompting the UC system to provide its staff with complimentary ID monitoring services).

Primary among the duties of HR professionals is to ensure the confidentiality of employee data. Rigorous due diligence is essential before enlisting the services of any third-party HR provider. Preference should be accorded to entities conforming to international standards (notably SOC 2 and ISO 27001), while online research should uncover any past security incidents associated with the provider. It is equally vital to ascertain the storage and backup mechanisms employed for your data. Depending on your geographical location and industry, compliance with data residency regulations may be obligatory.

3. Rationalize Data Retention Policies

Updating the data retention policy should be a priority for every HR department. Even if your organization's policy isn't documented, a policy nevertheless exists – the default being the indefinite retention of all data. This exposes you to significant risks. The severity of a breach is exacerbated by the volume of data at stake, especially if you retain unnecessary data. Many jurisdictions stipulate limits on the duration for which companies should retain sensitive information – typically around seven years for records pertaining to former employees.

4. Appoint an Incident Commander

While cybersecurity constitutes an ongoing collective responsibility, a designated individual should assume leadership during a breach. In cybersecurity parlance, this figure is known as the incident commander. Despite diverse perspectives on the most suitable course of action, decision-making authority rests with the incident commander.

The qualifications for an incident commander are succinct: they should possess a profound understanding of cybersecurity matters within your organization. Depending on the size of your enterprise, this individual could be a cybersecurity expert, the head of IT, or even an individual like Joanne from the accounting department, provided she has undergone relevant training. Regardless of the appointee's identity, their role should be pre-established, communicated clearly to your team, and ready to be activated in the event of an incident. Given the swiftness with which cybersecurity events unfold – exemplified by instances where hackers gave a mere 45-minute warning prior to disclosing sensitive information – identifying the incident commander ahead of time is critical to minimizing response delays.

5. Conduct Preparedness Drills

Effective cybersecurity hinges on both planning and practice. Numerous studies underscore the fact that individuals struggle to make sound decisions under stress. Much like fire or earthquake drills provide a framework for emergencies, the same principle applies to cybersecurity incidents. Allocate a two-hour window annually to execute a tabletop exercise involving key personnel, simulating the actions to be taken in the event of a hack. During these drills, a designated moderator outlines the attack's nature and scope, while participants collaboratively devise their responses.

Initial attempts at conducting such exercises may result in confusion, yet this is by design. The ensuing scramble highlights deficiencies in your strategies. Over time, these drills become second nature, enhancing your organization's capacity to effectively respond to cyber threats.
Read more »
Third-party software security
3CX Update Incident response malware Software Updates Third-party software security

The Risks of Automatic Updates: A Closer Look at the Malicious 3CX Update

3CX Malicious Update

On March 31, 2023, several companies reported that their 3CX phone systems had suddenly stopped working. Upon investigation, they found that their systems had been compromised by a malicious software update delivered by 3CX's automatic update system. In this blog, we'll take a closer look at the incident and explore the lessons that can be learned from it.

The 3CX Incident: How It Happened

The attackers had managed to gain access to 3CX's update servers and replace a legitimate software update with a malicious version. This update, which was automatically installed on thousands of 3CX systems, contained a backdoor that gave the attackers full access to the compromised systems. They were able to steal sensitive data, listen in on calls, and even make unauthorized calls.

The Risks of Automatic Updates

The incident highlights the risks associated with automatic software updates, which are designed to keep systems up to date with the latest security patches and bug fixes. While automatic updates can be a convenient way to keep systems secure, they can also be a vector for malware and other malicious software.

In the case of the 3CX incident, the attackers were able to compromise the update system itself, which meant that even systems that were fully up to date were still vulnerable to the attack. This is a particularly worrying development, as it means that even the most security-conscious organizations may be at risk if their software vendors are compromised.

The Importance of Multi-Layered Security Measures

The incident also highlights the importance of multi-layered security measures. While automatic updates can be an important part of an organization's security strategy, they should not be relied upon as the sole defense against attacks. Other measures, such as regular vulnerability scanning, threat intelligence monitoring, and user training, can help to reduce the risks associated with automatic updates.

Organizations should also ensure that they have a robust incident response plan in place, which includes procedures for dealing with unexpected software failures or security breaches. This can help to minimize the impact of a security incident and ensure that systems are quickly restored to normal operation.

Evaluating Third-Party Software Security

Finally, organizations should carefully evaluate the security risks associated with any third-party software they use, including the software update mechanisms. Vendors should be asked about their security practices and measures, such as encryption, authentication, and monitoring, to ensure that their systems are protected against attacks.

3CX's Response

In response to the incident, 3CX has released a statement urging all users to immediately update their systems to the latest version, which includes a fix for the backdoor. They have also announced that they are conducting a full investigation into the incident and working with law enforcement to identify the attackers.

The 3CX incident is a stark reminder of the importance of multi-layered security measures and the risks associated with automatic software updates. While automatic updates can be a convenient way to keep systems up to date with the latest security patches and bug fixes, they can also be a vector for malware and other malicious software.

Organizations should carefully evaluate the security risks associated with any third-party software they use and take a proactive approach to security, including regular vulnerability scanning, threat intelligence monitoring, and user training. With the right security measures in place, organizations can help to reduce the risks associated with automatic updates and ensure that their systems remain secure against cyber threats.

Read more »
Subscribe to: Comments (Atom)