Another genuine enterprise software platform is being misused by cybercriminals to deliver malware and ransomware to unwitting victims. The DFIR Report's cybersecurity analysts identified many threat actors using Action1 RMM, an otherwise benign remote desktop monitoring and management tool. Action1, like any other remote management tool, is used by managed service providers (MSPs) and other IT teams to manage endpoints in a network from a remote location. It can be used to handle software patches, software installation, troubleshooting, and other related tasks.

“Last year we rolled-out a threat actor filtering system that scans user activity for suspicious patterns of behavior, automatically suspends potentially malicious accounts, and alerts Action1’s dedicated security team to investigate the issue,” Mike Walters, VP of Vulnerability and Threat Research and co-founder of Action1 Corporation, told BleepingComputer.

In accordance with the Polish CERT and Military Counterintelligence Service, an ongoing cyberespionage effort linked to a Russian nation-state entity is targeting European government agencies and diplomats in order to collect Western government intelligence on the Ukraine war. According to a Thursday advisory from the two federal agencies, a campaign linked to the Russian 

APT organization Nobelium is targeting government agencies and diplomats involved with NATO and the European Union, as well as African states to a lesser extent. Per the Polish authorities, the hackers are targeting victims using spear-phishing emails that look to be from European embassies, inviting them to a meeting or event at one of the embassies.

"We believe the target of Nobelium's campaign is Western countries, especially those in Western Europe, which provide help to Ukraine," BlackBerry researchers wrote.

Over a 30-month period, cybercriminal groups and threat groups advertised for workers with expertise in software development, IT infrastructure maintenance, and designing fraudulent websites and email campaigns. In accordance with a new report from cybersecurity firm Kaspersky, demand for technically skilled individuals continues, but it spiked during the coronavirus pandemic, with double the average job advertisements coming during March 2020, the first month of the pandemic. 

The analysis gathered messages from 155 Dark Web forums between January 2020 and June 2022, focusing on those that mentioned employment — either by cybercriminal groups or individuals looking for work. The majority of job postings (83%) were from threat groups looking for highly skilled workers, such as developers (61%), attack specialists (16%), and fraudulent website designers (10%).

"Some ... living in the region suffered from the reduction of income, took a mandatory furlough, or lost their jobs altogether, which subsequently resulted in rising unemployment levels," Kaspersky stated in the report. "Some job seekers lost all hope to find steady, legitimate employment and began to search on Dark Web forums, spawning a surge of resumes there. As a result, we observed the highest ad numbers, both from prospective employers and job seekers."

"Many are drawn by expectations of easy money and large financial gain," the report stated. "Most times, this is only an illusion. Salaries offered on the Dark Web are seldom significantly higher than those you can earn legally."

"The most sought-after professionals were developers and attack specialists, particularly for coding malicious programs, phishing websites, and planning and implementing attacks," she says.

As per The Markup, popular tax preparation software such as TaxAct, TaxSlayer, and H&R Block sent sensitive financial information to Facebook's parent company Meta via its widely used code known as a pixel, which helps developers track user activity on their sites. 

In accordance with a report published on Tuesday by The Verge, Meta pixel trackers in the software sent information such as names, email addresses, income information, and refund amounts to Meta, violating its policies. The Markup also discovered that TaxAct sent similar financial data to Google via its analytics tool, though the data did not include names.

An H&R Block spokesperson said the company takes “protecting our clients’ privacy very seriously, and we are taking steps to mitigate the sharing of client information via pixels.” 

A TaxSlayer representative did not immediately respond to CNBC's request for comment.

Based on a new report published by cybersecurity firm Group-IB, a French-speaking cybercrime group may have stolen more than $30 million from banks and other types of organizations in recent years. 

Group-IB has identified the threat actor as Opera1er. Others have previously investigated some of its activities, naming it Common Raven, Desktop-Group, and NXSMS. The cybersecurity firm is aware of 30 successful attacks carried out between 2019 and 2021, with many of the victims being attacked multiple times. 

The majority of the attacks targeted African banks, but victims also included financial services, mobile banking services, and telecommunications companies. Victims were discovered in 15 countries across Africa, Latin America, and Asia.

“In at least two banks, Opera1er got access to the SWIFT messaging interface,” Group-IB explained. “In one incident, the hackers obtained access to an SMS server which could be used to bypass anti-fraud or to cash out money via payment systems or mobile banking systems. In another incident, Opera1er used an antivirus update server which was deployed in the infrastructure as a pivoting point.”

Guardio Labs researchers have discovered Dormant Colors, a new malvertising campaign to deliver malicious Google Chrome extensions. 

Chrome extensions are used to hijack searches and insert affiliate links into web pages. The campaign was dubbed Dormant Colors by experts because the extensions permit color customization. 

“It starts with the trickery malvertising campaign, continues with a crafty novel way to side-load the real malicious code without anyone noticing (until now!), and finally with stealing not only your searches and browsing data, but also affiliation to 10,000 targeted sites — a capability that is easily leveraged for targeted spear phishing, account takeover and credential extraction — all using this powerful network of millions of infected computers worldwide!” reads the post published by the Guardio Labs. 

The researchers discovered at least 30 variants of these extensions in both the Chrome and Edge web stores by mid-October 2022. Over a million people installed malicious browser extensions. Experts discovered that the code of Chrome extensions does not contain malicious components in its initial state, but malicious snippets are later added to the code. The attack chain is based on malvertising messages designed to trick victims into clicking on the install button, as seen in the video. Victims are prompted to install a color-changing extension after clicking the 'OK' or 'Continue' button.

“This campaign is still up and running, shifting domains, generating new extensions, and re-inventing more color and style-changing functions you can for sure manage without. Adding to that, the code injection technique analyzed here is a vast infrastructure for mitigation and evasion and allows leveraging the campaign to even more malicious activities in the future.” concludes the report that also includes Indicators of Compromise (IoCs) for this campaign. 

“At the end of the day, it’s not only affiliation fees being collected on your back, this is your privacy as well as your internet experience being compromised here, in ways that can target organizations by harvesting credentials and hijacking accounts and financial data. No extension that makes a fine-looking website look dark and ugly is worth it…”

On June 27, 2022, the cybersecurity firm Imperva mitigated a DDoS attack with over 25.3 billion requests. The attack, according to experts, sets a new record for Imperva's application DDoS mitigation solution. The attack, which targeted an unnamed Chinese telecommunications company, was notable for its duration, lasting more than four hours and peaking at 3.9 million RPS. 

“On June 27, 2022, Imperva mitigated a single attack with over 25.3 billion requests, setting a new record for Imperva’s application DDoS mitigation solution” reads the announcement. “While attacks with over one million requests per second (RPS) aren’t new, we’ve previously only seen them last for several seconds to a few minutes. On June 27, Imperva successfully mitigated a strong attack that lasted more than four hours and peaked at 3.9 million RPS.”

Attackers are capitalising on the power of the Facebook brand by sending emails that appear to be from Facebook Ads Manager. The plan is to trick victims into providing their credentials and credit card information on a Facebook lead generation form. 

According to a report published on Tuesday by Avanan's security research team, attackers are sending phishing messages that seem to be urgent warnings from Meta's "Facebook AdManager" team. The messages claim that the victim is not following the company's ad policies and that the ad account will be terminated if the target does not appeal to the fictional violation. 

The "appeal form" link takes visitors to a credential-harvesting site that collects passwords and credit card information using a real Facebook lead-generation form.

"For the end user, seeing that their Facebook ad account has been suspended is cause for concern," Fuchs said. "Since it’s a legitimate Facebook link, the user would feel confident continuing on."

The lessons learned from the SolarWinds software supply chain attack were turned into tangible guidance this week when the United States Cybersecurity and Infrastructure Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) released a joint best practises framework for developers to prevent future supply chain attacks.

In addition to the recommendations from the US government, developers received npm Best Practices from the Open Source Security Foundation in order to establish supply chain security open-source best practices.

"The developer holds a critical responsibility to the security of our software," the agencies said about the publication, titled Securing the Software Supply Chain for Developers. "As ESF examined the events that led up to the SolarWinds attack, it was clear that investment was needed in creating a set of best practices that focused on the needs of the software developer."

Meanwhile, OpenSSF announced that the npm code repository has grown to encompass 2.1 million packages.

Developers like Michael Burch, director of application security for Security Journey, praise the industry's proactive framework, but Burch adds that it is now up to the cybersecurity sector to put these guidelines into action, particularly a recommendation to implement software bills of materials (SBOMs).

Burch  concluded, "What we need now is the AppSec community to come together on the back of this guidance, and create a standard format and implementation for SBOMs to boost software supply chain security." 

An unprecedented cyber attack on Montenegro's government digital infrastructure occurred, and the government promptly implemented measures to mitigate its impact. Montenegro immediately reported the attack to other NATO members. 

“Certain services were switched off temporarily for security reasons but the security of accounts belonging to citizens and companies and their data have not been jeopardised,” said Public Administration Minister Maras Dukaj. 

The attack, according to the Minister, began on Thursday night. The US embassy in Montenegro recommended US citizens limit their movement and travel within the country to the necessities and keep their travel documents up to date and easily accessible, fearing that the attack would disrupt government infrastructure for identifying people living in Montenegro and transportation. The National Security Agency issued a warning to critical infrastructure organisations.

“A persistent and ongoing cyber-attack is in process in Montenegro,” reported the website of the U.S. Embassy in the capital Podgorica. 

“The attack may include disruptions to the public utility, transportation (including border crossings and airport), and telecommunication sectors.” 

EPCG, the state-owned power utility, has switched to manual handling to avoid any potential damage, according to Milutin Djukanovic, president of EPCG. The company decided to temporarily disable some of its clients' services as a safety measure. The government believes the attack was carried out by a nation-state actor.

RedAlpha, a Chinese state-sponsored cyberespionage group, has been observed targeting numerous government organisations, humanitarian organisations, and think tanks over the last three years. 

The advanced persistent threat (APT) actor, also known as Deepcliff and Red Dev 3, has been active since at least 2015, focusing on intelligence collection and surveillance of ethnic and religious minorities such as the Tibetan and Uyghur communities. 

According to cybersecurity firm Recorded Future, RedAlpha has registered hundreds of domains impersonating global government, think tank, and humanitarian organisations such as Amnesty International, the American Institute in Taiwan (AIT), the International Federation for Human Rights (FIDH), the Mercator Institute for China Studies (MERICS), and Radio Free Asia (RFA).

“The group’s targeting closely aligns with the strategic interests of the Chinese government, such as the observed emphasis on China-focused think tanks, civil society organizations, and Taiwanese government and political entities. This targeting, coupled with the identification of likely China-based operators, indicates a likely Chinese state-nexus to RedAlpha activity,” Recorded Future concludes.

Singapore aims to improve its quantum computing capabilities through new initiatives to build necessary skill sets and quantum equipment. It emphasises the importance of doing so in order to keep encryption technology resilient and capable of withstanding "brute force" attacks. 

The Singapore government announced on Tuesday that it will set aside SG$23.5 million (17.09 million) to support three national platforms under its Quantum Engineering Programme (QEP) for a period of up to 3.5 years. The scheme is a component of the country's Research, Innovation, and Enterprise 2020 (RIE2020) strategy. 

Two of these platforms were presented today, including the National Quantum Computing Hub, which will pool knowledge and resources from the Centre for Quantum Technologies (CQT), as well as local universities and research institutes, to strengthen key skill sets. 

Teams from CQT, the National University of Singapore, Nanyang Technological University, A*STAR's Institute of High Performance Computing (IHPC), and the National Supercomputing Centre (NSCC) would seek to establish international collaborations and train new talent in order to address a skills shortage in the emerging industry. CQT and IHPC researchers would also create quantum computing hardware and middleware, with potential applications in finance, supply chain, and chemistry. 

The National Supercomputing Center (NSCC) would offer the supercomputing capacity required to design and train algorithms for usage on quantum computers. A second initiative, National Quantum Fabless Foundry, was launched to facilitate the micro and nano-fabrication of quantum devices in cleanrooms run by industrial partners. 

The platform, which would be hosted at A*STAR's Institute of Materials Research and Engineering, would aid in the creation of products in quantum computations, communication, and sensing. Singapore's Deputy Prime Minister and Coordinating Minister for Economic Policies, Heng Swee Keat, stated in his address announcing the new efforts that the country needs to stay alert in the face of growing dangers. Heng compared cyber threats to a "cat and mouse game," saying that efforts were made to keep ahead of hostile actors who were always looking for new holes to attack. 

With the cyber world rapidly developing, he believes quantum technology has the potential to be a "game changer." "Strong encryption is key to the security of digital networks. The current encryption standard, AES 256, has held up, as few have the computing power to use brute force to break the encryption. But this could change with quantum computing," he cautioned. 

"For some cryptographic functions, the fastest quantum computer is more than 150 million times faster than the fastest supercomputer. Quantum computers can solve in minutes a problem which takes a supercomputer 10,000 years." 

This underscored the importance of quantum technology research, the minister said. "Our investment in quantum computing and quantum engineering is part of our approach of trying to anticipate the future and proactively shaping the future that we want." 

He said that as digitalisation increased, so did cyber concerns and that Singapore must continue to spend to keep ahead of possible threats. He went on to say that the fabless foundry will use the country's manufacturing skills to create quantum devices that would tackle "real-world difficulties" in collaboration with industry partners.

Due to a security flaw in the file transfer programme CompleteFTP, unauthenticated attackers were able to delete arbitrary files on vulnerable installations. 

CompleteFTP is a proprietary FTP and SFTP server for Windows developed by EnterpriseDT of Australia that supports FTPS, SFTP, and HTTPS. A security researcher known as rgod uncovered a problem in the HttpFile class that stems from the failure to properly validate a user-supplied path before utilising it in file operations. 

A security advisory explains, “This vulnerability allows remote attackers to delete arbitrary files on affected installations of EnterpriseDT CompleteFTP server. An attacker can leverage this vulnerability to delete files in the context of SYSTEM.” 

The vulnerability was given CVE-2022-2560 and was addressed in CompleteFTP version 22.1.1. Other security changes in this release include the SHA-2 cryptographic hash algorithm for RSA signatures and a new format for PuTTY private keys.

An updated sample of the CopperStealer malware has been detected, infecting devices via websites providing fraudulent cracks for applications and other software.

Cyber attackers employ these bogus apps to perform a range of assaults. The hackers in this assault operation took advantage of the desire for cracks by releasing a phoney cracked programme that actually contained malware. 

The infection starts with a website or Telegram channel offering/presenting false cracks for downloading and installing the needed cracks. The downloaded archive files include a password-protected text file and another encrypted archive. 

The decrypted archive displays the executable files when the password specified in the text file is typed. There are two files in this sample: CopperStealer and VidarStealer. 

What are the impacts of Copper Stealer and Vidar Stealer on the systems? 

CopperStealer and Vidar stealer can cause many system infections, major privacy problems, financial losses, and identity theft. 

Attackers can utilise data stealers like CopperStealer to steal sensitive information for more illegal reasons. Users can stay secure by taking the following precautions: 

The cybercrime police are looking for a person who pretended to be the managing director of a private company and duped the firm's HR manager into transferring 28.8 lakh online before fleeing. 

On Sunday, the police lodged a case against the unknown individual, accusing him of different sections of the IT Act as well as cheating and impersonation under the IPC, based on a complaint filed by Nirmal Jain, the owner of the private enterprise. 

According to Mr. Jain's allegation, the accused sent a WhatsApp message to HR manager Thirupathi Rao pretending to be Paras Jain, the company's MD. The MD's image was on the WhatsApp profile, and the message stated that it was his personal number and that he was at a meeting and should not be disturbed. 

The individual then requested that Mr. Rao move the funds to three bank accounts online on an emergency basis. Mr. Rao followed the instructions and transferred a total of 28.89,807 to the private bank account numbers specified in the communication. When he told higher officials about the transactions, the scam was discovered. 

Based on the transaction information, the authorities are now attempting to locate the accused. This is a new trend among internet fraudsters who download the profile images of senior executives of organisations in order to scam their office staff, according to experts.

The BlackCat ransomware group, also known as ALPHV, has targeted the Austrian federal state Carinthia, demanding $5 million to open encrypted computer systems. The threat actor allegedly locked thousands of workstations during the attack on Tuesday, causing serious operational interruption to government services. 

The website and email service for Carinthia are temporarily down, and the government is unable to issue new passports or traffic penalties. Furthermore, the intrusion hampered the completion of COVID-19 testing and contact tracking through the region's administrative offices. 

For $5 million, the hackers offered to deliver a functioning decryption tool. Gerd Kurath, a state spokesperson, told Euractiv that the attacker's demands will not be fulfilled. 

According to the press spokesperson, there is presently no proof that BlackCat was able to take any data from the state's systems, and the aim is to restore the workstations using accessible backups. Kurath stated that the first of the 3,000 impacted systems are likely to be operational again soon. 

At the time of writing, there is no material from Carinthia on BlackCat's data leak site, where hackers post files taken from victims who did not pay a ransom. This might imply a recent incident or that discussion with the victim are still ongoing. 

In November 2021, the ALPHV/BlackCat ransomware group emerged as one of the more advanced ransomware attacks. They are a rebranded version of the DarkSide/BlackMatter gang, which is responsible for the Colonial Pipeline attack last year. 

BlackCat affiliates launched attacks on high-profile companies and brands such as the Moncler fashion firm and the Swissport airline freight handling services provider in early 2022. 

By the completion of the first quarter of the current year, the FBI issued a warning that BlackCat had breached at least 60 businesses globally, adopting the position that it was expected to achieve as one of the most active and dangerous ransomware projects out there. 

The attack on Carinthia and the hefty ransom demands demonstrate that the threat actor targets firms that can pay substantial sums of money to get their systems decrypted and prevent additional financial losses due to lengthy operational interruption.

The FBI recently announced that the amount of money lost to business email compromise (BEC) scams is increasing each year, with a 65 per cent rise in identified global exposure losses between July 2019 and December 2021.

From June 2016 to July 2019, IC3 received victim complaints about 241,206 domestic and international occurrences, totalling $43,312,749,946 in exposed cash loss. 

The FBI stated, "Based on the financial data reported to the IC3 for 2021, banks located in Thailand and Hong Kong were the primary international destinations of fraudulent funds. China, which ranked in the top two destinations in previous years, ranked third in 2021 followed by Mexico and Singapore." 

This was revealed in a new public service announcement issued on the Internet Crime Complaint Center (IC3) site as an update to a prior PSA dated September 2019, in which the FBI stated victims reported losses to BEC attacks totalling more than $26 billion between June 2016 and July 2019. 

BEC scams were the cybercrime type with the highest recorded overall victim losses last year, according to the IC3 2021 Internet Crime Report [PDF]. Based on 19,954 registered complaints relating to BEC attacks against individuals and businesses in 2021, victims reported losses of about $2.4 billion. BEC scammers use a variety of techniques to infiltrate business email accounts, including social engineering, phishing, and hacking, to transfer payments to attacker-controlled bank accounts. 

Small, medium and big enterprises are frequently targeted in this form of scam (also known as EAC or Email Account Compromise). Nonetheless, if the payout is high enough, they will attack individuals. Given that they often imitate someone who has the target's trust, their success rate is also very high. 

However, "the scam is not always associated with a transfer-of-funds request," as the FBI explained in the PSA alert. "One variation involves compromising legitimate business email accounts and requesting employees' Personally Identifiable Information, Wage and Tax Statement (W-2) forms, or even cryptocurrency wallets."

The FBI also offered advice on how to protect yourself from BEC scams:

Microweber, an open-source website builder and content management system, has a stored cross-site scripting (XSS) vulnerability, according to security researchers. 

The security flaw, identified as CVE-2022-0930 by researchers James Yeung and Bozhidar Slaveykov, was patched in Microweber version 1.2.12. The issue developed as a result of flaws in older versions of Microweber's content filtering protections. 

Because of these flaws, attackers could upload an XSS payload as long as it contained a file ending in 'html' — a category that encompasses far more than simply plain.html files. Once this payload is uploaded, a URL with malicious HTML can be viewed and malicious JavaScript performed. 

An attacker could steal cookies before impersonating a victim, potentially the administrator of a compromised system, by controlling a script that runs in the victim's browser. A technical blog article by Yeung and Slaveykov, which includes a proof-of-concept exploit, gives additional detail about the assault. Microweber was asked to comment on the researchers' findings via a message sent through a webform on The Daily Swig's website. Microweber responded by confirming that the "issue is already fixed." 

When asked how they found Microweber as a target, Yeung told The Daily Swig, “I came across huntr.dev and found other researchers had found vulnerabilities on Microweber and that's why I joined that mania!” 

The vulnerabilities discovered in Microweber are similar to those found in other comparable enterprise software packages. The researcher explained, “I have found similar vulnerabilities in multiple CMS like Microweber, and I found that most of them are lacking user input sanitization from HTTP requests (some of which are not intended to be submitted from client).” 

To avoid issues in this area, Yeung determined that developers should gradually shift toward allow-lists and away from utilising block-lists.

While automated attacks remain a major security concern to enterprises, findings from a Bulletproof analysis highlight the challenge created by inadequate security hygiene. According to research conducted in 2021, bot traffic currently accounts for 70% of total web activity.

Default credentials are the most popular passwords used by malicious attackers, acting as a 'skeleton key' for criminal access. With attackers increasingly deploying automated attack methods 

Brian Wagner, CTO at Bulletproof stated, “On the list are the default Raspberry Pi credentials (un:pi/pwd:raspberry). There are more than 200,000 machines on the internet running the standard Raspberry Pi OS, making it a reasonable target for bad actors. We also can see what looks like credentials used on Linux machines (un:nproc/pwd:nproc). This highlights a key issue – default credentials are still not being changed.”

“Using default credentials provides one of the easiest entry points for attackers, acting as a ‘skeleton key’ for multiple hacks. Using legitimate credentials can allow attackers to avoid detection and makes investigating and monitoring attacks much harder.” 

According to the findings, attackers are continuously utilising the same typical passwords to gain access to systems. Some are default passwords that haven't been updated since the company started using them. The RockYou database leak from December 2009 is accountable for a quarter of all passwords used by attackers today. This degree of activity suggests that these passwords are still valid. 

During the period of the research, threat actors started almost 240,000 sessions. The top IP address, which came from a German server, started 915 sessions and stayed on the Bulletproof honeypot for a total of five hours. Another attacker spent 15 hours on the honeypot, successfully logging in 29 times with more than 30 different passwords. In sum, 54 per cent of the more than 5,000 distinct IP addresses had intelligence indicating they were bad actor IP addresses.

Wagner continued, “Within milliseconds of a server being put on the internet, it is already being scanned by all manner of entities. Botnets will be targeting it and a host of malicious traffic is then being driven to the server.” 

“Although some of our data shows legitimate research companies scanning the internet, the greatest proportion of traffic we encountered to our honeypot came from threat actors and compromised hosts. These insights, combined with our data, highlight the importance of proactive monitoring to ensure you are aware of the threats to your business on a daily basis, as well as a tried and tested incident response plan.”

China has recently had its own national sporting event: the National Games of China began on September 15, 2021, in the Chinese city of Shaanxi. This is a comparable event to the Olympics, however, it only features athletes from China. The National Games of the People's Republic of China, also known as the All-China Games, are China's biggest national sporting event. It is typically held every four years. 

David Álvarez, an Avast security researcher, discovered a malware sample with a peculiar file extension in early September and started to examine where it came from. Following that, he discovered a report submitted to VirusTotal by the National Games IT team on an attack against a server associated with the Games.

The data suggests that the attackers acquired initial code execution on September 3, 2021, about 10:00AM local time, and deployed their first reverse shell executing scripts called runscript.lua. Researchers believe this occurred as a result of an arbitrary file-read vulnerability targeting either route .lua which, according to the API (Application User Interface) extracted from various JavaScript files, is a LUA script containing a lot of functionality ranging from login authentication to file manipulation or index.lua in combination with index.lua?a=upload API that was not used by anyone else in the rest of the network log. It's also worth noticing that runscript.lua was not included in the report or among the files uploaded by the attacker. 

After gaining initial access, the attackers uploaded numerous other reverse shells, such as conf.lua, miss1.php, or admin2.php, to gain a more permanent foothold in the network in the event that one of the shells was found. Because these reverse shells receive commands via POST requests, the data is not contained in the logs attached to the report, which simply show the URL path. Furthermore, the logs in the report do not contain enough information about network traffic for researchers to understand how and when the attackers obtained their initial web shell. 

The method used by the attackers to hack the 14th National Games of China is not novel. They got access to the system by taking advantage of a flaw in the webserver. This highlights the importance of updating software, correctly configuring it, and being aware of potential new vulnerabilities in apps by employing vulnerability scanners.

The most essential security countermeasure for defenders is to maintain the infrastructure patched up to date (especially for the internet-facing infrastructure). The primary priority for both internal and internet-facing infrastructure should be prevention. According to the researchers, in order to fight against this type of attack, more layers of protection must be deployed so that users can identify and respond immediately when a successful breach occurs.