In the realm of cybersecurity, danger hides where we least expect it and threats never, ever, go out of style! Over the past few months, Trustwave SpiderLabs has seen a rising trend in threat actors employing PDF documents to gain initial access through email-borne attacks. Though the use of PDF files as a malicious vector is not a novel approach, it has become more popular as threat actors continue to experiment with techniques to bypass conventional security controls.

The Cybersecurity & Infrastructure Security Agency (CISA) has released its 2024-2026 Cybersecurity Strategic Plan, which the agency says will change the trajectory of our national cybersecurity risk by focusing not just on how to defend but developing metrics to measure progress.

There are few security tasks more important, yet more difficult, to conduct than a vulnerability scanning program. A properly conducted scanning program requires a team of human-led experts with the technology to search for issues that might give a threat actor access to a network. Only the largest organizations with equally large wallets can afford to take on this task, but there is an option.

In this blog post, we will explore how the computer security landscape has expanded to reach below the operating system levels, aiming to address areas that are often overlooked or completely neglected in cybersecurity. Attackers have discovered techniques to establish long-term persistence in compromised hosts by injecting malicious code to run before the operating system loads in areas commonly referred to as Basic Input Output System (BIOS).

QR Codes, the square images that contain coded information that can be scanned by a smartphone, are becoming increasingly popular. With the number of smartphone users reaching 6.92 billion this year, access to the information within these ingenious images is within reach by around 86% of the world’s population. Since most, if not all, of the smartphones today feature QR scanners and for those that don’t come so equipped, free apps can be downloaded to add this functionality.

As the world shifted into remote work and distant learning during the pandemic lockdown, e-commerce accelerated as more consumers turned to online shopping apps and websites. Customers who shop online are familiar with email confirmation for their orders. But what if you receive an email confirmation for something that you never bought? It might be a fake order scam, and they are now being sent through Google Groups.

Anyone who has played a Tower Defense-style game, (Plants Vs. Zombies being a favourite) knows the only way to hold off the hoard of brain-eating zombies is to know your weaknesses before the next wave attacks and to plan accordingly. Oddly, preparing a cybersecurity defense is somewhat similar: the player/organization knows attacks are coming, they have an idea from where and how they will be conducted, and they need to place the proper pieces on the board at the right place to stay safe.

Business Email Compromise (BEC) remains a lucrative threat vector for attackers. The FBI’s IC3 reported that in 2022, they received 21,832 complaints with adjusted losses of over $2.7 billion. When it comes to targeted attacks, threat actor sophistication is evident in their ever-evolving tactics, even as detection capabilities and preventative measures improve. Let’s take a look at the current BEC landscape for the first half of 2023.

Cybersecurity is the pressing concern most organizations face when it comes to securing data, but not every hacker launches an attack from thousands of miles away; sometimes, the threat can walk right in through the front door to gain access to your IT system. Adversaries are not shy about using a more direct approach, which is why an organization should not overlook its physical security plan.

If you're a Microsoft-focused organisation you may be able to leverage the technology you already have to become more secure. Nirvana, for many of the organisations I speak with on a daily basis is to maximise what is already included in their licensing agreement and use the current people already in their IT and security department. This presents a challenge for smaller organisations without the extensive security analyst teams of a big financial institution.

By now, the facts of the recent MOVEit breach are well known (although the victim total keeps climbing), but it never hurts to be reminded that these attacks do not take place in a vacuum and threat actors are more than happy to repeatedly use the same tactics if their targets remain vulnerable. Trustwave SpiderLabs, has tracked and documented these events explaining how threat actors were found to be exploiting three vulnerabilities, including a zero-day, (CVE-2023-34362, CVE-2023-35036.

One of my "pastimes," if you will, is to check out the features of various security tools. I had been curious about Microsoft's Defender for IoT's just-released Firmware Analysis feature. Essentially, I wanted to test its capabilities because, as we all know, adversaries are continuously upping their game making tools like this increasingly important when it comes to maintaining an organization's security.

The UK Government is "committed to helpingreduce vulnerability to attacks and ensure that the UK is the safest place todo business" . One strand of the strategy was an executivebriefing on cyber security to UK businesses – which included a top 10 focusareas for businesses to concentrate on. Within that briefing document, Ian Lovain(The Diretor of GCHQ) put it most frankly, "Value,Revenue and Credibility are at stake. Don't let cyber security become theagenda – put it on the agenda" .

Municipalities are no strangers to cyberattacks, but the introduction and ready availability of malware through ransomware-as-a-service providers has led to an increasing number of attacks against cities and counties. One small sample taken from the past six months revealed that Lowell, Mass., Spartanburg County, S.C. and Suffolk Country, N.Y. were victimized, knocking services offline and causing millions of dollars in recovery costs.

Recently, we’ve seen a noticeable surge in malware cases linked to a malicious payload delivery system known as Gootloader. The group behind this malware is believed to operate a malware-as-a-service operation, exclusively providing a malware delivery service for other threat actors.

Cyberattacks have not only become more frequent, sophisticated, and costly, but they are not about to stop. This means unprepared organizations right now are scrambling to protect their sensitive data and systems and part of this scramble is finding people to staff their open cybersecurity positions. This scenario will become a bit more desperate as forthcoming Australian federal cybersecurity strategy is set to make Australia the most cyber-secure nation in the world by 2030.

The role humans play in cybersecurity generally focuses on how people can be the weakest link in an organization’s defense structure. However, when it comes to securing the healthcare industry, people are still paramount, but for quite different reasons.

As technology continues to evolve, there is a growing concern about the potential for large language models (LLMs), like ChatGPT, to be used for criminal purposes. In this blog we will discuss two such LLM engines that were made available recently on underground forums, WormGPT and FraudGPT. If criminals were to possess their own ChatGPT-like tool, the implications for cybersecurity, social engineering, and overall digital safety could be significant.

ChatGPT continues to lead the news cycle and increase in popularity, with new applications and uses seemingly uncovered each day for this innovative platform. However, as interesting as this solution is, and as many efficiencies as it is already providing to modern businesses, it’s not without its risks.

The role of the CISO is expanding alongside the growing adoption of digital technologies, which has resulted in a faster and more interconnected workforce. The dynamic and evolving nature of cyber threats is posing challenges for security teams in terms of visibility and expertise required to defend against them.

The digital transformation of healthcare, involving patients, staff, doctors, and technology, presents significant challenges to security teams in terms of skills and capacity. This challenge can be seen in the U.S. Department of Health and Human Services' Office for Civil Rights which reported 609 data breaches with more than 500 records being compromised in 2021.

Trustwave SpiderLabs discovered a new version of the Rilide Stealer extension targeting Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. This malware uses a creative way to work around the Chrome Extension Manifest V3 from Google which is aimed at blocking the installation of malicious extensions for chromium browsers.

Since Redis is becoming increasingly popular around the world, we decided to investigate attacks on the Redis instance. We didn’t have to wait long for the first results of the Honeypot. The trap caught an activity about which the Western world does not hear too often while analyzing SkidMap. More importantly, this variant turned out to be a new, improved, dangerous variation of the malware. Its level of sophistication surprised us quite a bit.

For threat actors looking to create widespread damage, attacking a third-party supplier with services and software that organizations can’t always control the security measures for continues to be an enticing target. The supply chain is now the weakest link.

In modern network environments focused on cloud technology, organizations have undergone a significant transformation in the development and deployment of their IT assets. The introduction of cloud technology has simplified and expedited the deployment process, but it often lacks centralized change management. The cloud's shared responsibility model enables quick deployment and scaling but can pose security risks if not properly managed and understood.