Aggregator
Small Business, Big Threats: INE Security Launches Initiative to Train SMBs to Close a Critical Skills Gap
Cary, North Carolina, 10th September 2024, CyberNewsWire
The post Small Business, Big Threats: INE Security Launches Initiative to Train SMBs to Close a Critical Skills Gap appeared first on Security Boulevard.
[Intelligence Knowledge] Agents of Influence
Navigating Endpoint Privilege Management: Insights for CISOs and Admins
Blue Team Con 2024: Sharing Security Insights and Defense Strategies in Chicago
Key insights and defense strategies were shared at Blue Team Con 2024 in Chicago, where defenders gathered to advance their skills for fighting today’s toughest threats.
The post Blue Team Con 2024: Sharing Security Insights and Defense Strategies in Chicago appeared first on Security Boulevard.
Netskope accelerates cloud networking and security operations
Netskope announced several new innovations in the Netskope One platform, including expanded digital experience management (DEM) features and benefits. Combining key network and security capabilities, Netskope One continues to revolutionize the effectiveness of enterprise network infrastructure and operations (I&O) and security teams, enabling the entire organization to optimize the user experience while protecting critical data and reducing risk, cost, and complexity. Coming on the heels of Netskope being recognized as a Leader in the 2024 …
The post Netskope accelerates cloud networking and security operations appeared first on Help Net Security.
Platform Engineering Is Security Engineering
RansomHub Ransomware Targets Critical Infrastructure: A Detailed Look at the CISA-FBI Advisory
A recent joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) has highlighted a significant threat to critical infrastructure sectors across the United States: RansomHub ransomware.
The post RansomHub Ransomware Targets Critical Infrastructure: A Detailed Look at the CISA-FBI Advisory appeared first on Security Boulevard.
Active Directory Trusts
Insights on Cyber Threats Targeting Users and Enterprises in Mexico
Written by: Aurora Blum, Kelli Vanderlee
Like many countries across the globe, Mexico faces a cyber threat landscape made up of a complex interplay of global and local threats, with threat actors carrying out attempted intrusions into critical sectors of Mexican society. Mexico also faces threats posed by the worldwide increase in multifaceted extortion, as ransomware and data theft continue to rise.
Threat actors with an array of motivations continue to seek opportunities to exploit the digital infrastructure that Mexicans rely on across all aspects of society. This joint blog brings together our collective understanding of the cyber threat landscape impacting Mexico, combining insights from Google's Threat Analysis Group (TAG) and Mandiant's frontline intelligence. By sharing our global perspective, especially during today's Google for Mexico event, we hope to enable greater resiliency in mitigating these threats.
Cyber Espionage Operations Targeting Mexico
As the 12th largest economy in the world, Mexico draws attention from cyber espionage actors from multiple nations, with targeting patterns mirroring broader priorities and focus areas that we see elsewhere. Since 2020, cyber espionage groups from more than 10 countries have targeted users in Mexico; however, more than 77% of government-backed phishing activity is concentrated among groups from the People's Republic of China (PRC), North Korea, and Russia.
Figure 1: Government-backed phishing activity targeting Mexico, January 2020 – August 2024
The examples here highlight recent and historical examples where cyber espionage actors have targeted users and organizations in Mexico. It should be noted that these campaigns describe targeting and do not indicate successful compromise or exploitation.
PRC Cyber Espionage Activity Targeting Mexico
Since 2020, we have observed activity from seven cyber espionage groups with links to the PRC targeting users in Mexico, accounting for a third of government-backed phishing activity in the country.
This volume of PRC cyber espionage is similar to activity in other regions where Chinese government investment has been focused, such as countries within China's Belt and Road Initiative. In addition to activity targeting Gmail users, PRC-backed groups have targeted Mexican government agencies, higher education institutions, and news organizations.
North Korean Government-Backed Groups Targeting Mexico
Since 2020, North Korean cyber actors have accounted for approximately 18% of government-backed phishing activity targeting Mexico. Similar to their targeting interests in other regions, cryptocurrency and financial technology firms have been a particular focus.
One of the emerging trends we are witnessing globally from North Korea is the insider threat posed by North Korean nationals gaining employment surreptitiously at corporations to conduct work in various IT roles. We note the potential for this threat to present a future risk to Mexican enterprises given historical activity by North Korean threat actors in Mexico and the challenges associated with the expansive problem of North Korean actors attempting to gain employment in other countries.
Russian Cyber Espionage Activity Targeting Mexico
Russian cyber espionage groups have targeted users in Mexico regularly for several years; however, since the start of Russia's war in Ukraine, Russian activity targeting Mexico has scaled back considerably, likely an indication of Russia's efforts to focus resources on Ukrainian and North Atlantic Treaty Organization (NATO) targets in the context of the Russia-Ukraine war. Of the four Russia-backed groups observed targeting Mexico, over 95% of the related phishing activity comes from one group, APT28 (aka FROZENLAKE).
Since 2020, Russian cyber actors have accounted for approximately one-fifth of government-backed phishing activity targeting Mexico. However, in 2023 and 2024, Russian cyber actors only account for less than 1% of government-backed phishing activity targeting Mexico.
Commercial Surveillance Vendors
Spyware is typically used to monitor and collect data from high-risk users like journalists, human rights defenders, dissidents, and opposition-party politicians. These capabilities have grown the demand for spyware technology, making way for a lucrative industry used to sell to governments and nefarious actors the ability to exploit vulnerabilities in consumer devices. Google offers a range of tools to help protect high-risk users from online threats.
Over the past several years, open sources have reported multiple cases involving the use of spyware to target many sectors of Mexican civil society, including journalists, activists, government officials, and their families in Mexico. TAG has previously highlighted the negative outcomes of commercial spyware tools, including the proliferation of sophisticated cyber threat capabilities to new operators and sponsors, the increasing rates of zero-day vulnerability discovery and exploitation, and harm to targets of these tools. Though the use of spyware typically only affects a small number of human targets at a time, its wider impact ripples across society by contributing to growing threats to free speech and the free press and the integrity of democratic processes worldwide. TAG continues to observe evidence of several commercial surveillance vendors operating in Mexico. As recently as April 2024, TAG observed spyware being used in Mexico with Mexican news-themed lures.
Insights on Cyber Crime Targeting Users and Enterprises in Mexico
Cyber crime represents a common, moderate-impact threat to Mexico. Notably, we have observed a variety of operations, including ransomware and extortion, targeting of banking credentials, cryptomining, and threat actors offering compromised access and/or credentials for sale. TAG continues to detect and disrupt multiple financially motivated groups targeting users and organizations in Mexico. Of these groups, three of the top four most frequently observed groups in the past year have been initial access brokers for extortion groups. Mandiant observed evidence of threat actors using a variety of initial access vectors, including phishing, malvertising, infected USB drives, and password spray. This initial access subsequently supported threat activity including ransomware and extortion operations, cryptomining, and threat actors offering compromised access and/or credentials for sale.
Like other countries in the region, Mexico is affected by threat activity from actors primarily active in Latin America as well as operations with global reach. A significant amount of observed campaigns focus on stealing credentials for banking or other financial accounts, including use of banking trojans such as METAMORFO aka "Horabot," BBtok, and JanelaRAT. Many threat actors in the Latin American underground appear to focus on simpler operations in which they can quickly and easily generate profits, such as payment card theft and fraud.
Figure 2: Financially motivated actors most frequently observed in Mexico, Q3 2022 – Q2 2024
Extortion's Impact on Mexico
Extortion operations, including ransomware, multifaceted ransomware, and extortion, continue to affect organizations across regions and industries, including Mexico, leading to significant financial losses and business disruption. For detailed guidance on defensive strategies for ransomware, please see our blog post: Ransomware Protection and Containment Strategies: Practical Guidance for Hardening and Protecting Infrastructure, Identities, and Endpoints and the accompanying white paper.
Mandiant tracks multiple data leak sites (DLSs) dedicated to releasing victim data following ransomware and/or extortion incidents in which victims refuse to pay a ransom demand. From January 2023 to July 2024, Mexico was surpassed only by Brazil as the Latin American and Caribbean country most affected by ransomware and extortion operations, based on counts of DLS listings, though the global distribution of extortion activity as indicated by DLS listings remains heavily skewed towards the U.S., Canada, and Western Europe. The most frequently impacted sectors in Mexico include manufacturing, technology, financial services, and government. DLSs that most often listed Mexican organizations include LockBit, ALPHV, and 8BASE.
Figure 3: Data leak listings for Mexican organizations by industry
Impersonating Official Government Services to Distribute Malware
Malware distribution campaigns targeting users in Mexico frequently use tax- and finance-themed lures to convince recipients to open malicious links or files. Throughout 2023 and into 2024, Mandiant observed UNC4984 activity distributing either malicious browser extensions or the SIMPLELOADER downloader using multiple distribution vectors, including using email lures for malware distribution. The malicious websites leveraged in these campaigns often masquerade as tax- or financial-related Chilean or Mexican government websites, and the malicious browser extensions specifically target Mexican bank institutions.
Figure 4: UNC4984 website spoofing the Mexican Tax Administration Service (SAT) prompting users to download a malicious browser extension
Another financially motivated group, tracked as UNC5176, uses emails and malicious advertisement (aka "malvertising") campaigns to compromise users from various countries, including Brazil, Mexico, Chile, and Spain. Mandiant observed multiple malicious email campaigns delivering the URSA (aka Mispadu) backdoor to Latin American organizations in multiple industries, including a December 2023 UNC5176 campaign spoofing Mexico's state-owned electric utility, the Comisión Federal de Electricidad. In April 2024, a UNC5176 phishing campaign distributed URSA to organizations primarily located in Latin America using malicious PDF attachments containing an embedded link to a ZIP archive. In some incidents, the ZIP archives were hosted on and retrieved from legitimate file-hosting services such as S3 buckets, Azure, GitHub, and Dropbox.
Figure 5: Screenshot of phishing email
Using Threat Intelligence to Protect Users and Customers
Google uses the results of our research to improve the safety and security of our products, making them secure by default. Chrome OS has built-in, proactive security measures to protect from ransomware attacks, and there have been no reported ransomware attacks ever on any Chrome OS device. Google security teams continuously monitor for new threat activity, and all identified websites and domains are added to Safe Browsing to protect users from further exploitation. We also deploy and constantly update Android detections to protect users' devices and prevent malicious actors from publishing malware to the Google Play Store. We send targeted Gmail and Workspace users government-backed attacker alerts, notifying them of the activity and highly encouraging device updates and the use of Enhanced Safe Browsing for Chrome. Additionally, Google Cloud customers can access insight into these threats through our Google Threat Intelligence product announced earlier this year.
Conclusion
Mexico will remain an attractive target for threat actors driven by diverse motivations. Global cyber espionage actors from the PRC, North Korea, and Russia as well as multinational cyber criminals pose longstanding threats. To effectively safeguard Mexican enterprises and users, it is important to understand this unique interplay of threats and adopt a proactive approach to cybersecurity.
We hope the analysis and research here helps to inform defenders in Mexico, providing fresh insights for collective defense. At Google, we are committed to supporting the safety and security of online users everywhere and will continue to take action to disrupt malicious activity to protect our users and enterprise customers and help make the internet safe for all.
A good day to trie-hard: saving compute 1% at a time
People's Teacher issy Celebrates Today
Dark Reading Confidential: Pen Test Arrests, Five Years Later
Threats and key takeaways for the legal sector
The 40th Teachers' Day! The Baize team wishes all teachers of the System Software and Security Lab a happy Teachers' Day!
Harbor dinner gives Ukrainian refugees a warm welcome
EU rules Google violated antitrust law; Apple must pay €13 billion in back taxes
Ketch helps media brands enable privacy-safe data activation
Ketch launched its product suite for digital media brands. The digital media industry faces increasing challenges. Intense FTC scrutiny on targeted advertising, growing pressure to deliver precise, permissioned targeting, and the existential threat of AI-driven content all contribute to a rapidly shifting and highly competitive landscape. Ketch Data Permissioning for Media Companies ensures media companies can activate data with confidence, from dynamic preference collection to real time data stack enforcement and visibility. With Ketch, digital …
The post Ketch helps media brands enable privacy-safe data activation appeared first on Help Net Security.
No Ransom Demand by Rhysida Before Columbus Data Leak: City IT Chief
The Rhysida ransomware group may have been behind the July attack on the city of Columbus, Ohio, but there was never a ransom demand and the hackers ignored attempts by city officials to contact them, according to the head of the city's IT department.
The post No Ransom Demand by Rhysida Before Columbus Data Leak: City IT Chief appeared first on Security Boulevard.
Stay Ahead of Cyber Threats with Autonomous Penetration Testing
Explore how autonomous penetration testing with NodeZero helps organizations meet NIS 2 compliance by enhancing cybersecurity through scalable, efficient risk assessments.
The post Stay Ahead of Cyber Threats with Autonomous Penetration Testing appeared first on Horizon3.ai.
The post Stay Ahead of Cyber Threats with Autonomous Penetration Testing appeared first on Security Boulevard.