Wednesday, 7 April 2021

LinkedIn Fake Jobs for Spear Phishing

Since the COVID pandemic, unemployment rates have risen dramatically. It is a perfect time to take advantage of job seekers who are desperate to find employment. Thus, a customized job lure is even more enticing during these troubled times. 

Hence, targeting such unsuspecting people to carry out Spear Phishing attacks on LinkedIn with fake job offers to infect them with a sophisticated BACKDOOR TROJAN - MORE_EGGS is the latest modus operendi. 

Crafting the fake job offer based on the the target’s job position from LinkedIn increases the odds that the recipient will successfully detonate the malware. To increase the odds of success, the phishing lures take advantage of malicious ZIP archive files that have the same name as that of the victims' job titles taken from their LinkedIn profiles.

For example, if the LinkedIn member's job is listed as Senior Account Executive—International Freight the malicious zip file would be titled Senior Account Executive—International Freight position (note the 'position' added to the end), cybersecurity firm eSentire's Threat Response Unit (TRU) said in an analysis. Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs. It uses normal Windows processes to run so it is not going to typically be picked up by anti-virus and automated security solutions so it is quite stealthy. 

The below three elements make more_eggs, and the cybercriminals which use this backdoor very lethal -

Once installed, more_eggs maintains a stealthy profile by hijacking legitimate Windows processes while presenting the decoy "employment application" document to distract targets from ongoing background tasks triggered by the malware. Furthermore, it can act as a conduit to retrieve additional payloads from an attacker-controlled server, such as banking trojans, ransomware, credential stealers, and even use the backdoor as a foothold in the victim's network so as to exfiltrate data.

Reference links: 

https://www.linkedin.com/posts/nsji_cybersecurity-security-privacy-activity-6785417730028908544-rXOe/

https://thehackernews.com/2021/04/hackers-targeting-professionals-with.html

The InfoSec Wheel

In the conventional realm of information security, there tend to be two main groups:

1) The Red Team, employees or contractors hired to be Attackers, ethical hackers that work for an Organization finding security holes that a malicious individual could exploit.

2) The Blue Team, the Organization’s Defenders, who are responsible for protective measures within an Organization.

While it is good to have people dedicated to secure an Organization through defense or attack methods, Organizations and their systems do not stay static. Additional processes, automations, products and being built constantly — with the potential attack surface area growing with each new change or integration.


Only having Red and Blue Security Teams is not enough. The people building what must be defended need to be included.


Red, Blue and Yellow are our Primary Colours. Combine two of them and you get Secondary Colors


Sunday, 4 April 2021

Automating threat actor tracking

As seen in recent sophisticated cyberattacks, especially human-operated campaigns, it’s critical to not only detect an attack as early as possible but also to rapidly determine the scope of the compromise and predict how it will progress. How an attack proceeds depends on the attacker’s goals and the set of tactics, techniques, and procedures (TTPs) that they utilize to achieve these goals. Hence, quickly associating observed behaviors and characteristics to threat actors provides important insights that can empower organizations to better respond to attacks.
Microsoft uses statistical methods to improve our ability to track specific threat actors and the TTPs associated with them. Threat actor tracking is a constant arms race: as defenders implement new detection and mitigation methods, attackers are quick to modify techniques and behaviors to evade detection or attribution. Manually mapping specific indicators like files, IP addresses, or known techniques to threat actors and keeping track of changes over time isn’t effective or scalable.
To tackle this challenge, Microsoft has built a probabilistic models that enable us to quickly predict the likely threat group responsible for an attack, as well as the likely next attack stages. With these models, security analysts can move from a manual method of investigating small sets of disparate signals to probabilistic determinations of likely threat groups based on all activity observed, comparing the activity against all known behaviors, both past and present, encoded in the model. These models help threat intelligence teams stay current on threat actor activity and help analysts quickly identify behaviors they need to analyze when investigating an attack.

The model enriches targeted attack notifications with additional context on the threat, the likely attacker and their motivation, the steps the said attacker is likely to make next, and the immediate action the customer can take to contain and remediate the attack. Below we discuss an incident in which automated threat actor tracking translated to real-world protection against a human-operated ransomware attack.

Read the full article by Microsoft 365 Defender Research Team https://www.microsoft.com/security/blog/2021/04/01/automating-threat-actor-tracking-understanding-attacker-behavior-for-intelligence-and-contextual-alerting/

Thursday, 1 April 2021

Forrester 2021 Predictions

Provided below are some of the predictions for 2021 by Forrester.

In 2021, Remote Work will rise to 300% of pre-COVID levels

Most companies will employ a hybrid work model, with fewer people in the office and more full-time remote employees. As a major portion of the workforce develops the skills and preference for effective remote work, they will come to expect a work-fromanywhere strategy from their company rather than an exception-driven remote-work policy. Expect this to reshape talent acquisition, moving right into talent poaching, as the most desirable workers seek location agnostic work opportunities.

33% of data breaches in 2021 will be caused by insider incidents, up from 25% in 2020

Remote work drives uptick in insider threats. Three major factors that will produce an uptick in insider threats:

1) the rapid push of users, including some outside of companies’ typical security controls, to remote work as a result of the COVID-19 pandemic;

2) employees’ job insecurity;

3) the increased ease of moving stolen company data.

Combined, these will produce an increase of 8 percentage points in insider incidents, from 25% in 2020 to 33% in 2021

30% of firms will increase spend on cloud, security and risk, networks and mobility

Leading CIOs will embrace cloud-first and platform strategies for speed and adaptiveness, eschewing stovepipes for end-to-end solutions. Interviews with leading CIOs found that they are collaborating more across organizations, objectives, and budgets, extending IT-business partnerships into enterpriselevel shared accountability. They will also invest aggressively in employees, breaking down old ideals and resolving resistance within the organization.

CIOs focused on employee experience (EX) will help their firms attract, develop, and retain talent that can provide competitive advantage in a critical year. 

CIOs who are slow or unable to adapt will have at least two problems on their hands: 

1) massive attrition 

2) getting mired in short-term fixes, like tech modernization, simplification, and consolidation, that achieve only digital sameness through peer-comparison strategies by the end of 2021

The global public cloud infrastructure market will grow 35% in 2021

The impact of the global pandemic reinforced the tremendous value and necessity of cloud computing to the world’s economy and workforce. Without cloud apps, tools, and services, businesses could not have sent millions of workers home, maintained global supply chains, or shifted entire industry business models in a matter of weeks. 

The changes brought about by COVID-19 forced companies to prioritize speed and customer experience over cost savings and efficiency — and they flocked to public cloud services faster than ever. It is predicted that the global public cloud infrastructure market will grow 35% to $120 billion in 2021.

Regulatory and legal activity related to employee privacy infringements will double

Forrester predicts that in 2021, regulatory and legal activity regarding employee privacy will double. While European regulators are already enforcing privacy rules to protect employees’ personal data, countries such as Brazil, India, and Thailand will soon do the same. Companies must take a “privacy by design” approach when handling employee personal data. Doing this entails identifying and following all relevant requirements, including and beyond privacy; assessing specific privacy and ethical risks; and communicating transparently with employees.

Wednesday, 31 March 2021

Reduce the Risk of Ransomware

The Cybersecurity and Infrastructure Security Agency (CISA) is leading a ransomware awareness campaign, Reduce the Risk of Ransomware, with information and resources for organizations and individuals to use. 

During Ransomware awareness campaign, CISA emphasizes nine key messages that promote smart cyber behaviors or actions that individuals and organizations should implement to help prevent and mitigate ransomware attacks.

1. Keep Calm and Patch On – Patching is essential for preventive maintenance that keeps machines up-to-date, stable, safe, and secure against malware and other cyber threats. 

2. Backing Up Is Your Best Bet – It is critical to set up offline, encrypted backups of data and to regularly test your backups. The more you automate your backup system, the more frequently you can back up your data. 

3. Suspect Deceit? Hit Delete – If an email looks suspicious, do not compromise your personal or professional information by responding or opening attachments. Delete junk email messages without opening them. 

4. Always Authenticate – Implement multifactor authentication (MFA) to prevent data breaches and cyber-attacks. This includes a strong password and at least one other method of authentication. 

5. Prepare and Practice Your Plan – Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response and notification procedures for a ransomware incident.

6. Your Data Will Be Fine If It’s Stored Offline – Local backups, stored on hard drives or media, provide a sense of security in case any issues occur. Keep your backup media in a safe and physically remote environment. 

7. Secure Your Server Message Block (SMB) – SMB vulnerabilities allow their payloads to spread laterally through connected systems like a worm. CISA recommends all IT professionals disable their SMB protocols to prevent ransomware and other malware attacks. 

8. Paying Ransoms Doesn't Pay Off – The U.S. government recommends against paying any ransom to cyber-crime organizations or malicious cyber actors. Paying a ransom only funds cybercriminals, and there is no guarantee that you will recover your data if you do pay. 

9. Ransomware Rebuild and Recovery Recommendations – Identify the systems and accounts involved in the initial data breach and conduct an examination of existing detection or prevention systems. Once the environment is fully cleaned and rebuilt, issue password resets for all affected systems and address any associated vulnerabilities and gaps in security or visibility.

CISA ResourceReduce the Risk of Ransomware Awareness Campaign

  • Part 1: Ransomware Prevention Best Practices
  • Part 2: Ransomware Response Checklist

Tuesday, 30 March 2021

Risk Management Frameworks

One of the key elements for effective Threat Mitigation through appropriate Control Implementation is to correctly identify the Risk associated, without which the ability to Detect & Protect Security Gaps, Operating Costs and Strategic Roadmaps would get affected.



Monday, 29 March 2021

Effective Red Teaming or Adversary Emulation

The Colored Teams -


Red Teaming landscape -

Red Teaming approach -


The Attack Kill Chain -


Purple team stands for collaborative workflows -


Red Team focus areas -



Sunday, 28 March 2021

Scantron - A Distributed Nmap Scanner


Scantron is a distributed nmap and masscan scanner comprised of two components. The first is a console node that consists of a web front end used for scheduling scans and storing nmap scan targets and results. The second component is an engine that pulls scan jobs from the console and conducts the actual nmap scanning. A majority of the application's logic is purposely placed on the console to make the engine(s) as "dumb" as possible. All nmap target files and nmap results reside on the console and are shared through a network file share (NFS) leveraging SSH tunnels. The engines call back to the console periodically using a REST API to check for scan tasks and provide scan status updates.


Checkout the Python Scantron API client for interacting with the Scantron API and driving automated workflows.


More details: https://github.com/rackerlabs/scantron