Cyber Criminals Phishing and SMiShing US Retail Corporations for Gift Card Fraud

The Federal Bureau of Investigation (FBI) released this Private Industry Notification (PIN) to highlight cybercriminals’ activity using phishing and Short Message Service (SMS) phishing (SMiShing) campaigns against employees at US retail corporate offices in order to create fraudulent gift cards resulting in financial loss.
As of January, the FBI noted a cybercriminal group labeled STORM-0539, also known as Atlas Lion, targeting national retail corporations, specifically the gift card departments located in their corporate offices. STORM-0539 used SMiShing campaigns to target employees and gain unauthorized access to employee accounts and corporate systems. Once they gained access, STORM-0539 actors used phishing campaigns against other employees to elevate network access and reach the gift card department in order to create fraudulent gift cards.
This FBI PIN includes some of the tactics, techniques, and procedures (TTPs) observed from STORM-0539 actors and recommended mitigations to reduce the likelihood and impact of similar attack campaigns, and is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.

Russian Hacktivists Target Water and Wastewater Facilities Nationally

The Cyber Army of Russia Reborn (CARR), a hacktivist group connected to the Russian government, is actively targeting Water and Wastewater facilities across the United States to break into Supervisory Control and Data Acquisition (SCADA) systems, which are commonly used to control and monitor water utilities.

Numerous incidents have been reported nationally, and the frequency of these incidents has spiked in recent weeks. While none of the cyberattacks impacted drinking water for communities, the incidents mark a notable escalation in Russia’s targeting of critical infrastructure in the United States.

In January, a cyberattack against a water facility in Muleshoe, Texas caused a water tank to overflow. During the incident, hackers used a compromised password to break into a remote login system for industrial software that allows operators to interact with the water tanks. Officials took the system offline and switched to manual operations following the attack. Around the same time, authorities in several nearby Texan towns also implemented defensive strategies after detecting suspicious activity on their networks.

Related cyber threat activity targeting water utilities has recently increased, with additional incidents across the United States. CARR has claimed responsibility for the cyberattacks in a series of posts shared online. The posts are accompanied by screen recordings depicting the hackers infiltrating the water supply systems, changing passwords, and manipulating controls. Similar tactics, techniques, and procedures (TTPs) have been employed in the attacks, including using compromised passwords for accounts that did not have multi-factor authentication (MFA) enabled. In all instances, the hackers were observed attempting to access SCADA systems.

Mandiant has recently determined that CARR is connected to Sandworm, also known as APT44. Sandworm is part of Russia’s GRU military intelligence agency. Their research showed that Sandworm helped create CARR and can likely influence CARR’s activities. However, they are still determining if the group is operating independently.

Recommendations:

  • Use strong, unique passwords and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.
  • Apply the Principle of Least Privilege.
  • Keep systems up to date and apply patches after appropriate testing.
  • Install endpoint security solutions to help protect against malware.
  • Employ a comprehensive data backup plan.
  • Utilize monitoring and detection solutions to identify suspicious login attempts and user behavior.
  • Ensure operational technology (OT) environments are segmented from the information technology (IT) environments.

Delivery Service Scams Continue to Evolve

Phishing attacks posing as popular delivery services are becoming more challenging to spot. Many of these scams begin with a text message or email, often claiming that a package cannot be delivered. They may use language such as “final notice” to pressure users into acting immediately. These messages provide a link and state that more information is needed to complete the pending delivery.
Figure: USPS SMiShing attempt. Source: Akamai
Upon clicking the provided link, users are directed to a well-crafted malicious website. The website’s design may appear to be a replica of the authentic delivery service’s website, using logos, color schemes, and a falsified tracking information page. These websites may ask for address information or state that a small fee must be remitted to release the package for delivery.
These threat actors often use combosquatting domains to impersonate the delivery service. Researchers compared the volume of DNS traffic to the legitimate USPS.com against combosquatted domains over five months. The study was limited to domain names that include “USPS,” focusing on the most apparent examples of combosquatting, and because of widespread subdomain use the comparison was made at the domain level rather than on fully qualified domain names. Even within these parameters, the researchers found that the impersonated USPS domains receive as much traffic as the official domain, and considerably more during holidays.
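As an added illustration (not part of the original newsletter or the Akamai research), the domain-level comparison described above can be reproduced on DNS query logs: collapse each queried name to its registrable domain so subdomains are ignored, then count queries to the legitimate domain versus domains whose leftmost label contains “usps”. The log format, the two-label suffix rule, and all domain names below are constructed assumptions.

```python
from collections import Counter

# Constructed sample DNS query log (hypothetical format: "<timestamp> <client> <qname>").
# All names are made up for this example; ".example" is a reserved TLD.
SAMPLE_LOG = """\
2024-04-01T09:00:01Z 10.0.0.5 tools.usps.com
2024-04-01T09:00:02Z 10.0.0.7 usps-redelivery-notice.example
2024-04-01T09:00:03Z 10.0.0.9 track.usps-package-help.example
2024-04-01T09:00:04Z 10.0.0.5 www.usps.com
2024-04-01T09:00:05Z 10.0.0.8 usps-redelivery-notice.example
2024-04-01T09:00:06Z 10.0.0.3 mail.example.org
"""

LEGIT_DOMAIN = "usps.com"
BRAND = "usps"


def registrable_domain(qname: str) -> str:
    """Collapse a fully qualified name to its last two labels so subdomains
    are ignored, matching the study's domain-level comparison.
    Assumption: two-label suffixes only; a public-suffix list would be
    needed in production for names such as example.co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_combosquat(domain: str) -> bool:
    """A registrable domain whose leftmost label contains the brand string
    but that is not the legitimate domain itself."""
    if domain == LEGIT_DOMAIN:
        return False
    return BRAND in domain.split(".")[0]


def tally_queries(log_text: str) -> dict:
    """Count DNS queries to the legitimate domain and to combosquatted
    look-alikes; unrelated domains are ignored, malformed lines skipped."""
    legit = 0
    squats = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        domain = registrable_domain(parts[2])
        if domain == LEGIT_DOMAIN:
            legit += 1
        elif is_combosquat(domain):
            squats[domain] += 1
    return {"legitimate": legit, "combosquats": dict(squats)}


if __name__ == "__main__":
    print(tally_queries(SAMPLE_LOG))
```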
While threat actors continue improving their techniques, there are signs of malicious attempts to steal information:
  • The greeting is generic, as threat actors often send mass messages and do not have specific details.
  • The message describes a problem that requires personal details, payment information, or re-entry of address information.
  • There is no prior knowledge of an incoming delivery.
  • The provided link does not lead to the official website for the delivery service.
Recommendations
Avoid clicking links in, responding to, or otherwise acting on unsolicited text messages or emails. Track incoming packages via websites obtained from verified and official sources. Navigate directly to legitimate websites and verify them before submitting account credentials or providing personal or financial information. Report SMiShing to the FTC, the FBI’s IC3, and the NJCCIC, and forward the message to 7726 (SPAM). USPS requests that any USPS-related SMiShing also be reported to spam@uspis.gov.

NJCCIC Change Healthcare Ransomware Incident

The NJCCIC previously reported on the ransomware attack against Change Healthcare, one of the largest healthcare technology companies in the United States. This cyberattack showcases the cascading ramifications of ransomware incidents, including financial impacts and risks of paying ransom demands. 
Financial Impacts:
The ransomware attack caused considerable impacts, including disruptions to payment processing, prescription writing, and insurance claims. UnitedHealth, the parent company of Change Healthcare, disclosed that the incident has cost the company approximately $872 million so far. According to the American Hospital Association (AHA), about 94 percent of US hospitals reported damage to cash flow due to the incident, with over 50 percent reporting severe or significant financial damage, largely due to the inability to process claims.
Initial Attack Vector:
In Change Healthcare CEO Andrew Witty’s written testimony for the House Energy and Commerce subcommittee hearing, Witty states that the BlackCat ransomware group breached Change Healthcare’s network via stolen credentials that were used to log into the company’s Citrix remote access service. It is believed that the credentials were obtained via information-stealing malware. The account did not have multi-factor authentication enabled, a security failure at odds with standard industry best practices.
Risks of Paying Ransom Demands:
In early March, Change Healthcare reportedly paid a $22 million ransom demand to the cybercriminals behind the attack; however, the BlackCat ransomware operators failed to pay the ransomware affiliate, known as “Notchy.” The affiliate refused to delete the four terabytes of data they stole from Change Healthcare, which includes personally identifiable information and protected health information. In early April, the cybercriminals threatened to sell or release the data unless an additional ransom payment was made. UnitedHealth was removed from the ransomware group’s leak site, indicating the company may have paid the second ransom demand.

Business Continuity with Azure’s Business Continuity Center

Hi, reader of this blog: here is an offer from Microsoft that might interest you.

We are thrilled to announce the Azure Business Continuity Center (ABCC, replacing the BCDR Center preview with a new enhanced experience), an enhanced version of Backup center. With ABCC, you can easily identify gaps in your protection estate, take action to fix them, understand your protection settings across multiple policies, perform centralized monitoring with a single location for managing Azure Backup and Site Recovery jobs, and define governance and audit compliance using Azure policies – all in one convenient location. ABCC also provides a simplified yet powerful security posture view of advanced protection capabilities to improve recoverability from accidental, malicious, or ransomware attacks. With ABCC, you improve productivity and efficiency while enhancing your security posture and overall BCDR experience.

You can manage all your Azure resources protected with Azure Backup/Site Recovery, as well as VMware VMs replicating with Azure Site Recovery, using Azure Business Continuity Center.

The new Azure Business Continuity Center experience offers a range of features to help you manage your security and protection needs. Here’s a summary of benefits that you can expect in this preview:

  • View a summary of the overall security and protection estate to identify and fix issues across Azure Backup and Site Recovery in real time.
  • Identify resources not protected by Azure Backup or Site Recovery.
  • View the entire protection estate in primary and secondary regions, identify gaps in protection, and perform BCDR operations on all protected resources across Azure Backup and Site Recovery from the same view.
  • Assess the security of all your BCDR data and improve it using advanced protection capabilities such as immutable vaults, soft delete, and multi-user authorization.
  • Centrally monitor jobs across Azure Backup and Site Recovery from a single location.
  • Define and govern resource configuration and audit compliance using Azure Policy.
  • View the protection policies used to meet your protection requirements across Azure Backup and Site Recovery and understand the settings configured.
  • Manage vaults across Azure Backup and Site Recovery from a single location.

We believe that the renewed ABCC will improve productivity and efficiency while enhancing your security posture and overall BCDR experience. We invite you to join our private preview and experience the benefits of ABCC for yourself.

Getting started is easy: no prerequisite steps are required, and there is no associated cost. To start, simply navigate to the Azure portal and search for Azure Business Continuity Center.

We look forward to you giving it a try and sharing your valuable feedback to help shape the experience. Let us know if you require a demo of the new management capabilities in ABCC.

Below are a few resources to get you started:

  • Revolutionize Business Continuity and Disaster Recovery with Azure’s Business Continuity Center
  • What is Azure Business Continuity Center?
  • Capabilities in Azure Business Continuity Center


New Privacy-Preserving Federated Learning Blog Post!

Dear Colleagues,   

In our last Privacy-Preserving Federated Learning (PPFL) post, we explored the problem of providing input privacy in PPFL systems for the horizontally partitioned setting. In this new post, Protecting Model Updates in Privacy-Preserving Federated Learning: Part Two, we focus on techniques for providing input privacy when data is vertically partitioned. This is particularly challenging, and organizations will need to grapple with trade-offs between data leakage and performance costs. Learn more in the fifth post of our series.

Protecting Model Updates in Privacy-Preserving Federated Learning: Part Two by David Darais, Joseph Near, Mark Durkee, and Dave Buckley


Read blogs #1 – #5 on our PPFL Blog Series page. We encourage readers to ask questions by contacting us at privacyeng@nist.gov.

Meanwhile—stay tuned for the next PPFL blog post!  


All the best, 
NIST Privacy Engineering Program

Read the Post

Submit Comments on Draft NIST CSF 2.0 Community Profiles Guide by 5/3

The National Cybersecurity Center of Excellence (NCCoE) has released for public comment the initial public draft of NIST CSWP 32 ipd, NIST Cybersecurity Framework 2.0: A Guide to Creating Community Profiles. The comment period is open through May 3, 2024.

About the Guide

The NIST Cybersecurity Framework (CSF) 2.0 introduced the term “Community Profiles” to reflect the use of the CSF for developing use case-specific cybersecurity risk management guidance for multiple organizations. This guide provides considerations for creating and using Community Profiles to help implement the Framework. The guide describes Community Profiles, provides guidance for the content that may be conveyed through a Community Profile, and offers a Community Profile Lifecycle (Plan, Develop, Use, Maintain).

Read more about this guide, including the benefits of using Community Profiles. 

Submit Comments

The public comment period closes at 11:59 p.m. EDT on Friday, May 3, 2024. Please email all draft comments to framework-profiles@nist.gov. We encourage you to submit all feedback using the comment template found on our project page.

Join the Community of Interest

Consider joining the Community of Interest (COI) to receive the latest project news and announcements. Email the team declaring your interest or complete the sign-up form on our project page.

Learn More

Register now: Build your own copilot with Azure

Create apps customized to your organization’s needs. Join us at Microsoft Tech Brief: Build Your Own Copilot with Azure, a free event, and learn how to use organizational data to help you build copilots and AI-powered intelligent applications to empower employees and transform customer engagement. You’ll learn the requirements and recommended architectures to build copilot applications and the elements that make up a copilot stack. You’ll also participate in a live demo to see how to build a customized, scalable, high-performing, and flexible copilot application based on Azure Kubernetes Service (AKS), Azure Cosmos DB, and Azure OpenAI Service.

You’ll have the opportunity to:
  • Discover how to build intelligent apps using Azure.
  • Explore Azure AI services to support building your own copilot.
  • Get experience with Azure Kubernetes Service (AKS), Azure Cosmos DB, and Azure OpenAI Service.

Space is limited. Register for free today.
Delivery language(s): English
Closed captioning language(s): English

Microsoft Teams delivers a rich, interactive experience that works best with the Teams app. We recommend downloading the app if you don’t have it, as not all browsers are supported. When you join this event, your name, email, or phone number may be viewable by other session participants in the attendee list. By joining this event, you’re agreeing to this experience.

When: Thursday, May 02, 2024, 2:00 – 3:30 PM (GMT-04:00)
 
Microsoft Tech Brief: Build Your Own Copilot with Azure
 
Register now >

Join Us For Microsoft 365 Virtual Training Day: Prepare Your Organization for Microsoft 365 Copilot

Build the skills you need to create new opportunities and accelerate your understanding of Microsoft Cloud technologies at a free Microsoft 365 Virtual Training Day from Microsoft Learn. Join us at Prepare Your Organization for Microsoft Copilot for Microsoft 365 to learn how to implement AI to help ignite creativity, enhance productivity, and strengthen computing and collaboration skills. You’ll learn about the capabilities of Copilot, including how it works, how to configure it, and how to set it up for more powerful searches. You’ll also explore how Copilot works with Microsoft Graph—and your existing Microsoft 365 apps—to provide intelligent, real-time assistance.

You will have the opportunity to:
  • Understand the key components of Copilot for Microsoft 365 and how it works.
  • Learn how to extend Copilot with plugins.
  • Get guidance on completing the necessary Copilot technical and business requirements to prepare for implementation.
  • Learn how to assign Copilot licenses, prepare your organization’s Microsoft 365 data for Copilot searches, and create a Copilot Center of Excellence.

Join us at an upcoming Prepare Your Organization for Microsoft Copilot for Microsoft 365 event:
May 29, 2024 | 12:00 PM – 2:00 PM | (GMT-05:00) Eastern Time (US & Canada)


Delivery Language: English
Closed Captioning Language(s): English
 
REGISTER TODAY >