Month: February 2025

February 12 – Microsoft Defender XDR: How to Get the Most Out of Microsoft Defender for Vulnerability Management (MDVM)

February 18 – Setting up Microsoft Entra Verified ID, step by step.

February 18 – Microsoft Defender XDR AMA – Automatic Attack Disruption

February 19 – Security Copilot in Entra: Addressing App Risks and High-Privilege Permissions

February 19 – Microsoft Sentinel Microsoft Sentinel Repositories: Manage Your SIEM Content Like a Pro

February 25 – Microsoft Defender XDR Learn About Insider Risk Management Data in Microsoft Defender XDR

February 26 – Azure Network Security Updating Your Azure Web Application Firewall Ruleset: Common Pitfalls and How to Avoid Them

February 26 – 425 Show Security Copilot in Microsoft Entra

February 26 – Empower Admins to Protect their Environment Quickly with Risk Policy Impact Analysis

February 27 – Microsoft Entra Suite scenario deep dive​: Onboard employees easily with Microsoft Entra Suite

February 27 – Microsoft Defender XDR Licensing and Site Security in XDR

March 05 – Microsoft Defender for Cloud API Security Posture with Defender for Cloud

March 06 – Microsoft Entra Suite scenario deep dive​: Goodbye, legacy VPNs; hello, secure access to on-premises resources

March 06 – Azure Network Security Implementing Multi-Layered Security with Azure DDoS Protection and Azure WAF

Register now

As Valentine’s Day approaches, users will likely shop online, send and receive messages and e-cards, and utilize online dating platforms. However, threat actors capitalize on the season of love, tugging at users’ heartstrings and attempting to steal more than their hearts. They impersonate known and trusted organizations, major brands, contacts, such as friends and family, and potential love interests to attempt to steal personal data, financial information, account credentials, and funds.

In the past, threat actors exploited known vulnerabilities found in websites’ digital commerce platforms, such as Magento, WooCommerce, WordPress, and Shopify, or in vulnerable third-party services used by the website. Through web skimming campaigns, they targeted online retailers and shoppers to steal PII and credit card information from e-commerce websites. In a recent campaign, researchers identified a Google Tag Manager skimmer stealing credit card information from a Magento website. This campaign highlights the prevalent use of legitimate platforms to obfuscate and deploy malicious code.

Threat actors have registered legitimate domains to use as bait in Valentine’s Day-themed phishing campaigns. These domains contain keywords such as “valentine,” “love,” “gifts,” or “flowers.” The phishing emails may spoof known and trusted contacts or organizations and have themes of love, gifts, and romance, including offers too good to be true and Valentine’s Day sales or discounts. Unsuspecting victims may encounter more than a romantic surprise as threat actors use social engineering to lure them to click on malicious links, divulge sensitive data, or make fraudulent purchases.

Threat actors also engage in romance scams by creating fake profiles on online dating platforms and posing as potential love interests, building trust with their target to establish a relationship quickly. A recently reported romance scam revealed that the threat actor had built trust with their target for the target to reveal they were going through a divorce and were having financial issues. The threat actor sent purported video footage of a mailed package containing items and thousands of dollars in cash. They also claimed their military ID would be held until the package was released. Later, they informed the target that the package was supposedly stuck at the airport and threatened to extort a fee via PayPal, CashApp, or Zelle.

Additionally, the NJCCIC continues to receive reports of sextortion incidents in which victims are threatened with the release of supposed compromising or sexually explicit photos or videos if they do not pay an extortion demand. Some sextortion threats are not credible, as threat actors are unable to provide proof of such photos or videos.

The NJCCIC observed an uptick in vishing scams, a form of phishing over the phone. In these calls, threat actors attempt to gain trust and legitimacy by sharing some of the recipient’s personal data, such as name, age, and address. However, this data is typically an aggregated set of publicly available information found online. Some of this information may be outdated or pertain to a partner instead of the call recipient. The phone numbers used in vishing scams vary and change frequently, and threat actors often spoof official phone numbers to appear legitimate. Vishing calls may be persistent, and threat actors may contact potential victims multiple times daily.

Threat actors claim authority or legitimacy by impersonating various governmental agencies, financial institutions, organizations, and individuals to convince the call recipient to provide additional sensitive information, such as personally identifiable information (PII), financial information, or account credentials. They also convey urgency to extort money by persuading the call recipient to purchase fraudulent goods or services or grant access to their accounts or devices. The acquisition of additional information and this fraudulent activity can facilitate further cyberattacks.

In some instances, threat actors personally harass or threaten the call recipient or their known contacts. For example, a threat actor claimed the call recipient was responsible for a supposed accident and threatened them if they did not pay a hospital bill. In another example, the call recipient heard a woman crying in the background while a Spanish-speaking male claimed to be part of a cartel and demanded a $20,000 payment from the call recipient to keep the woman alive.

Additionally, a threat actor spoofed the phone number of the call recipient’s mother and demanded payment upon answering. If the call recipient did not make payment, the threat actor claimed they would kill the person they were supposedly holding at gunpoint. The call recipient heard crying in the background, disconnected the call, and contacted their mother on another line, confirming it was a scam. The call recipient’s sister also received a similar call spoofing their mother.

Furthermore, voice cloning technologies and artificial intelligence (AI) manipulations can be used in impersonation and extortion scams. Threat actors find and capture snippets of a person’s voice online, through social media platforms, in outgoing voicemail messages, or when the recipient caller answers a call. They can weaponize AI technology with the captured audio to clone a person’s voice and create fraudulent schemes, including family emergencies, kidnappings, robberies, or car accidents.

NIST has published Internal Report (IR) 8356, Security and Trust Considerations for Digital Twin Technology. This publication introduces the concept of a digital twin (DT), which is an electronic representation of a real-world physical (e.g., buildings, electronics, living things) or non-physical (e.g., processes, conceptual models) entity. DTs utilize existing technologies to enable a broad range of capabilities that require interoperable definitions, tools, and standards.

This document discusses key components, functions, existing modeling and simulation, and cybersecurity and trust considerations for DTs. It also provides simple examples of how to apply DT technology to real-world problems and casts a broader vision for future capabilities.

Read More

NIST has released Internal Report (IR) 8532, Workshop Report on Enhancing Security of Devices and Components Across the Supply Chain, which summarizes the presentations and discussions from a recent workshop on semiconductor security. The hybrid workshop brought together experts from industry, government, and academia to explore priorities in addressing current and emerging cybersecurity threats to semiconductors.

Experts at the event provided valuable input on NIST’s efforts in developing cybersecurity and supply chain standards, guidance, and best practices. Key topics related to semiconductor development included cybersecurity measures and metrics that leverage reference data sets for the testing, attestation, certification, verification, and validation of semiconductor components across the supply chain. The workshop also highlighted the importance of automated cybersecurity tools and techniques for securing manufacturing environments throughout the development life cycle.

Read More

This Joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released this Joint Cybersecurity Advisory to disseminate known Ghost (Cring)—(“Ghost”)—ransomware IOCs and TTPs identified through FBI investigation as recently as January.

Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.

Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.

Ghost actors use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to internet facing servers. Ghost actors exploit well known vulnerabilities and target networks where available patches have not been applied.

FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the mitigations section of this advisory to reduce the likelihood and impact of Ghost ransomware incidents.

The NIST Risk Management Framework (RMF) Team has released the initial public draft (ipd) of NIST Interagency Report (IR) 8011v1r1 (Volume 1, Revision 1), Testable Controls and Security Capabilities for Continuous Monitoring: Volume 1 — Overview and Methodology. This represents a major revision of the first and key volume in the multi-volume series.

IR 8011 provides a methodology for identifying testable controls from the Special Publication (SP) 800-53 control catalog that share common defense objectives in support of information security continuous monitoring. Volume 1 introduces key terminology and foundational concepts, describes the methodology, discusses conceptual operational considerations for a potential IR 8011 implementation, and identifies sample automatable control tests.

The public comment period is open through Friday, April 4, 2025. See the publication details for a copy of the draft and instructions for submitting comments. 

Read More

First discovered in 2022, XWorm malware is a remote access trojan (RAT) capable of evading detection and collecting sensitive information, including financial details, browsing history, saved passwords, and cryptocurrency wallet data. XWorm tracks keystrokes, captures webcam images, listens to audio input, scans network connections, and views open windows. It can also access and manipulate a computer’s clipboard, potentially stealing cryptocurrency wallet credentials. Last year, XWorm was involved in many cyberattacks, including the exploitation of CloudFlare tunnels and the delivery via a Windows script file, and the upward trend of these sophisticated RATs is already evident in 2025.   Last month, researchers discovered threat actors targeted script kiddies with a trojanized version of the XWorm RAT builder. The weaponized malware propagated through GitHub, Telegram, and file-sharing platforms to infect over 18,000 devices globally, including the United States.   The malware secretly compromised computers to deploy a backdoor to perform system reconnaissance, command execution, and data exfiltration, such as browser credentials, Discord tokens, Telegram data, and system information. Threat actors have exfiltrated over 1 GB of browser credentials from multiple computers. The malware’s “kill switch” feature was identified and leveraged to disrupt operations on infected computers.     In the past month, the NJCCIC’s email security solution identified an uptick in multiple campaigns attempting to deliver XWorm malware to New Jersey State employees to gain remote access, steal credentials, exfiltrate data, and deploy ransomware. The messages impersonate Booking.com or a customer of a hospitality organization with themes of last-minute bookings to address customer complaints, inquiries about upcoming travel plans, or issues related to past travel reservations. They display subject lines containing keywords such as reservation, booking cancellation, request for action, poor evaluation, hotel accommodation, and establishment difficulty.   The messages contain various types of URLs, such as email trackers, URL shorteners, and open redirects. There are multiple redirects and filtering techniques before arriving at one of the numerous landing pages with various layouts and scripting. The URLs for the landing pages contain keywords such as book, booking, complaint, feedback, inquiry, reportguest, and stayissueguest. The threat actors use the ClickFix technique to display dialogue boxes containing fake error messages to manipulate targets to follow instructions to “fix” the problem. Sometimes, they leverage the appearance of authenticity by using a fake CAPTCHA-themed ClickFix technique to validate the target. However, the target’s clicking copies, pastes, or executes malicious payloads or scripts in the background. The payloads use PowerShell or MSHTA commands to download and execute XWorm malware.   Recommendations   Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders. Exercise caution with communications from known senders. Confirm requests from senders via contact information obtained from verified and official sources. Type official website URLs into browsers manually and only submit account credentials or sensitive information on official websites. Use strong, unique passwords for all accounts and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes. Reduce your digital footprint so threat actors cannot easily target you. Keep systems up to date and apply patches after appropriate testing.

Register for the 5th High-Performance Computing Security Workshop Registration deadline: April 30, 2025 High-performance computing (HPC) systems provide fundamental computing infrastructure and play a pivotal role in economic competitiveness and scientific discovery. Security is an essential component of HPC. NIST HPC Security Working Group (WG) has been leading the effort to create comprehensive and reliable security guidance for HPC systems. As part of the Working Group mission and to reach the greater HPC scientific community, NIST, in collaboration with the National Science Foundation (NSF), will host the 5th High-Performance Computing Security Workshop on May 7-8, 2025. The workshop aims to listen to the community’s needs and feedback, report and reflect on the ongoing activities at HPC Security WG, and define and discuss future directions with stakeholders from industry, academia, and government. For more information on the workshop, a list of speakers, and hotel information, please visit the event page. In-Person Registration fee: $200/person. Fee includes morning/afternoon snacks and lunch. Virtual Registration fee: $46/person In-Person Registration closes on April 30, 2025. Virtual attendee registration closes on May 8, 2025. Click on the button below to register. Register Now

A vulnerability has been discovered in Trimble Cityworks that could allow for remote code execution. Trimble Cityworks is a system that helps manage the lifecycle of assets for public infrastructure. It uses GIS (geographic information systems) to help with tasks such as permitting, licensing, construction, maintenance, and replacement. Successful exploitation of this vulnerability could allow for remote code execution in the context of the system. Depending on the privileges associated with the system, threat actors could then install programs or view, change, or delete data. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Threat Intelligence The Cybersecurity and Infrastructure Security Agency (CISA) reports CVE-2025-0994 has been exploited in the wild.

Systems Affected

Cityworks: All versions prior to 15.8.9 Cityworks with office companion: All versions prior to 23.10

Risk Government: – Large and medium government entities: High – Small government entities: Medium

Businesses: – Large and medium business entities: High – Small business entities: Medium

Home Users: Low

Recommendations

Apply appropriate updates provided by Trimble to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them. Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

References Trimble: https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-06-docx/0?  CISA: https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04