North Korea Responsible for $1.5 Billion Bybit Hack

The Federal Bureau of Investigation (FBI) is releasing this PSA to advise that the Democratic People’s Republic of Korea (North Korea) was responsible for the theft of approximately $1.5 billion USD in virtual assets from the cryptocurrency exchange Bybit on or about February 21, 2025. The FBI refers to this specific North Korean malicious cyber activity as “TraderTraitor.”

TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains. It is expected these assets will be further laundered and eventually converted to fiat currency.

Read full details HERE

Threat Actors Exploit Trusted Accounting Software

Individuals and businesses may use trusted accounting software to keep track of finances, generate invoices, and run payroll. Accounting software can also automate bookkeeping, create reports, analyze financial trends, and organize and manage data, making tax season easier. The software is linked to a designated bank account to securely pull transactions automatically and update them regularly. Although accounting software can be convenient, there are potential risks to the security of financial information, such as accounts vulnerable to data breaches, unauthorized access to accounts, and data modification. Threat actors may also phish for credentials or sensitive information, steal funds, and install malware, including ransomware. Since the beginning of 2025 and continuing into tax season, the NJCCIC observed an uptick in threat actors exploiting trusted accounting software through impersonation, phishing emails, account compromises, fraudulent invoices or transactions, and fake manual software patches.
The NJCCIC’s email security solution identified multiple phishing and malware campaigns impersonating legitimate businesses related to accounting, tax filing, and payments. Threat actors can sign up for free accounts for legitimate services and target victims from within those services, utilizing email addresses from domains not flagged by typical security tools. In one phishing campaign, threat actors impersonated Intuit QuickBooks, using their branding and the legitimate sender’s domain name. However, the emails are suspicious because they contain phishing links to non-Intuit domain names, unlike official emails that always include links to “intuit.com” addresses. The phishing links prompt a fraudulent Intuit authentication page to harvest user credentials that can be used in account compromises.
Additionally, the NJCCIC received multiple reports of unauthorized users logging into QuickBooks Online accounts using the victim’s compromised account credentials. The unauthorized users updated existing and added new vendor accounts with their own Automated Clearing House (ACH) information. They then made payments to these vendor accounts, with some successfully deducted from the victim organization’s bank account and some failing due to insufficient funds to cover the transactions.
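The vendor-change-then-payment pattern described above is something an accounting team can alert on from its own audit trail. The following is an added example, not code from the NJCCIC or from Intuit, and it assumes a generic audit-event shape (constructed here, not QuickBooks Online’s real audit-log format): it flags any payment to a vendor whose ACH details were created or changed within a short window before the payment, and raises the severity when that change was made during a session that logged in from an IP address not on a known list.

```python
from datetime import datetime, timedelta

# Constructed audit events in a generic shape (assumption: this is not the
# real QuickBooks Online audit-log format). Timestamps are ISO 8601, UTC.
SAMPLE_EVENTS = [
    {"ts": "2025-02-20T09:00:00", "type": "vendor_updated", "vendor": "V-100",
     "field": "address", "actor": "bookkeeper"},
    {"ts": "2025-02-24T02:13:00", "type": "login", "actor": "bookkeeper",
     "ip": "203.0.113.7"},
    {"ts": "2025-02-24T02:15:00", "type": "vendor_updated", "vendor": "V-100",
     "field": "ach_routing", "actor": "bookkeeper"},
    {"ts": "2025-02-24T02:16:00", "type": "vendor_created", "vendor": "V-901",
     "field": "ach_account", "actor": "bookkeeper"},
    {"ts": "2025-02-24T02:30:00", "type": "payment", "vendor": "V-100",
     "amount": 18500.00, "actor": "bookkeeper"},
    {"ts": "2025-02-24T02:31:00", "type": "payment", "vendor": "V-901",
     "amount": 9200.00, "actor": "bookkeeper"},
    {"ts": "2025-02-26T10:00:00", "type": "payment", "vendor": "V-200",
     "amount": 400.00, "actor": "bookkeeper"},
]

# Fields whose modification changes where a vendor payment actually lands.
ACH_FIELDS = {"ach_routing", "ach_account"}


def find_risky_payments(events, window=timedelta(days=3), known_ips=frozenset()):
    """Return alerts for payments made to a vendor whose ACH details were
    created or changed within `window` before the payment.

    Severity is "high" when the ACH change happened in a session whose login
    came from an IP address not in `known_ips`, otherwise "medium".
    """
    by_time = sorted(events, key=lambda e: e["ts"])  # ISO strings sort in order
    session_from_new_ip = {}   # actor -> True if current session used an unseen IP
    ach_changes = {}           # vendor -> (change time, changed from new-IP session)
    alerts = []

    for e in by_time:
        ts = datetime.fromisoformat(e["ts"])
        kind = e["type"]
        if kind == "login":
            session_from_new_ip[e["actor"]] = e["ip"] not in known_ips
        elif kind in ("vendor_updated", "vendor_created") and e.get("field") in ACH_FIELDS:
            ach_changes[e["vendor"]] = (ts, session_from_new_ip.get(e["actor"], False))
        elif kind == "payment":
            change = ach_changes.get(e["vendor"])
            if change is not None and ts - change[0] <= window:
                changed_at, from_new_ip = change
                alerts.append({
                    "vendor": e["vendor"],
                    "amount": e["amount"],
                    "hours_since_ach_change": round((ts - changed_at).total_seconds() / 3600, 2),
                    "severity": "high" if from_new_ip else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in find_risky_payments(SAMPLE_EVENTS, known_ips={"198.51.100.5"}):
        print(alert)
```

In the constructed sample, the two payments to V-100 and V-901 follow ACH changes by fifteen minutes and are made from a session that logged in from an address the organization has never seen, so both surface as high-severity; the routine payment to V-200 does not. The window and the known-IP list are the tuning knobs: a short window catches the “change details, then pay immediately” sequence the reports describe, while the IP list turns an ordinary bookkeeping edit into a low-noise signal only when the session itself looks foreign.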
Threat actors targeted accounting firm employees and impersonated UltraTax CS, Thomson Reuters’ professional tax preparation software. The username in the sender’s email address was misspelled as “subcriptions.” Although UltraTax CS is configured to automatically download and install updates by default, the email recommended manually downloading and installing the supposed software patch. If clicked, the link directed potential victims to a malicious download through which threat actors abused the legitimate ConnectWise ScreenConnect remote access software to connect to their computers and send commands remotely.
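Both campaigns above give a mail filter something concrete to check: an email that presents a brand’s sender domain but links somewhere else, and a sender address that is one character away from the one you expect. The following is an added example, not code from the NJCCIC, Intuit, or Thomson Reuters. It assumes a small per-brand allowlist of link domains (the advisory’s note that official Intuit emails link only to “intuit.com” addresses is the one real entry), an assumed list of expected vendor sender addresses on a placeholder domain, and a constructed sample message; the two-label domain reduction is a simplification that stands in for a public-suffix list.

```python
import difflib
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist: link domains a sender domain is expected to use. The
# intuit.com entry reflects the advisory; other brands would be added per org.
BRAND_LINK_DOMAINS = {
    "intuit.com": {"intuit.com"},
}

# Assumed allowlist of exact vendor sender addresses (placeholder domain).
EXPECTED_SENDERS = {"subscriptions@tax-vendor.invalid"}

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

# Constructed sample: brand name and sender domain look right, one link does not.
SAMPLE_PHISH = """\
From: Intuit QuickBooks <no-reply@intuit.com>
To: bookkeeper@example.invalid
Subject: Action required: verify your QuickBooks sign-in
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account needs verification before payroll can run.</p>
<a href="https://intuit-secure-login.example.invalid/auth">Sign in now</a>
<p>Help center: <a href="https://quickbooks.intuit.com/help">support</a></p>
</body></html>
"""


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Assumption: no public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_links(msg):
    """Collect every URL found in the text/html and text/plain parts."""
    links = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            body = part.get_content()
            links.update(HREF_RE.findall(body))
            links.update(URL_RE.findall(body))
    return sorted(links)


def offbrand_links(raw_message):
    """Return (sender_domain, links whose domain that sender is not expected to use)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, sender = parseaddr(str(msg["From"]))
    sender_domain = registrable_domain(sender.rpartition("@")[2])
    allowed = BRAND_LINK_DOMAINS.get(sender_domain, {sender_domain})
    flagged = [u for u in extract_links(msg)
               if registrable_domain(urlparse(u).hostname or "") not in allowed]
    return sender_domain, flagged


def lookalike_sender(address, expected=EXPECTED_SENDERS, threshold=0.85):
    """Return the expected address this one closely resembles but is not, else None."""
    address = address.lower()
    if address in expected:
        return None
    best, best_ratio = None, 0.0
    for known in expected:
        ratio = difflib.SequenceMatcher(None, address, known).ratio()
        if ratio >= threshold and ratio > best_ratio:
            best, best_ratio = known, ratio
    return best


if __name__ == "__main__":
    print(offbrand_links(SAMPLE_PHISH))
    print(lookalike_sender("subcriptions@tax-vendor.invalid"))
```

Against the constructed message the sign-in link is reported because its registrable domain is example.invalid, while the help-center link under quickbooks.intuit.com is not; the misspelled “subcriptions” address scores well above the similarity threshold against the expected one and is reported as a lookalike. The domain reduction is deliberately simple: production filters should replace it with a public-suffix-aware library so that brands on multi-label TLDs are not compared at the wrong level.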
Recommendations
Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders.

Exercise caution with communications from known senders. Confirm requests from senders via contact information obtained from verified and official sources.

Navigate directly to official and verified websites by typing the legitimate URL into the browser instead of clicking on links in messages and refrain from entering login credentials, personal details, and financial information on websites visited via links delivered in messages.

Safeguard your information and accounts, including account credentials and other sensitive information.

Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.

Restrict access based on assigned user roles to ensure only authorized users can view or modify financial information. Keep systems up to date and apply patches after appropriate testing.

Monitor accounts, set up alerts, review account transactions and activity, and report any suspicious activity, identity theft, or fraud to your financial institution, local police department, the FTC, or the credit reporting bureaus.

Report phishing emails and other malicious cyber activity to the FBI’s IC3 and the NJCCIC.

Account Compromises

According to 2024 statistics, the United States is one of the top countries for account compromises or account takeovers (ATOs). Microsoft and Amazon are among the top five domain sources for these attacks. Targeted and impacted industries are spread fairly evenly across sectors. The NJCCIC continues to receive reports of compromised accounts for New Jersey residents, businesses, and local governments. These reported compromised accounts include email accounts, social media platforms, bank accounts, cryptocurrency wallets, and accounts with utility companies.
One of the ways threat actors compromise accounts is by using information from data breaches to target potential victims via social engineering tactics. Threat actors convince their targets to take action, divulge sensitive information, or inadvertently install malware to gain unauthorized access to legitimate user accounts. Besides phishing campaigns, threat actors increasingly exploit mobile devices and their apps in mishing attacks to compromise accounts, infiltrate networks, and steal data. Mobile platforms contain unique features and vulnerabilities, including text messages, voice calls, and QR codes. Mishing is a growing threat to individuals and organizations, as evident in recent SMiShing, vishing, and quishing campaigns. The prevalence of mishing is due to increased mobile usage, the expanded attack surface of remote work on personal devices, extensive access to sensitive information, and little or no security protections.
Once an account is compromised, threat actors impersonate the victim to conduct further malicious activity, such as changing account information, sending communications on their behalf, transferring funds, installing malware, exfiltrating data, and more. On average, threat actors can move from initial compromise through privilege escalation to lateral movement in under an hour, and a full targeted attack can reach its objectives in four hours and 29 minutes. These timeframes are concerning because users and administrators typically take longer than that to identify and remediate the compromise.

NIST CSF 2.0 Profile for Semiconductor Manufacturing

The NIST National Cybersecurity Center of Excellence (NCCoE), along with the SEMI Semiconductor Manufacturing Cybersecurity Consortium, has released Draft NIST Internal Report (NIST IR) 8546, Cybersecurity Framework (CSF) 2.0 Semiconductor Manufacturing Community Profile for public comment until 11:59 PM ET on Monday, April 14, 2025.

About the Draft

Draft NIST Internal Report (IR) 8546, Cybersecurity Framework 2.0 Semiconductor Manufacturing Community Profile, provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cybersecurity risk to semiconductor manufacturing. The semiconductor manufacturing environment is a complex ecosystem of device makers, equipment OEMs, suppliers and solution providers. This Profile focuses on desired cybersecurity outcomes and can be used as a guideline to improve the current cybersecurity posture of the semiconductor manufacturing ecosystem.

“NIST, in collaboration with industry leaders and government agencies, has developed and is releasing a comprehensive Framework designed to safeguard semiconductor manufacturing from emerging threats and vulnerabilities,” said Sanjay Rekhi, group leader of the Security Components and Mechanisms Group at NIST. “This initiative is part of a broader, multi-year effort to strengthen the security of critical infrastructure, with a particular focus on the security of semiconductors and their supply chain.”

Comment Now!

NCCoE Cybersecurity and AI Workshop

Event Date: April 3, 2025

Event Time: 9:00 AM – 5:00 PM EST 

Event Location: Virtual and at the National Cybersecurity Center of Excellence (NCCoE)

Recent advancements in Artificial Intelligence (AI) technology bring great opportunities and challenges to organizations, including how AI can affect their cybersecurity capabilities and risks. The potential positive and negative impacts of AI need to be understood and managed.

NIST is proposing the creation of a NIST Cybersecurity Framework (CSF) Profile (Cyber AI Profile), in collaboration with the cybersecurity and AI communities, to focus on three sources of risk that impact an organization’s operational risk: Cybersecurity of AI Systems, AI-enabled Cyber Attacks, and AI-enabled Cyber Defense. 

To inform these discussions, join our upcoming workshop where we will explore ideas discussed in the newly released Cybersecurity and AI Workshop Concept Paper* through a variety of hybrid presentations and panel discussions and in-person only working sessions.

Registration for in-person attendance closes on March 27, 2025. 

Due to space limitation, registration is limited to the first 150 registrants on a first come, first served basis. 

There is no registration needed to attend virtually. Please see the link to the event page and watch the stream on April 3, 2025: https://www.nccoe.nist.gov/get-involved/attend-events/cyber-and-ai-workshop

We look forward to your participation at this event.

*Please provide any feedback using the form found on our project page before 11:59 p.m. EDT on Friday, March 14, 2025, to inform workshop topics. 

Register Now!

Microsoft Security Public Webinars

February 12 – Microsoft Defender XDR: How to Get the Most Out of Microsoft Defender for Vulnerability Management (MDVM)

February 18 – Setting up Microsoft Entra Verified ID, step by step.

February 18 – Microsoft Defender XDR AMA – Automatic Attack Disruption

February 19 – Security Copilot in Entra: Addressing App Risks and High-Privilege Permissions

February 19 – Microsoft Sentinel: Microsoft Sentinel Repositories: Manage Your SIEM Content Like a Pro

February 25 – Microsoft Defender XDR: Learn About Insider Risk Management Data in Microsoft Defender XDR

February 26 – Azure Network Security: Updating Your Azure Web Application Firewall Ruleset: Common Pitfalls and How to Avoid Them

February 26 – 425 Show: Security Copilot in Microsoft Entra

February 26 – Empower Admins to Protect their Environment Quickly with Risk Policy Impact Analysis

February 27 – Microsoft Entra Suite scenario deep dive​: Onboard employees easily with Microsoft Entra Suite

February 27 – Microsoft Defender XDR: Licensing and Site Security in XDR

March 05 – Microsoft Defender for Cloud: API Security Posture with Defender for Cloud

March 06 – Microsoft Entra Suite scenario deep dive​: Goodbye, legacy VPNs; hello, secure access to on-premises resources

March 06 – Azure Network Security: Implementing Multi-Layered Security with Azure DDoS Protection and Azure WAF

Register now

Valentine’s Day Scams Attempt to Steal More Than Hearts

As Valentine’s Day approaches, users will likely shop online, send and receive messages and e-cards, and utilize online dating platforms. However, threat actors capitalize on the season of love, tugging at users’ heartstrings and attempting to steal more than their hearts. They impersonate known and trusted organizations, major brands, contacts, such as friends and family, and potential love interests to attempt to steal personal data, financial information, account credentials, and funds.
In the past, threat actors exploited known vulnerabilities found in websites’ digital commerce platforms, such as Magento, WooCommerce, WordPress, and Shopify, or in vulnerable third-party services used by the website. Through web skimming campaigns, they targeted online retailers and shoppers to steal PII and credit card information from e-commerce websites. In a recent campaign, researchers identified a Google Tag Manager skimmer stealing credit card information from a Magento website. This campaign highlights the prevalent use of legitimate platforms to obfuscate and deploy malicious code.
Threat actors have registered legitimate domains to use as bait in Valentine’s Day-themed phishing campaigns. These domains contain keywords such as “valentine,” “love,” “gifts,” or “flowers.” The phishing emails may spoof known and trusted contacts or organizations and have themes of love, gifts, and romance, including offers too good to be true and Valentine’s Day sales or discounts. Unsuspecting victims may encounter more than a romantic surprise as threat actors use social engineering to lure them to click on malicious links, divulge sensitive data, or make fraudulent purchases.
Threat actors also engage in romance scams by creating fake profiles on online dating platforms and posing as potential love interests, building trust with their target to establish a relationship quickly. In a recently reported romance scam, the threat actor built enough trust that the target revealed they were going through a divorce and having financial issues. The threat actor then sent purported video footage of a mailed package containing items and thousands of dollars in cash, and claimed their military ID would be held until the package was released. Later, they informed the target that the package was supposedly stuck at the airport and demanded a release fee via PayPal, CashApp, or Zelle.
Additionally, the NJCCIC continues to receive reports of sextortion incidents in which victims are threatened with the release of supposed compromising or sexually explicit photos or videos if they do not pay an extortion demand. Some sextortion threats are not credible, as threat actors are unable to provide proof of such photos or videos.

Uptick in Vishing Scams

The NJCCIC observed an uptick in vishing scams, a form of phishing over the phone. In these calls, threat actors attempt to gain trust and legitimacy by sharing some of the recipient’s personal data, such as name, age, and address. However, this data is typically an aggregated set of publicly available information found online. Some of this information may be outdated or pertain to a partner instead of the call recipient. The phone numbers used in vishing scams vary and change frequently, and threat actors often spoof official phone numbers to appear legitimate. Vishing calls may be persistent, and threat actors may contact potential victims multiple times daily.
Threat actors claim authority or legitimacy by impersonating various governmental agencies, financial institutions, organizations, and individuals to convince the call recipient to provide additional sensitive information, such as personally identifiable information (PII), financial information, or account credentials. They also convey urgency to extort money by persuading the call recipient to purchase fraudulent goods or services or grant access to their accounts or devices. The acquisition of additional information and this fraudulent activity can facilitate further cyberattacks.
In some instances, threat actors personally harass or threaten the call recipient or their known contacts. For example, a threat actor claimed the call recipient was responsible for a supposed accident and threatened them if they did not pay a hospital bill. In another example, the call recipient heard a woman crying in the background while a Spanish-speaking male claimed to be part of a cartel and demanded a $20,000 payment from the call recipient to keep the woman alive.
Additionally, a threat actor spoofed the phone number of the call recipient’s mother and demanded payment upon answering. If the call recipient did not make payment, the threat actor claimed they would kill the person they were supposedly holding at gunpoint. The call recipient heard crying in the background, disconnected the call, and contacted their mother on another line, confirming it was a scam. The call recipient’s sister also received a similar call spoofing their mother.
Furthermore, voice cloning technologies and artificial intelligence (AI) manipulations can be used in impersonation and extortion scams. Threat actors find and capture snippets of a person’s voice online, through social media platforms, in outgoing voicemail messages, or when the recipient answers a call. They can weaponize AI technology with the captured audio to clone a person’s voice and create fraudulent schemes, including family emergencies, kidnappings, robberies, or car accidents.

Security and Trust Considerations for Digital Twin Technology | NIST Releases IR 8356 

NIST has published Internal Report (IR) 8356, Security and Trust Considerations for Digital Twin Technology. This publication introduces the concept of a digital twin (DT), which is an electronic representation of a real-world physical (e.g., buildings, electronics, living things) or non-physical (e.g., processes, conceptual models) entity. DTs utilize existing technologies to enable a broad range of capabilities that require interoperable definitions, tools, and standards.

This document discusses key components, functions, existing modeling and simulation, and cybersecurity and trust considerations for DTs. It also provides simple examples of how to apply DT technology to real-world problems and casts a broader vision for future capabilities.

Read More

NIST Releases IR 8532, Workshop Report on Enhancing Security of Devices and Components Across the Supply Chain

NIST has released Internal Report (IR) 8532, Workshop Report on Enhancing Security of Devices and Components Across the Supply Chain, which summarizes the presentations and discussions from a recent workshop on semiconductor security. The hybrid workshop brought together experts from industry, government, and academia to explore priorities in addressing current and emerging cybersecurity threats to semiconductors.

Experts at the event provided valuable input on NIST’s efforts in developing cybersecurity and supply chain standards, guidance, and best practices. Key topics related to semiconductor development included cybersecurity measures and metrics that leverage reference data sets for the testing, attestation, certification, verification, and validation of semiconductor components across the supply chain. The workshop also highlighted the importance of automated cybersecurity tools and techniques for securing manufacturing environments throughout the development life cycle.

Read More