Date: 6/7/2022
A particularly well-branded, brazen and prolific ransomware group, the Russia-based “Conti” gang attacked several Costa Rican government institutions in early May, 2022. On May 31, 2022, the Costa Rican Social Security agency was attacked by the “Hive” ransomware group. This attack crippled the country’s healthcare system last week. Ransomware researchers suspect collaboration between the Hive and Conti groups, and further suggest that this collaboration is part of a rebranding effort by Conti, in order to evade law enforcement, a bounty offered by the US government, and other such actions.
As governments and international law enforcement pursue criminal gangs, rebranding efforts will likely become more common. Rebranding makes it harder to associate tools, techniques, and procedures with particular threat actor groups, which adds to the complexity of defending corporate networks. Furthermore, this news story emphasizes that ransomware continues to be a massive global problem.
Implement an effective vulnerability management program: Regular assessment and remediation of vulnerabilities is a key foundation to any information security program.
Acquire an incident response retainer with a reputable cybersecurity company and contact them early in the incident response process.
Traditional phishing links point to domains registered with hosting providers. This poses a challenge to threat actors because hosting providers normally respond to abuse complaints and actively take down phishing sites. To get around this, some threat actors are now combining reverse tunnel services with URL shorteners to bypass detection and response capabilities.
Reverse tunnels allow threat actors to host phishing pages on their own local computers and route connections to them through an external service. URL shortening services then allow rapid generation of new links that obscure the activity and bypass detection; some phishing links are refreshed in less than 24 hours. CloudSEK, a digital risk protection company, has identified Ngrok, LocalhostRun, and Cloudflare’s Argo as the most widely abused reverse tunnel services, and Bit.ly, is.gd, and cut.ly as the primary URL shortening services.
(image source: CloudSEK)
As these malicious sites are hosted directly on threat actor-owned computers, victim data is stored there immediately and no longer has to be exfiltrated from a hosted domain. Most of these sites impersonate banking organizations and attempt to steal credentials, PAN card numbers, unique identification numbers, and mobile phone numbers. This information can then be sold on the dark web for other threat actors to initiate different attacks.
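The detection angle for the technique described above is that the pages live on hostnames handed out by tunnel services and are reached through shortener links, so both can be matched in web proxy logs. The following Python is an added example written for this briefing, not code from CloudSEK or any of the services named; the tunnel hostname suffixes (ngrok.io, localhost.run, trycloudflare.com) are assumptions about what those services publicly issue and should be tuned for your environment, the shortener list is the one given in the text, and the log lines are constructed samples.

```python
"""Flag proxy-log URLs that point at reverse-tunnel services or URL shorteners."""
from urllib.parse import urlsplit

# Hostname suffixes to watch. Tunnel entries are an assumption about the public hostnames
# these services issue; shortener entries are the ones named in the briefing.
TUNNEL_SUFFIXES = ("ngrok.io", "localhost.run", "trycloudflare.com")
SHORTENER_SUFFIXES = ("bit.ly", "is.gd", "cut.ly")

# Constructed sample proxy log: "<timestamp> <client_ip> <url>" per line.
SAMPLE_PROXY_LOG = [
    "2022-06-07T10:01:12Z 10.0.0.15 https://bit.ly/3abcXYZ",
    "2022-06-07T10:01:13Z 10.0.0.15 https://abcd-1234.ngrok.io/secure/login",
    "2022-06-07T10:02:00Z 10.0.0.22 https://www.example.com/news",
    "2022-06-07T10:03:41Z 10.0.0.31 https://random-words.trycloudflare.com/bank/verify",
]


def _host(url):
    """Lower-cased hostname of a URL, or '' when none can be parsed."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def _matches(host, suffixes):
    """True when host equals a suffix or is a subdomain of it (no substring matches)."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_url(url):
    """Return 'reverse-tunnel', 'shortener' or 'other' for a URL."""
    host = _host(url)
    if _matches(host, TUNNEL_SUFFIXES):
        return "reverse-tunnel"
    if _matches(host, SHORTENER_SUFFIXES):
        return "shortener"
    return "other"


def flag_proxy_log(lines):
    """Return (client_ip, url, classification) for every line that hits a watched suffix."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash the sweep
        client, url = parts[1], parts[2]
        kind = classify_url(url)
        if kind != "other":
            hits.append((client, url, kind))
    return hits


def flag_redirect_chain(chain):
    """chain: URLs in the order a client visited them when following a link.
    True when a shortener is followed by a reverse-tunnel host, the pattern described above."""
    kinds = [classify_url(u) for u in chain]
    if "shortener" not in kinds or "reverse-tunnel" not in kinds:
        return False
    return kinds.index("shortener") < kinds.index("reverse-tunnel")


if __name__ == "__main__":
    for hit in flag_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

Suffix matching is deliberately anchored on a dot boundary so that a look-alike such as notbit.ly is not matched by accident; treat a shortener hit that resolves to a tunnel host as the higher-confidence signal, since shorteners on their own are common in legitimate traffic.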
Conduct Regular Social Engineering Testing
When it comes to security, employees are not unlike servers: they require constant ‘patching’ (security awareness training) and ‘updates’ (security reminders) in conjunction with regular testing in order to reduce vulnerabilities and susceptibility to exploitation. Therefore, all personnel should continue to undergo regular awareness training and testing. Seek to pair testing services chronologically with training services in order to have the greatest effect on increasing awareness and reducing susceptibility to social engineering attacks.
Conduct Security Awareness Training
Without proper cybersecurity awareness training, you can’t trust that employees are up to date on the latest cyber risks and how to stay protected. Awareness is as much about psychology as security. It is important to provide a complete suite of education, training, testing and measurement services, all designed to change behaviors and reduce risk.
On June 1, 2022, GitLab disclosed an account takeover vulnerability, tracked as CVE-2022-1680, affecting GitLab Enterprise Edition (EE) versions 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, and all versions starting from 15.0 before 15.0.1. The vulnerability was discovered by the internal GitLab team and no exploitation has been observed.
Any owner of a Premium group can invite users by username and email and then change those users’ email addresses via SCIM to take over the accounts. This is possible when group SAML SSO is configured and multifactor authentication is not in use.
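Because the affected ranges are non-contiguous, eyeballing an inventory of self-managed instances is error-prone. The following Python is an added example for this briefing, not GitLab’s code, that encodes the three ranges exactly as stated above and reports which instances still need the update; the inventory is a constructed sample, and the check assumes a plain major.minor.patch version string (an optional "-ee" style suffix is stripped).

```python
"""Check whether a GitLab EE version falls in the ranges affected by CVE-2022-1680."""

# Affected ranges as stated in the advisory: (first affected, first fixed), upper bound exclusive.
AFFECTED_RANGES = (
    ((11, 10, 0), (14, 9, 5)),
    ((14, 10, 0), (14, 10, 4)),
    ((15, 0, 0), (15, 0, 1)),
)

# Constructed sample inventory: instance name -> reported version (not real hosts).
SAMPLE_INVENTORY = {
    "gitlab-prod": "14.9.4",
    "gitlab-staging": "14.10.4",
    "gitlab-dev": "15.0.0-ee",
    "gitlab-legacy": "11.9.7",
}


def parse_version(text):
    """Turn '14.9.5', '14.10' or '15.0.0-ee' into a comparable (major, minor, patch) tuple."""
    core = text.strip().split("-", 1)[0]  # drop an edition suffix such as '-ee' (assumption)
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)  # '14.10' means the first release of that minor line
    return tuple(nums)


def is_affected(version_text):
    """True when the version lies inside any affected range."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Return the sorted names of instances that still need patching."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    print("needs update:", triage(SAMPLE_INVENTORY))
```

Note that this check only encodes the version ranges; it says nothing about whether group SAML SSO or SCIM is actually enabled on a given instance, so an instance it flags is "exposed if the preconditions hold", not confirmed exploitable.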
Short Term:
GitLab has fixed CVE-2022-1680 in the latest version and all installations running an affected version should be updated as soon as possible.
Long Term:
Consider a Cloud Security Assessment
As organizations continue to move infrastructure, services, applications and other critical data stores from on-premises networks to public or private cloud environments, there’s an immediate need for more robust security solutions. It’s crucial not to assume the transition to cloud platforms is secure by default. Organizations should also consider that not all legacy cybersecurity tools can transition seamlessly into virtualized Cloud environments.
Be sure to examine cloud and related elements to ensure that organizations don’t rely on default or typical security settings to protect critical data. Rely on quality assessments to help you align with best practices and strike the ideal balance between operation and security.
Sources
https://securityonline.info/cve-2022-1680-gitlab-account-take-over-vulnerability/
https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/
https://thehackernews.com/2022/06/gitlab-issues-security-patch-for.html
Brian Krebs recently published a review of the US Department of Justice’s recent policy revision on charging violations of the Computer Fraud and Abuse Act of 1986 (!), which stands as the primary statute used in cybercrime cases. The recent changes aim to define what sorts of violations count as cybercrime, as distinct from efforts performed in “good faith” such as security research or investigation to detect and report vulnerabilities.
It is important to note that this is only a change in interpretation and enforcement by the current DOJ, and it underlines the need for new and updated laws concerning cybersecurity practitioners and the industry at large. There have been several notable cases of corporations and municipal entities regarding “friendly” cybersecurity experts as hostile and/or malicious, even when they were contractually engaged to test the security posture of the organization.
Notices or submission of issues are ignored until they are exploited by malicious actors, at which point the organization seeks a scapegoat in the form of the researcher who tried responsibly disclosing an issue and, likely, had no part in the later compromise, even from an informational standpoint.
There is also some uncertainty in the new policy about provisions concerning preventing harm to third parties. Also keep in mind that a policy does nothing to protect a cybersecurity practitioner from civil suits. While the new policy is a step in the right direction, new laws must be formulated to protect and encourage well-meaning cybersecurity researchers and white hat activists, while shifting the advantage away from cybercriminals.
Sources
https://krebsonsecurity.com/2022/06/what-counts-as-good-faith-security-research/
For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.
For non-strategic clients, please reach out to your Advisor for further discussion.
Copyright © 2023 GreyCastle Security. All Rights Reserved