Cybersecurity Exploit Techniques


  • Kevin Walker

    I help local schools and businesses spot cyber threats early, respond quickly and recover properly when things go wrong | If your Microsoft 365 account was compromised tomorrow, would you know? | Chesterfield & Sheffield

    2,023 followers

    New ransomware group 'Bert' highlights an old truth: it doesn’t take complexity to cause disruption.

    Since April, a new ransomware group dubbed Bert has been quietly making its mark, targeting organisations across the US, Europe, and Asia with a mix of familiar tactics and evolving techniques. Researchers from Broadcom, Fortra, and Trend Micro have all tracked the group, noting a few key trends:

    ▶️ It’s cross-platform. Bert is designed to hit both Windows and Linux systems and has even been seen shutting down virtual machines to maximise disruption.
    ▶️ It’s adapting. Earlier variants encrypted files after scanning directories. Newer versions use concurrent processing to start encrypting immediately.
    ▶️ It’s not flashy. The tooling is simple. But the group doesn’t need sophisticated exploits, just working paths to access, escalate, and encrypt.
    ▶️ Healthcare, technology and event services organisations have been primary targets, with victims spanning from Turkey to Taiwan.

    The key takeaway is that even basic techniques can have big impacts if your defences aren’t layered, maintained, and monitored. Keep in mind:

    ✅ Prevention still beats reaction
    ✅ PowerShell scripts and loaders are still a common initial vector
    ✅ No system, Windows, Linux or virtual, is immune to modern ransomware

    No fear, no hype. Just a reminder: consistent patching, detection tools, staff awareness, and a solid response plan still go a long way. If you want to improve your strategy, please get in touch.

    #CyberSecurity #Ransomware #ThreatIntel #BlackSwanCyber #BertRansomware #SmallBusinessSecurity #LinuxSecurity #IncidentResponse

  • Shawnee Delaney

    CEO, Vaillance Group | Keynote Speaker | Board member | Co-Host of Control Room

    38,718 followers

    Nation-states don’t exploit weak security. They exploit workplace dynamics.

    I know, because this is exactly how I recruited insiders.

    Espionage doesn’t start with secrets. It starts with validation. A compliment at the right moment. A shared frustration. Someone who listens when your company doesn’t. That’s not spycraft. That’s just a Tuesday at work.

    I never asked for sensitive information up front. I asked what was broken. Who made their job harder than it needed to be. What they would fix if anyone actually listened. They thought they were venting. I was mapping access, influence, and motivation. That’s called elicitation.

    Companies like to believe insider threats come from “bad actors.” They don’t. They come from good employees in very human moments: burnout, loyalty conflict, money stress, bruised ego, identity cracks, resentment that’s been quietly fermenting.

    And yes, your highest performers were always my favorite targets. They were trusted. They were visible. They had access. And they cared enough to talk.

    Remote work didn’t invent this. It removed friction. You trained people to network. We trained people to recruit. Same skills. Different intent.

    If your organization still treats espionage as a cyber problem or a personality flaw, you’re already behind. Because the easiest way into your organization was never through the firewall. It was through someone who finally felt understood.

    #InsiderThreat #HumanRisk #Espionage #TrustIsASystem #Cybersecurity #Leadership #HR

    *Photo of me back in the day, post deployment*

  • Snowflake, CrowdStrike, and Mandiant (part of Google Cloud) just published a statement on our preliminary findings associated with a threat campaign impacting Snowflake customers.

    Threat actors are actively compromising organizations’ Snowflake customer tenants by using stolen credentials obtained by infostealing malware and logging into databases that are configured with single-factor authentication.

    Any SaaS solution that is configured without multifactor authentication is susceptible to being mass exploited by threat actors. We anticipate threat actors will replicate this campaign across other SaaS solutions that contain sensitive enterprise data.

    Here are some of Mandiant’s observations related to infostealers from the past few years:

    ☣️ Since the beginning of 2020, employees and contractors working from home increasingly use their personal computers to access corporate systems.
    ☣️ People often synchronize their web browsers on their work computers and personal computers.
    ☣️ People (or their children) sometimes inadvertently install software laced with infostealing malware on their personal computers. The malware can capture credentials from their web browsers.
    ☣️ Threat actors opportunistically search for corporate credentials stolen by infostealing malware and use them to compromise enterprises, steal data, and conduct extortion.

  • Nancy Gamble

    Helping growth-stage companies build high-performing marketing & creative teams | Ex Ad Exec | Connector | Recruiter

    9,011 followers

    WORD OF WARNING JOB SEEKERS!

    A dear friend of mine was recently contacted by someone presenting as a recruiter about a role with a well-known software company. He provided very specific details — the role, company, salary, and benefits. He even boasted that the candidates he puts forward “always get interviews” because he prescreens their references and submits both the resume and the references to the client.

    Trusting the process, she provided several references. Soon after, all of those contacts received calls — not about her candidacy, but with sales pitches for the recruiter’s services.

    Here’s what she uncovered: there was no job. When she called the company directly, they confirmed they weren’t hiring for that role and had never heard of his recruiting firm. She documented everything with screenshots and reported him to LinkedIn.

    Red flags to watch for:
    • Requests for multiple references before you’ve had any interview or confirmation of candidacy.
    • A recruiter who emphasizes “prescreening” or “special access” to gain your trust.

    The job market is challenging enough without tactics like this. Sharing this as a reminder to all candidates: protect your network, and trust your instincts.

  • Marie-Doha Besancenot

    Senior advisor for Strategic Communications, Cabinet of 🇫🇷 Foreign Minister; #IHEDN, 78e PolDef

    40,983 followers

    🗞️ The joint #Cybersecurity Advisory, including a dozen Allied agencies including 🇫🇷 ANSSI - Agence nationale de la sécurité des systèmes d'information, just issued this report documenting an extensive cyber-espionage campaign led by Russia’s GRU 85th Main Special Service Center = unit 26165 = APT28 = Fancy Bear 🐻

    What?
    🔹 An extensive campaign, active since 2022, targeting Western logistics and tech firms involved in the coordination and delivery of military aid to Ukraine. 🇺🇦
    🔹 Compromise aims to harvest logistical information such as shipment contents, routes, and sender/receiver identities.

    🧰 How?
    🔹 It employs spearphishing, brute force, credential theft, exploitation of vulnerabilities (e.g., Outlook, Roundcube, WinRAR), and surveillance via hacked IP cameras to gain persistent access to sensitive systems and data.
    🔹 Post-access, the actors utilize native tools (Impacket, PsExec, RDP) for lateral movement, abuse Active Directory for persistence, and exfiltrate data using standard protocols like IMAP or EWS.
    🔹 Notably, they manipulate mailbox permissions for long-term espionage and exfiltrate emails, credentials, and network configs.
    🎥 They also exploit vulnerabilities in IP cameras near Ukrainian borders to monitor aid flows, sending DESCRIBE RTSP requests using default or brute-forced credentials. Most affected cameras are in Ukraine 🇺🇦 and neighboring countries like Romania 🇷🇴 and Poland 🇵🇱.

    🎯 Who is targeted by Unit 26165’s operations?
    🔹 #NATO countries and #Ukraine
    🔹 affecting both government and private sector entities in the defense, transport, maritime, and IT sectors, & exploiting trust relationships to expand access across connected entities.
    🔹 Key targets include air traffic systems, ports, rail management, and ICS manufacturers.

    👉🏼 The advisory urges heightened vigilance, especially for entities supporting Ukraine, recommending blocking suspicious domains/services and monitoring anomalous access or traffic patterns.
    👉🏼 This operation reflects a persistent, well-resourced, and adaptive threat actor focused on undermining Western support to Ukraine through strategic #cyber intrusion.
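    The advisory's recommendation to monitor anomalous access patterns can be turned into a concrete check for the camera angle described above. The following is an added example, not code from the advisory or from any agency: it reads RTSP access log lines in an assumed format (field names, the trusted operator range 192.0.2.0/24 and the sample entries are all constructed for illustration) and raises alerts on DESCRIBE requests from untrusted sources, bursts of 401 responses, and a success that follows a run of failures.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed log format, one RTSP request per line (real cameras and NVRs differ).
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) "
                  r"url=(?P<url>\S+) status=(?P<status>\d{3})$")
# Assumed operator range from which DESCRIBE is expected (RFC 5737 documentation prefix).
TRUSTED_NETS = [ip_network("192.0.2.0/24")]

def parse(lines):
    """Turn raw lines into dicts; malformed lines are skipped rather than failing the run."""
    events = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            e["status"] = int(e["status"])
            events.append(e)
    return events

def detect(lines, fail_threshold=5, window=timedelta(minutes=10)):
    """Alerts: DESCRIBE from untrusted source, 401 bursts, and success right after failures."""
    alerts, failures, flagged_untrusted = [], defaultdict(list), set()
    for e in sorted(parse(lines), key=lambda e: e["ts"]):
        if e["method"] != "DESCRIBE":
            continue
        src, ts = e["src"], e["ts"]
        if not any(ip_address(src) in n for n in TRUSTED_NETS) and src not in flagged_untrusted:
            alerts.append((src, "DESCRIBE from untrusted source"))
            flagged_untrusted.add(src)
        if e["status"] == 401:
            failures[src] = [t for t in failures[src] if ts - t <= window] + [ts]
            if len(failures[src]) == fail_threshold:
                alerts.append((src, f"{fail_threshold} failed DESCRIBE within {window}"))
        elif e["status"] == 200 and failures[src] and ts - failures[src][-1] <= window:
            alerts.append((src, "DESCRIBE succeeded after failed attempts"))
            failures[src] = []
    return alerts

# Constructed sample: one trusted request, then an untrusted host that fails five times and succeeds.
SAMPLE_LOG = [
    "2025-05-20T02:14:01Z src=192.0.2.10 method=DESCRIBE url=rtsp://cam01/stream status=200",
    "2025-05-20T02:15:00Z src=203.0.113.7 method=OPTIONS url=rtsp://cam01/stream status=200",
    *[f"2025-05-20T02:15:{s:02d}Z src=203.0.113.7 method=DESCRIBE url=rtsp://cam01/stream status=401"
      for s in range(10, 15)],
    "2025-05-20T02:15:20Z src=203.0.113.7 method=DESCRIBE url=rtsp://cam01/stream status=200",
    "garbage line that does not parse",
]

def sample_alerts():
    return detect(SAMPLE_LOG)
```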

  • Sanjay Katkar

    Co-Founder & Jt. MD Quick Heal Technologies | Ex CTO | Cybersecurity Expert | Entrepreneur | Technology speaker | Investor | Startup Mentor

    31,791 followers

    Last month, India’s biggest crypto exchange CoinDCX lost ₹368–378 crore. Not because of a customer hack. But because an internal wallet got compromised.

    Here’s how it played out 👇
    → Attacker hijacked a liquidity wallet
    → Bridged funds (Solana ↔ Ethereum)
    → Laundered via Tornado Cash

    Customer wallets? ✅ Safe. But the breach? ❌ Server-side, deep inside their own infra.

    Most teams think “cold storage = safe.” Reality check: internal wallets are the real blind spot. Here’s what 99% of teams don’t do when it comes to high-risk wallets, automation accounts, and liquidity ops. So here’s a 6-point Internal Wallet Risk Audit you can run this week:

    1. Wallet Role Mapping
    List every wallet → check what it should do vs what it can do.
    ⚠️ Red flag: liquidity wallet can move treasury funds.

    2. Transaction Limits + Velocity
    Can the wallet push $10M at once? Or 10x in 2 min?
    ⚠️ Red flag: no daily caps or auto-delays.

    3. Approval & Signing Workflows
    Who signs off on big moves? Forced multi-sigs? JIT approvals?
    ⚠️ Red flag: backend automation with always-on keys.

    4. Bridge Behavior Watch
    Monitor transfers across chains. Auto-pause weird routes/off-hours.
    ⚠️ Red flag: first-time bridge + big amount + midnight = no alert.

    5. Key Rotation Discipline
    How often do you rotate keys? Retire old ones?
    ⚠️ Red flag: stale keys from 2022 still active.

    6. Red Teaming ‘Rogue Wallets’
    When did you last simulate a compromised wallet?
    ⚠️ Red flag: confident → but never tested.

    Know friends or colleagues trading crypto? ♻️ Re-share this with them, they should know where the real risks are.

    This wasn’t a crypto-specific failure. It was a visibility, privilege, and control failure.

    What are your thoughts on the CoinDCX breach?

    #CyberSecurity #CryptoSecurity #BlockchainSecurity #CryptoNews #DataBreach #HackPrevention #Web3Security #CloudSecurity #InfoSec #CryptoHack #CoinDCX #SecurityAwareness #FinTech #RiskManagement #SecurityTips #HackingNews
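    The automatable parts of the six-point audit above (role mapping, caps and velocity, bridge behaviour, key age) can be expressed as a single check over a wallet inventory and a transfer history. This is an added example, not code from the post's author or from CoinDCX: the wallet and transfer records, the capability labels, the 180-day key age limit, the $1M "big amount" threshold and the 22:00 to 06:00 off-hours window are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Points 3 (signing workflows) and 6 (rogue-wallet drills) are process checks; 1, 2, 4, 5 are modelled.
ROLE_ALLOWED = {"liquidity": {"swap", "provide_liquidity"}, "treasury": {"move_treasury"}}

@dataclass
class Wallet:
    name: str
    role: str             # what the wallet should do
    can: set              # what its keys actually allow (assumed capability labels)
    daily_cap_usd: float  # 0 means no cap configured
    key_created: datetime

@dataclass
class Transfer:
    wallet: str
    amount_usd: float
    at: datetime
    bridge: str = ""      # e.g. "solana->ethereum"; empty for same-chain

def audit(wallets, transfers, now, max_key_age_days=180, big_usd=1_000_000):
    """Return (wallet, finding) red flags for audit points 1, 2, 4 and 5."""
    flags, by_name, recent, seen_bridges = [], {w.name: w for w in wallets}, {}, {}
    for w in wallets:
        extra = w.can - ROLE_ALLOWED.get(w.role, set())          # 1. role vs capability
        if extra:
            flags.append((w.name, f"can {sorted(extra)} beyond role '{w.role}'"))
        if w.daily_cap_usd <= 0:                                  # 2. no cap at all
            flags.append((w.name, "no daily cap configured"))
        if (now - w.key_created).days > max_key_age_days:         # 5. stale signing key
            flags.append((w.name, f"signing key older than {max_key_age_days} days"))
    for t in sorted(transfers, key=lambda t: t.at):               # 2. velocity, 4. bridges
        w = by_name[t.wallet]
        window = [x for x in recent.get(t.wallet, []) if t.at - x.at <= timedelta(hours=24)] + [t]
        recent[t.wallet] = window
        if w.daily_cap_usd > 0 and sum(x.amount_usd for x in window) > w.daily_cap_usd:
            flags.append((w.name, f"24h volume exceeds cap at {t.at:%Y-%m-%d %H:%M}"))
        if t.bridge:
            seen = seen_bridges.setdefault(t.wallet, set())
            off_hours = t.at.hour < 6 or t.at.hour >= 22            # assumed quiet window
            if t.bridge not in seen and t.amount_usd >= big_usd and off_hours:
                flags.append((w.name, f"first-time bridge {t.bridge} of ${t.amount_usd:,.0f} off-hours"))
            seen.add(t.bridge)
    return flags

def sample_findings():
    """Constructed sample (not CoinDCX data): a liquidity wallet that can also move treasury funds."""
    now = datetime(2025, 8, 1, 9, 0)
    wallets = [Wallet("liq-01", "liquidity", {"swap", "provide_liquidity", "move_treasury"}, 0, datetime(2022, 3, 1)),
               Wallet("trs-01", "treasury", {"move_treasury"}, 500_000, datetime(2025, 6, 1))]
    transfers = [Transfer("liq-01", 2_500_000, datetime(2025, 7, 19, 1, 12), "solana->ethereum"),
                 Transfer("trs-01", 300_000, datetime(2025, 7, 20, 10, 0)),
                 Transfer("trs-01", 300_000, datetime(2025, 7, 20, 15, 30))]
    return audit(wallets, transfers, now)
```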

  • Sara Badran

    Senior Cybersecurity Business Development Representative | Client Relationship, Retention & Account Growth | Cybersecurity SaaS | Go-To-Market Execution

    93,888 followers

    🚨 New Phishing Technique Alert

    A sneaky new attack method is making waves — exploiting email systems by "atomizing" messages to bypass traditional security checks!

    🔍 How It Works:
    • Attackers split a single email into multiple fragments ("atoms") before it reaches the inbox.
    • Each atom looks harmless alone — no full malicious payload is visible at once.
    • When the fragments are reassembled by the email client, the full phishing or malicious email is revealed.
    • This bypasses SPF, DKIM, and DMARC protections, making the email appear legitimate.

    🎯 Who’s Being Targeted?
    • Enterprises relying on email gateways and standard authentication checks.
    • Organizations with weak email security policies.

    🛡️ How to Stay Safe:
    • Apply strict inbound email policies — especially for fragmented emails.
    • Monitor email behavior, not just static properties like headers.
    • Educate teams about spotting suspicious fragmented communications.
    • Strengthen email validation and anomaly detection tools.

    ⚡ This isn’t just bypassing a filter — it’s a whole new way to weaponize the very structure of email itself.

    #CyberSecurity #Phishing #EmailSecurity #ThreatIntel #InfoSec #AtomizedAttack #SPF #DMARC

  • Barbara C.

    Board & C-suite advisor | AI strategy, growth, transformation | Cloud, IoT, SaaS | Former CMO & MD | Ex-AWS, Orange

    15,099 followers

    When “Confidential” isn’t

    This week, Microsoft confirmed that a flaw in Copilot allowed emails marked “Confidential” to be read and summarised despite Data Loss Prevention controls designed to prevent that. Microsoft identified the issue and began rolling out a fix, but has not disclosed how many companies were impacted.

    If AI systems can override data classifications, the consequences are real:
    🔹 Sensitive negotiations may surface
    🔹 M&A discussions, pricing strategy, or legal correspondence may surface
    🔹 Regulated data processing may trigger compliance scrutiny
    🔹 Trust with partners, customers and regulators can erode.

    Encryption does not prevent this. Encryption protects against outsiders. Copilot operated as an authorised insider. That distinction matters.

    For decades, corporate governance rested on a human-centered model:
    ▫️ Classify information
    ▫️ Control access
    ▫️ Audit behaviour

    Humans open documents, forward emails, and violate policy. Generative AI does not merely access a file:
    🔹 It interprets across many.
    🔹 It synthesises context.
    🔹 It generates new meaning.

    In this case, the interpretive layer moved ahead of the control layer. If “Confidential” can be bypassed by a misalignment inside a trusted platform, how many other safeguards rely on assumptions that have never been tested against AI behaviour?

    Most enterprises have Copilot embedded across Microsoft 365. In many environments, AI features are enabled by default. Updates are continuous. Capabilities expand quietly in the background. Oversight, however, remains static and periodic.

    Can similar cases happen again? Yes, as:
    ✔️ AI systems evolve rapidly
    ✔️ Vendor release cycles are continuous
    ✔️ Governance frameworks update slowly

    As long as innovation moves faster than oversight, misalignment risk persists.

    “Confidential” used to mean: limit who can see this. In the AI era, AI systems don’t just see information. They reason over it. They connect it. They compress it.

    When AI is embedded inside core systems, governance can no longer be about static permissions. It has to be about dynamic behaviour. The most underappreciated risk today is institutional lag. AI systems improve and update continuously. Oversight structures do not. In complex systems, gradual drift is more dangerous than sudden failure. The organisations that adapt will be the ones that redesign governance to operate at the same cadence as the technology.

    #AIGovernance #RiskManagement #AI #Boardroom #BusinessStrategy

  • Matthew Waddell

    Helping Organizations Survive Ransomware | Author of “Survive Ransomware”, a Step-by-Step Resilience Blueprint (Coming Soon!)

    4,154 followers

    Scattered Spider just rewrote my ransomware playbook.

    They didn’t just break in. They didn’t just move laterally. They fought back.

    Incident response started closing doors and Scattered Spider pried them back open, countered security moves in real-time, and actively sabotaged the organization’s operations on their way out. This isn’t the future of ransomware. It’s here.

    A few painful lessons:
    - Social engineering is faster than brute force. Scattered Spider impersonated a CFO and convinced the help desk to reset MFA... and it worked!
    - Over-privileged executive accounts remain soft targets. They offer maximum access and minimum resistance.
    - Cloud misconfigurations and virtual machines are blind spots. The attackers moved through virtual desktops, spun up new machines, and operated without endpoint detection visibility.
    - Persistence matters. Even after discovery, the attackers leveraged administrator-level control to claw back access and delay eviction.
    - Real-world tug-of-war is now part of the threat landscape. They weren’t afraid to burn the environment down.

    Here is how we (Incident Response) can start to prepare:
    - Strengthen identity verification, especially for help desk resets. Voice-based verification is not enough.
    - Audit executive accounts for unnecessary privileges. Just because it’s the CFO doesn’t mean they need domain-wide access.
    - Segment and actively monitor your virtual environments. Treat VDI and VMware ESXi like critical infrastructure.
    - Plan for post-discovery adversaries. Assume they’ll fight to stay. Build recovery and containment playbooks for hostile evictions.

    Scattered Spider showed us what the next generation of attackers looks like. They don’t just steal data. They disrupt. They linger. And they’re watching how you respond.

    You get what you rehearse, not what you intend; start rehearsing now.

  • Wendi Whitmore

    Chief Security Intelligence Officer @ Palo Alto Networks | Cyber Risk Translator | AI Security & National Security Leader | Former CrowdStrike & Mandiant | Congressional Witness | Keynote Speaker

    20,437 followers

    What if your biggest cyber risk isn’t malware but a highly trained “employee” you never hired?

    We’re watching a shift in how attacks happen. Social engineering is no longer sloppy or easy to spot. It’s polished, patient, and increasingly powered by AI.

    Why? Because attackers are evolving into well-run businesses. They have playbooks. They train their teams. They measure outcomes. And now AI is helping them refine tone, language, and credibility at scale, often faster than internal teams can respond.

    A recent Palo Alto Networks Unit 42 case involving Muddled Libra, also known as Scattered Spider, makes this very real.
    🔶 They didn’t deploy malware. They didn’t dump credentials.
    🔶 They called a help desk. Within 39 seconds, they leveraged existing OAuth tokens and connected APIs to extract 3 TB of data from trusted applications already inside the environment.

    That’s the reality. Attackers are exploiting trust, not just technology.

    So what can organizations do?
    🔶 Re-evaluate help desk authentication and move beyond knowledge-based verification
    🔶 Require stronger identity validation for password resets and privilege escalation
    🔶 Apply least privilege and tighter controls to tokens, sessions, and API access
    🔶 Monitor identity behavior, not just endpoints
    🔶 Train teams to recognize well-crafted, professional social engineering

    This is where identity security becomes critical. Not just who has access, but how access is granted, validated, and monitored every step of the way.

    The question isn’t whether attackers will keep improving. They will. The real question is whether we are evolving our defenses at the same pace.
