Threat Intel Update
Mitigating cyber threats can come in various forms and from a variety of sources, from an organization deciding to implement multi-factor authentication (MFA) for user accounts to the U.S. government banning the sale and usage of a software product. However, even with the best of intentions, cyber threat actors can find ways to abuse these mitigation efforts.
One way cyber criminals work around MFA is to overwhelm users with notifications and trick them into accepting one. This gives them another way to gain access to victim accounts using stolen credentials. Cyber threat actors also use malware, which has proven successful for gaining access to systems, evading detection, and stealing valuable information.
While organizations make decisions on how to safeguard their assets and their customers, the U.S. government also makes decisions to help safeguard computer systems in the U.S. It has been working to implement new frameworks and policies as well as to block foreign bad actors from doing business in the U.S.
Cybersecurity News
- U.S. Government Bans Sale of Software from Kaspersky Lab Due to National Security Reasons – The ban will go into effect on September 29, 2024 and will prohibit existing Kaspersky customers from upgrading software and the company from offering services in the United States. Kaspersky and its United Kingdom-based affiliate will be added to the U.S. Department of Commerce’s entity list due to the company's support of the Russian government. The U.S. Government previously banned the use of Kaspersky in civilian government agencies in 2017, and in 2022 the Federal Communications Commission also deemed the company a threat to national security. The Record
- Chinese Threat Actor Deploying Various Malware Variants Against U.S. Technology Companies and Governments Around the World – The threat actor tracked as SneakyChef has used malware to engage in a global espionage campaign. The SugarGh0st remote access trojan (RAT) is a variation of the Gh0st RAT and has been used against entities involved in artificial intelligence, such as academic organizations and private companies. SugarGh0st has also been used in attacks against government organizations in Asia. A second malware deployed by SneakyChef, called SpiceRAT, has been deployed against a government organization in Africa. The Hacker News
- Ransomware Attacks Linked to LockBit Increase Despite February Disruption by Law Enforcement – Following the disruption, LockBit launched a new data leak site and relaunched infrastructure to support ransomware operations. Attacks linked to LockBit accounted for 37% of all ransomware attacks in May. However, it’s possible that LockBit may have inflated the number of attacks. Security Week
- Cisco Talos Finds Approximately Half of Security Incidents Involve Issues with Multi-Factor Authentication (MFA) – During Cisco Talos incident engagements, 21% of engagements involved MFA not being properly implemented. Another 25% of engagements involved users accepting MFA push notifications sent by a cyber threat actor. Cisco found the majority of push notifications were sent before or during work hours, in the hope that victims would authenticate as part of their normal logging-in routine. Talos
- Foreign Leaders from Group of Seven (G7) Countries Agree to Develop Cybersecurity Framework for Operational Technology – This framework would help the operators and manufacturers of operational technology. Leaders from Canada, France, Germany, Italy, Japan, the United Kingdom, and the United States highlighted the energy sector as a target of cyber attacks during a meeting. The group also announced the development of a new G7 Cybersecurity Working Group. The Record