Archive for Fortra

Fortra’s Terranova Security and Microsoft Open Registration for Annual Gone Phishing Tournament

Posted in Commentary with tags on September 15, 2023 by itnerd

The fifth annual online Gone Phishing Tournament, hosted by Fortra’s Terranova Security and Microsoft between October 9-27, 2023, is open for registrations.  

The tournament, which uses real-world scenarios to establish accurate phishing clickthrough rates among end users, allows organizations to benchmark their phishing resilience against true global standards. Last year, 1.2 million users from across 250 organizations took part with over 21 phishing message languages deployed. 

The Gone Phishing Tournament assesses the limits of an organization’s security awareness, regardless of their size or industry. Participating organizations will receive a comprehensive report on the findings from the event, and recommendations for employees and security leaders alike – created by Fortra and Microsoft. 

The 2022 tournament revealed several key findings:

  • Overall clicks on phishing links improved on 2021 numbers, but many end users were still prone to following through on requests for sensitive information.  
  • Of those who clicked through, 44% completed action on the phishing website. 
  • Only organizations with 500 or fewer employees managed to keep their click-to-form completion rate under 30%, suggesting that if an organization of 10,000 employees had been targeted with a phishing scam, 700 would have clicked the link and 300 would have compromised sensitive information. 
  • The technology, finance, education, and public sectors boasted the highest number of participants. 
  • Of the not-for-profit organizations who took part, almost a third (33%) reported having no security awareness training in place. 

Potential participants can register through this link until September 30. 

Fortra and Microsoft DCU Take Legal Action Against Cybercriminals

Posted in Commentary with tags on September 11, 2023 by itnerd

Today I’d like to bring you a story on how three companies are working together to take down the bad guys.

Cybersecurity software and services provider Fortra recently partnered with Microsoft’s Digital Crimes Unit (DCU) and the Health Information Sharing and Analysis Center (Health-ISAC), taking technical and legal action to disrupt cracked, legacy copies of Cobalt Strike and abused Microsoft software, which have been used by cybercriminals to distribute malware, including ransomware. The ransomware families associated with or deployed by cracked copies of Cobalt Strike have been linked to more than 68 ransomware attacks impacting healthcare organizations in more than 19 countries around the world. These attacks have cost hospital systems millions of dollars in recovery and repair costs, plus interruptions to critical patient care services including delayed diagnostic, imaging and laboratory results, canceled medical procedures and delays in delivery of chemotherapy treatments, just to name a few.

On March 31, 2023, the U.S. District Court for the Eastern District of New York issued a court order allowing Microsoft, Fortra, and Health-ISAC to disrupt the malicious infrastructure used by criminals to facilitate their attacks. Doing so has enabled these three organizations to notify relevant internet service providers (ISPs) and computer emergency readiness teams (CERTs) who assist in taking the infrastructure offline, effectively severing the connection between criminal operators and infected victim computers.

While the exact identities of those conducting the criminal operations are currently unknown, these three companies have detected malicious infrastructure across the globe, including in China, the United States and Russia. In addition to financially motivated cybercriminals, they have observed threat actors acting in the interests of foreign governments, including from Russia, China, Vietnam and Iran, using cracked copies.

Fortra’s Role

The Fortra Cyber Intelligence Team played a critical role in identifying the legitimate versus unauthorized systems as they were observed on the internet and served as the central hub for data collection from other public and private partners that was fed into the legal mechanisms to initiate the takedown processes.  

To date, there has been a decrease in the unauthorized usage of Cobalt Strike overall and what is still being observed is originating more and more from a limited set of countries.

I spoke to Bob Erdman, who is the Associate VP, R&D at Fortra, about this, and he explained to me how this collaboration came about, and that this collaboration between Fortra and Microsoft had benefits beyond taking the actions described above. Specifically, the intel that both companies, along with Health-ISAC, gained from working together. One thing that was noted was that the threat actors behind this have moved to places that are difficult to reach for the legal system. Hopefully that changes, as using pirated software is a huge risk due to the fact that threat actors can do anything to the software to get initial access to a company using this software.

I’ve only scratched the surface on this. Thus I encourage you to read more here: https://www.fortra.com/blog/stopping-cybercriminals-abusing-security-tools.

Fortra Introduces New Integrations for Offensive Security

Posted in Commentary with tags on August 11, 2023 by itnerd

Global cybersecurity software and services provider Fortra today announced new integrations for its offensive security solutions that streamline capabilities for vulnerability management, penetration testing, and red teaming. Working together, the solutions apply the same techniques used by threat actors to identify and exploit gaps in an organization’s security. With this proactive security approach, customers can find and fix weaknesses in their security posture before they are exploited.

Fortra’s offensive security solutions, including Frontline Vulnerability Manager (VM), Core Impact penetration testing software, Cobalt Strike adversary simulation software, and Outflank Security Tooling are now interoperable, providing data centralization, easy information sharing, reduced console fatigue, accelerated time-to-remediation, among other benefits.  

Fortra’s offensive security offerings come in five configurations for an enhanced security stance and centralized control:    

  • Essentials – Combines Fortra’s Frontline VM, the industry’s most comprehensive SaaS vulnerability management solution, with Fortra’s powerful penetration testing platform, Core Impact, to scan, evaluate and prioritize security vulnerabilities and remediation efforts throughout an organization’s network. 
  • Advanced – Combining Fortra’s penetration testing and adversary simulation software solutions, Core Impact and Cobalt Strike, this provides a robust view of vulnerabilities through advanced ransomware and phishing simulations and comprehensive reporting, while also giving teams the ability to collaborate in real time.  
  • Elite – Combines Frontline VM, Core Impact, and Cobalt Strike, allowing customers to evaluate security, identify vulnerabilities and proactively reduce risk. These combined vulnerability management, penetration testing, and adversary simulation tools run at the same time and are interoperable, streamlining the process to identify, analyze and prioritize vulnerabilities. 
  • Red Team – Built to integrate seamlessly into Cobalt Strike’s flexible command and control framework, Outflank Security Tooling extends a company’s red teaming capabilities. Together, these tools can deploy more sophisticated adversary simulation and assess overall security posture and vulnerability.  
  • Advanced Red Team – Combines Core Impact, Cobalt Strike and Outflank Security Tooling to safely evaluate security gaps, defenses and security strategies using the same tactics as today’s threat actors. Together, these solutions provide a holistic security testing methodology for advanced red teamers. 

  For more information about Fortra’s offensive security capabilities, visit: https://www.fortra.com/products/bundles/offensive-security.  

New Research From Fortra On Email Impersonation Attacks Is Eye Opening

Posted in Commentary with tags on June 22, 2023 by itnerd

Cybersecurity software and services provider Fortra has announced the findings from its latest research on email impersonation attacks, showing that so far in 2023, the volume of nefarious emails impersonating enterprises has reached a crescendo.

According to the research, email impersonation threats such as business email compromise (BEC) make up nearly 99% of reported threats. What’s more is that credential theft attacks are back on the rise, proving that malicious actors remain in search of sensitive information such as usernames, passwords, and credit card numbers — all of which could harm the bottom line, and brand reputation.

You can read the research here.

FBI Issues Warning About Sextortion Schemes

Posted in Commentary with tags on June 8, 2023 by itnerd

Earlier this week, the FBI issued a warning about an uptick in malicious actors using “deepfakes” (the manipulation of benign photographs or videos) to target victims in a new wave of sextortion schemes:

The FBI is warning the public of malicious actors creating synthetic content (commonly referred to as “deepfakes”) by manipulating benign photographs or videos to target victims. Technology advancements are continuously improving the quality, customizability, and accessibility of artificial intelligence (AI)-enabled content creation. The FBI continues to receive reports from victims, including minor children and non-consenting adults, whose photos or videos were altered into explicit content. The photos or videos are then publicly circulated on social media or pornographic websites, for the purpose of harassing victims or sextortion schemes.

John Wilson, senior fellow of threat research at cybersecurity company Fortra had this to say about this FBI warning:

“Because everything can be spoofed, from websites and emails to phone numbers and caller IDs, it’s easy for trusting teens and even adults to be duped into believing they’re interacting with someone they know, or someone they admire and would like to know. And social media, email, games, chat rooms and cell phones give scammers plenty of ways to reach and extort individuals once they make a connection and establish trust. 

Aside from deepfakes, there’s another type of sextortion scheme that doesn’t involve the exchange of explicit photos. A scammer will send an email or direct social media message telling the child they’ve got access to their computer and webcam and have been recording them and the explicit sites they visit. The scammer threatens to tell the victim’s family and friends if they don’t send money. In actuality, the scammer doesn’t have access and is just hoping the victim is scared enough to pay up.”

Not everything and everyone is a threat, but kids and teens need a healthy level of suspicion in their interactions with unknown people and sites. Parental controls can only do so much. John stresses the importance of having the “other” talk to help educate young people about how to navigate the internet safely, offering these tips:

  • Keep the lines of communication open. Your kids need to feel safe coming to you even if they’re in an awkward or embarrassing situation. If possible, start talking with them before they really get active online. Let them know you’ll figure out problems together.
  • Think carefully about photos. Reinforce that once a photo is shared, it cannot be controlled. Any image could wind up on a forum for all to see, including a Snapchat exchange captured as a screenshot. Remove location information from photos by updating the exchangeable image file (EXIF) data. And it might sound obvious, but ensure your kids know never to send nude photos. It could even be a felony if they’re underage. 
  • Think before you post. Remind kids that what’s shared on the internet is permanent. That unseemly party pic they get tagged in at 17 could cost them a job five years later when a prospective employer does social media due diligence.
  • Don’t respond directly to inbound requests. The rule is if it’s inbound and unexpected, don’t give out any information. Hang up and verify contact information via a secondary channel before responding. Click on the sender’s name in the email header to view the actual domain. Many times, the sender isn’t who you think it is.
  • Practice what you preach. Parents also need to be careful of how much information they post online about their families. Sharing the location of soccer practice and friends’ names is valuable intel for scammers to use in befriending kids with accurate details that build trust. Also review your social media account privacy settings and lock down access to your profile and posts so only trusted contacts can see them.

This is really good advice from Mr. Wilson that everyone should follow. Because deepfakes are popping up everywhere, and you need to do everything that you can to make sure that you’re not a victim.

Industry-First Integration From Fortra Allows Organizations To Supercharge Their Automation Footprint

Posted in Commentary with tags on May 9, 2023 by itnerd

Fortra announced today a compelling connection between JAMS, its top-rated workload automation and job scheduling solution and Automate, its robotic process automation solution. This first-of-its-kind integration allows organizations to supercharge their automation footprint by incorporating Automate’s low code approach to building automation with the powerful orchestration capabilities of JAMS.

The integration also comes as more organizations turn to hyperautomation, the concept of automating as many processes as possible using a mix of tools and technology to further transform operations.

The new Automate Execution Method simplifies job creation, leading to improved process efficiency, increased productivity, and faster turnaround times for tasks such as report generation, data entry, and employee onboarding. Through Automate’s no-code, drag-and-drop development, users can leverage predefined native actions to common applications, connect to API endpoints, and use a built-in step recorder to capture user actions on a website or desktop application. 

Automate can also be used to create complex automation workflows using steps, logic, and more. Users can then schedule, manage, and run their RPA workflows directly from JAMS.

“We’re excited to help our customers bridge a critical gap in automation while giving them more visibility and control over the automation running in their environment,” said Laun. “Bringing workload automation and robotic process automation together further amplifies their efforts with the convenience of a single vendor.”

For more information, visit jamsscheduler.com.

Threat Researcher Provides Advice In Terms Of Avoiding Scams During The Holiday Shopping Season

Posted in Commentary with tags on November 19, 2022 by itnerd

Black Friday and Cyber Monday are right around the corner, which means online shoppers need to be extra vigilant and watch out for email scams such as phishing. These emails can make it past most security controls because they appear to be coming from a trusted source: someone the recipient knows or a trusted brand.

Common scenario: You receive an email from the sporting supply company you purchased from several times in the past. But look carefully, is it really coming from that well-known brand?

John Wilson, senior fellow of threat research at Agari by Fortra says:

“Take a minute to pause and check. Before you click on that link with that great savings offer, check the body of the email and the sender information to look for misspellings. Is the email from amaz0ndeelz2022@gmail.com, not Amazon.com? Do not click on any links but hover over them to see if the URL is correct. Clicking on that offer link may be all it takes to grant a grinch access to personal or business data. If an email receiver does click on the link, it could be an imposter website created by a scammer imitating a trusted brand’s website domain. Make sure the URL in your browser’s address bar matches the brand’s actual website before giving up any personal information such as a username or password.

Google it. Type a short description of the situation plus the word “scam.” If you see 40 entries with similar stories, you’ve just saved yourself a lot of hassle.

Verify another way. If you get an email from what looks like a trusted organization or contact, verify that it’s real by phone. Just don’t use the number shown in the footer of the email, as fraudsters may have switched out the actual number with their own. If you receive a phone call that’s supposedly from your bank, hang up and dial the number on the back of your card.

Report the incident. Criminals count on victims to be too embarrassed or hesitant to report scams. But it’s important to file a police report and notify the Internet Crime Complaint Center (ic3.gov) about the fraud.”

Fortra Names Matthew Schoenfeld President  

Posted in Commentary with tags on November 17, 2022 by itnerd

Fortra announced today that it welcomes Matthew Schoenfeld to the organization as its new president. A software industry veteran with more than a decade of experience in cybersecurity, Schoenfeld has a proven record as a dynamic, purposeful leader. He has a strong history of growing sales and revenue while helping customers solve challenges through a collaborative approach, a Fortra hallmark. Current president Jim Cassens will continue to support the business as an executive director.  

Schoenfeld joins Fortra from Absolute Software, where he was EVP and chief revenue officer overseeing global sales, channel partnerships, and the customer experience. He has an impressive background in the technology and cybersecurity space developed over more than two decades, which included his tenure as executive in residence at Greylock Partners, senior vice president of the Americas and partner channel at FireEye and as an advisory board member for Abnormal Security.  

Cassens will continue to play a crucial role in the next phase of the company’s strategy as an advisor to Matthew and the entire executive team. Cassens joined the organization in 2001. Over the next two decades, he influenced the direction of the business through numerous executive roles, most recently as president leading the sales organization. As executive vice president of mergers and acquisitions, he led the company toward its historic growth on a global scale. Cassens also served as president of the cross-platform business units, chief technical officer, and vice president of international sales.  

Fortra is a cybersecurity company like no other. They’re creating a simpler, stronger future for their customers. Their trusted experts and portfolio of integrated, scalable solutions bring balance and control to organizations around the world. They’re the positive changemakers and your relentless ally to provide peace of mind through every step of your cybersecurity journey. Learn more at fortra.com.       

Hackers Using Steganography For Malware Attacks 

Posted in Commentary with tags on November 15, 2022 by itnerd

In early September 2022, researchers identified a threat group called Worok that targeted many victims, including government entities around the world, to gain access to devices. The group concealed information-stealing malware inside PNG images using least significant bit (LSB) encoding, which hides the malicious code in the least significant bits of the image’s pixels.

To get a view of this attack from the security industry, I have Alyn Hockey, VP Product Management at cybersecurity software and services provider Fortra:

“It’s a hack that’s easily undetected and the old technique is increasingly used to hide malware payloads. So, when an image is viewed by a member of an organization, the payload, otherwise known as a virus, worm or Trojan, can start work immediately – resulting in damage to systems and loss of data.

Steganography examples can be traced back as early as 5 BC when used as a defense tactic by Histiaeus, a Greek ruler of Miletus. Histiaeus shaved and tattooed a man’s head with messages that would go unnoticed once his hair grew back. The allies, aware of the practice, found the warning messages on the man’s scalp.

Fast forward to 2022 when an employee of General Electric was convicted of conspiracy to commit economic espionage. While this sounds like something out of a thrilling motion picture, the former employee simply used steganography. He was able to take company secrets in files by downloading, encrypting, and hiding them in a seemingly mundane sunset photo. He used his company email address to email the image to his personal email address. According to court documents, the encryption process took less than 10 minutes. 

Again, while not as common as other cyberattacks, the shocking and quick way it can fly under the radar is reason enough to have a security solution that protects not only from external threats like malware but keeps data safe through effective data loss prevention methods. Organizations can apply an anti-steganography feature to sanitize all images as they pass through the secure email gateway. Anti-steganography removes anything hidden within the image, which will not visually alter the image but make it impossible for recipients to recover hidden information – including accidental opening of malware. While this will cleanse all images, it mitigates the overall risk thereby keeping the organization safe – doing so in milliseconds, so the flow of business won’t be disrupted.”

The Bleeping Computer story that I linked to has a lot of detail that is very much worth reading.
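The sanitization step described in the quote above, as an added example (not from the original post and not any vendor's implementation): it overwrites the least significant bit of every decoded pixel channel with random noise, so a constructed hidden marker can no longer be recovered while each channel value changes by at most 1. The function names, the synthetic gradient image and the marker are assumptions made for illustration, and decoding and re-encoding the PNG is assumed to happen elsewhere.

```python
import secrets

# Harmless 16-byte marker standing in for hidden data (constructed for this example).
MARKER = b"CONSTRUCTED-TEST"


def extract_lsb(pixels: bytes, nbytes: int) -> bytes:
    """Read nbytes from the lowest bit of consecutive channel values, MSB first."""
    if nbytes * 8 > len(pixels):
        raise ValueError("not enough channel values for the requested length")
    out = bytearray()
    for i in range(nbytes):
        byte = 0
        for bit in range(8):
            byte = (byte << 1) | (pixels[i * 8 + bit] & 1)
        out.append(byte)
    return bytes(out)


def build_constructed_sample(width: int, height: int, hidden: bytes) -> bytes:
    """Build a synthetic RGB gradient whose low bits carry `hidden`.

    This only produces test input for the sanitizer; a real gateway would
    receive the pixel buffer from its image decoder instead.
    """
    pixels = bytearray()
    for y in range(height):
        for x in range(width):
            pixels += bytes(((x * 4) % 256, (y * 4) % 256, ((x + y) * 2) % 256))
    bits = [(b >> (7 - k)) & 1 for b in hidden for k in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("image too small for the test marker")
    for i, bit in enumerate(bits):
        pixels[i] = (pixels[i] & 0xFE) | bit
    return bytes(pixels)


def sanitize_lsb(pixels: bytes, planes: int = 1) -> bytes:
    """Overwrite the lowest `planes` bits of every channel with fresh random bits.

    The upper bits, which carry the visible image, are left untouched.
    """
    if not 1 <= planes <= 4:
        raise ValueError("planes must be between 1 and 4")
    mask = (1 << planes) - 1
    noise = secrets.token_bytes(len(pixels))
    return bytes((p & ~mask & 0xFF) | (n & mask) for p, n in zip(pixels, noise))


def max_channel_delta(before: bytes, after: bytes) -> int:
    """Largest per-channel change introduced by sanitization."""
    return max(abs(a - b) for a, b in zip(before, after))


def sanitization_report(width: int = 32, height: int = 32) -> dict:
    """Run the sanitizer over the constructed sample and summarize the effect."""
    sample = build_constructed_sample(width, height, MARKER)
    clean = sanitize_lsb(sample)
    return {
        "marker_before": extract_lsb(sample, len(MARKER)) == MARKER,
        "marker_after": extract_lsb(clean, len(MARKER)) == MARKER,
        "max_delta": max_channel_delta(sample, clean),
        "upper_bits_preserved": all((a >> 1) == (b >> 1) for a, b in zip(sample, clean)),
    }


if __name__ == "__main__":
    for key, value in sanitization_report().items():
        print(f"{key}: {value}")
```

This covers only data carried in the pixel bit planes; anything stored in metadata chunks or appended after the image data has to be dropped when the file is re-encoded.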

Industry Experts Provide Their 2023 Security Industry Predictions

Posted in Commentary with tags on November 15, 2022 by itnerd

As 2022 comes to a close and people look forward to 2023, one has to wonder what’s on the horizon in terms of information security. To that end I have gathered some executive quotes from cybersecurity company Fortra who under their umbrella have Alert Logic, Digital Guardian, Cobalt Strike, Tripwire, Digital Defense, Agari, PhishLabs, Core Security, and other well-known software and services providers:

Donnie MacColl, Senior Director of Technical Support / GDPR Data Protection Officer

  • We are already seeing many organizations taking action and consolidating their vendors. However, a large number of businesses are also making the decision to consolidate and merge their solution providers. Companies are becoming very aware that, after reviewing and understanding the functionality of their solutions, one supplier is capable of providing much more value than they are currently receiving from two separate ones. Organizations can then combine solutions together, creating a much stronger proposition. For example, a vulnerability management solution can pass prioritized vulnerabilities to an automation tool to perform remediation tasks, as opposed to displaying the vulnerability on a screen and waiting for a person to manually step in.
  • When it comes to laws and regulations, I suspect we will start seeing countries introducing more granular, local regulations. For example, in the UK, there is already talk that the Data Protection and Digital Information Bill will be refined or replaced by the “British GDPR”. By introducing more country-specific regulations, organizations will not only protect personal data but will also simplify international business operations by removing a considerable amount of red tape.
  • Outsourcing will increase in Managed Security Services, as we saw with operations many years ago. Companies are realizing that IT takes resources away from their core business – particularly when it comes to data protection and security which is difficult and challenging to maintain. In addition to this, Managed Security Services will broaden to become Vulnerability Management, Managed Detection and Response, Penetration Testing and Red Teaming, likely on a more “buy what you need” model.

Nick Hogg, Director of Technical Training

  • Security Awareness and Compliance Training – Organizations will be re-evaluating their security awareness and compliance training programs to move away from the traditional once-a-year, ‘box-ticking’ exercises that have proven to be less effective. The goal is to deliver ongoing training that keeps security and compliance concerns front and center in employees’ minds, allowing them to better identify phishing and ransomware risks as well as reducing user error when handling sensitive data.
  • DLP and Compliance – Organizations will be using digital transformation and ongoing cloud migration initiatives to re-evaluate their existing DLP and compliance policies. The goal is to ensure stronger protection of their sensitive data and meet compliance requirements, while replacing complex infrastructure and policies to reduce the management overhead and interruptions to legitimate business processes. It’s important to gather metrics to build confidence in executive leadership and ensure that changes to policy and systems do not have a negative impact on business processes or increase any form of risk.
  • Email Security – Organizations will be looking to plug gaps in their Microsoft 365 defenses to combat increasingly sophisticated phishing, ransomware and spyware attacks, while reducing the time spent by busy security teams triaging and responding to reports of suspicious messages. The goal is to prevent attacks such as sophisticated credential theft or business email compromise from making it into employees’ mailboxes. In 2023, it will be important to provide security teams with automated analysis of risks within reported messages, along with identification of other messages that have entered the organization as part of the same phishing campaign, in order to reduce time spent on triage and remediation.

Chris Reffkin, CISO

  • Security as a Business Enabler – People, processes and technology controls are all key to a good security program. Where people and technology controls will be tied to the size of an organization, organizations of any size can focus on processes to positively impact their security program’s capabilities. As all parts of an organization overlap with security, it could benefit all other functional areas such as support, manufacturing, design, services, delivery, to enhance revenue and increase positive customer outcomes. This creates a unique role for security to enhance business operations whilst increasing its security posture.

Wade Barisoff, Director of Product – Data Protection

  • Data Centric Security – As companies moved collaboration to cloud-based providers, the natural reaction was to extend what was already understood, which was attempting to control access to the containers where the data was stored rather than the data itself. As the use of cloud rapidly expanded, organizations had large volumes of customer and company data that was not well understood, in environments they may have had some access control over. Today, global organizations are starting to focus more on access to the data rather than the containers, as that is easier for business groups to understand. Tools that help secure data regardless of repository are coming into focus, as poorly maintained access control lists to repositories, that have been failing internally for decades, are now being pushed to cloud environments.
  • Data Classification Standards – Interoperability – For the last decade, data classification has slowed to zero adoption, primarily utilized by government and military organizations in any scale. File classification, for the most part, is a one-way street, where labels or tags only mean something to the company that created the data, but if shared, those classifications are lost on any external organization. There are a number of discussions (NIST for example) that are looking to create a standardization of labels in use to extend value beyond a single company. As a result, companies in the same industry can apply proper protections to the data shared with them and avoid labeling and re-labeling the same data, leading to systems such as data loss prevention having consistent actions on the content.

Tom Huntington, Executive Vice President of Technical Solutions

  • Open Source Creates More Targets – As more organizations deploy open source worldwide, this creates a larger target for bad actors to find loopholes in poorly engineered modules. Vulnerability scans and penetration testing efforts need to be taken seriously to help find where organizations are still running vulnerable code. The process of automating the deployment of patches through RPA can help to alleviate the shortages of staff.

John Grancarich, EVP, Strategy

  • Supply Chain Attacks on Organizations Will Increase – Between 2020 and 2021, supply chain attacks increased four-fold across the globe. As organizations get better at protecting themselves, sophisticated attackers will increasingly look more broadly at the end-to-end value chain of an organization for an opening. These supply chain targets will include everything from raw material providers to the retail channels that deliver goods to customers.
  • Attack Surface Management Evolves Into Critical Surface Management – We are all familiar with the term ‘attack surface management’, which is the process of continuously assessing and improving the security of an organization’s assets. However, this is inconsistent with how value is created in an organization – for example, is a development test server in a remote office as valuable as the intellectual property associated with a firm’s new invention? Organizations will evolve from a ‘how much can I protect’ approach to a ‘what is most critical to protect first’ mindset, improving the allocation of resources and value preservation in the process. Zero Trust architecture will play a critical role in this evolution.
  • A Shift From Product to Platform – We often hear from our customers that there are too many vendors, too many products, not enough integration and not enough optimization. This is a big reason why the cybersecurity industry is trying to hire 3 million more people around the world. It’s a broken paradigm, and the way to fix it is for the industry to shift to modular platforms which offer a simpler user experience and a more comprehensive and interoperable/integrated set of capabilities. Done well, organizations will be able to solve the majority of their cybersecurity challenges, with far fewer vendors than they typically use today.

Tom Huntington, Executive Vice President of Technical Solutions

  • Dismal Economy Strives Security Fatigue – As management worries about the economy in 2023, the continued attempts by the bad actors of the world create a security fatigue in the market. End users and IT teams are worn out by trying to keep up on a depleting battery. Now more than ever managed security offerings in DLP (Data Loss Prevention), File Monitoring, Email, MDR (Managed Detection and Response) and Digital Risk Management have become popular as security teams can’t keep up with their desired management needs. CISOs realize it is the right time to turn to a managed offering.

Tom Gorup, Vice President, Security Operations, Alert Logic by Fortra

  • Struggle to Bridge the Talent Gap – Demand for security will skyrocket in 2023 driven by economic downturn, consumer expectations and new compliance requirements. Meanwhile the talent pool for addressing the demand will remain depleted. This mismatch of security expectations and lack of quality talent supply will drive businesses to seek out third parties to solve their problems. As a result, we will experience choice overload in the MDR, MSPs and MSSPs spaces, seeking to fill the gaps for companies that don’t have the resources or in-house expertise to manage their own security challenges.
  • Security Complexity Grows – Security tools as standalone solutions are failing to enable businesses to effectively protect themselves. Tools that lack integration, offer complicated metrics and reporting, and generate exorbitant volumes of alerts, incidents, and telemetry are complicating the lives of CISOs and their teams. Even with the grandiose promises of Artificial Intelligence and Machine Learning technologies, designed to deliver increased efficiency and insight, security operations remain tough. Economic downturns will exacerbate these problems as organizations seek to reduce their expenses and turn to more 3rd parties for help. Businesses will begin to better understand the value of Managed Detection and Response services which are purpose-built to standardize and solve these operational challenges.
  • Ransomware Attacks Rise in Economic Downturn – Don’t expect ransomware attacks to abate any time soon – not only are they simply too lucrative and have a high potential for success, but, as we experience economic downturn, digital crimes will increase at an alarming rate. As a result, the demand for security solutions will rise dramatically.

Eric George, Director, Solutions Engineering, Digital Risk Protection and Email Security

  • Phishing As A Service use will expand – PaaS platforms simplify the creation and execution of credential theft phishing attacks which target the customers or employees of enterprise brands. These platforms cater to the lesser experienced threat actors and therefore have the potential to significantly expand the number of criminals conducting phishing attacks. 
  • Impersonation scams will increase and become more complicated and believable – 2022 saw a substantial amount of brands and individuals impersonated to add legitimacy to an assortment of online scams. And, in 2023, this will only increase in volume and complexity. We’re already beginning to see the possibilities of ‘deep fake’ on social media platforms and the Open Web, but as technology improves, these scams will become more common and harder to combat. 
  • MFA Platforms Targeted by phishers – Compliance requirements are making MFA more prevalent among enterprise organizations and, as such, it’s likely that attackers will follow suit. By compromising MFA, threat actors can potentially access multiple enterprise applications. 
  • Mobile device targeting increases – SMS phishing is much more difficult for the security community to track and respond to than traditional phishing attacks. In 2023, these attacks will likely continue to increase as our society continues to move toward mobile. 
  • Is this the year for web 3 or other decentralized platforms (such as blockchain domains) scams to grab the spotlight? Scams leveraging web 3 or other decentralized platforms haven’t yet targeted the bigger brands in a notable way, but it’s only a matter of time.