Cyber Intelligence Weekly

Cyber Intelligence Weekly (Oct 24, 2021): Our Take on Three Things You Need to Know

Welcome to our weekly post where I will be sharing some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

You can also Subscribe to receive Cyber Intelligence Weekly in your inbox each week.

Away we go!

1. Ransomware Gang Recruits Tech Talent Through Fake Company

A recent Wall St. Journal article highlights an interesting story about the group linked to the Colonial Pipeline hack, FIN7. The WSJ article highlights research performed by Gemini Advisory / Recorded Future, that tells a story about how they believe the FIN7 group created a fake company in order to recruit employees to help carry out their misdeeds. This company which was supposedly created by FIN7 was named ‘Bastion Secure’ or ‘BS’ for short (coincidence unlikely). Shockingly, this would not mark the first time that the FIN7 group has done something like this. In 2018, they were running a shell company called ‘Combi Security’ for similar purposes.

No alt text provided for this image

The Recorded Future research and intelligence was gathered by a source who was recruited by the supposed fake firm, Bastion Secure. During the interview process the candidate was given several tool sets to use in the hiring process as they carried out example operations in order for their employer to analyze their technical aptitude. It turns out, those very tool sets that they were given are tool sets that have been tied specifically to the FIN7 group before.

The team at Gemini performed an amazing amount of research that shows the lengths that FIN7 went to in order to make their company appear legitimate. For example, the name they chose for the company is similar to legitimate security companies in the United States. In addition, their website also referenced office addresses that once belonged to companies with similar names. Lastly, their website was nearly a copy/paste of a real cybersecurity company based out of the UK.

This story clearly outlines the fact that the global cybersecurity talent shortage is likely a real thing that affects criminal hackers too. In addition, it is likely cheaper for FIN7 and other hacking groups to make hires like this. They can turn civilians into accomplices in their crimes without the civilians even knowing about it. This is a scary reality, imagine a group of penetration testers that are given an assignment that they believe is to carry out a penetration test against a company, but in reality they are gaining access to accommodate future ransomware attacks.

2. High Profile YouTube Accounts Targets for Hackers

As we all know, bad actors will find any way to monetize their hacking skills, and they are always looking for new and creative ways to carry out their misdeeds. It has been reported recently by Wired and Google that bad actors have been hard at work hijacking popular YouTube accounts for money, share of the ad revenue, or to carry out cryptocurrency scams.

The Wired story goes into detail about how the attacks are carried out. The YouTube creators are targeted through spear phishing campaigns, whereby the email looks like an offer to collaborate with a legitimate company. The creators are then usually directed to a legitimate looking website that downloads malware to the YouTube creators’ computer. The threat actors then steal authenticated session cookies that are sent back to their command-and-control servers to be used to authenticate to YouTube illegitimately.

Once the smash and grab occurs, and access has been established to take over a YouTube account, then the fun happens. Many of the hijacked channels are being rebranded for crypto-stealing scams, some are going up for auction/sale on account trading markets. These attacks are being carried out by hack-for-hire attackers that are being recruited on Russian forums.

While Google is reportedly doing all that they can to help prevent these types of attacks from being successful, many of the security controls that need to be in place are the responsibility of the user, or the YouTube account holder. The YouTube account owners need to take care and be wary of phishing emails, run regular antivirus scans on their computers as well as anything that they download, and protect their accounts with two-factor authentication.

This story is a great lesson to anyone who has any account of value, whether it be a YouTube account, banking account, trading account, personal healthcare account or more, these cybersecurity best practices apply everywhere!

3. Maker of Candy Corn Hit by Ransomware, Halloween Ruined or Saved?

Ferrara Candy, one of the country’s top candy companies, producer of the polarizing candy corns, fell prey to a ransomware attack earlier this month that caused a disruption in production. Systems were locked up and production was limited for an extended period of time. The company said in a statement that they were working with law enforcement and were also able to restore most of their systems in a timely manner.

No alt text provided for this image

While several of their brands are Halloween staples, the company notes that consumers need not worry as most of the Halloween treats were shipped much earlier and should already be on store shelves across the country.

I for one, am indifferent about candy corn. I can’t tell you the last time I had one, I am definitely more a Reese’s guy myself…

Have a Happy Halloween everyone!

Sign Up for Weekly Cyber Intelligence Delivered to Your Inbox

Sign Up for Weekly Cyber Intelligence Delivered to Your Inbox

Sign up to get Cyber Intelligence Weekly in your inbox.