CV2-Forn http://feed.informer.com/digests/D323EP5PEC/feeder CV2-Forn Respective post owners and feed distributors Tue, 02 Oct 2018 08:53:24 -0400 Feed Informer http://feed.informer.com/ Chris Uhlmann: <b>China&#39;s cyber</b> traps already inside the castle wall | The Australian https://www.google.com/url?rct=j&#38;sa=t&#38;url=https://www.theaustralian.com.au/inquirer/chinas-cyber-traps-already-inside-the-castle-wall/news-story/44f265a20a9bd8579a60f475f9475554&#38;ct=ga&#38;cd=CAIyGjI3ODY4ZjM4MDVmNjU1MGY6Y29tOmVuOlVT&#38;usg=AOvVaw3Cuyde4dnB4TNOGAzMz3o4 Google Alert - china +cyber urn:uuid:849bd6f7-1134-dc2b-859d-1244e685bf0b Fri, 26 Apr 2024 10:02:42 -0400 The <b>cyber</b> battalions of the People&#39;s Republic of <b>China</b> have compromised parts of our critical infrastructure and are hunting for weaknesses in all of&nbsp;... <b>China</b>-linked PlugX malware infections found in more than 170 countries https://www.google.com/url?rct=j&#38;sa=t&#38;url=https://therecord.media/plugx-malware-infections-more-than-170-countries&#38;ct=ga&#38;cd=CAIyHGUyMjQ2OGJhZTYwNWI0NWQ6Y29tOmVuOlVTOkw&#38;usg=AOvVaw1qMdRqACRsIoDZmuRvocDw Google Alert - "deep panda" OR china OR chinese AND cyber OR hacker OR hacked urn:uuid:b0f5145c-9230-30d6-9ce4-238fbb9a94bf Fri, 26 Apr 2024 08:04:59 -0400 <b>Cyber</b> Security News | The Record &middot; Leadership &middot; <b>Cybercrime</b> &middot; Nation-state &middot; Elections &middot; Technology &middot; <b>Cyber</b> Daily® &middot; Click&nbsp;... 
<b>Chinese Hackers</b> Behind the Multi-Year Volkswagen <b>Cyberattack</b> - The <b>Cyber</b> Express https://www.google.com/url?rct=j&#38;sa=t&#38;url=https://thecyberexpress.com/chinese-hackers-behind-volkswagen-cyberattack/&#38;ct=ga&#38;cd=CAIyHGUyMjQ2OGJhZTYwNWI0NWQ6Y29tOmVuOlVTOkw&#38;usg=AOvVaw2jOSdJWDYK95SLAugA5bdz Google Alert - "deep panda" OR china OR chinese AND cyber OR hacker OR hacked urn:uuid:67e7998a-48cc-1e97-2359-e099512e3760 Fri, 26 Apr 2024 05:35:24 -0400 Moreover, the <b>hacking</b> tools employed, including the notorious “<b>China</b> Chopper,” further implicate <b>Chinese</b> origins, though conclusive proof remains&nbsp;... <b>Russian Cyber</b> Criminals Claim Responsibility for Attack Tipton Plant - WIBC https://www.google.com/url?rct=j&#38;sa=t&#38;url=https://wibc.com/325888/russian-cyber-criminals-claim-responsibility-for-attack-tipton-plant/&#38;ct=ga&#38;cd=CAIyHDNjZjllMTcxNDc3NGNlODA6Y29tOmVuOlVTOkw&#38;usg=AOvVaw2emli7Dwc4LgeTMTU1dkNG Google Alert - (russia OR russian) +(cyber OR "cyber attack" OR hacker OR hacking) urn:uuid:a90e9a01-acc7-8bb0-146e-2bc3aa303776 Fri, 26 Apr 2024 02:56:29 -0400 The <b>Cybersecurity</b> &amp; Infrastructure Security AgencyCISA is looking into the <b>cyber attack</b>. A group of <b>Russian hackers</b>, the People&#39;s <b>Cyber</b> Army of <b>Russia</b>&nbsp;... Sweden’s liquor supply severely impacted by ransomware attack on logistics company https://securityaffairs.com/162333/cyber-crime/swedens-liquor-supply-ransomware-attack.html Security Affairs urn:uuid:1563d4a4-d2a6-fa80-be19-0095bcba454f Fri, 26 Apr 2024 02:51:46 -0400 A ransomware attack on a Swedish logistics company Skanlog severely impacted the country&#8217;s liquor supply.  Skanlog, a critical distributor for Systembolaget, the Swedish government-owned retail chain suffered a ransomware attack. Systembolaget has a monopoly on the sale of alcoholic beverages containing more than 3.5% alcohol by volume. 
It operates stores across Sweden and is responsible [&#8230;] <h2 class="wp-block-heading">A ransomware attack on a Swedish logistics company Skanlog severely impacted the country&#8217;s liquor supply. </h2> <p>Skanlog, a critical distributor for Systembolaget, the Swedish government-owned retail chain, suffered a ransomware attack. Systembolaget has a monopoly on the sale of alcoholic beverages containing more than 3.5% alcohol by volume. It operates stores across Sweden and is responsible for the retail sale of wine, spirits, and strong beer.</p> <p>“It affects about 15% of our sales volume. Wine and liquor most of all,” Sofia Sjöman Waas, a press officer at Systembolaget, <a href="https://www.euronews.com/next/2024/04/25/alcohol-sales-disrupted-in-sweden-after-reported-ransomware-attack">told Euronews Next</a>. “We are accustomed to handling small to large scales of disruptions even though they are rarely on this scale,” Waas added. “We have many other items delivered to us as usual via other distributors. Therefore, there will continuously be many alternatives available at our stores.”</p> <p>Mona Zuko, Skanlog’s chief executive, attributed the cyber attack to a North Korean ransomware gang.</p> <p>“We have been centrally attacked by a cyber attack, which has caused our entire system to be down until we can fix it and get it back up,” Skanlog’s Swedish CEO Mona Zuko told <a href="https://www.di.se/live/nordkoreanskt-hackerangrepp-bakom-hotande-varubrist-pa-systembolaget/"><strong>local newspaper</strong></a> Dagens Industri.</p> <p>“Our systems, including our central business system, have been affected by the attack. 
We use a Microsoft financial system, and an inventory system called Dynaman which is critical to our operations.”</p> <p>Due to the cyber attack&#8217;s impact on the logistics company, the media reported it may be difficult to get hold of alcoholic beverages this weekend. A Skanlog spokesman <a href="https://www.aftonbladet.se/nyheter/a/vgWLbj/systembolaget-vissa-drycker-kan-salja-slut">warned</a> that certain alcoholic beverages could be sold out within a few days.</p> <p>SCMagazine <a href="https://www.scmagazine.com/brief/third-party-ransomware-attack-threatens-swedens-liquor-supply">reported</a> that Systembolaget, in response to Skanlog&#8217;s uncertainty about restoring its operations, plans to implement a backup procedure to address potential delays in deliveries. This decision comes as a precautionary measure to ensure continuity in the distribution of alcoholic beverages.</p> <p><a href="http://www.linkedin.com/pub/pierluigi-paganini/b/742/559"><strong>Pierluigi&nbsp;Paganini</strong></a></p> <p id="geom_inter_1713255827528_43_14"><strong>(</strong><a href="http://securityaffairs.co/wordpress/"><strong>SecurityAffairs</strong></a><strong> –</strong> <strong>hacking, ransomware)</strong></p>
A Chinese ship remains the focus of the investigation into Baltic Sea gas pipeline damaged last year https://www.google.com/url?rct=j&#38;sa=t&#38;url=https://www.wboy.com/news/world/ap-a-chinese-ship-remains-the-focus-of-the-investigation-into-baltic-sea-gas-pipeline-damaged-last-year/&#38;ct=ga&#38;cd=CAIyHDdhZTZkMmUyOTcyMmYxYTM6Y29tOmVuOlVTOkw&#38;usg=AOvVaw3S--cYZe8wXWwT-syycjaJ Google Alert - cyber AND coast guard urn:uuid:47cfd8bc-debf-425f-14f8-e749712aae5c Thu, 25 Apr 2024 23:57:48 -0400 ... <b>Coast Guard</b>, a leak from Nord Stream ... <b>Coast Guard</b> via AP, File). World. A Chinese ship ... WVU hosts international <b>cyber</b> defense exercise &#39;LOCKED … Security Expert Dmitri Alperovitch Talks <b>Russia</b> &amp; Ransomware - Techopedia https://www.google.com/url?rct=j&#38;sa=t&#38;url=https://www.techopedia.com/interview-dmitri-alperovitch-talks-cybersecurity-russia-ransomware&#38;ct=ga&#38;cd=CAIyHDNjZjllMTcxNDc3NGNlODA6Y29tOmVuOlVTOkw&#38;usg=AOvVaw1dXd0yaWh8gUB4zQYR_VtZ Google Alert - (russia OR russian) +(cyber OR "cyber attack" OR hacker OR hacking) urn:uuid:4aa1faba-339f-82ca-e98e-9db4b7cc2d8a Thu, 25 Apr 2024 21:15:42 -0400 A: Right now, the primary challenge in <b>cyber</b> warfare, particularly from <b>Russian cybercrime</b> groups, is ransomware. They&#39;re launching attacks not just&nbsp;... 
Pakistanis Trapped in Cambodia&#39;s <b>China</b>-Run <b>Cyber</b> Slave Ring Targeting US - Reddit https://www.google.com/url?rct=j&#38;sa=t&#38;url=https://www.reddit.com/r/pakistan/comments/1ccr2zk/pakistanis_trapped_in_cambodias_chinarun_cyber/&#38;ct=ga&#38;cd=CAIyGjI3ODY4ZjM4MDVmNjU1MGY6Y29tOmVuOlVT&#38;usg=AOvVaw3CCnz9FN20d0n-D0x4Gkus Google Alert - china +cyber urn:uuid:cd201eac-c0b5-4bae-e642-859d06d826cb Thu, 25 Apr 2024 18:28:53 -0400 Even <b>Chinese</b> citizens have been trapped by this. It&#39;s an ever growing global human trafficking issue. Pakistan, India, <b>China</b>, Nepal, etc. all have&nbsp;... <b>Chinese</b> Keyboard Apps Open 1B People to Eavesdropping - Dark Reading https://www.google.com/url?rct=j&#38;sa=t&#38;url=https://www.darkreading.com/endpoint-security/most-chinese-keyboard-apps-vulnerable-to-eavesdropping&#38;ct=ga&#38;cd=CAIyHGUyMjQ2OGJhZTYwNWI0NWQ6Y29tOmVuOlVTOkw&#38;usg=AOvVaw2FK40WI-SaP1YNEDxAG-k8 Google Alert - "deep panda" OR china OR chinese AND cyber OR hacker OR hacked urn:uuid:a0437b0a-48e8-cf99-4214-7236ba8ee52c Thu, 25 Apr 2024 18:09:18 -0400 ... <b>China</b>: Baidu, Samsung, Huawei ... <b>cyber</b> espionage, surveillance, and other ... <b>China</b>, in fact, use a Pinyin keyboard to input <b>Chinese</b> characters. The Israel-<b>Iran</b> Conflict Through an Intelligence Lens | Flashpoint https://www.google.com/url?rct=j&#38;sa=t&#38;url=https://flashpoint.io/blog/israel-iran-conflict-intelligence-lens/&#38;ct=ga&#38;cd=CAIyHDI1ODM3ZjZmZTg4YTk2YWQ6Y29tOmVuOlVTOkw&#38;usg=AOvVaw0-smY_oVgGD7plDPvSPmU3 Google Alert - (iran OR iranian) +(cyber OR "cyber attack" OR hacker OR hacking) urn:uuid:9faa01e1-3ada-eb36-e2c8-ee4e27c19ca0 Thu, 25 Apr 2024 17:06:01 -0400 Examining the strategic intelligence, <b>cyber</b> tactics, and physical confrontations that define the enduring Israel-<b>Iran</b> conflict. 
Phl, US To Counter China&#39;s False Narratives On WPS – Envoy | OneNews.PH https://www.google.com/url?rct=j&#38;sa=t&#38;url=https://www.onenews.ph/articles/phl-us-to-counter-china-s-false-narratives-on-wps-envoy&#38;ct=ga&#38;cd=CAIyHDdhZTZkMmUyOTcyMmYxYTM6Y29tOmVuOlVTOkw&#38;usg=AOvVaw0r_TYhDWcQRIyhwCbBDGhw Google Alert - cyber AND coast guard urn:uuid:3aa71289-0819-4931-166c-7cf08076abee Thu, 25 Apr 2024 16:49:48 -0400 Why Is The Philippines Upgrading Its Batanes Military Defense? ... <b>Coast Guard</b> boat patrols the West Philippine ... <b>cyber</b>-digital space to strengthen the&nbsp;... Another Belgian MP falls victim to <b>Chinese cyberattack</b> - The Brussels Times https://www.google.com/url?rct=j&#38;sa=t&#38;url=https://www.brusselstimes.com/1021142/another-belgian-mp-falls-victim-to-chinese-cyberattack&#38;ct=ga&#38;cd=CAIyHGUyMjQ2OGJhZTYwNWI0NWQ6Y29tOmVuOlVTOkw&#38;usg=AOvVaw1My9Oia_VoKVMrXwgeE3_V Google Alert - "deep panda" OR china OR chinese AND cyber OR hacker OR hacked urn:uuid:f436d67a-a96f-0fdc-9538-7d2dbe2dc3e0 Thu, 25 Apr 2024 16:07:29 -0400 Another Belgian MP falls victim to <b>Chinese cyberattack</b> ... <b>cyberattacks</b> from <b>China</b>. He contrasted this ... <b>Chinese cyber</b>-<b>attacks</b>, says <b>hacked</b> MP &middot; 364 top&nbsp;... US is reviewing risks of <b>China&#39;s</b> use of RISC-V chip <b>technology</b> - teiss https://www.google.com/url?rct=j&#38;sa=t&#38;url=https://www.teiss.co.uk/cyber-threat-intelligence/us-is-reviewing-risks-of-chinas-use-of-risc-v-chip-technology-13920&#38;ct=ga&#38;cd=CAIyGjI3ODY4ZjM4MDVmNjU1MGY6Y29tOmVuOlVT&#38;usg=AOvVaw29-2T_JPZQieona0o9t-EP Google Alert - china +cyber urn:uuid:242f2452-185e-6bbc-99b7-92f477835e35 Thu, 25 Apr 2024 15:37:06 -0400 The U.S. Department of Commerce is reviewing the national <b>security</b> implications of <b>China&#39;s</b> ... Capita IT Systems Outage Raises Concerns of <b>Cyber</b>-Attack&nbsp;... 
The growing threat of <b>Chinese cyberattacks</b> - Bewley Recruitment https://www.google.com/url?rct=j&#38;sa=t&#38;url=https://www.bewleyrecruitment.com/blog/2024/04/the-growing-threat-of-chinese-cyberattacks&#38;ct=ga&#38;cd=CAIyGjI3ODY4ZjM4MDVmNjU1MGY6Y29tOmVuOlVT&#38;usg=AOvVaw0gsYLAaVn_R_nnT4UnHL6a Google Alert - china +cyber urn:uuid:d9448480-abb0-c1bc-3e1b-44e5b51a117f Thu, 25 Apr 2024 14:24:31 -0400 The growing threat of <b>Chinese cyberattacks</b>. Posted by Nigel Ling. true 25 April 2024. Share this article. <b>Cyber</b> Attacks ... While the article focuses on&nbsp;... <b>Cyber</b> Threats Linked to <b>Iran</b>-Israel Conflict - ReliaQuest https://www.google.com/url?rct=j&#38;sa=t&#38;url=https://www.reliaquest.com/blog/cyber-threats-linked-to-iran-israel-conflict/&#38;ct=ga&#38;cd=CAIyHDI1ODM3ZjZmZTg4YTk2YWQ6Y29tOmVuOlVTOkw&#38;usg=AOvVaw3D0TMKhB9j4qbq88NwU86h Google Alert - (iran OR iranian) +(cyber OR "cyber attack" OR hacker OR hacking) urn:uuid:725defe1-43f6-1c92-08e0-69579e416bd4 Thu, 25 Apr 2024 13:56:28 -0400 Israeli Threats. The full extent of Israel&#39;s <b>cyber</b> offensive capabilities is largely speculative: <b>Cybersecurity</b> research and intelligence analysis has&nbsp;... <b>North Korea&#39;s</b> Lazarus Group Deploys New Kaolin RAT via Fake Job Lures https://www.google.com/url?rct=j&#38;sa=t&#38;url=https://thehackernews.com/2024/04/north-koreas-lazarus-group-deploys-new.html&#38;ct=ga&#38;cd=CAIyHGRiYWMzMTE5OTYxYTQ1MGQ6Y29tOmVuOlVTOkw&#38;usg=AOvVaw2OTYkm3tLnz3ZY2unLf2gW Google Alert - (north korean OR north korea) +(cyber OR "cyber attack" OR hacker OR hacking) urn:uuid:d0e502dd-1fe8-6ade-0240-4d50c1f28985 Thu, 25 Apr 2024 12:53:43 -0400 ... <b>Hacker</b> News Share on Email Share on WhatsApp &middot; Facebook Messenger Share on Facebook Messenger Share on Telegram. SHARE. <b>cyber</b> espionage,&nbsp;... 
<b>Cyber Security</b> Headlines: <b>Chinese</b> keyboard flaws, hacked news story, TikTok on the clock https://www.google.com/url?rct=j&#38;sa=t&#38;url=https://cisoseries.com/cyber-security-headlines-chinese-keyboard-flaws-hacked-news-story-tiktok-on-the-clock/&#38;ct=ga&#38;cd=CAIyGjI3ODY4ZjM4MDVmNjU1MGY6Y29tOmVuOlVT&#38;usg=AOvVaw3DxEy1_FkJEHjf2QGhLLSQ Google Alert - china +cyber urn:uuid:b708d9e1-3a78-142e-e392-f78653cc964a Thu, 25 Apr 2024 12:18:24 -0400 Last year, researchers at Citizen Lab found that the popular Sogou <b>Chinese</b> keyboard app failed to use TLS when sending keystroke <b>data</b> to the cloud&nbsp;... <b>Russian hackers</b> claim responsibility for <b>cyberattack</b> on Tipton plant - Kokomo Tribune https://www.google.com/url?rct=j&#38;sa=t&#38;url=https://www.kokomotribune.com/news/local_news/russian-hackers-claim-responsibility-for-cyberattack-on-tipton-plant/article_93391a20-0305-11ef-862a-6b6067ac0171.html&#38;ct=ga&#38;cd=CAIyHDNjZjllMTcxNDc3NGNlODA6Y29tOmVuOlVTOkw&#38;usg=AOvVaw05A0Jutnr1sK0ToVWtLFQ5 Google Alert - (russia OR russian) +(cyber OR "cyber attack" OR hacker OR hacking) urn:uuid:61547cc8-f332-e95d-20d9-45e47543a08b Thu, 25 Apr 2024 10:58:04 -0400 The <b>Russian hacker</b> group &quot;People&#39;s <b>Cyber</b> Army of <b>Russia</b>&quot; claimed responsibility for the <b>cyberattack</b> in a Telegram post. The Indiana Department of&nbsp;... <b>Iran</b> rejects U.S. &quot;baseless&quot; <b>cyber-attack</b> charges against <b>Iranian</b> individuals, firms https://www.google.com/url?rct=j&#38;sa=t&#38;url=http://en.people.cn/n3/2024/0425/c90000-20161381.html&#38;ct=ga&#38;cd=CAIyHDI1ODM3ZjZmZTg4YTk2YWQ6Y29tOmVuOlVTOkw&#38;usg=AOvVaw3nZPPIOvcaRqy93TpkcFHt Google Alert - (iran OR iranian) +(cyber OR "cyber attack" OR hacker OR hacking) urn:uuid:c812d627-e72e-dec8-58a0-2e0a3db4794a Thu, 25 Apr 2024 10:47:42 -0400 <b>Iran</b> rejects U.S. &quot;baseless&quot; <b>cyber-attack</b> charges against <b>Iranian</b> individuals, firms. 
(Xinhua) 10:29, April 25, 2024. TEHRAN, April 24 (Xinhua) --&nbsp;... U.S. Charges Four <b>Iranians</b> With Treasury, State Dept. <b>Hack</b> Attempts - MeriTalk https://www.google.com/url?rct=j&#38;sa=t&#38;url=https://www.meritalk.com/articles/u-s-charges-four-iranians-with-treasury-state-dept-hack-attempts/&#38;ct=ga&#38;cd=CAIyHDI1ODM3ZjZmZTg4YTk2YWQ6Y29tOmVuOlVTOkw&#38;usg=AOvVaw24cadPDbMJNJx0U2Ybfysa Google Alert - (iran OR iranian) +(cyber OR "cyber attack" OR hacker OR hacking) urn:uuid:d49baa5c-ae94-706a-06d1-63f5558f304a Thu, 25 Apr 2024 10:29:01 -0400 ... <b>cyber</b>-criminal activity lead back to <b>Iran</b>,” he said. “Today&#39;s ... Easterly Touts <b>Ransomware</b> Warnings, Teases &#39;<b>ReadySetCyber</b>&#39; Pilot &middot; Information&nbsp;... Head of Belgian Foreign Affairs Committee says she was <b>hacked</b> by <b>China</b> | Reuters https://www.google.com/url?rct=j&#38;sa=t&#38;url=https://www.reuters.com/world/europe/head-belgian-foreign-affairs-committee-says-she-was-hacked-by-china-2024-04-25/&#38;ct=ga&#38;cd=CAIyHGUyMjQ2OGJhZTYwNWI0NWQ6Y29tOmVuOlVTOkw&#38;usg=AOvVaw0L7WNelGaazHi-9DMY0NXS Google Alert - "deep panda" OR china OR chinese AND cyber OR hacker OR hacked urn:uuid:ffa2414a-83f1-075e-1e7e-b854bfba6648 Thu, 25 Apr 2024 10:16:10 -0400 ... <b>Chinese</b> state-backed <b>hacking</b> activity. Beijing has denied all such accusations. Van Hoof found out about the <b>cyber attack</b> last month, three years&nbsp;... DHS asked to consider potentially &#39;devastating&#39; impact of <b>hacks</b> on rural water systems https://www.google.com/url?rct=j&#38;sa=t&#38;url=https://therecord.media/water-utility-cyberattacks-lawmakers-letter-to-dhs&#38;ct=ga&#38;cd=CAIyHDNjZjllMTcxNDc3NGNlODA6Y29tOmVuOlVTOkw&#38;usg=AOvVaw22e13kdlsFAs-CV586H884 Google Alert - (russia OR russian) +(cyber OR "cyber attack" OR hacker OR hacking) urn:uuid:632224ae-aa6a-0d59-edc1-e81fa6ed742b Thu, 25 Apr 2024 10:10:47 -0400 ... 
<b>Cyber</b> Army of <b>Russia</b>, is linked to a <b>Russian</b> state actor, Sandworm — which has gained global notoriety for its past, and present, digital assaults&nbsp;... South <b>Korean</b> Defense Industry Under Siege by <b>North Korean Hacker</b> Groups - The <b>Cyber</b> Express https://www.google.com/url?rct=j&#38;sa=t&#38;url=https://thecyberexpress.com/north-korean-hacker-groups-target-south/&#38;ct=ga&#38;cd=CAIyHGRiYWMzMTE5OTYxYTQ1MGQ6Y29tOmVuOlVTOkw&#38;usg=AOvVaw381Z1xLQjZvyxv_l_hkVyF Google Alert - (north korean OR north korea) +(cyber OR "cyber attack" OR hacker OR hacking) urn:uuid:8154cf22-5471-1ea0-69ee-e709124af572 Thu, 25 Apr 2024 07:48:14 -0400 The National Police Agency said, “It is expected that <b>North Korea&#39;s hacking</b> attempts targeting defense technology will continue, so not only defense&nbsp;... Head of Belgian Foreign Affairs Committee says she was <b>hacked</b> by <b>China</b> - Yahoo Finance https://www.google.com/url?rct=j&#38;sa=t&#38;url=https://finance.yahoo.com/news/head-belgian-foreign-affairs-committee-110911983.html&#38;ct=ga&#38;cd=CAIyHGUyMjQ2OGJhZTYwNWI0NWQ6Y29tOmVuOlVTOkw&#38;usg=AOvVaw1_SIsvY7UTCrF9OoZhCqQk Google Alert - "deep panda" OR china OR chinese AND cyber OR hacker OR hacked urn:uuid:6d40ebe1-b70b-d332-f4ce-a890e3a3d2c0 Thu, 25 Apr 2024 07:14:31 -0400 Head of Belgian Foreign Affairs Committee says she was <b>hacked</b> by <b>China</b> ... <b>Chinese</b> state-backed <b>hacking</b> activity. Beijing ... <b>cyber attack</b>. &quot;I have also&nbsp;... 
<b>Cyber</b> Security Headlines: <b>Chinese</b> keyboard flaws, <b>hacked</b> news story, TikTok on the clock https://www.google.com/url?rct=j&#38;sa=t&#38;url=https://cisoseries.com/cyber-security-headlines-chinese-keyboard-flaws-hacked-news-story-tiktok-on-the-clock/&#38;ct=ga&#38;cd=CAIyHGUyMjQ2OGJhZTYwNWI0NWQ6Y29tOmVuOlVTOkw&#38;usg=AOvVaw3DxEy1_FkJEHjf2QGhLLSQ Google Alert - "deep panda" OR china OR chinese AND cyber OR hacker OR hacked urn:uuid:84ad02f9-638b-8109-9554-a7a5f538cc5a Thu, 25 Apr 2024 06:19:17 -0400 The researchers found a lack of TLS in apps from Baidu, Tencent, and iFlytek, as well as ones preinstalled on Android devices sold in <b>China</b>. The only&nbsp;... U.S. slaps fresh sanctions against <b>Iran</b> over alleged <b>cyber</b> crimes - Tehran Times https://www.google.com/url?rct=j&#38;sa=t&#38;url=https://www.tehrantimes.com/news/497595/U-S-slaps-fresh-sanctions-against-Iran-over-alleged-cyber-crimes&#38;ct=ga&#38;cd=CAIyHDI1ODM3ZjZmZTg4YTk2YWQ6Y29tOmVuOlVTOkw&#38;usg=AOvVaw2Taol9sm0EP19t3NASegLU Google Alert - (iran OR iranian) +(cyber OR "cyber attack" OR hacker OR hacking) urn:uuid:d8f36817-b341-de55-659a-8e34c3b2a03e Thu, 25 Apr 2024 02:48:16 -0400 ... <b>Iran&#39;s</b> Revolutionary Guard <b>cyber</b> command. The business targets, according to federal prosecutors in Manhattan, were mostly defense contractors&nbsp;... Improving Dark Web Investigations with Threat Intelligence https://www.recordedfuture.com/blog/improving-dark-web-investigations-with-threat-intelligence Recorded Future urn:uuid:41e9b1a0-9e5b-a098-c365-4ff47051ec2a Tue, 09 Apr 2024 20:00:00 -0400 Explore how threat intelligence enhances dark web investigations, mitigating cyber threats to protect enterprise data and maintain brand trust. <p>Safeguarding sensitive data, maintaining brand reputation, and cultivating customer trust pose continuous challenges for enterprise organizations. 
However, the dark web, a hidden corner of the internet, poses unique challenges for cybersecurity professionals. Criminal activities such as the sale of stolen credentials and plans for targeted attacks thrive in this dark section of the internet.</p><p>This blog post explores some of the threats that originate on the dark web and how external <a href="https://www.recordedfuture.com/products/threat-intelligence">threat intelligence solutions</a> can enable organizations to proactively defend themselves.</p><p>Since its inception in the early 2000s, the dark web has evolved into a hub for illegal activities. It facilitates the trade of hacking methods and compromised credentials as well as the distribution of malware and ransomware. It's also constantly evolving, with threat actors discovering, sharing, and acting on new vulnerabilities and exploits every day. </p><p>During the early stages of the dark web, secretive forums and file-sharing platforms thrived, resembling a shadowy version of Reddit or Etsy. The notorious Silk Road, extensively detailed in the book <a href="https://www.goodreads.com/book/show/31920777-american-kingpin">American Kingpin</a>, and the emergence of cryptocurrencies like Bitcoin have been pivotal in shaping the dark web, giving rise to sophisticated underground markets akin to a dark eBay.</p><p>Notorious ransomware groups like LockBit and ALPHV have been operating on dark web platforms, taking credit for their actions and revealing their targets. Additionally, Telegram has emerged as a favored platform for secretive engagements, facilitating and enabling a range of activities from communication to coordination to distribution of malicious content.</p><p>Attacks stemming from conversations, information sharing, and transactions on the dark web have resulted in financial, operational, and reputational losses for organizations across the globe. 
However, improving dark web monitoring capabilities can help organizations be proactive in mitigating threats to their business, their customers, and their supply chain. </p><h3 id="how-does-the-dark-web-affect-organizations">How does the dark web affect organizations?</h3><p>The dark web in itself is not all that dangerous to most organizations, but what's taking place there should pique the interest of defenders. The dark web provides a platform for ransomware groups to operate and for bad actors to sell and exchange malware, <a href="https://www.recordedfuture.com/blog/how-to-triage-leaked-credentials">compromised credentials</a>, exploit kits, and stolen payment cards.</p><h4 id="ransomware">Ransomware</h4><p>The dark web is a well-known home for ransomware groups, which continued to wreak havoc on organizations in 2023. In the past year, ransomware payments ballooned to $1.1 billion (<a href="https://therecord.media/ransomware-payments-doubled-to-more-than-1-billion-2023">The Record</a>) and, according to a report from <a href="https://www.securityweek.com/the-ransomware-threat-in-2024-is-growing-report/">Delinea</a>, 76% of victims paid a ransom. The dark web provides a secure and anonymous environment for ransomware groups to communicate, collaborate, and conduct their illicit activities. </p><h4 id="credentials">Credentials</h4><p>Dark web markets and forums are popular destinations for initial access brokers and threat actors looking to sell and buy valid credentials. 
Valid credentials have become so popular for threat actors that under MITRE ATT&amp;CK's initial access vectors, Valid Accounts (T1078) was the top TTP according to both <a href="https://www.recordedfuture.com/2023-annual-report">Recorded Future</a> and <a href="https://www.ibm.com/downloads/cas/L0GKXDWJ">IBM X-Force</a>.</p><p>Using information from our <a href="https://www.recordedfuture.com/products/identity-intelligence">Identity Intelligence</a> module, Recorded Future researchers found a 135% rise in the overall number of harvested credentials and a <a href="https://www.recordedfuture.com/2023-annual-report">166%</a> increase in credentials associated with cookies. Additionally, <a href="https://www.ibm.com/reports/threat-intelligence?utm_content=SRCWW&p1=Search&p4=43700079592066625&p5=e&gad_source=1&gclid=Cj0KCQjwq86wBhDiARIsAJhuphncRPuRrpSJ3EiavMqrf8Uva7poktd7mlJt3PjtbzN8ElcunRfT35AaAh0OEALw_wcB&gclsrc=aw.ds">researchers at IBM found a 266%</a> upsurge in the use of infostealers. With the right access and contacts, someone could purchase a valid credential for just $10, enabling them to log in to a corporate network or personal account, bypass multi-factor authentication controls, and begin their infiltration. </p><p><img src="https://cms.recordedfuture.com/uploads/Dark_Web_Blog_Post_Identity_7007048e3c.webp" alt="DarkWebBlogPost_Identity.webp"><em>Recorded Future's <a href="https://www.recordedfuture.com/products/identity-intelligence">Identity Intelligence</a> module helps organizations defend against employee and customer credentials that have been stolen by infostealer malware. 
<a href="https://www.recordedfuture.com/videos/toyota">Watch</a> how Toyota Motors North America defends against compromised credentials, and <a href="https://www.recordedfuture.com/splunk/mitigate-account-takeovers">take an interactive tour</a> of Identity Intelligence.</em></p><h4 id="exploit-kits">Exploit Kits</h4><p>Similar to how novice cooks purchase meal kits, less-skilled threat actors can purchase exploit kits on the dark web. Despite their <a href="https://go.recordedfuture.com/hubfs/reports/cta-2021-0209.pdf">slight dip in popularity</a>, dark web exploit kits are pre-packaged tools and frameworks that cybercriminals use to exploit vulnerabilities in software and systems. These kits make it easier for threat actors to launch attacks and gain unauthorized access to targeted systems. They often provide a convenient gateway for cybercriminals to exploit vulnerabilities without needing advanced technical skills. </p><h4 id="payment-cards">Payment Cards</h4><p>In 2022 it looked like the dark web market for stolen credit cards was slowing down. However, supply bounced back to previous levels in 2023. According to the <a href="https://www.recordedfuture.com/annual-payment-fraud-intelligence-report-2023">2023 Annual Payment Fraud Intelligence Report</a> from Recorded Future, 71.4 million payment cards were posted for sale on the dark web in 2023, and another 48 million were posted for free on various sources. A median fraud charge of $79 caused $9.4 billion in preventable fraud losses for card issuers and $35 billion in potential chargeback fees for merchants and acquirers. </p><h3 id="how-does-recorded-future-remediate-threats-originating-on-the-dark-web">How does Recorded Future remediate threats originating on the dark web?</h3><h4 id="ransomware-extortion-websites">Ransomware Extortion Websites</h4><p>Threat actors use ransomware extortion websites to threaten to leak victim files. 
These files often include network details, financial information and documents, PII, employee or client credentials, and other sensitive information that motivates the victim to pay the ransom. Victims who concede typically do so based on a promise that the data will be deleted, but we saw with <a href="https://therecord.media/lockbit-lied-about-deleting-exfiltrated-data-after-ransom-payments">LockBit</a> that this doesn't always happen. On the other hand, victims who don't pay are likely to have additional data leaks posted to the extortion site. </p><p>For years, Recorded Future has collected information from ransomware extortion websites, analyzed it, and turned it into actionable intelligence to help organizations <a href="https://www.recordedfuture.com/solutions/ransomware">proactively mitigate the impact of a ransomware attack</a>. Presently, Recorded Future collects information from text posts, images, and leaked file metadata on over 100 ransomware extortion websites. </p><p>Information found in ransomware victim metadata can help identify companies and organizations that could be direct or indirect victims of a ransomware attack. Access to leaked file metadata enables organizations to investigate leads for potential data exposure that could impact them as well as relevant third and fourth parties. </p><p><img src="https://cms.recordedfuture.com/uploads/FI_Blog_Image_1_7f0f6d9b4d.webp" alt="FI Blog_Image 1.webp"><em>Image of Recorded Future's ransomware victim metadata analysis, which helps identify organizations that are most likely to be victims (direct or indirect) of a ransomware incident.</em></p><h4 id="dark-web-markets">Dark Web Markets</h4><p>Unlike e-commerce sites on the open web, dark web markets like Russian Market, 2Easy, and others make their fortunes selling compromised credentials, PII, and stolen credit cards. 
Threat actors can use this information to access an employee's account, create personalized <a href="https://www.recordedfuture.com/blog/typosquatting-domains-analysis">spearphishing campaigns</a>, or place fraudulent transactions. </p><p>Recorded Future collects information from a number of dark web markets to help organizations mitigate any risk stemming from items for sale. For example, by <a href="https://www.recordedfuture.com/products/payment-fraud-intelligence">identifying stolen credit card information</a> being sold on dark web markets, card issuers can place heightened controls on cards with a high risk of being used for fraud. Additional signals, such as the card being sold or used in transactions with known tester merchants, can enable the issuer to take proactive actions to block the card from further transactions or issue the customer a new card. </p><p>According to a large <a href="https://go.recordedfuture.com/hubfs/case-studies/lg-finance-inst-payment-fraud.pdf">North American financial institution</a>, “When transactions occur on customer cards identified by Recorded Future as being present on the dark web or used on known tester merchants, most of the time the transaction is actually fraudulent.” </p><p><img src="https://cms.recordedfuture.com/uploads/Dark_Web_Blog_Image_2_e7c38d4b99.webp" alt="Dark Web Blog - Image 2.webp"><em>Recorded Future Payment Fraud Intelligence detects compromised payment cards for sale on the dark web, enabling financial institutions to take a proactive approach to preventing fraud.</em></p><h4 id="dark-web-forums">Dark Web Forums</h4><p>Dark web forums are often where conversations get started between threat actors, those with something to sell, and lower-skilled cybercriminals looking for more advanced tools. Threat actors can exchange information, techniques, and tools to improve their hacking skills and stay up to date on the latest trends in cybercrime. 
Some will use dark web forums to recruit affiliates to carry out cybercriminal activities, including distributing malware, launching phishing campaigns, and participating in ransomware attacks. </p><p>Similar to dark web markets, dark web forums also serve as marketplaces where threat actors can sell compromised credentials, personal data, financial details, and other valuable information. They can also facilitate the trade of hacking tools, exploit kits, <a href="https://www.recordedfuture.com/blog/rat-corporate-risk-assessment">remote access trojans (RATs)</a>, and other malicious software that can be used to compromise systems and networks. </p><p>Recorded Future collects information from over 250 top-tier and medium-tier dark web forum sources to provide actionable information to organizations. Information can include whether threat actors are mentioning an organization's brand or supply chain partners, whether any new vulnerabilities are being referenced, and which threat actors are known to utilize specific forums. </p><p>Frequent mentions of a company or product on the dark web often correlate with an imminent attack, an illicit sale of company assets or accounts, or potentially more complex fraud schemes. </p><p>Dark web monitoring provides visibility into this restricted environment to help clients stay a step ahead of cybercrime campaigns that could affect their organizations, their suppliers, or the software products they use. </p><h4 id="telegram">Telegram</h4><p>Since its creation in 2012, Telegram, a multi-purpose chat application, has quickly gained popularity among the underground cybercriminal community. Telegram's security, large number of chat options, and convenience have led to its growing popularity. Few dark web markets rival Telegram's reliability. </p><p>According to some experts, the future of large-scale, highly role-specialized criminal activity will take place on Telegram and future alternatives. 
Currently, cybercriminals have used Telegram groups to conduct transactions of illicit goods, post announcements from related internet forums, and communicate with fellow criminals. </p><p>Recorded Future helps organizations understand cyber-related chatter on Telegram about their own brands, relevant third parties, and other organizations of note. Since threat actors often discuss their activities on Telegram (whether they're reporting planned attacks, exchanging information, or sharing findings), visibility enables organizations to stay out in front of threats and build resilience against unexpected risks. </p><p>Recorded Future helped one client detect exposed credentials on a Telegram channel, both identifying the threat and enhancing the urgency to remediate the risk. Another client in the financial services industry was able to identify a fraudulent check on a Telegram channel through Recorded Future's optical character recognition (OCR) capabilities. The analyst reported the incident to their internal fraud management team to prevent the check from being cashed. </p><h4 id="how-recorded-future-helps-mitigate-dark-web-threats">How Recorded Future helps mitigate dark web threats</h4><p>Threat actors have long used dark web sites and forums to remain anonymous and attempt to gain an advantage over their targets. This is unlikely to change anytime soon. To combat this challenge, organizations require proactive visibility into the deep recesses of the dark web to ensure that they can mitigate threats. To help security practitioners and leaders, Recorded Future provides extensive intelligence across a wide range of dark web channels, which can be delivered via alerts, playbooks, and human-curated intelligence reports. </p><h4 id="alert-notifications">Alert Notifications</h4><p>Without timely alerting, intelligence becomes a collection of information. 
For many clients, the ability to prioritize alerts based on external threat intelligence and risk factors is crucial for improving their security operations and risk management. The ability to build different alert rules and manage notifications helps users ensure that they're receiving relevant and timely alerts. In addition, Recorded Future <a href="https://www.recordedfuture.com/blog/next-evolution-recorded-future-ai-powering-threat-intelligence">AI Insights</a> and transparent evidence help users swiftly determine the severity of an alert and what action to take. </p><p><img src="https://cms.recordedfuture.com/uploads/Dark_Web_Blog_Post_AI_4013bb9b88.webp" alt="DarkWebBlogPost_AI.webp"><em>Recorded Future AI Insights help organizations reduce investigation time by providing automated and actionable context. The above example shows the AI Insights for RedLine Stealer. Learn more about recent updates to Recorded Future AI Insights in <a href="https://www.recordedfuture.com/blog/next-evolution-recorded-future-ai-powering-threat-intelligence">this blog post</a>.</em></p><p>One Recorded Future client has found it beneficial to set up automatic reporting for any mention of his organization's brand or credentials on the deep dark web. Alerts generated by Recorded Future free the organization's analysts from having to build and run the same queries over and over, giving them time to focus on more strategic tasks. </p><h4 id="playbook-alerts">Playbook Alerts</h4><p>When <a href="https://www.recordedfuture.com/blog/dark-web-threats">threats are found on the dark web</a>, defenders need a way to rapidly distill information, triage alerts, and reduce time-to-action. Recorded Future's playbook alerts help defenders by automating large phases of the investigation, updating users on changes in risk, producing verdicts, and providing recommended next steps. 
In addition, playbook alerts are automatically prioritized based on severity and risk so organizations know where to focus.</p><p>Clients report being <a href="https://www.recordedfuture.com/blog/recorded-future-threat-intelligence-delivers-measurable-outcomes-security-teams">48% faster</a> at identifying a new threat than before, with playbook alerts being a key component in reducing mean time to detect (MTTD) and mean time to investigate (MTTI). These alerts have proven to be beneficial for high-impact third-party cyber events, helping organizations identify issues such as recent attention on ransomware extortion websites, credentials compromised by infostealer malware, and exploit chatter about vulnerabilities that could affect their tech stack. </p><h4 id="humint">HUMINT</h4><p>Recorded Future's dark web collection is made possible by undercover engagements and human intelligence (HUMINT) from our <a href="https://www.recordedfuture.com/research/insikt-group">Insikt Group</a>, a team of expert analysts and researchers who provide analysis on nation-state threats, cybercriminals, technical sourcing and collection, and more. To infiltrate these restricted forums and deliver critical intelligence requires human expertise, an essential first step toward automating collections. </p><p>To learn more about the Recorded Future Insikt Group, check out our latest <a href="https://www.recordedfuture.com/research/intelligence-reports">Intelligence Reports</a> and our <a href="https://www.recordedfuture.com/2023-annual-report">2023 Annual Report</a>. </p><p>When intelligence is neither timely nor actionable, it becomes old news quickly. To navigate today's complex threat ecosystem, organizations require proactive insights into the dark web and closed sources to help them monitor any threats to their organization, partners, or industry. 
With a vast collection of timely and actionable intelligence from dark web sources, Recorded Future arms defenders with distilled information to build resilience against unexpected threats. </p><p>To see how Recorded Future can improve dark web visibility for your organization, <a href="https://go.recordedfuture.com/demo?utm_campaign=demo-button-2023-top-nav-bar&utm_source=recordedfuture&utm_medium=website&utm_content=20231003&utm_term=website">request a demo</a>. </p> Blog 2023 Threat Analysis and 2024 Predictions https://www.recordedfuture.com/blog/2023-threat-analysis-and-2024-predictions Recorded Future urn:uuid:3b216382-3e16-0450-cfba-4d1f18e86c3f Mon, 08 Apr 2024 20:00:00 -0400 Our 2023 annual report serves as a playbook of adversaries’ tactics, techniques, and procedures (TTPs). Check out our on-demand Annual Report webinar or read on for a summary of key topics and themes in the report. <p>2023 was a year in which cybercrime evolved in significant ways. Our <a href="https://www.recordedfuture.com/2023-annual-report">2023 annual report</a> serves as a playbook of adversaries' tactics, techniques, and procedures (TTPs) in 2023, with the goal of giving your security team a 360-degree view of the threat landscape. And with its predictions for 2024, the report also offers a roadmap for your enterprise. No matter where you are in your security journey, you'll find the information you need to develop more effective security operations and strategies.</p><h4 id="the-influence-of-macro-trends-on-the-cyber-threat-landscape">The influence of macro trends on the cyber threat landscape.</h4><p>The report begins by reviewing key trends and events in technology, geopolitics, macroeconomics, and cyber policy in 2023. These include:</p><ul><li>Threat actors exploited enterprise software at scale, as observed in CL0P ransomware group's attack on third-party managed file transfer (MFT) services such as Fortra's GoAnywhere and Progress Software's MOVEit. 
</li><li>Offensive tooling is increasingly targeting Linux and macOS systems. Ransomware kits continue to expand beyond Windows environments, facilitating an expanded range of victims.</li><li>Nation states such as China-linked Spamouflage Dragon are already using AI-generated images to improve information operations (IO).</li></ul><p>You'll find valuable context and insights to connect the dots between these and other macro trends and the broader cyber threat landscape.</p><ul><li>Ransomware groups will likely increase their targeting of technologies supporting hybrid and remote work.</li><li>The phishing landscape will become the spearphishing landscape as generative AI helps attackers create particularized lures.</li><li>The rise of passwordless logins will likely drive criminal activity away from infostealers and back to email-based credential harvesting.</li></ul><h4 id="key-theme-1-ransomware-groups-will-likely-increase-their-targeting-of-technologies-supporting-hybrid-and-remote-work">Key theme #1: Ransomware groups will likely increase their targeting of technologies supporting hybrid and remote work.</h4><p>In 2023, threat actors inflicted widespread damage by taking advantage of the fact that hybrid work and cloud computing have made enterprises' <a href="https://www.recordedfuture.com/blog/the-cloud-has-complicated-attack-surface-management">attack surfaces increasingly complex and hard to manage</a>. </p><p><strong>How Recorded Future can help:</strong> Recorded Future enables analysts to understand the top initial access vectors used by ransomware actors to target their victims. One of the most targeted vulnerabilities for VPN technologies in 2023 was <a href="https://www.recordedfuture.com/blog/fortinet-CVE-2023-27997-impact-mitigation-techniques">CVE-2023-27997</a>. Check out how you can evaluate an unpatched FortiOS VPN exposure by drilling into host details, including detected technologies. 
You can then pivot to the vulnerability to see its use by FIN7.</p><h4 id="key-theme-2-the-phishing-landscape-will-become-the-spearphishing-landscape-as-generative-ai-helps-attackers-create-particularized-lures">Key theme #2: The phishing landscape will become the spearphishing landscape as generative AI helps attackers create particularized lures.</h4><p>Although it will take time for threat actors to develop the knowledge and skills to integrate AI into their operations, early adopters are already working on ways to amplify their tactics with AI. </p><p>The most tangible risks involve influence operations, social engineering, data privacy breaches, and intellectual property violations. In 2023, adversaries began using AI-powered chatbots to create convincing phishing emails, support scam operations, and analyze e-commerce merchants' anti-fraud systems to facilitate payment fraud. They also began advertising malicious open-source LLM projects on the dark web with the promise of producing malware, creating phishing emails, and more.</p><p><strong>How Recorded Future can help:</strong> Analysts can examine evidence of phishing in the Recorded Future platform with the Detection Trends dashboard. This dashboard visualizes detections across multiple security platforms, from SIEMs to SOARs to email security platforms. 
By filtering on a specific MITRE T-code, such as <strong>T1598</strong> (Phishing for Information), analysts can quickly view associated YARA rules to run in their environment. The Detection Explorer will also showcase relevant indicators of compromise (IoC). We can see that this IoC has been used by <strong>TAG-66.</strong></p><p><strong>Get the 2023 Recorded Future Annual Report today.</strong></p><p><a href="https://www.recordedfuture.com/2023-annual-report">Download the Annual Report</a> for a comprehensive analysis of these and other critical threat events from 2023, plus a look at what we expect from adversaries in 2024. </p><p><a href="https://go.recordedfuture.com/demo?utm_campaign=demo-button-2023-top-nav-bar&utm_source=recordedfuture&utm_medium=website&utm_content=20231003&utm_term=website">Get in touch</a> with Recorded Future to find out how our technology solutions and expertise can help your organization stay a step ahead of adversaries and protect your business-critical IP.</p> Blog 2023 Annual Report https://www.recordedfuture.com/2023-annual-report Recorded Future urn:uuid:5086d311-a10f-deb7-ee58-65a87dd4ac8c Wed, 20 Mar 2024 20:00:00 -0400 Insikt Group analyzes cyber threat and geopolitical trends observed throughout 2023 and provides a comprehensive overview of the cyber threat landscape. 
<p>New Insikt research examines 2023, a year of unexpected outcomes and escalating cybersecurity threats. Throughout the year, cyber threat actors exploited the prevailing chaos to steal data, conduct espionage, and disrupt geopolitics, an example being nation-states like China targeting Taiwanese semiconductor firms. Additionally, the text highlights the rise in exploitation of &quot;as-a-service&quot; enterprise software and shared cloud infrastructure, which led to an increase in weaponized vulnerabilities and high-profile cyberattacks, such as the MOVEit exploit by the ransomware gang CL0P. This attack underscored the growing risk and profitability of targeting enterprise systems, suggesting a trend that could continue into 2024.</p><p>Furthermore, the abuse of legitimate internet services for malware distribution, the exploitation of Linux and macOS vulnerabilities, and the compromise of business process organizations for scams like SIM swapping were noted as tactics used by threat actors to extend their reach and effectiveness.</p><p><img src="https://cms.recordedfuture.com/uploads/unnamed_3_740b5ef73c.jpg" alt="unnamed-3.jpg"></p><p>Finally, we present our forecasts for the cyber threat landscape in 2024. These predictions not only focus on direct cybersecurity threats but also consider the broader implications of geopolitical and regulatory changes in the cybersecurity arena.</p><p>To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/ta-2024-0321.pdf">click here</a> to download the report as a PDF.</p> Research (Insikt) Attributing I-SOON: Private Contractor Linked to Multiple Chinese State-sponsored Groups https://www.recordedfuture.com/attributing-i-soon-private-contractor-linked-chinese-state-sponsored-groups Recorded Future urn:uuid:872a0e8d-0d1e-65fd-5da5-77cf80b3c1bb Tue, 19 Mar 2024 20:00:00 -0400 Insikt Group uncovers ties between I-SOON and multiple Chinese state-sponsored cyber groups like RedAlpha and RedHotel. 
<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>New Insikt Group Research provides updated insights on the recent i-SOON leak. On February 18, 2024, an anonymous leak of documents from Anxun Information Technology Co., Ltd. (i-SOON), a Chinese IT and cybersecurity company, shed light on China&#39;s state-sponsored cyber espionage operations. The leak is significant as it reveals the connections between i-SOON and several Chinese state-sponsored cyber groups such as RedAlpha, RedHotel, and POISON CARP, indicating a sophisticated network of espionage operations that includes the theft of telecommunications data for tracking individuals. </p><p><img src="https://cms.recordedfuture.com/uploads/i_soon_a369d1c384.png" alt="i-soon.png"><em>Chinese threat activity groups linked to i-SOON (Source: Recorded Future)</em></p><p>Insikt Group&#39;s analysis of the leaked materials confirmed the operational and organizational ties between i-SOON and these espionage groups and also corroborated the role of digital quartermasters in providing shared cyber capabilities across China's offensive cyber ecosystem. This information is invaluable for network defenders, offering insights into the motivations and methodologies of targeted cyber espionage against public and private sector organizations.</p><p>Despite the leak, i-SOON, a relatively small entity within China&#39;s extensive network of private contractors engaged in state-sponsored cyber activities, is expected to continue its operations with minor adjustments. 
The revelations may have implications for future US legal actions against i-SOON personnel while providing a deeper understanding of the scale and sophistication of Chinese cyber-espionage efforts.</p><p>Notably, since the material was leaked, Insikt Group has already identified newly observed domain and infrastructure developments from i-SOON-linked groups RedAlpha and RedHotel.</p><p>To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2024-0320.pdf">click here</a> to download the report as a PDF.</p><h2>Appendix A Indicators of Compromise</h2><table><tbody><tr><td style="font-family:Courier New;background-color:#ffffff;"><strong>Note:</strong> These indicators are historical and often date back several years. They are included solely as a collation of the referenced infrastructure used in this report to identify connections between i-SOON and tracked Chinese state-sponsored threat activity and should not be used as indications of current activity.</td></tr></tbody></table> Research (Insikt) Threat Intelligence for Financial Services https://www.recordedfuture.com/blog/threat-intelligence-for-financial-services Recorded Future urn:uuid:c825f00e-37da-fff4-f468-02ea65f8a871 Tue, 12 Mar 2024 20:00:00 -0400 Dive into the world of threat intelligence for financial services. Learn how to navigate cybersecurity challenges and deploy strategic solutions to protect assets and customer data <h3 id="four-challenges-and-four-solutions-to-improve-resilience">Four Challenges and Four Solutions to Improve Resilience</h3><p>Its no secret that cyber threat actors are hungry for customer data. According to <a href="https://www.ibm.com/downloads/cas/L0GKXDWJ">IBM</a>, data theft and leak was the most common impact for organizations that suffered an attack. In addition, a report from <a href="https://www.securityweek.com/the-ransomware-threat-in-2024-is-growing-report/">Delinea</a> found that data exfiltration was the most prominent motivation for ransomware attacks today. </p><p>There are few industries that handle more valuable customer data than the financial services industry. Thus there are few targets more attractive to a threat actor. </p><p>Many financial services organizations have substantial amounts of money and assets, which can make them attractive to ransomware attackers keen on going after big game targets. And the interconnected nature of the financial sector means that compromising one institution or commonly used product can lead to broader impacts across the entire industry. 
</p><p>In Recorded Future's recent fireside chat webinar, <a href="https://go.recordedfuture.com/client-financial-services-fireside-chat">Navigating Risk: How Threat Intelligence Is Transforming Financial Services</a>, Citizens Bank Cyber Threat Intelligence Manager Lea Cure summed up the complex nature of <a href="https://www.recordedfuture.com/blog/financial-services-cybersecurity-attack-surface-threats">financial services cybersecurity</a>:</p><p>"As a financial institution, we have money, we have people's information. Thinking about how we protect that information is very different from other organizations. The technologies we use and the technologies we use to move money are critical. If those go down, what will we do? What are our playbooks?"</p><p>In this blog we'll cover the challenges financial services organizations face, and how for each challenge threat intelligence provides critical context to help defenders be faster, more efficient, and more effective at preventing nefarious actors from stealing their customer data and impacting business operations. </p><h2 id="challenge-1-supply-chain-attacks">Challenge #1: Supply Chain Attacks</h2><p>On numerous occasions, prospects and clients across industries have told us that supply chain attacks are a top concern. In our <a href="https://go.recordedfuture.com/client-financial-services-fireside-chat">fireside chat</a>, both our client panelists said they felt the same way. </p><p>Their concern is certainly warranted, as there's often little that can be done to prevent a supply chain attack. A <a href="https://www.gartner.com/en/newsroom/press-releases/2023-12-13-gartner-survey-finds-45-percent-of-organizations-experienced-third-party-related-business-interruptions-during-the-past-two-years">Gartner survey</a> found that 45% of organizations experienced third-party-related business interruptions over the past couple years. 
</p><p>"Outside of the financial industry there's a lot less regulation, especially in the technology service providers area," said Christopher Martinkus, a Threat Intelligence Manager for a North American commercial bank. "That's where you see a lot of these breaches occurring. I know for us, we've seen way more attacks on our third-party service providers than we've seen targeting us specifically." </p><p>As an example, threat actors like the ransomware group CL0P focus on <a href="https://www.recordedfuture.com/patterns-targets-ransomware-exploitation-vulnerabilities-2017-2023">exploiting vulnerabilities</a> in file transfer software from Accellion, SolarWinds, and MOVEit. By gaining unauthorized access to files being transferred, CL0P has been able to steal sensitive information, encrypt files for ransom, and use the compromised files for other malicious activities. </p><p>It's becoming even more challenging to reduce risk across the supply chain in the as-a-service era. <a href="https://www.gartner.com/en/experts/zachary-smith">Zachary Smith</a>, Senior Principal of Research at <a href="https://www.gartner.com/en/newsroom/press-releases/2023-12-13-gartner-survey-finds-45-percent-of-organizations-experienced-third-party-related-business-interruptions-during-the-past-two-years">Gartner</a>, said, "Cybersecurity teams struggle to build resilience against third-party-related disruptions and to influence third-party-related business decisions." </p><h2 id="solution-mitigate-supply-chain-risk">Solution: Mitigate Supply Chain Risk</h2><p>Can threat intelligence help organizations be more proactive in identifying risks that stem from their partners and vendors? Recorded Future client Christopher Martinkus thinks it's possible to <a href="https://www.recordedfuture.com/solutions/supply-chain">mitigate supply chain risk</a>. 
</p><p>"We&#39;ve actually had it where an alert came through that a third party of ours was listed on a ransomware extortion site," he said, "and we were notifying that vendor before they even knew that they were listed there." </p> Blog Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign https://www.recordedfuture.com/russia-aligned-tag-70-targets-european-government-and-military-mail Recorded Future urn:uuid:39d21247-86ea-7fac-94b0-a94709be7cd4 Thu, 15 Feb 2024 19:00:00 -0500 Insikt Group has observed TAG-70 leveraging cross-site scripting (XSS) vulnerabilities against Roundcube webmail servers in Europe, targeting government, military, and national infrastructure. <p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>Recorded Future's Insikt Group has identified TAG-70, a threat actor likely operating on behalf of Belarus and Russia, conducting cyber-espionage targeting government, military, and national infrastructure entities in Europe and Central Asia since at least December 2020. In its latest campaign, which ran between October and December 2023, TAG-70 exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers in its targeting of over 80 organizations, primarily in Georgia, Poland, and Ukraine. This activity is reminiscent of other Russian-aligned threat groups such as BlueDelta (APT28) and Sandworm, which have targeted email solutions, including Roundcube, in previous campaigns.</p><p><img src="https://cms.recordedfuture.com/uploads/tag_70_chart_28741e8d2b.png" alt="tag-70-chart.png"><em>Geographic spread of victims of TAG-70's Roundcube exploit in October 2023 (Source: Recorded Future)</em></p><p>The compromised email servers represent a significant risk, particularly in the context of the ongoing conflict in Ukraine. 
They could expose sensitive information about Ukraine&#39;s war effort, its diplomatic relations, and its coalition partners. Moreover, the targeting of Iranian embassies in Russia and the Netherlands suggests a broader geopolitical interest in assessing Iran&#39;s diplomatic activities, especially regarding its support for Russia in Ukraine. Similarly, espionage against Georgian government entities reflects interests in monitoring Georgia&#39;s aspirations for European Union (EU) and NATO accession.</p><p>To mitigate the risk posed by TAG-70&#39;s campaign, organizations should ensure that their Roundcube installations are patched and up-to-date, while actively hunting for indicators of compromise (IoCs) in their environments. The sophistication of TAG-70&#39;s attack methods and its targeting of government and military entities underscore the need for robust cybersecurity measures and proactive threat intelligence efforts. The widespread nature of TAG-70&#39;s activities and its potential impact on national security highlight the urgency for vigilance and preparedness among affected organizations and government agencies.</p><p>To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2024-0217.pdf">click here</a> to download the report as a PDF.</p> Research (Insikt) The Next Evolution of Recorded Future AI: Powering the Future of Threat Intelligence https://www.recordedfuture.com/blog/next-evolution-recorded-future-ai-powering-threat-intelligence Recorded Future urn:uuid:9cc6e4f9-00ac-578a-ca02-36de9d150bc9 Mon, 12 Feb 2024 19:00:00 -0500 Discover how Recorded Future AI delivers crucial threat intelligence and insights, enabling security teams to stay ahead of sophisticated cyber threats efficiently. 
<p><strong>Available in the following solutions:</strong> <a href="https://www.recordedfuture.com/solutions/ransomware">Ransomware Mitigation</a>, <a href="https://www.recordedfuture.com/solutions/automation-security-workflows">Automated Security Workflows</a>, and <a href="https://www.recordedfuture.com/solutions/supply-chain">Mitigate Supply Chain Risk</a><br></p><p><strong>Available in the following modules:</strong> <a href="https://www.recordedfuture.com/products/threat-intelligence">Threat Intelligence</a>, and <a href="https://www.recordedfuture.com/products/geopolitical-intelligence">Geopolitical Intelligence</a><br></p><p>In the ever-changing and converging threat landscape, organizations must remain vigilant to protect their critical assets and sensitive data from increasingly sophisticated attacks. At Recorded Future, we're constantly finding new innovations to help customers deal with their most pressing security challenges. Back in April 2023, we were the first company to introduce AI for Intelligence with Recorded Future AI Insights. Today, we are excited to announce the general availability of the next evolution with Enterprise AI for Intelligence, supercharged with a generative AI-based assistant.</p><p>This capability gives security teams on-demand access to critical threat intelligence and actionable insights via a simple natural language interface, drawing on the power of <a href="https://www.recordedfuture.com/platform/intelligence-cloud">Recorded Future's Intelligence Cloud</a>, the most comprehensive and transparent sourcing* in the industry. This includes research and reports from <a href="https://www.recordedfuture.com/research/insikt-group">Insikt Group</a>, Recorded Future's threat research division. 
Our AI continuously learns and adapts, providing security teams with the most up-to-date and relevant threat intelligence.</p><h2 id="see-recorded-future-ai-in-action">See Recorded Future AI in Action</h2><h3 id="scenario-1-based-on-an-indicator-of-compromise-ioc-related-to-bluebravo-a-cti-analyst-is-tasked-to-provide-information-related-to-the-full-scope-of-the-threat">Scenario 1: Based on an indicator of compromise (IoC) related to BlueBravo, a CTI analyst is tasked to provide information related to the full scope of the threat.</h3><p>The IP Intelligence Card highlights a known command and control (C2) server associated with <a href="https://www.recordedfuture.com/bluebravo-uses-ambassador-lure-deploy-graphicalneutrino-malware">BlueBravo</a>.</p><p><img src="https://cms.recordedfuture.com/uploads/AI_blog_2_031c4cf14a.png" alt="AI-blog-2.png"></p><p>Recorded Future AI provides powerful assistance in understanding a comprehensive list of tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs) associated with BlueBravo. As MITRE is a common framework to analyze attacks, Recorded Future AI can tie the TTPs to specific MITRE T-codes. The Red Team can use information about how BlueBravo targets Windows Management Instrumentation (WMI) and PowerShell to inform their next threat hunt.</p><p><img src="https://cms.recordedfuture.com/uploads/AI_blog_3_b6aed9b6b3.png" alt="AI-blog-3.png"></p><h3 id="scenario-2-a-cti-team-needs-to-assess-the-latest-zero-day-vulnerabilities-prioritize-by-active-exploits-and-provide-an-executive-summary-to-the-ciso">Scenario 2: A CTI team needs to assess the latest zero-day vulnerabilities, prioritize by active exploits and provide an executive summary to the CISO.</h3><p>Search for the latest vulnerabilities using simple English prompts and Recorded Future AI will provide a list with embedded links into each CVE showing details, remediation steps, and playbooks. 
</p><p><img src="https://cms.recordedfuture.com/uploads/AI_Blog_4_4943970ce6.png" alt="AI-Blog-4.png"></p><p>An analyst can quickly create a comprehensive executive summary of the <a href="https://www.recordedfuture.com/products/vulnerability-intelligence">vulnerability assessment</a> for their CISO - and generate a report that used to take hours in a matter of minutes. </p><p><img src="https://cms.recordedfuture.com/uploads/AI_blog_5_445e0a5760.png" alt="AI-blog-5.png"><img src="https://cms.recordedfuture.com/uploads/AI_blog_6_005b076457.png" alt="AI-blog-6.png"></p><h3 id="scenario-3-an-intelligence-team-needs-to-monitor-geopolitical-trends-and-their-impact-on-cyber-events">Scenario 3: An intelligence team needs to monitor geopolitical trends and their impact on cyber events.</h3><p>With elections, summits, and hearings, government entities need to stay up-to-date on cybersecurity threats and provide real-time reporting to their chain of command.</p><p>Let&#39;s look at how Recorded Future AI gathers information on China&#39;s disinformation campaigns.</p><p><img src="https://cms.recordedfuture.com/uploads/AI_blog_7_283fe8071e.png" alt="AI-blog-7.png"></p><p>Suggested follow-up questions from Recorded Future AI expand the scope of your inquiry and provide additional insights. Recorded Future provided this follow-on question about the Volt Typhoon cyber campaign. </p><p><img src="https://cms.recordedfuture.com/uploads/AI_blog_8_e775dd7237.png" alt="AI-blog-8.png"></p><h2 id="discover-whats-next-with-recorded-future-ai">Discover What&#39;s Next with Recorded Future AI.</h2><p>For security teams that need to detect and respond to suspicious activity, time is of the essence. Recorded Future AI will continue to evolve so that analysts can automatically aggregate and analyze commonalities across attacks, brand exposure, and much more. 
To stay up-to-date on the latest in AI-driven threat intelligence, <a href="https://go.recordedfuture.com/cyber-daily?utm_campaign=search__us__cyber_daily&utm_term=cyber%20daily_p&utm_source=google&utm_medium=ppc&utm_content=574841911147&hsa_ver=3&hsa_acc=7443287029&hsa_mt=p&hsa_src=g&hsa_cam=15866256612&hsa_grp=133857593404&hsa_tgt=kwd-851343250790&hsa_kw=cyber%20daily&hsa_ad=574841911147&hsa_net=adwords&gad_source=1&gclid=CjwKCAiAlJKuBhAdEiwAnZb7lUTUlODq-2CIHrBdEIQIm0XSXpvsuQElS6sJWGnjGFLZvyz9oojDFRoCNfIQAvD_BwE">sign up</a> for our newsletter.</p><p><em>*Open web, dark web, technical, and our proprietary Insikt Group sources. We are the only threat intelligence provider that offers mid-point / network traffic analysis with your proprietary data.</em></p><p><em>***Recorded Future uses OpenAI&#39;s large-scale language generation model to summarize content and help our clients consume the vast intelligence available via Recorded Future more efficiently.</em></p> Blog Leaks and Revelations: A Web of IRGC Networks and Cyber Companies https://www.recordedfuture.com/leaks-and-revelations-irgc-networks-cyber-companies Recorded Future urn:uuid:450a0dbf-ecbb-449d-04b5-5d00470e08e9 Wed, 24 Jan 2024 19:00:00 -0500 Iranian intelligence and military, along with contractors, target democratic processes in Western countries, including the 2020 US election. <p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>The report discusses Iranian intelligence and military entities associated with the Islamic Revolutionary Guard Corps (IRGC) involved in cyber activities targeting Western countries through their network of contracting companies. Four known intelligence and military organizations linked to the IRGC engage with cyber contractors. 
Iranian threat groups linked to the network of contracting parties have launched espionage and ransomware attacks and are leading efforts to destabilize target countries through information operations. The victims are linked to governments, media, non-governmental organizations, critical infrastructure, and the healthcare sector, just to name a few. Some contractors are also implicated in developing technologies that enable surveillance activity that contributes to human rights abuses. </p><p>The IRGC-related cyber companies export technologies for surveillance and offensive purposes. The report highlights some select cases of financial activities outside Iran, suggesting contractors likely rely on the IRGC Quds Force (QF) for lucrative arrangements in countries like Iraq, Syria, and Lebanon. </p><p><img src="https://cms.recordedfuture.com/uploads/Leaks_and_Revelations_001_52f7656887.png" alt="Leaks-and-Revelations-001.png"><em>Major ransomware-style attacks led by pro-Iranian government fronts like Moses Staff, N3tW0rm, and Agrius (Source: Recorded Future)</em></p><p>The report delves into an interconnected network associated with the IRGC&#39;s cyber program, revealed by a string of multi-year leaks and doxxing efforts led by anti-government hacktivists and dissident networks. Overlaps between sanctioned individuals and specific contracting parties are observed. </p><p>To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2024-0125.pdf">click here</a> to download the report as a PDF.</p> Research (Insikt) Annual Payment Fraud Intelligence Report: 2023 https://www.recordedfuture.com/annual-payment-fraud-intelligence-report-2023 Recorded Future urn:uuid:2e8cb7c6-27b5-96eb-fb49-78e3f363d696 Wed, 20 Dec 2023 19:00:00 -0500 2023's payment fraud trends predict a persistent underground market and evolving sophisticated cyber-fraud threats in 2024. 
<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>In 2023, the payment fraud underground showed signs of recovery following Russian law enforcement&#39;s crackdown on domestic cybercriminals and the Russian invasion of Ukraine in 2022. The dark web carding shops saw a rebound in the volume of stolen payment cards, with 119 million cards posted for sale online. The median fraud charge was $79, resulting in $9.4 billion in preventable fraud losses for card issuers and $35 billion in potential chargeback fees for merchants and acquirers.</p><img src="https://cms.recordedfuture.com/uploads/annual_payment_fraud_intelligence_report_2023_year_review_47d772273d.jpg" alt="Annual payment fraud intelligence report 2023" style="margin: auto;" /><p>Fraudsters refined their techniques, using sophisticated social engineering tactics, phishing, scams, and advanced cyber-based tools like 3-D Secure bypass software. The report suggests that the trend toward hybrid cyber-fraud threats is likely to accelerate in 2024, requiring financial institutions and stakeholders to allocate resources for improved collaboration between cyber threat intelligence (CTI) and fraud teams.</p><p>Magecart actors continued to use Google Tag Manager, Telegram Messenger, and attack-carrier domains for e-skimmer infections in 2023. Restaurants, bars, and online ordering platforms were targeted, and phishing and scam pages gained prominence for card compromise. Most breaches and e-skimmer infections targeted US merchants, but a significant portion affected merchants in other countries with developed e-commerce sectors.</p><p>Threat actors engaged in card-testing activity, and workflows for 3DS bypass gained popularity in 2023. Cybercriminals utilized artificial intelligence workflows for fraud schemes, and social engineering tactics exploiting victims became more prevalent. 
Telegram sources became increasingly important for free full card data, but the threat remained lower compared to for-sale card data on dark web carding shops.</p><p>Looking ahead to 2024, fraudsters are expected to refine their tactics, continuing to compromise cards using both old and new methods. Stolen payment cards from North American and European financial institutions led in volume throughout 2023 and are likely to persist in 2024. The report concludes that in 2024, fraudsters will likely combine sophisticated technical solutions, nuanced workflows, and social engineering tactics to bypass rules-based fraud detection.</p><p>To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/cta%20-2023-1221.pdf">click here</a> to download the report as a PDF.</p> Research (Insikt) Aggressive Malign Influence Threatens to Shape US 2024 Elections https://www.recordedfuture.com/aggressive-malign-influence-threatens-us-2024-elections Recorded Future urn:uuid:44aff969-9967-718a-fa2f-f5e89561e19b Wed, 13 Dec 2023 19:00:00 -0500 Russia, China, Iran, domestic violent extremists (DVEs), and hacktivist groups will very likely conduct influence operations at varying levels of magnitude and sophistication to shape or disrupt the United States (US) 2024 elections in pursuit of strategic geopolitical goals. <p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>New Insikt Group research outlines malign influence threats to the United States&#39;s 2024 elections from various actors, including Russia, China, Iran, domestic violent extremists (DVEs), and hacktivist groups. These entities are expected to engage in influence operations to shape or disrupt the elections for strategic geopolitical purposes. 
The dynamic global backdrop, including Russia&#39;s war with Ukraine, Israel&#39;s conflict with Iran-supported Hamas, China&#39;s assertiveness on Taiwan, and social media content moderation controversies, creates a conducive environment for aggressive targeting of the 2024 US elections.</p><p>The identified overarching influence trends include increasing polarization and undermining confidence in US democratic institutions, reducing domestic support for aiding US allies, and undermining political candidates with unfavorable policies while promoting those with favorable policies. Influence operations are anticipated to employ historical and innovative tactics, including cyber-enabled operations and the integration of generative artificial intelligence. </p><p>Additionally, the report warns of the likelihood of DVEs physically attacking and threatening election personnel or infrastructure and an increase in false information surrounding US-deployed voting technologies and voting systems manufacturers from domestic sources as the 2024 elections approach.</p><p><img src="https://cms.recordedfuture.com/uploads/malign_influence_threatens_2024_us_elections_joe_biden_729bcfc106.png" alt="Aggressive Malign Influence Threatens to Shape US 2024 Elections" style="margin: auto;" /><em>Screenshot of RT&#39;s parody video "The 11th Package of Anti-Russian Sanctions Challenge" featuring a deepfake of US president Joe Biden (Source: <a href="https://www.rt.com/rt-promo-2022-en/#sanctions">RT</a>)</em></p><p>The spread of false and manipulated information by state and non-state actors has the potential to influence voter behavior and impact election outcomes. Insikt Group&#39;s findings emphasize that even unsuccessful influence activities can damage public trust in democratic institutions. 
Advanced actors may leverage official announcements and events opportunistically in pursuit of their objectives.</p><p>To counter these threats, a whole-of-government approach integrated with private industry is recommended. This involves publicly identifying, announcing, and refuting false information related to the elections. Prebunking, or proactively addressing misinformation, is suggested as a method to enable the public to discern credible information. Awareness among government officials, public figures, and business executives, along with pre-planned playbooks and responses, is deemed crucial to mitigating risks associated with influence activities.</p><p>To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/ta-2023-1214.pdf">click here</a> to download the report as a PDF.</p> Research (Insikt) Charting China’s Climb as a Leading Global Cyber Power https://www.recordedfuture.com/charting-chinas-climb-leading-global-cyber-power Recorded Future urn:uuid:d28b66d0-7d18-6e08-09ad-a440c8c26277 Mon, 06 Nov 2023 19:00:00 -0500 Keeping SEC-ure: Using Threat Intelligence to Stay Ahead of the New SEC Regulations https://www.recordedfuture.com/blog/keeping-secure-threat-intelligence-stay-ahead-new-sec-regulations Recorded Future urn:uuid:67c5339a-ab42-5da7-623e-35ca19576063 Mon, 02 Oct 2023 20:00:00 -0400 Explore how Recorded Future's threat intelligence aids compliance with new SEC Cybersecurity Regulations, ensuring proactive cyber risk management & transparent communication with the market. <h3 id="introduction">Introduction</h3><p>Recently there have been <a href="https://www.forbes.com/sites/chuckbrooks/2023/03/05/cybersecurity-trends--statistics-for-2023-more-treachery-and-risk-ahead-as-attack-surface-and-hacker-capabilities-grow/?sh=1aa49aa919db">millions</a> of attacks demonstrating that public companies of all sizes and operating in all industries are susceptible to cybersecurity incidents. 
These incidents can cause business interruptions, direct costs via remediation or ransomware payments, lost revenues due to exfiltration of intellectual property and interruptions, litigation and regulatory risk, and damage to reputation. </p><p>In response, on Sept. 5, the SEC&#39;s latest Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure rule went into effect, which fundamentally altered the way US public companies communicate with the market about cybersecurity incidents and governance. </p><p>The <a href="https://www.sec.gov/files/rules/proposed/2022/33-11038.pdf">SEC</a> sought to enhance and standardize disclosures to better inform investors about cybersecurity-related matters. Given the ever-increasing importance of availability, integrity and confidentiality of information and infrastructure as digital transformation has accelerated, it is unsurprising that the SEC has stepped in to ensure that public markets have sufficient transparency related to these issues. </p><p>Fortunately, public companies do not need to face these challenges alone. Commercial threat intelligence providers, and Recorded Future especially, can help regulated entities tackle these new regulatory obligations while mitigating their cybersecurity risk. </p><h3 id="third-party-risk">Third-Party Risk</h3><p>One of the key <a href="https://info.cybergrx.com/ponemon-report">statistics</a> highlighted by the SEC in the proposal of this new rule is that 63% of breaches are linked to a third party. The SEC also clarified that updates to Item 106(b) of Regulation S-K will require disclosure concerning a registrant&#39;s selection and oversight of third-party entities.</p><p>Recorded Future&#39;s <a href="https://www.recordedfuture.com/platform/third-party-intelligence">Third-Party Intelligence Module</a> is geared to specifically address this concern. 
Recorded Future Third-Party Intelligence empowers security teams and business leaders to make fast, informed decisions about the companies in their organization&#39;s supply chain and reduce the overall risk of data breaches and reputational damage. Third-Party Intelligence provides deep visibility into suspicious activity related to vendor ecosystems, and provides organizations an opportunity to conduct meaningful oversight of third-party entities. </p><p>One of the biggest differentiators of commercial threat intelligence providers is that cybersecurity governance shifts from relying on a vendor&#39;s answers to a security questionnaire that may be inaccurate and/or stale to externally sourced intelligence. This can give investors confidence that organizations are using independently collected data to have visibility into their supply chains. </p><p>Recorded Future&#39;s Third Party Intelligence Module gives real-time alerts on security incidents, breaches, and a wide variety of risky security practices, allowing registrants to stay a step ahead. Plus, Recorded Future provides access to exclusive sources including high-tier dark web forums, ransomware extortion sites, and a massive leaked credential and data library to better protect organizations from emerging risk. Third Party Intelligence also provides quantitative Risk Scores for third parties, better enabling cybersecurity risk assessment as required under Item 106(b). </p><h3 id="cybersecurity-incident-reporting">Cybersecurity Incident Reporting</h3><p>Under the updated rule, the SEC has amended Form 8-K to require current disclosure of material cybersecurity incidents. Given that organizations will be mandated to disclose these incidents, it is imperative that registrants have as much context and intelligence about incidents as possible. </p><p>Recorded Future&#39;s Intelligence Cloud is perfectly positioned to provide that insight. 
This extends from information about <a href="https://www.recordedfuture.com/support/threat-actor-cards">threat actors</a> via the <a href="https://www.recordedfuture.com/platform/threat-intelligence">Threat Intelligence</a> Module, to granular exposure insights. Examples include compromised credentials via <a href="https://www.recordedfuture.com/platform/identity-intelligence">Identity Intelligence</a> Modules and compromised card data via the <a href="https://www.recordedfuture.com/platform/payment-fraud-intelligence">Fraud Intelligence</a> Module to provide visibility into the exact extent of a specific breach. </p><p>One can imagine the materially different way the market may react to a disclosure with an unknown threat actor, unknown scope, and unknown intent, versus being able to provide guidance of the probable intent of the threat actor, past history of the threat actor, and the precise scale of impact. For example, the public exposure related to an incident connected with <a href="https://www.recordedfuture.com/chinese-state-sponsored-cyber-espionage-expansion-power-influence-southeast-asia">Chinese state-sponsored</a> advanced persistent threat will be dramatically different compared to an attack associated with <a href="https://www.recordedfuture.com/ransomware-as-a-service">ransomware-as-a-service</a> actors which are more often associated with reputational risks. </p><p>Accessible intelligence will better enable organizations to address Item 1.05 in Form 8-K to assess whether any data was stolen, altered, accessed, or used for any other unauthorized purpose. 
Only comprehensive threat intelligence will allow companies to confidently determine motivations of threat actors, their typical TTPs, and insights into the criminal underground where data is monetized.</p><p>Further, given that the SEC will require disclosure by organizations within four business days, it is imperative to have a threat intelligence provider, like Recorded Future, that operates in <a href="https://www.recordedfuture.com/platform/intelligence-graph">real time</a>. It is also important to note that the ticking clock only starts upon determination of materiality - yet another analysis where threat intelligence can help in better understanding the scope and impact of the incident. The SEC itself <a href="https://www.sec.gov/files/rules/proposed/2022/33-11038.pdf">states</a> that the analysis should "[take] into consideration all relevant facts and circumstances surrounding the cybersecurity incident," and threat intelligence can provide such context. </p><h3 id="policies-and-procedures-to-identify-and-manage-cybersecurity-risk">Policies and Procedures to Identify and Manage Cybersecurity Risk</h3><p>One of the elements of the SEC rule is that Item 106 will be added to Regulation S-K, which will require registrants to describe their policies and procedures, if any, for the identification and management of risks from cybersecurity threats. </p><p>Last year, Recorded Future launched <a href="https://www.recordedfuture.com/use-a-threat-map-to-visualize-your-cyber-threats">Threat Maps</a>, which automates the analysis of threat actors targeting a client&#39;s enterprise, and organizes the intent and opportunity of those groups to harm an organization. An organization&#39;s customized Threat Map shows the most dangerous threats that have an opportunity to harm an organization, and its changes over time allow security teams to better prioritize countermeasures. 
Use of Threat Maps allows organizations to carefully calibrate response and granularly identify specific threats - it is the difference between merely gesturing at Nation-State Threats writ large, and actually being able to point to specific threats such as <a href="https://www.recordedfuture.com/north-koreas-cyber-strategy">Lazarus Group</a>. This level of granularity allows organizations to have actionable insights to both be more authoritative with the market, and more efficiently deploy risk mitigation strategies. </p><p>Threat Maps join Recorded Future&#39;s expansive offerings, such as <a href="https://www.recordedfuture.com/platform/secops-intelligence">SecOps Intelligence</a>, which collects data from a comprehensive range of sources, contextualizes it, and feeds meaningful insights directly into existing security tools and workflows to improve alert triage, threat detection, and threat blocking - providing a more comprehensive process in line with SEC requirements. </p><h3 id="conclusion">Conclusion</h3><p>The SEC has ushered in a new era of cybersecurity transparency for public companies. Public companies should begin preparing immediately for the enforcement of these updates. Preparations should be focused on the collaboration between internal stakeholders and access to the relevant information from both external and internal sources to be able to comply with the new requirements. </p><p>To tackle these challenges, it is now imperative that registrants have the most comprehensive and timely intelligence available - Recorded Future is the most comprehensive and independent threat intelligence cloud platform. It enables organizations to identify and mitigate threats across cyber, supply-chain, physical, and fraud domains, and can be a powerful tool in complying with the new regulations. 
</p><p><em><strong>Hear me talk to Christopher Hart (Partner at Foley Hoag LLP) and Lavonne Burke (VP Legal - Global Security &amp; Resilience and Digital (IT) at Dell Technologies) about these regulations and how organizations can stay ahead at <a href="https://recordedfuture.cventevents.com/event/0203d0b1-5001-4775-a538-25514e9d4a71/websitePage:a6645acb-f7e6-4b9a-99c3-079ca5f1890a">PREDICT 2023 in Washington D.C.</a> on Oct. 11 at 10:05 a.m. ET.</strong></em></p> Blog Multi-year Chinese APT Campaign Targets South Korean Academic, Government, and Political Entities https://www.recordedfuture.com/multi-year-chinese-apt-campaign-targets-south-korean-academic-government-political-entities Recorded Future urn:uuid:f832407d-bc73-37dd-a550-32fb9099b619 Mon, 18 Sep 2023 20:00:00 -0400 Insikt Group shares analysis of TAG-74, a Chinese-led cyber-espionage campaign targeting South Korean academia, politics, and government. <p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>Recorded Future&#39;s Insikt Group has conducted an analysis of a prolonged cyber-espionage campaign known as TAG-74, which is attributed to Chinese state-sponsored actors. TAG-74 primarily focuses on infiltrating South Korean academic, political, and government organizations. This group has been linked to Chinese military intelligence and poses a significant threat to academic, aerospace and defense, government, military, and political entities in South Korea, Japan, and Russia. 
TAG-74&#39;s targeting of South Korean academic institutions aligns with China&#39;s broader espionage efforts aimed at intellectual property theft and expanding its influence within higher education worldwide.</p><p>The motivation behind Chinese state-sponsored actors collecting intelligence in South Korea is likely driven by regional proximity and South Korea&#39;s strategic role in China&#39;s competition with the United States and its regional allies in the Indo-Pacific. Recent tensions have emerged as China expressed concerns about South Korea&#39;s closer relations with the US and its perceived involvement in Taiwan and alignment with the US and Japan&#39;s containment of China. TAG-74&#39;s intelligence collection efforts, which include spoofed domains and decoy documents related to inter-Korean cooperation, are expected to intensify as China seeks information to shape its diplomatic and business engagements with South Korean entities.</p><p><img src="https://cms.recordedfuture.com/uploads/multi_year_chinese_apt_campaign_targets_south_korean_academic_government_political_entities_body_ecee001094.png" alt="multi-year-chinese-apt-campaign-targets-south-korean-academic-government-political-entities-body.png"><em>Typical infection chain observed in TAG-74 campaign targeting South Korea (Source: Recorded Future)</em></p><p>TAG-74 is a well-established Chinese state-sponsored threat activity group specializing in intelligence collection against South Korean, Japanese, and Russian organizations. Their tactics, techniques, and procedures (TTPs) include the use of .chm files that trigger a DLL search order hijacking execution chain to load a customized version of the VBScript backdoor ReVBShell. Additionally, a custom backdoor known as Bisonal is used to enhance capabilities once initial access through ReVBShell is established. 
This customized ReVBShell variant is likely shared between TAG-74 and another closely related threat activity group, Tick Group, indicating collaboration between these groups.</p><p>The persistence of TAG-74 in targeting South Korean organizations and its likely operational alignment with the Northern Theater Command suggests that the group will continue its active and long-term intelligence-gathering efforts in South Korea, Japan, and Russia. Notably, the use of .chm files by Chinese state-sponsored actors is not particularly common outside of South Korea. However, the use of this attack vector in activity targeting South Korea has been seen both in TAG-74 campaigns and, more widely, in activity attributed to North Korean state-sponsored threat activity groups such as Kimsuky and APT37. Organizations should monitor for the presence and use of .chm files, particularly if they are not commonly used within their environment, as this tactic has gained prevalence among threat actors in recent years.</p><p>To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0919.pdf">click here</a>.</p> Research (Insikt) Recruiter Tips: Insights on the Hiring Process at Recorded Future https://www.recordedfuture.com/blog/hiring-process-recruiter-insights Recorded Future urn:uuid:1c98aaf8-05e9-12c3-c37f-f259589e42e9 Wed, 16 Aug 2023 20:00:00 -0400 Discover insights from a Recruiter at Recorded Future, the world's largest threat intelligence company, about their hiring process and improving the candidate experience. <p>Recorded Future is the world&#39;s largest threat intelligence company. It is the most comprehensive and independent threat intelligence cloud platform. It enables organizations to identify and mitigate threats across cyber, supply-chain, physical, and fraud domains. It is trusted by 1,700+ customers to get real-time, unbiased and actionable intelligence.</p><p>As a company, we strongly believe our employees are the backbone of our success. 
Perfecting our hiring process and candidate journey is crucial both for us and the talents we interact with on a daily basis. Recorded Future is committed to being a workplace that attracts top talents and an environment where builders thrive.</p><p>This blog shares great insights and best practices to engage top talent and provide a world-class candidate experience. We wanted to hear from an expert, so we interviewed Chris Barnes, Recruiting Manager at Recorded Future. </p><h3 id="the-basics">The Basics</h3><p><em>Can you introduce yourself and what you do at Recorded Future?</em></p><p><strong>Chris:</strong> I&#39;m Chris, I manage talent acquisition for all technical and post-sales departments in North America and I&#39;ve been with Recorded Future for almost two years.</p><p><img src="https://cms.recordedfuture.com/uploads/chris_barnes_recruiting_manager_tips_d84da055ce.jpg" alt="chris-barnes-recruiting-manager-tips.jpg"></p><p><em>What does Recorded Future do?</em></p><p><strong>Chris:</strong> Recorded Future is able to help organizations protect their security posture in a wide variety of ways. Whether it&#39;s protecting their security posture from a security operations standpoint, protecting their security posture from a brand management standpoint, or a third-party vendor management standpoint for instance. We provide clients with actionable intelligence in all of these areas and more. It helps clients take more of a proactive stance in their security posture, especially given the fact that in the last 10 years in the cyber security space, a lot of tools are being used more from a reactive approach.</p><p>Recorded Future is the most comprehensive and independent threat intelligence cloud platform. It enables organizations to identify and mitigate threats across cyber, supply-chain, physical, and fraud domains. It is trusted by 1,700+ customers to get real-time, unbiased and actionable intelligence. 
<a href="https://www.recordedfuture.com/platform">Learn more about our platform</a>.</p><p><em>Can you tell us a bit about your experience at Recorded Future so far?</em></p><p><strong>Chris:</strong> It&#39;s been very positive. It&#39;s a very collaborative environment here and I am really able to drive talent initiatives and recruit for a purposeful mission. What we do: securing the world with intelligence is really unique and being able to recruit for that mission is really exciting.</p><h3 id="the-interview-process">The Interview Process</h3><p><em>What is the process like?</em></p><p><strong>Chris:</strong> The process at Recorded Future typically consists of five stages. </p><ol><li><p><strong>Resume Review:</strong> that would be reviewing a candidate&#39;s resume. </p></li><li><p><strong>Preliminary Screen:</strong> if their profile seems to fit the role&#39;s needs and requirements - a phone call with a recruiter is scheduled to determine if the candidate&#39;s experience aligns well with the goals for the position.</p></li><li><p><strong>Interviews:</strong> if the preliminary screen is a success, the candidate typically moves to either a panel interview or one-on-one interviews with employees they would collaborate with, should they be hired. </p></li><li><p><strong>For technical positions</strong> this usually includes additional assessments such as a code walkthrough, product demonstration, or scenario-based exercise. 
For some of the client-facing positions we have, candidates might be evaluated in role play scenarios as well.</p></li><li><p><strong>References:</strong> upon success in the previous steps we will gather references from the candidate.</p></li></ol><p>Decision: the hiring team will then determine if they will extend an offer to the candidate.</p><p><em>How does the process differ from one job to another or to a non-technical team?</em></p><p><strong>Chris:</strong> The interview process for our technical teams usually focuses on a specific technical skill set that will enable success against the business objectives for the position. This can be evaluated in the form of a technical case study, code walk-through, or technical presentation. In our working environment, collaboration is a key factor for successful initiatives and the technical evaluation also allows for a candidate to demonstrate how they would approach working with other team members.</p><h3 id="what-we-look-for-in-candidates">What We Look For In Candidates</h3><p><em>What type of positions do you look to hire for?</em></p><p><strong>Chris:</strong> Recorded Future hires across the globe into multiple functions from engineering, to customer service, consulting, and sales.</p><p><em>What skill sets do you look for?</em></p><p><strong>Chris:</strong> While the exact skills required may differ among roles, we consistently seek extraordinary people who align with our values, work hard and are willing to go the extra mile to achieve goals.</p><p>For technical or semi-technical roles, the experience and skills we look for in candidates align to the technical components of our product and how we provide threat intelligence to our clients. For instance, Python is an essential language for some of our roles. That skill-set can apply to a wide-ranging amount of positions, such as Customer Success Managers, Data Engineering, Professional Services, Threat Research, and many other technical teams we have. 
</p><p>All of our positions require strong written and verbal communication skills. When providing information to internal or external stakeholders, it is imperative to be able to clearly define and articulate information needed to grow our business.</p><h3 id="resume-building--interviewing-tips">Resume Building &amp; Interviewing Tips</h3><p><em>Do you have any advice for crafting a strong resume for the industry?</em></p><p><strong>Chris:</strong> Something that is not thought of as much as it should be, is the ability to clearly define your experience and accomplishments in your resume format, so your skill-sets and experience align to the position clearly and thoughtfully. A common best practice is describing not only what you know, but how you applied your skills, and how it resulted in success for the business through a measurable indicator. Your resume should broadcast how your skills align to the criteria needed to achieve success in the position. If this is not defined clearly and thoroughly, it could be hard to determine if your experience aligns to the position.</p><p><em>Is it important to match a resume to the job description?</em></p><p><strong>Chris:</strong> It is common for a candidate to have multiple resumes that can speak to their experience in different ways. In each version, I would still recommend demonstrating how you have used your experience.</p><p><em>How should someone prepare for an interview?</em></p><p><strong>Chris:</strong> To start, be on-time and ready for the interview, aware of who you are interviewing with, have an understanding of the history of the company, what the business focus of the company is, and based on the information that has been shared with them thus far, an understanding of the position. 
Come prepared with questions and ready to share why you&#39;re interested in the opportunity.</p><p>The job description and the business focus of a company should definitely be part of the research and preparation, prior to an interview. However, looking deep into a company throughout the interview process and taking advantage of the time you have with the interviewers to learn about how you can grow, how you can collaborate with others, and how the position you are interviewing for can contribute to the mission of the company are the foundation to understanding the position in totality. This is something each candidate should consider at each step of the interview process. Ultimately, this is how you will be utilizing your time when striving for success!</p><p><em>Any interviewing tips?</em></p><p><strong>Chris:</strong> When interviewing for a position at any stage in the interview process, it is important to show you have invested time in researching our company. You could have experience and skills that match all requirements of the position, but if a candidate shows a lack of preparation or awareness for the interview, it will be seen as they may take a similar approach to their work, once hired.</p><p>Regardless of the position we are hiring for, a good tool for candidates is to apply the STAR method (describing examples by clearly defining the situation, task, action, and result) when describing their experience. 
The STAR method not only clearly defines the steps someone took to achieve success, but it also allows the hiring team to fully determine whether or not a candidate has experience needed to successfully complete the business objectives aligned to the position.</p><p><em>Are there any particular questions you often ask candidates during interviews?</em></p><p><strong>Chris:</strong> I ask each candidate what they know about Recorded Future to start the interview to gauge the amount of interest and research they put into their preparation for the interview. I also ask why they are interested in Recorded Future, and what is driving their interest for a new opportunity in their career.</p><h3 id="why-you-should-join-recorded-future">Why You Should Join Recorded Future</h3><p><em>How would you describe the company culture at our organization?</em></p><p><strong>Chris:</strong> We have three Core Values that all of our Futurists live by: We have high standards, act ethically, and we practice inclusion. We are a highly collaborative environment: supporting team members across the organization acts as the ultimate driver of our success. This core aspect of our DNA truly drives our ability to grow. The mission of the company really aligns well with our culture and regardless of what department you work in and the responsibilities of your position, you are contributing to something that is making the world safer. </p><p>Read more about our core values: <a href="https://www.recordedfuture.com/company-values-our-guiding-principles">Setting The Scene - Company Core Values, Our Guiding Principles</a></p><p><em>What opportunities for growth and development does our company offer?</em></p><p><strong>Chris:</strong> As part of development and career progression for Futurists, all levels of management encourage and support development and career progression for their team members. 
There are current examples of this that range from Interns who were offered a full-time position upon completion of their Internship, to Futurists who have moved to adjacent teams within the company based on personal interest, and those who have chosen to pursue career advancement into SME or management positions. </p><h3 id="final-words">Final Words</h3><p>There are many reasons why Recorded Future is a great opportunity for job seekers. 1. We are a leader in the industry: no one is doing what we&#39;re doing at the scale that we are. We&#39;re the world&#39;s largest intelligence company. 2. Probably most importantly, we&#39;re a people-first company. Whether that&#39;s in the way we collaborate together, the way we promote diversity and inclusion, or the way we put a strong focus on learning and development and building tailored careers for our employees so they can thrive and build their own paths.</p><p>Learn more about our DE&amp;I initiatives from our most recent blog: <a href="https://www.recordedfuture.com/erg-stories-apida-heritage-month-2023">APIDA Heritage Month: ERG Employee Stories, Community, and Support</a></p><h4 id="now-what">Now what?</h4><p>If any of that resonates with you or you&#39;re interested in learning more about careers at Recorded Future, we invite you to <a href="https://www.recordedfuture.com/careers">visit our careers page</a>. </p><p>Are you actively looking for a new opportunity? <a href="https://www.recordedfuture.com/jobs">We&#39;re hiring</a> across teams and across locations. </p><p>For more information or questions, feel free to email <a href="mailto:careers@recordedfuture.com">careers@recordedfuture.com</a>.</p> Blog @mccaffreyr3: 'MSNBC. 5 Feb. Chinese INTELL collection massive. Primary cyber intrusion. Also Human INTELL. 260 satellites. Still US cannot tolerate continued balloon reconnaissance penetrations of sovereign airspace. 
' https://twitter.com/mccaffreyr3/status/1622391138979319809/video/1 All News on 'The Twitter Times: v/900' urn:uuid:6a584f2e-655c-313a-f399-0fa62931620f Sun, 05 Feb 2023 20:40:57 -0500 <div style='margin: 0 0 6px 0;'> <a href='https://twitter.com/mccaffreyr3/status/1622391138979319809/video/1' style='color: #666666; text-decoration: none;'>twitter.com</a> <span style='color: #666666; text-decoration: none;'>- Barry R McCaffrey</span> </div> <div style='margin: 3px 0 3px 0;'> <link href='http://vjs.zencdn.net/4.12/video-js.css' rel='stylesheet'><script src='http://vjs.zencdn.net/4.12/video.js'></script><video id='twt-1622391138979319809-1' class='video-js vjs-default-skin' controls preload='auto' width='480' height='270' poster='http://pbs.twimg.com/ext_tw_video_thumb/1622390686225154048/pu/img/hVIdCq22wSgtE7DD.jpg'><source src='https://video.twimg.com/ext_tw_video/1622390686225154048/pu/vid/640x360/P8CiU4CRMeCQatLg.mp4?tag=12' type='video/mp4'/><source src='https://video.twimg.com/ext_tw_video/1622390686225154048/pu/pl/9oX7Fpgmyfw4wAKr.m3u8?tag=12&container=fmp4' type='application/x-mpegURL'/></video> </div>
@mccaffreyr3: 'MSNBC continued. 5 Feb. Unlikely that the debris from the Chinese shoot down will yield any bonanza of technical intelligence. Principle tools of Chinese collection 260 satellites, cyber, humint. ' https://twitter.com/mccaffreyr3/status/1622361431932014592/video/1 All News on 'The Twitter Times: v/900' urn:uuid:ed2d61fd-473e-0d89-faeb-5c19bde5ab67 Sun, 05 Feb 2023 18:37:01 -0500 <div style='margin: 0 0 6px 0;'> <a href='https://twitter.com/mccaffreyr3/status/1622361431932014592/video/1' style='color: #666666; text-decoration: none;'>twitter.com</a> <span style='color: #666666; text-decoration: none;'>- Barry R McCaffrey</span> </div> <div style='margin: 3px 0 3px 0;'> <link href='http://vjs.zencdn.net/4.12/video-js.css' rel='stylesheet'><script src='http://vjs.zencdn.net/4.12/video.js'></script><video id='twt-1622361431932014592-1' class='video-js vjs-default-skin' controls preload='auto' width='480' height='270' poster='http://pbs.twimg.com/ext_tw_video_thumb/1622361209478729729/pu/img/30opGvQadjKZHgcG.jpg'><source src='https://video.twimg.com/ext_tw_video/1622361209478729729/pu/vid/640x360/cyO4usB7lfy0LwGR.mp4?tag=12' type='video/mp4'/><source src='https://video.twimg.com/ext_tw_video/1622361209478729729/pu/pl/-zK-uwr7MJdo3KDA.m3u8?tag=12&container=fmp4' type='application/x-mpegURL'/></video> </div>
@fomocapdao: 'Launch balloon > Shot down Balloon > China responded with retaliation > Cyber attack > Italy internet goes down It's all coincidences ' https://twitter.com/fomocapdao/status/1622302263438884873/photo/1 All News on 'The Twitter Times: v/900' urn:uuid:8671c669-fc83-9435-b640-a597960c9d90 Sun, 05 Feb 2023 14:39:46 -0500 <div style='margin: 0 0 6px 0;'> <a href='https://twitter.com/fomocapdao/status/1622302263438884873/photo/1' style='color: #666666; text-decoration: none;'>twitter.com</a> </div> <div> <img style='margin: 6px 0 6px 0; max-width: 300px; width: expression((this.width > 300) && (this.width >= this.height) ? 300: true); max-height: 300px; height: expression((this.height > 300) && (this.height >= this.width) ? 
300: true); border: none;' src='http://pbs.twimg.com/media/FoOTF2QX0AEZviS.jpg'/> </div>
MyIndMakers https://www.myind.net/Home/viewArticle/china-orchestrating-cyber-attacks-on-allies-competitors-ipcsc-report All News on 'The Twitter Times: v/900' urn:uuid:0405d977-12dd-526c-8b7e-52c970117042 Sun, 05 Feb 2023 10:37:04 -0500 <div style='margin: 0 0 6px 0;'> <a href='https://www.myind.net/Home/viewArticle/china-orchestrating-cyber-attacks-on-allies-competitors-ipcsc-report' style='color: #666666; text-decoration: none;'>myind.net</a> </div> <div> <div> <img src='https://myind.net/sites/default/files/field/image/8abd193c_cyber_security.jpg' style='margin: 6px 6px 6px 0; max-width: 200px; width: expression((this.width > 200) && (this.width >= this.height) ? 200: true); max-height: 200px; height: expression((this.height > 200) && (this.height >= this.width) ? 200: true); border: none;'/> </div> <div style='margin: 6px 0 0 0;'>MyIndMakers enables the exchange of Global Ideas and Solutions from India. 
All day news updates related to Business, Hindu, Hinduism, India, Indic, Culture, Travel, Religion, Politics, Foreign Policy, Modi, Swami, BJP, Congress, Trump, Biden, Israel, Jihad, Christianity, China, Japan, Book Reviews, Movie Reviews, Indian Articles, Blogs, Interviews, Podcasts, Videos, MyIndBook, MyIndMakers, myind.net, China, orchestrating, cyber attacks, allies, competitors, IPCSC </div> </div>
Digicel Business invests millions to protect against cyber criminals - Trinidad Guardian https://www.guardian.co.tt/business/digicel-business-invests-millions-to-protect-against-cyber-criminals-6.2.1626430.1ce5bbeebf All News on 'The Twitter Times: v/900' urn:uuid:f7621a9c-4aca-476e-1a80-8c5498ee9d23 Sun, 05 Feb 2023 10:37:04 -0500 <div style='margin: 0 0 6px 0;'> <a href='https://www.guardian.co.tt/business/digicel-business-invests-millions-to-protect-against-cyber-criminals-6.2.1626430.1ce5bbeebf' style='color: #666666; text-decoration: none;'>guardian.co.tt</a> </div> <div> <div> <img src='http://www.guardian.co.tt/image-3.4065124.248447.20230205125546.bef83d9a95' style='margin: 6px 6px 6px 0; max-width: 200px; width: expression((this.width > 200) && (this.width >= this.height) ? 
200: true); max-height: 200px; height: expression((this.height > 200) && (this.height >= this.width) ? 200: true); border: none;'/> </div> <div style='margin: 6px 0 0 0;'>Digicel Business continues to pump millions of dollars into its cybersecurity services as the company has seen an uptick in fraudsters not only emanating from T&amp;T but also Eastern Europe, Russia, China, North Korea, and most recently Brazil in South America. </div> </div>
@NikitaS_Live: 'India bans Chinese Apps- 234 apps banned by Information Technology Ministry. These apps were sourced to create terror among Indian Users. Welcome move..now a dip in cyber crimes,cyber bullying is expected. 
#ChineseApps #InformationTechnolo https://twitter.com/NikitaS_Live/status/1622221340093853696/photo/1 All News on 'The Twitter Times: v/900' urn:uuid:e360519e-3449-ada5-e7a8-cb8a04989f23 Sun, 05 Feb 2023 08:42:06 -0500 <div style='margin: 0 0 6px 0;'> <a href='https://twitter.com/NikitaS_Live/status/1622221340093853696/photo/1' style='color: #666666; text-decoration: none;'>twitter.com</a> </div> <div> <img style='margin: 6px 0 6px 0; max-width: 300px; width: expression((this.width > 300) && (this.width >= this.height) ? 300: true); max-height: 300px; height: expression((this.height > 300) && (this.height >= this.width) ? 300: true); border: none;' src='http://pbs.twimg.com/media/FoNJtEoaYAIlD3M.jpg'/> </div>
@Covert_Radio: '"Chinese Spy Satellite"...? 
*** WARNING *** They spoke at Davos about "Cyber Attacks & Power Grid Attacks". Now, OUT OF NO WHERE, a "Chinese Spy Satellite" shows up in American Airspace? Potentially with Military Hardware? They're NORMALIZ https://twitter.com/Covert_Radio/status/1621576973330833408/photo/1 All News on 'The Twitter Times: v/901' urn:uuid:15d1df74-4f40-9046-21a0-ba79889c9043 Fri, 03 Feb 2023 14:50:18 -0500 <div style='margin: 0 0 6px 0;'> <a href='https://twitter.com/Covert_Radio/status/1621576973330833408/photo/1' style='color: #666666; text-decoration: none;'>twitter.com</a> </div> <div> <img style='margin: 6px 0 6px 0; max-width: 300px; width: expression((this.width > 300) && (this.width >= this.height) ? 300: true); max-height: 300px; height: expression((this.height > 300) && (this.height >= this.width) ? 300: true); border: none;' src='http://pbs.twimg.com/media/FoD9e9xXoAE-BAm.jpg'/> </div>
Surging Electrical Infrastructure Attacks Pose Disruption Threat for American Businesses - Interos - Interos https://www.interos.ai/blog-surging-electrical-infrastructure-attacks-pose-disruption-threat-for-american-businesses-interos/ All News on 'The Twitter Times: v/901' urn:uuid:ea11f698-c929-12ed-304f-183b70f2509d Fri, 03 Feb 2023 10:55:23 -0500 <div style='margin: 0 0 6px 0;'> <a href='https://www.interos.ai/blog-surging-electrical-infrastructure-attacks-pose-disruption-threat-for-american-businesses-interos/' style='color: #666666; text-decoration: none;'>interos.ai</a> <span style='color: #666666; text-decoration: none;'>- interos-blogger</span> </div> <div> <div> <img src='https://www.interos.ai/wp-content/uploads/2023/02/power-blog-image-linkedin.png' style='margin: 6px 6px 6px 0; max-width: 200px; width: expression((this.width > 200) && (this.width >= this.height) ? 200: true); max-height: 200px; height: expression((this.height > 200) && (this.height >= this.width) ? 200: true); border: none;'/> </div> <div style='margin: 6px 0 0 0;'>By Alberto Coria and Trent Chinnaswamy A growing number of attacks on the United States&rsquo; critical electricity infrastructure threatens to cause supply chain disruption to thousands of businesses across the country. In 2022, the U.S. electrical grid sustained at least 103 deliberate physical and cyber-attacks &ndash; the highest level in a decade. 
Two recent attacks on electricity substations in North Carolina, and four in Washington, have raised alarm among experts at the U.S. Department of Homeland .&nbsp; </div> </div>
It wouldn't stop at Stuxnet - by Hack Jartman https://hackjartman.substack.com/p/it-wouldnt-stop-at-stuxnet All News on 'The Twitter Times: v/904' urn:uuid:dfa9c121-f26c-1bf0-2a92-9b090965d6c2 Fri, 03 Feb 2023 00:56:45 -0500 <div style='margin: 0 0 6px 0;'> <a href='https://hackjartman.substack.com/p/it-wouldnt-stop-at-stuxnet' style='color: #666666; text-decoration: none;'>hackjartman.substack.com</a> <span style='color: #666666; text-decoration: none;'>- Hack Jartman</span> </div> <div> <div> <img 
src='https://substackcdn.com/image/fetch/w_1200,h_600,c_limit,f_jpg,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6e388e16-d2ab-4d50-86b5-52078dc0f445_256x256.png' style='margin: 6px 6px 6px 0; max-width: 200px; width: expression((this.width > 200) && (this.width >= this.height) ? 200: true); max-height: 200px; height: expression((this.height > 200) && (this.height >= this.width) ? 200: true); border: none;'/> </div> <div style='margin: 6px 0 0 0;'>We all know that the CIA likes to dip their tentacles in many a plot around the world. This is not news to any like-minded, paranoid individuals reading this. Over the past 15 years, the CIA has become increasingly involved in cyber security, leading to speculation about its involvement in recent cyber attacks. The CIA (and others) have been linked to cyber attacks on Iran&rsquo;s nuclear program. In 2010, an operation known as Operation Olympic Games destroyed a large portion of Iran&rsquo;s uranium enric.&nbsp; </div> </div>