"If you pay the ransom, can you trust the attacker to give you back the promised data and then leave you alone forever? Paying ransom funds organized crime. Whenever possible, I encourage businesses not to pay." - Danny Jenkins, ThreatLocker CEO & Co-founder
When data is stolen, the impact is lasting. Paying a ransom rarely solves the problem.
What happened: In late October, attackers gained access through a compromised PennKey login and were able to move laterally into multiple internal systems and expose student, donor, alumni, and employee financial and contact records.
Why it matters: Penn is just the latest in a long line of attacks on higher education. These institutions hold vast amounts of sensitive data, both personal and research, as well as access to sensitive systems. Multiple class action lawsuits were filed in the immediate aftermath, citing roughly 1.2 million exfiltrated records.
What you need to know: Russia-based Qilin utilizes a variety of methods to establish malicious connections and persist on unsuspecting networks. The ThreatLocker Threat Intelligence team regularly intercepts and mitigates Qilin-related attacks and shares what they've learned.
Why it matters: Qilin has claimed responsibility for more than 800 ransomware attacks this year alone, operating a ransomware-as-a-service model. Historically, their dwell time is 19 days but may be longer. Knowing how they work is crucial to protecting your organization.
What you need to know: Scammers dramatically increase efforts to harvest credentials and benefit data during open enrollment, then use that data to run highly convincing phishing and social-engineering campaigns. This data is most frequently obtained through compromised third-party vendors, identity compromise, and misconfigurations.
Why it matters: The stolen data fuels a full ecosystem of fraud including identity theft, benefits fraud, access resale, and more. Knowing that this is an active time for hackers gives you an opportunity to be proactive and disrupt their activity.
What you need to know: Threat actors love the holidays because IT teams may be understaffed. They will plan ransomware attacks and phishing scams around predictable downtimes. Common techniques include attacks that encrypt entire networks rather than isolated machines, data exfiltration from endpoints left logged in, DDoS attacks that overwhelm servers during high-traffic periods, and more.
Why it matters: You should always have a robust incident response plan in place, but the holiday season is a good time to reinforce it. You'll have a more restful holiday following this checklist.
Threats you need to know
Monitoring the latest ransomware attacks and tactics
ToddyCat finds new ways to bypass security measures
What you need to know: ToddyCat has developed new methods to steal authentication tokens, allowing them to access internal emails while remaining relatively undetected. Their updated PowerShell toolkit runs on domain controllers and uses the SMB protocol to access network shares and read browser data directly from user files.
Why it matters: ToddyCat is able to infiltrate most networks undetected, and their updated tools are a response to heightened security measures, further proving that in cybersecurity, resting on your laurels isn't an option.
What you can do: Implement MFA for email logins and network access and continuously educate your employees on social engineering tactics.
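One way to hunt for the behavior described above, as an added example that is not ThreatLocker's code: a check over Windows Security Event ID 5145 share-access records (constructed sample data) that flags reads of browser credential stores in user profiles through an administrative share. Field names assume your SIEM exports the event's XML fields unchanged.

```python
# Added example (not ThreatLocker's code): flag SMB share accesses that touch browser
# credential stores in user profiles, the behavior described for ToddyCat's toolkit.
# Input is a constructed list of Windows Security Event ID 5145 records, reduced to the
# fields the check needs; field names follow the event's XML (assumption: your SIEM
# exports them under these names).
import re
from typing import Iterable

# Browser files that hold saved logins, cookies or session tokens. Paths are
# matched case-insensitively against RelativeTargetName, with either slash style.
BROWSER_SECRET_FILES = (
    r"AppData\\Local\\Google\\Chrome\\User Data\\.*?\\(Login Data|Cookies|Network\\Cookies)",
    r"AppData\\Local\\Microsoft\\Edge\\User Data\\.*?\\(Login Data|Cookies|Network\\Cookies)",
    r"AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.*?\\(logins\.json|key4\.db|cookies\.sqlite)",
)
_PATTERN = re.compile("|".join(BROWSER_SECRET_FILES), re.IGNORECASE)
# Administrative shares (C$, D$, ...) give raw access to the volume, so a user profile
# path reached through one, rather than a share meant for users, is the suspicious mix.
_ADMIN_SHARE = re.compile(r"^\\\\\*\\[A-Z]\$$", re.IGNORECASE)

def is_browser_secret_access(event: dict) -> bool:
    """True when a 5145 event reads a browser secret store through an admin share."""
    target = event.get("RelativeTargetName", "").replace("/", "\\")
    return bool(_ADMIN_SHARE.match(event.get("ShareName", ""))) and bool(_PATTERN.search(target))

def find_suspicious(events: Iterable[dict]) -> list[dict]:
    """Return one alert per matching event, carrying the source host and account."""
    alerts = []
    for e in events:
        if is_browser_secret_access(e):
            alerts.append({"src": e.get("IpAddress"), "user": e.get("SubjectUserName"),
                           "share": e["ShareName"], "path": e["RelativeTargetName"]})
    return alerts

# Constructed sample: three 5145 records; only the first two touch credential stores.
SAMPLE_EVENTS = [
    {"SubjectUserName": "svc-backup", "IpAddress": "10.0.0.5", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"SubjectUserName": "svc-backup", "IpAddress": "10.0.0.5", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users/alice/AppData/Roaming/Mozilla/Firefox/Profiles/x1.default/logins.json"},
    {"SubjectUserName": "alice", "IpAddress": "10.0.0.23", "ShareName": r"\\*\Finance",
     "RelativeTargetName": r"Q3\budget.xlsx"},
]

if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT browser secret read over SMB: {a['user']}@{a['src']} -> {a['share']}\\{a['path']}")
```

Because 5145 only fires when share-object auditing is enabled, turn on "Audit Detailed File Share" on domain controllers and file servers before relying on this check.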
Google finds new malware backdoors potentially linked to Iran
What you need to know: Mandiant tracks the group UNC1549 and suspects it has ties to the Iranian Revolutionary Guard Corps. It relies heavily on spear-phishing and stolen credentials to gain access, and the use of multiple custom backdoors signals a significant increase in sophistication. The group has been deploying malware and privilege escalation utilities to extract password hashes and credentials, and to show pop-up messages that trick users into submitting credentials.
Why it matters: The operations appear to be strongly motivated by espionage, and the group is actively seeking sensitive information like intellectual property and IT documentation. The shift to more diverse malware variants also makes detection harder and increases the likelihood of long-term, undetected presence inside targeted networks. They then leverage that access to target other entities in the same industry. In addition to deploying phishing campaigns, they have also exploited trusted connections with third parties.
What you can do: Practice the principle of least privilege for admin controls, ensure your third-party suppliers have high security maturity, and deploy behavior-based monitoring tools.
ThreatLocker CEO Danny Jenkins and COO Sami Jenkins held a live Q&A answering questions on Zero Trust, the ThreatLocker platform, the future of cybersecurity, and much more.
A brief sampling of what was covered:
Are there plans to implement AI into ThreatLocker?
How do exclusions in ThreatLocker Detect EDR work?
What is the roadmap for the Linux agent and Patch Management?
Even trusted applications can be used against you without the proper security in place. Learn how the right Zero Trust strategies can reduce the likelihood of a successful attack and block threats that rely on misusing your legitimate software.
What we'll cover:
ThreatLocker Ringfencing™, a critical Application Control technology that stops the exploitation of trusted software by limiting how your software is allowed to behave.
How you can customize your security so trusted applications, like PowerShell, can run but not access external network destinations.
Join us in Orlando, March 4-6, for immersive hacking labs, thought leadership sessions from global industry leaders, daily Cyber Hero certification exams, and more!
Our mission is to help you become more secure and gain more visibility into your environment. That's why we launched our quarterly magazine, Cyber Hero Frontline. In the current issue you'll find:
Windows 10 at end of life
Expert interview with counterintelligence pioneer Dennis Desmond on the human element in cybersecurity
A deep dive into why the aviation industry has seen a 600% year-over-year increase in attacks
And much more!
Read it online or subscribe to have a print copy mailed to you at no charge.