Popular Medusa Ransomware utilizes many LOTL (Living off the Land) techniques (CISA)

Initial Access

Medusa developers typically recruit initial access brokers (IABs) in cybercriminal forums and marketplaces to obtain initial access [TA0001] to potential victims. Potential payments between $100 USD and $1 million USD are offered to these affiliates with the opportunity to work exclusively for Medusa. Medusa IABs (affiliates) are known to make use of common techniques, such as:
- Phishing campaigns as a primary method for stealing victim credentials [T1566].
- Exploitation of unpatched software vulnerabilities [T1190] through Common Vulnerabilities and Exposures (CVEs) such as the ScreenConnect vulnerability CVE-2024-1709 [CWE-288: Authentication Bypass Using an Alternate Path or Channel] and the Fortinet EMS SQL injection vulnerability CVE-2023-48788 [CWE-89: SQL Injection].

Medusa actors use a variety of legitimate remote access software [T1219]; they may tailor their choice based on any remote access tools already present in the victim environment as a means of evading detection. Investigations identified Medusa actors using remote access software AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop. Medusa uses these tools—in combination with Remote Desktop Protocol (RDP) [T1021.001] and PsExec [T1569.002]—to move laterally [TA0008] through the network and identify files for exfiltration [TA0010] and encryption [T1486].

When provided with valid username and password credentials, Medusa actors use PsExec to:
- Copy (-c) one script from various batch scripts on the current machine to the remote machine and execute it with SYSTEM level privileges (-s).
- Execute an already existing local file on a remote machine with SYSTEM level privileges.
- Execute remote shell commands using cmd /c.

One of the batch scripts executed by PsExec is openrdp.bat, which first creates a new firewall rule to allow inbound TCP traffic on port 3389:

    netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow

Then, a rule to allow remote WMI connections is created:

    netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

Finally, the registry is modified to allow Remote Desktop connections:

    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Mimikatz has also been observed in use for Local Security Authority Subsystem Service (LSASS) dumping [T1003.001] to harvest credentials [TA0006] and aid lateral movement.

#cybersecurity #ransomware #Medusa #LOTL #Windows #CISA
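The three commands quoted in the post (the firewall rule for 3389, the WMI firewall group, the fDenyTSConnections registry change) and the PsExec `-s`/`-c` invocation are all things a defender can hunt for in process-creation telemetry. The following is an added detection sketch, not code from the post or from CISA: it scans Sysmon Event ID 1 / Security 4688-style records exported as JSON lines, matches each command line against one rule per quoted command, and then groups hits per host so that the openrdp.bat sequence (several distinct rules firing on one machine) stands out from a single routine firewall change. The field names (`host`, `user`, `cmdline`), the rule labels and the sample records are all constructed for this example.

```python
"""Hunt for the Medusa living-off-the-land commands in process-creation logs.

Input: JSON lines, one process-creation event per line, with at least a
"host" and a "cmdline" field (constructed layout for this example; adapt the
field names to your own Sysmon/4688 export)."""
import json
import re
from collections import defaultdict

# One regex per command quoted in the advisory excerpt. The rule names are our own labels.
RULES = {
    # netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow
    "fw_allow_rdp_3389": re.compile(
        r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\blocalport=3389\b.*\baction=allow\b', re.I),
    # netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
    "fw_enable_wmi_group": re.compile(
        r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="windows management instrumentation \(wmi\)".*\benable=yes\b', re.I),
    # reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
    "reg_enable_rdp": re.compile(
        r'reg\s+add\s+"?HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server"?\s.*\bfDenyTSConnections\b.*/d\s+0\b', re.I),
    # PsExec launched with -s (run as SYSTEM) or -c (copy a local file to the remote host)
    "psexec_as_system": re.compile(
        r'\bpsexec(?:64)?(?:\.exe)?\b.*(?:\s-s\b|\s-c\b)', re.I),
}

# Constructed sample events (not real telemetry). WS-042 receives the openrdp.bat
# commands; FS-01 is the machine PsExec was run from; WS-007 shows benign admin work.
SAMPLE_EVENTS = [
    {"host": "WS-042", "user": "CORP\\svc_deploy", "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow'},
    {"host": "WS-042", "user": "CORP\\svc_deploy", "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes'},
    {"host": "WS-042", "user": "CORP\\svc_deploy", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "FS-01", "user": "CORP\\svc_deploy", "image": "C:\\Tools\\PsExec.exe",
     "cmdline": 'PsExec.exe \\\\WS-042 -s -c openrdp.bat'},
    {"host": "WS-007", "user": "CORP\\helpdesk", "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Web" dir=in protocol=tcp localport=443 action=allow'},
    {"host": "WS-007", "user": "CORP\\helpdesk", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": 'reg query "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections'},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]


def scan_events(json_lines):
    """Return one finding dict per (event, rule) match; malformed lines are skipped."""
    findings = []
    for raw in json_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a broken export line should not abort the whole hunt
        cmdline = event.get("cmdline", "")
        for rule_name, pattern in RULES.items():
            if pattern.search(cmdline):
                findings.append({"rule": rule_name, "host": event.get("host", "?"),
                                 "user": event.get("user", "?"), "cmdline": cmdline})
    return findings


def hosts_with_rdp_enablement(findings, threshold=2):
    """Hosts on which at least `threshold` distinct rules fired. One firewall
    change can be legitimate admin work; the combination is the batch script."""
    rules_per_host = defaultdict(set)
    for finding in findings:
        rules_per_host[finding["host"]].add(finding["rule"])
    return sorted(h for h, rules in rules_per_host.items() if len(rules) >= threshold)


if __name__ == "__main__":
    hits = scan_events(SAMPLE_LINES)
    for hit in hits:
        print(f'{hit["host"]:8} {hit["user"]:18} {hit["rule"]:22} {hit["cmdline"]}')
    print("hosts with RDP-enablement sequence:", hosts_with_rdp_enablement(hits))
```

Run against the constructed sample, the scan produces four hits (three on WS-042, one PsExec launch on FS-01) and reports WS-042 as the host where the openrdp.bat sequence completed; the benign port-443 rule and the `reg query` on WS-007 do not fire. In production the same logic belongs in your SIEM as correlated queries keyed on host and a short time window, with the PsExec hit on the source machine joined to the netsh/reg hits on the target.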
Tactics Used by Cybercriminals Today
Summary
Cybercriminals today employ a range of advanced tactics, frequently exploiting modern technologies like AI, deepfakes, and unpatched vulnerabilities to deceive users, infiltrate systems, and steal sensitive information. These methods often combine traditional manipulative strategies with cutting-edge tools, creating sophisticated threats that require constant vigilance and adaptation.
- Stay skeptical of communication: Always verify unexpected emails, calls, or messages through a separate reliable channel, especially ones requesting sensitive data or immediate action.
- Secure your systems: Regularly update your software and apply patches to mitigate vulnerabilities that cybercriminals could use for infiltration.
- Monitor emerging threats: Keep an eye on advancements in AI, social engineering, and other cyber techniques to identify and address potential risks proactively.
-
New findings from OpenAI reinforce that attackers are actively leveraging GenAI. Palo Alto Networks Unit 42 has observed this firsthand: we've seen threat actors exploiting LLMs for ransomware negotiations, deepfakes in recruitment scams, internal reconnaissance and highly tailored phishing campaigns. China and other nation-states in particular are accelerating their use of these tools, increasing the speed, scale, and efficacy of attacks. But we’ve also seen this on the cybercriminal side.

Our research uncovered vulnerabilities in LLMs, with one model failing to block 41% of malicious prompts. Unit 42 has jailbroken models with minimal effort, producing everything from malware and phishing lures to even instructions for creating a molotov cocktail. This underscores a critical risk: GenAI empowers attackers, and they are actively using it.

Understanding how attackers will leverage AI to advance their attacks, but also exploit AI implementations within organizations, is crucial. AI adoption and innovation are occurring at breakneck speed and security can’t be ignored. Adapting your organization’s security strategy to address AI-powered attacks is essential.
-
The FBI recently issued a stark warning: AI-generated voice deepfakes are now being used in highly targeted vishing attacks against senior officials and executives. Cybercriminals are combining deepfake audio with smishing (SMS phishing) to convincingly impersonate trusted contacts, tricking victims into sharing sensitive information or transferring funds.

This isn’t science fiction. It is happening today. Recent high-profile breaches, such as the Marks & Spencer ransomware attack via a third-party contractor, show how AI-powered social engineering is outpacing traditional defenses. Attackers no longer need to rely on generic phishing emails; they can craft personalized, real-time audio messages that sound just like your colleagues or leaders.

How can you protect yourself and your organization?
- Pause Before You Act: If you receive an urgent call or message (even if the voice sounds familiar), take a moment to verify the request through a separate communication channel.
- Don’t Trust Caller ID Alone: Attackers can spoof phone numbers and voices. Always confirm sensitive requests, especially those involving money or credentials.
- Educate and Train: Regularly update your team on the latest social engineering tactics. If your organization is highly targeted, simulated phishing and vishing exercises can help build a culture of skepticism and vigilance.
- Use Multi-Factor Authentication (MFA): Even if attackers gain some information, MFA adds an extra layer of protection.
- Report Suspicious Activity: Encourage a “see something, say something” culture. Quick reporting can prevent a single incident from escalating into a major breach.

AI is transforming the cyber threat landscape. Staying informed, alert, and proactive is our best defense. #Cybersecurity #AI #Deepfakes #SocialEngineering #Vishing #Infosec #Leadership #SecurityAwareness
-
Hackers have found a way to bypass Windows Defender Application Control (WDAC) policies using a legitimate Microsoft debugging tool, WinDbg Preview, available via the Microsoft Store. This technique allows attackers to inject arbitrary shellcode into a target process, evading detection as it does not rely on traditional executables or DLLs.

Key Points:
- WinDbg Preview from the Microsoft Store is exploited to inject malicious code.
- Attackers leverage WinDbg scripting for remote code execution without typical detection methods.
- Windows API functions like OpenProcess and WriteProcessMemory are manipulated for the exploit.

Mitigation Steps:
1. Update WDAC blocklists to explicitly include WinDbg Preview (WinDbgX.exe).
2. Disable the Microsoft Store on unnecessary endpoints to limit access.
3. Monitor the usage of debugging tools, especially for processes involving injection techniques, to enhance security measures.
-
BleepingComputer has a post today about a Ukrainian national being deported from Spain after being identified as the hacker behind several ransomware attacks in the US. The real story, however, is not about the hacker, but rather the ransomware-as-a-service (R-a-a-S) tool that he and his team used. Nefilim is a double-extortion ransomware service that not only encrypts files and demands payment for the decryption key, but also threatens to publicly publish extracted data unless additional payment is made.

I've posted many times in the past about email phishing combined with social engineering as primary attack vectors of hackers, but Nefilim and other R-a-a-S tools like it breach corporate networks using weaknesses in unpatched, publicly-facing devices or applications, i.e., ones that have a public IP address. The Nefilim affiliates begin with vulnerability scans of public-facing assets to identify unpatched CVEs that can be exploited. The attempts at ingress then begin.

So, while email phishing and social engineering continue to be very successful end-user-error-initiated infiltration methods, if your I.T. team chooses to leave unpatched devices accessible from the public internet, then they're purposely ignoring an attack vector that is fast becoming a primary point of entry for hackers, putting your entire company at risk of a breach and significant costs for recovery efforts and downtime.

The BleepingComputer post is here: https://lnkd.in/e3jbkPEF
TrendMicro has a great write-up here: https://lnkd.in/eV4sxwx9
The SISA blog goes deep on the Nefilim attack techniques: https://lnkd.in/edHAEQvg
Qualys, the vulnerability scanning company, has a nice deep dive blog post here: https://lnkd.in/e8rWPpE4
Picus Security does a nice job of mapping Nefilim to MITRE ATT&CK: https://lnkd.in/e4EZZvCU
-
Cybercriminals No Longer Confined to the Dark Web

Social media has transformed the threat landscape significantly. Cybercriminals are no longer confined to the dark web or private channels; they operate openly, utilizing the same technologies we use daily. For instance, a cybercriminal operating under the marketplace name "DataGlobe" uses Telegram to sell data to other criminals for phishing campaigns or CPA (Cost Per Action) fraud. This individual advertises data that includes phone numbers, email addresses, names, genders, addresses, and even occupations. Taking their operations a step further, this cybercriminal has created company pages on LinkedIn and Facebook, openly advertising the same types of data. This strategy potentially enables them to reach a wider audience.

DataGlobe is not an isolated case. Hundreds of cybercriminals market their products on platforms like Instagram, TikTok, Twitter, and Facebook. Cybercriminals like DataGlobe also exploit common tools such as LinkedIn Sales Navigator to scrape user data, which is then sold to other criminals for spear phishing and social engineering attacks.

This shift underscores the need for heightened vigilance and proactive measures across all digital platforms, as cybercriminals increasingly exploit mainstream technologies to advance their illicit activities. What's your observation in the new landscape?
-
-
You click [Update] ☕ and maybe grab a quick coffee while your computer does its thing. When that little notification pops up for your browser or app, you hit "Update Now" and assume you're keeping things safe...

Cybercriminals have a way to hijack that update process. Instead of receiving the genuine software patch, your computer could download something nefarious straight from the criminals. How? It boils down to messing with how computers talk to each other on newer networks. Think of it like giving your computer bad directions.

Most modern systems use something called IPv6; it’s like the next-generation highway system for the internet, designed because we were running out of space on the old roads (IPv4). This newer system has features that let devices sort of automatically figure out how to connect and where to go. It’s efficient, usually. But here’s the rub: bad actors figured out how to send out fake "road signs" or "directions" using this IPv6 system. They essentially stand on the digital street corner shouting, "Hey! I know the way to the update server! Follow me!" If a computer on the network is set up to listen for these kinds of automatic directions (and many are, by default), it might just trust that fake signal. So, when it tries to fetch that software update, its request goes straight to the criminal's machine, not the official company server. Yikes.

Groups like TheWizards are reportedly using tools (Spellbinder) to do this. Once tricked, you don't get the real update. You get malware: password stealers, ransomware, tools to infiltrate your network. It happens under the guise of a normal update; your computer thinks it's doing the right thing. A wolf in sheep's clothing delivered right to your digital doorstep. (For a little more technical flavor: they spoof IPv6 Router Advertisements, performing an Adversary-in-the-Middle attack by faking DNS responses.)

Don't. Stop. Updating!

They are still absolutely crucial for fixing security holes and keeping things running well. Running outdated software is like leaving your front door wide open. What this does mean is that security is a layered game. It’s not just about having an antivirus program (though that’s still important!). It also involves things happening behind the scenes:
🌐 Smart network setups that can spot and block these kinds of fake "directions" (features like RA Guard on network gear).
🌐 Careful monitoring of network traffic for weird behavior.
🌐 Making sure the operating systems themselves are patched against known weaknesses in how they handle these network protocols.

Knowing these threats exist reinforces why companies invest in robust security and why we should take security alerts seriously. It’s a constant cat-and-mouse game, and sometimes the mice get pretty clever. 💡 So, keep updating, and also maybe stop to appreciate the unseen security efforts working to make sure that update request actually gets to the right place. 👩🏽‍💻🛜
-
Old Tricks, New Tech: How Scammers Repackage Classic Cons

Fraudsters may be using AI, deepfakes, and sophisticated cyber tools, but their tactics? Straight out of the classic conman playbook. When I went through my training to learn how to conduct clandestine operations (which I later used to secretly infiltrate cartels, organized criminal groups, dirty banks, and adversary defense contractors) I was trained by the best. In one particular lesson, a former professional con artist taught me their nuances of deception, manipulation, and the art of gaining trust. Through these lessons I learned that the following “classic cons” still apply today in the era of cybersecurity and AI:
💡 The Impersonator (a.k.a. The Pig-in-a-Poke) – Yesterday’s smooth-talking grifter is today’s deepfake executive. Whether it’s the infamous CEO frauds we are now seeing or a voice-cloned “friend” in distress, the goal is the same: gain trust, then exploit it.
💡 The Urgency Play (a.k.a. The Spanish Prisoner) – The old "act now before it's too late" trick has evolved into phishing emails demanding immediate wire transfers or “limited-time” crypto investment deals. If you’re being rushed, it’s probably a scam.
💡 The Trojan Horse (a.k.a. The Badger Game) – Con artists once sweet-talked their way past front desks; now, they send emails posing as vendors with malicious attachments. If it looks too good (or routine) to question, question it.
💡 The Long Con (a.k.a. The Big Store, à la *The Sting*) – Scammers used to cultivate relationships over weeks or months before striking. Today, romance scammers and business email compromise (BEC) fraudsters play the same long game, earning trust before asking for money.
💡 The Bait-and-Switch (a.k.a. The Three-Card Monte) – Once a staple of street hustlers, this trick now lives online in shady e-commerce sites, fake investments, and job scams where the offer changes after you’re hooked.

What’s the takeaway? The tech may be new, but the psychology is ancient. Every scam hinges on trust, urgency, and deception—and awareness is the best defense. #AI #CyberSecurity #FraudPrevention #StayVigilant #MoneyLaundering #AML #FinancialCrime
-
Ever wonder how cybercriminals manipulate people into handing over passwords, transferring money, or granting access without a single line of code? Social engineering has evolved far beyond the days of poorly written phishing emails—it’s now AI-driven, hyper-personalized, and alarmingly effective. Attackers are using deepfakes, real-time manipulation, and multi-channel engagement to deceive individuals and businesses alike. Whether it’s a voice-cloned CEO authorizing a wire transfer or a LinkedIn message crafted by AI, the future of cyber deception is here.

🎧 Prefer listening on the go? This article is also a new podcast episode! Head over to podcast.baremetalcyber.com to check it out. Or visit Jason-Edwards.me for even more multimedia content.

🔹 What’s inside this deep dive?
✅ How AI is fueling next-gen phishing and social engineering attacks
✅ Why deepfakes and synthetic media make verification harder than ever
✅ The most effective defense strategies to combat these evolving threats
✅ Real-world tactics attackers use to manipulate individuals and businesses

Cyber threats are no longer just about hacking computers—they’re about hacking human trust. Are your defenses ready for the next wave of deception? Let’s dive in. #CyberSecurity #SocialEngineering #PhishingAttacks #DeepfakeThreats #AIandCyberCrime #CyberAwareness #SecurityEducation #HackingHumans #SpearPhishing #CyberDefense
-
It was only a matter of time before criminals started leveraging the power of #GenAI. Criminals are now exploiting Generative AI to enhance their ongoing fraud schemes, making them more believable and far-reaching. By using AI-generated text, images, audio, and videos, these bad actors are reducing the time and effort needed to deceive their targets, leaving fewer warning signs of fraud.

Examples include:
🧨 AI-generated messages for phishing, romance scams, and investment fraud
🧨 Fake social media profiles with realistic AI-generated photos
🧨 AI-powered chatbots embedded in fraudulent websites
🧨 Voice cloning to impersonate loved ones in crisis situations
🧨 AI-created videos to "prove" a scammer's identity or promote fake investments

How to protect yourself:
✔️ Verify identities with a secret word or phrase
✔️ Look for subtle imperfections in images, videos, or audio
✔️ Limit online sharing of personal images and voice recordings
✔️ Never send money or sensitive info to unknown individuals

Generative AI can be a tool for good, but it’s crucial we stay vigilant against its misuse. 🛡️ Please share with family and friends to build awareness. Shout out to my former colleagues at the Federal Bureau of Investigation (FBI) for the timely report. #Cybersecurity #FraudPrevention #AI