Threat Source newsletter (Sept. 29, 2022) — Personal health apps are currently under a spotlight, but their warning signs have always been there

Why do I care? 

Insider threats are different than “traditional” cyber attacks we think of because it’s not about a threat actor sitting in an entirely different country lobing malicious code at a network. It usually involves trying to socially engineer someone into unwittingly letting their guard down and providing access to a malicious user or giving up sensitive information in exchange for some money. This can seriously happen to anyone anywhere, increasingly so in the era of hybrid work. 

So now what?

Defending against these types of insider threats is difficult for a variety of reasons, but first and foremost, they typically are allowed to access the network and have valid login credentials. This is where traditional security controls like user and access control come into play. Organizations should limit the amount of access a user has to the minimum required for them to perform their job. 

Top security headlines from the week

Ukraine is warning that Russian state-sponsored actors are still targeting critical infrastructure with cyber attacks. The campaigns would likely be to “increase the effect of missile strikes on electrical supply facilities,” the Ukrainian government said. The warning also stated that the actors would also target Baltic states and Ukrainian allies with distributed denial-of-service attacks. Meanwhile, the U.S. continues to invest money into Ukraine’s cyber defenses and volunteer hackers continue to pitch in across the globe. (CyberScoop, Voice of America) 

U.K. police arrested a teenager allegedly involved in the recent Rockstar data breach, which included leaked information regarding the upcoming “Grand Theft Auto VI” video game. The suspect may have ties to the Lapsus$ ransomware group and have some involvement in another data breach against the Uber rideshare company. Lapsus$’s recent activities are vastly different from what APTs’ traditional goals are, usually related to making money somehow, instead opting to just seemingly want to cause chaos of the sake of it. These two major breaches highlight the fact that many major organizations have unaddressed vulnerabilities. (TechCrunch, Wired) 

A disgruntled developer leaked the encryptor behind the LockBit 3.0 ransomware, the latest in a line of drama with the group. The builder works and could allow anyone to build their own ransomware. The Bl00Dy ransomware gang has already started to use the leaked builder in attacks against companies. Bl00Dy has been operating since May 2022, first targeting medical and dental offices in New York. In the past, the group has also used leaked code from Babuk and Conti to build their ransomware payloads. They also claim to have a Tor channel they use to post leaks from affected companies if they do not pay the ransom. (The Record, Bleeping Computer) 

Can’t get enough Talos? 

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week