Surefire Cyber Inc.

During the Ransomware Advisory session at NetDiligence®'s #CyberRiskSummit, our DFIR Director, Matthew Dowling, shares insights from the LockBit takedown. Watch the recording: https://hubs.la/Q02FsxqK0 #ransomware #DFIR #incidentresponse #cybersecurity

Please give a warm welcome to the newest member of our team, Doug Mueller. Doug will work closely with our #engineering, #technology, and product teams on the strategic vision of our data and #intelligence products. Meet our team https://hubs.la/Q02FsHz90. #DFIR #incidentresponse

Wishing you a safe and joyous Independence Day filled with family, food and fun! #independenceday #FourthOfJuly

Our head of delivery sat down with the editors at Dark Reading to discuss #ransom negotiations. The key takeaway is to ensure you have a trusted partner that demonstrates empathy and critical thinking to help guide you through difficult decisions. #cybersecurity #incidentresponse #IR #DFIR

Earlier this week #Lockbit made headlines with claims they breached the Federal Reserve. They posted the Federal Reserve logo to their leak site and stated they would release data if the #ransom was not paid. Lockbit has instead stolen data from Evolve Bank & Trust and is also said to be behind an #attack on Indonesia’s national #datacenters. These developments suggest that Lockbit is trying to maintain their profile and relevancy. It is also interesting to note that they have not just updated their #malware and rebranded as so many other groups do. This may indicate that the law enforcement operations, which seized future code updates, may have caused the disruption intended. The damage to their reputation, and seeming desire to restore it may also indicate that they believe they will struggle to recruit affiliates to any rebranded group. All of this behavior suggests unpredictability. We may see them changing tactics, particularly in #negotiations, and causing more destruction in #cyberattacks as they fight to regain dominance.

📢 Don't miss the latest report from the Federal Bureau of Investigation (FBI) and U.S. Department of Health and Human Services (HHS) on indicators of compromise and tactics, techniques, and procedures associated with #socialengineering. #healthcare #Ransomware #cybersecurity

ONNX Store has been targeting Microsoft 365 accounts at financial firms. ONNX is a phishing-as-a-service (PhaaS) platform that was initially discovered in early 2024 and is believed to be a rebranded version of the Caffeine #phishing kit. 𝐖𝐡𝐚𝐭 𝐘𝐨𝐮 𝐍𝐞𝐞𝐝 𝐓𝐨 𝐊𝐧𝐨𝐰 𝐓𝐚𝐫𝐠𝐞𝐭𝐬: Microsoft 365 accounts in financial firms 𝐏𝐡𝐢𝐬𝐡𝐢𝐧𝐠 𝐦𝐞𝐭𝐡𝐨𝐝: QR codes in PDFs, bypasses traditional email #phishing defenses 𝐓𝐰𝐨-𝐟𝐚𝐜𝐭𝐨𝐫 𝐚𝐮𝐭𝐡𝐞𝐧𝐭𝐢𝐜𝐚𝐭𝐢𝐨𝐧 (2𝐅𝐀) 𝐛𝐲𝐩𝐚𝐬𝐬: Real-time capture of login credentials and 2FA tokens 𝐎𝐩𝐞𝐫𝐚𝐭𝐢𝐨𝐧𝐚𝐥 𝐬𝐞𝐜𝐮𝐫𝐢𝐭𝐲: Uses Cloudflare for domain protection and bulletproof for hosting 𝐖𝐡𝐲 𝐈𝐭'𝐬 𝐈𝐦𝐩𝐨𝐫𝐭𝐚𝐧𝐭 𝘌𝘯𝘩𝘢𝘯𝘤𝘦𝘥 𝘈𝘵𝘵𝘢𝘤𝘬 𝘚𝘰𝘱𝘩𝘪𝘴𝘵𝘪𝘤𝘢𝘵𝘪𝘰𝘯 𝐁𝐲𝐩𝐚𝐬𝐬𝐞𝐬 𝐭𝐫𝐚𝐝𝐢𝐭𝐢𝐨𝐧𝐚𝐥 𝐝𝐞𝐟𝐞𝐧𝐬𝐞𝐬: The use of QR codes embedded in PDFs allows the phishing attempts to evade detection by traditional email security defenses, which typically focus on scanning text-based content and URLs. This method exploits a gap in conventional defenses, making it important for organizations to update their scanning technologies to include QR code analysis. 𝐑𝐞𝐚𝐥-𝐭𝐢𝐦𝐞 𝐜𝐫𝐞𝐝𝐞𝐧𝐭𝐢𝐚𝐥 𝐜𝐚𝐩𝐭𝐮𝐫𝐞: The #2FA bypass technique allows attackers to capture login credentials and 2FA tokens in real-time. This capability undermines the additional layer of security provided by 2FA, requiring the need for more robust measures like hardware #security keys e.g., FIDO2 𝘏𝘪𝘨𝘩-𝘙𝘪𝘴𝘬 𝘚𝘦𝘤𝘵𝘰𝘳 𝐄𝐱𝐩𝐚𝐧𝐝𝐢𝐧𝐠 𝐭𝐚𝐫𝐠𝐞𝐭𝐬: In addition to financial firms, ONNX has been observed targeting other industries such as healthcare, retail, education, and government. Each of these sectors has its unique #vulnerabilities and high-value data, increasing the overall threat landscape. 𝘙𝘦𝘢𝘭-𝘵𝘪𝘮𝘦 𝘛𝘩𝘳𝘦𝘢𝘵 𝐈𝐦𝐦𝐞𝐝𝐢𝐚𝐭𝐞 𝐚𝐜𝐜𝐨𝐮𝐧𝐭 𝐡𝐢𝐣𝐚𝐜𝐤𝐢𝐧𝐠: The real-time sending of credentials and 2FA tokens allows the attackers to hijack accounts immediately. This quick access can lead to quick data #exfiltration, #fraudulent transactions, and further internal #phishing attacks within the compromised organization before the victim can even respond.

Today we join the nation in commemorating the end of slavery and celebrating the values of #freedom and #unity. At Surefire Cyber Inc. we stand committed to fostering an #inclusive and #diverse culture where every individual is valued and respected. #freedomday #Juneteeth

𝐄𝐱𝐜𝐢𝐭𝐢𝐧𝐠 𝐍𝐞𝐰𝐬! We're thrilled to welcome William Cordio to our #DFIR team! Billy will lead and oversee active #incidentresponse engagements, working closely with clients to guide them through the #IR lifecycle from #detection to #recovery. 𝐖𝐞𝐥𝐜𝐨𝐦𝐞 𝐁𝐢𝐥𝐥𝐲!! #cybersecurity #newjoiner #newhire

About 165 Snowflake customers have had their data exposed. The company has stated that the incidents are not due to a #vulnerability in their platform but instead are attributed to comprised credentials. The attackers used the stolen credentials to target accounts lacking multi-factor authentication (MFA). The customer list includes many high-profile companies such as Ticketmaster, Santander and Advance Auto Parts. These incidents serve as a stark reminder to implement robust authentication measures such as #MFA, especially as more companies are adopting cloud-based data platforms and storage solutions. 𝐊𝐞𝐲 𝐭𝐚𝐤𝐞𝐚𝐰𝐚𝐲𝐬 𝐟𝐨𝐫 𝐚𝐥𝐥 𝐨𝐫𝐠𝐚𝐧𝐢𝐳𝐚𝐭𝐢𝐨𝐧𝐬: - Review authentication practices - Implement MFA - Conduct regular security audits - Administer employee training - Adopt robust password management policies #cybersecurity #ransomwareprotection