cybercrime – PwnDefend

Analysing 1 Million Honeypot events with Defused Cyber Deception

A common perimeter firewall in organisations is the CISCO ASA. Back when I started in the industry we used to have CISCO PIX firewalls, the ASA was the next generation of these! Why is this important? Well its important to understand how common threat actors work, you will see from a while ago I wrote a review of the manual 2.0 by Bassterlord (a known cybercriminal), this is to help understand how attackers work, what real world cybercrime looks like so that we can enable people to help defend against these threats.

Education

A threat to sanity – Cyber Myth: Juice Jacking

“Juice jacking” has become a modern cybersecurity myth — a catchy scare story built on a long-patched Android debugging issue and fueled by viral fear rather than facts. Despite years of warnings, there are no confirmed cases of real-world juice jacking attacks; the cost, effort, and low reward make it an impractical method for criminals. Yet the myth persists because it’s vivid, simple, and scary — everything our brains latch onto. The real danger is not the USB port at the airport, but the distraction such myths create. When people focus on imaginary threats, they waste precious attention that should go toward genuine risks like weak passwords, missing MFA, unpatched systems, and poor backups. So let’s take a bit of a deeper dive into this subject, because by it’s important to understand what to, and what not to focus on in my experience!

News

‘Secure’ Firewall backups, until they are not!

Firewalls are often both a defended gate but also the front door to access corporate network. That is all lovely until it’s not! You see so many corporate network intrusion incidents occur from threat actors simply logging into the VPN (due to lack of VPN), and then we have the software vulnerabilities where they shell their way in, but did you think that another way could be from stealing all the backups from a ‘security’ provider? Well now you might! There’s been bit of an incident (one that started as it’s only 5% of customers but actually it was 100% of customers who used the backup feature! YIKES), but before that let’s look at the typical landscape!

Threat Intel

Shiny Hunters / Scattered Spider Alleged Victims

Shiny Hunters/Scattered spider have published a leaked download site (DLS)/extortion site etc.
This is a fast publish with content mainly generated using an LLM (GROK). This appears to relate to victims who have been victims of social engineering, it does not appear to be related to the Salesforce, SalesLoft Drift breach: https://help.salesforce.com/s/articleView?id=005134951&type=1

Defence

Business Email Compromise: Impact Assessment

If you are are a victim of unauthorised mailbox access and/or attempted fraud via mailbox compromise (BEC) then you know that one of the tasks outside of understanding how the compromise has occurred, what configurations have been tampered with, removing devices and resetting usernames/passwords (and tokens/MFA) etc. is to start to understand the data breach impact.

If someone has logged into a mailbox it’s very very unlikely that zero data has been accessed!

News

Japan goes on the Cyber Offensive

Ok with my AI companion GROK I’ve gone exploring on the differences between Japan’s new cyber laws and the UK! This is more GROK than me, but I thought people might find this interesting!

Leadership

Cybercrime and data theft

During an incident it’s one of the first questions people ask, what did the attacker do? Did they steal any data? How did they do it?

All of which are typically rather difficult to answer in the first, probably week of an incident (incidents vary, sometimes it’s very obvious, other times you can’t be 100% sure on some details!)

But recently I’ve been talking lots about the way organisations communicate during incidents to their customers and the public etc. I’ve been explaining that the day 0 comms of ‘no data was stolen’ followed by a ‘lots of data was stolen’ in say day zero plus five… well it doesn’t help with my my trust in the victim organisation. Which to me, seems like an odd strategy for organisations to take. They have options:

Threat Intel

The Com, 764, and Associated Groups

In evaluating capabilities for LLMs (AI) recently, I’m looking at the viability of creating more content with them. I’m explicitly calling out where I do, aside from my writing style, I’m also keen to show the pros and cons. Do LLMs replace humans? Not from my experience so far. I’ve been looking at combined physical + digital attacks recently and the associated threat classes… I’m trying to avoid the word group or gang, because collectives are slightly different and are dynamic, almost mission focused if you will.

Threat Intel

An evolution of threat actor

Motivation and a diverse network of people and capabilities can go a long way, then add in digital skills and winning steak… and you have: scattered spider!

There’s a big difference between zero day spraying the internet and planting webshells or copying someone’s open S3 bucket and say…. doxing staff, their families and attacking them and their assets in the real and digital worlds.

I think people won’t broadly grasp the effects that can be achieved (harm) when the adversary is motivated, dedicated, capable, resourced and has very little moral qualms.

There is no magic bullet to defend against an adversary like this, you need a whole of organisation defence (and to pursue even more than that!).

Threat Intel

Defending Against Scattered Spider

Defending against different skilled threat classes is an important thing to consider when you are planning, designing and operating a business. I’ve used GROK (AI) to create an html page which has both information on the kill chains, but also looks at countermeasures. I’m experimenting lots with VIBE coding and LLM assisted content generation so hopefully this proves useful. I do feel it needs a more human touch added as well… but let’s see! life without experimentation would be dull would it not!