
August 30, 2024
A large-scale QR code phishing campaign has abused Microsoft Sway, Microsoft's free cloud-hosted presentation tool, to trick Microsoft 365 users into handing over their credentials. Netskope Threat Labs, which detected the campaign in July 2024, measured a roughly 2,000-fold increase in traffic to Sway-hosted phishing pages, with targets concentrated in Asia and North America and in the technology, manufacturing, and finance sectors. The phishing emails led victims to Sway-hosted pages that asked them to scan a QR code; the code resolved to a credential-harvesting site. Because the URL is embedded in an image, it escapes email scanners that inspect text links, and the victim completes the visit on a phone that typically sits outside corporate security controls. The attackers also used transparent phishing, an adversary-in-the-middle technique in which the phishing page relays the victim's credentials and MFA response to the real Microsoft sign-in, and put Cloudflare Turnstile challenges in front of the pages to keep automated scanners from reaching the content. The technique echoes the earlier PerSwaysion campaign, which likewise used Sway to harvest Office 365 credentials from executives across several sectors.
Microsoft Sway abused in massive QR code phishing campaign Bleeping Computer
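The summary above describes two signals a mail gateway can act on: links to Sway hosts, and an image-only message (the QR lure) with no clickable links. The following is an added example, not code from Netskope or the article, that scores constructed mail-gateway events on those signals. The event fields, the list of Sway hosts (sway.cloud.microsoft and sway.office.com), the lure keywords, and the weights are assumptions chosen for illustration, not a vendor schema or a tuned rule.

```python
"""Triage mail-gateway events for the Sway / QR-code phishing pattern.

Added example, not from Netskope or BleepingComputer.  The event schema,
host list, keyword list and weights below are illustrative assumptions.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: hosts that serve Microsoft Sway pages; extend for your tenant.
SWAY_HOSTS = {"sway.cloud.microsoft", "sway.office.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
# Assumption: subject wording typical of credential lures.
LURE_WORDS = ("verify", "password", "expire", "payroll", "shared document")


@dataclass
class MailEvent:
    msg_id: str
    subject: str
    body_text: str          # text part; near-empty when the lure is an image
    image_attachments: int  # inline or attached images (a QR code is an image)
    url_count: int          # clickable links the gateway extracted


def sway_urls(text: str) -> list[str]:
    """Return the URLs in text whose host is a Microsoft Sway host."""
    hits = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;")
        host = (urlparse(url).hostname or "").lower()
        if host in SWAY_HOSTS:
            hits.append(url)
    return hits


def score_event(ev: MailEvent) -> tuple[int, list[str]]:
    """Score one event; returns (score, reasons).  Weights are assumptions."""
    score, reasons = 0, []
    if sway_urls(ev.body_text):
        score += 2
        reasons.append("link to Microsoft Sway page")
    # Image-only body with no extractable link: the QR lure shape.  Weighted 1
    # because ordinary photo mail matches it too; it needs a second signal.
    if ev.image_attachments > 0 and ev.url_count == 0 and len(ev.body_text.strip()) < 80:
        score += 1
        reasons.append("image-only body with no clickable links (QR lure pattern)")
    if any(w in ev.subject.lower() for w in LURE_WORDS):
        score += 1
        reasons.append("credential-lure wording in subject")
    return score, reasons


def triage(events: list[MailEvent], threshold: int = 2) -> dict[str, list[str]]:
    """Return {msg_id: reasons} for events at or above the threshold."""
    flagged = {}
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged[ev.msg_id] = reasons
    return flagged


# Constructed sample events (not real captures).
SAMPLE_EVENTS = [
    MailEvent("m1", "Password expiration notice",
              "Your password expires today. Review the notice here: "
              "https://sway.cloud.microsoft/s/abc123", 0, 1),
    MailEvent("m2", "Scan to view shared document", "", 1, 0),
    MailEvent("m3", "Weekly sync",
              "Hi team, agenda attached. See https://example.com/meeting", 0, 1),
    MailEvent("m4", "Offsite pics", "Photo from the offsite", 3, 0),
]

if __name__ == "__main__":
    for msg_id, reasons in triage(SAMPLE_EVENTS).items():
        print(msg_id, "->", "; ".join(reasons))
```

With these weights, m1 (Sway link plus lure subject) and m2 (image-only body plus lure subject) are flagged, while m4, a plain photo message, scores 1 and is not. In production the Sway-link signal should feed a sandbox that renders the page and decodes any QR image, since the gateway never sees the final credential-harvesting URL directly.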
August 30, 2024
McLaren Port Huron Hospital reverted to using paper records following a ransomware attack on Aug. 6 that disrupted the IT systems of McLaren Health Care, impacting 13 of its facilities. Although IT systems are now restored, the hospital faces delays in patient care and is working to catch up on missed appointments by the end of the week. The transfer of patient information from paper back into electronic systems is expected to take several weeks.
Cyberattack forced Michigan hospital to use paper records for 1st time in 20 years, CEO says Becker's Hospital Review
August 30, 2024
A recent Sophos report details significant updates to Poortry (also tracked as BurntCigar), a toolkit ransomware groups use to disable endpoint protection. Originally built to terminate endpoint detection and response (EDR) processes, the toolkit can now delete the EDR software's files from disk, leaving the host unprotected rather than merely blinded. It consists of a malicious kernel driver and a user-mode loader, both heavily obfuscated to evade detection, and has been used by ransomware gangs including Cuba, BlackCat, and LockBit. After Microsoft closed the loophole that had let the developers obtain Microsoft-signed kernel drivers, they switched to forging signature timestamps, which exploits Windows' exception for drivers signed before the 2015 signing-policy cutoff, and to signing with stolen or leaked legitimate code-signing certificates. With a working signed driver and the ability to remove security software outright, the toolkit now behaves much like a rootkit, and defenders should treat Microsoft's vulnerable and malicious driver blocklist, along with monitoring for unexpected driver loads and EDR service tampering, as baseline controls.
Tool used by ransomware groups now seen killing EDR: Report CSO Online
August 30, 2024
In his article, Jon Oltsik outlines "5 Best Practices for Running a Successful Threat-Informed Defense in Cybersecurity," emphasizing the importance of tailoring cybersecurity strategies to specific threats. He discusses the need for establishing a threat intelligence lifecycle, using threat intelligence for exposure management, driving detection engineering, promoting threat hunting, and pursuing continuous testing. These practices involve continuous improvement and alignment of resources to manage vulnerabilities effectively, write and refine detection rules, automate compromise detection, and conduct ongoing testing to identify gaps in defenses. Oltsik highlights that while challenging, adopting a threat-informed defense can lead to improved security efficacy and organizational efficiency.
5 best practices for running a successful threat-informed defense in cybersecurity publication


© Copyright 2024 Health Lyrics All rights reserved