Threat Intel Brief for December 16 - December 22, 2024
In this weekly Threat Intelligence Brief we look back at top stories and security related callouts to provide relevant and actionable insights for the information security consumer.
We reference threat intelligence gained through our position as a security provider as well as industry sources in the development of this brief.
In this edition:
Holiday phishing advisory
CISA SCuBA project to secure cloud environments
Malicious VSCode extensions
CISA KEV updates
Holiday phishing advisory
It's that time of year: threat actors are leveraging the holiday season to launch malware, fraud, and phishing campaigns targeting individuals seeking deals, bonuses, or seasonal jobs. Proofpoint threat researchers released a report detailing the increased use of social engineering to craft convincing, time-sensitive lures that exploit the heightened sense of urgency during this holiday season.
Threat actors often align their phishing campaigns with seasons and events to make their attacks more convincing and relevant to potential victims. Examples include phishing emails posing as airlines delivering the Remcos RAT, HR-themed scams promising holiday bonuses to steal credentials, and employment fraud schemes impersonating nonprofits to target university users. Organizations should remain vigilant and reinforce cybersecurity awareness during this period. A few recommendations to help defend against these types of attacks in Azure and M365 include:
- Deploy advanced anti-phishing tools like Microsoft Defender for Office 365
- Require MFA and prioritize secure implementations like FIDO tokens or Microsoft Authenticator with passkeys
- Implement conditional access
- Enable Safe Links and Safe Attachments in Office 365
- Turn on ZAP (zero-hour auto purge) in Office 365 to retroactively quarantine and mitigate threats in messages that were already delivered
Source: Proofpoint
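The Office 365 items in the list above (Safe Links, Safe Attachments, ZAP) can be audited from Exchange Online PowerShell. The script below is an added example, not part of the brief or Proofpoint's report; it assumes the ExchangeOnlineManagement module and an account with at least the Security Reader role, and it checks policy settings only (MFA and conditional access live in Entra ID and are not covered here).

```powershell
# Added audit script (example, not from the brief): reports Defender for Office 365
# policy settings that do not match the recommendations above.
# Assumes: ExchangeOnlineManagement module installed, Security Reader (or higher) role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$findings = @()

# Safe Links: rewrite and scan URLs in email, and do not let users click through to blocked URLs
foreach ($p in Get-SafeLinksPolicy) {
    if (-not $p.EnableSafeLinksForEmail) { $findings += "SafeLinks '$($p.Name)': not enabled for email" }
    if (-not $p.ScanUrls)               { $findings += "SafeLinks '$($p.Name)': real-time URL scanning is off" }
    if ($p.AllowClickThrough)           { $findings += "SafeLinks '$($p.Name)': users may click through to blocked URLs" }
}

# Safe Attachments: at least one policy should exist, be enabled, and block (or dynamically deliver)
# rather than only monitor
$sa = @(Get-SafeAttachmentPolicy)
if ($sa.Count -eq 0) { $findings += "No Safe Attachments policy is defined" }
foreach ($p in $sa) {
    if (-not $p.Enable) { $findings += "SafeAttachments '$($p.Name)': disabled" }
    if ($p.Action -notin @('Block', 'DynamicDelivery')) {
        $findings += "SafeAttachments '$($p.Name)': action is '$($p.Action)', not Block or DynamicDelivery"
    }
}

# ZAP: malware ZAP is set on the malware filter policy, phish/spam ZAP on the spam filter policy
foreach ($p in Get-MalwareFilterPolicy) {
    if (-not $p.ZapEnabled) { $findings += "MalwareFilter '$($p.Name)': ZAP is off" }
}
foreach ($p in Get-HostedContentFilterPolicy) {
    if (-not $p.PhishZapEnabled) { $findings += "SpamFilter '$($p.Name)': phish ZAP is off" }
    if (-not $p.SpamZapEnabled)  { $findings += "SpamFilter '$($p.Name)': spam ZAP is off" }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "All checked Safe Links, Safe Attachments and ZAP settings match the recommendations"
}

Disconnect-ExchangeOnline -Confirm:$false
```

A policy only takes effect for the users its rule scopes to, so after fixing a flagged setting confirm the matching rule (Get-SafeLinksRule / Get-SafeAttachmentRule) is enabled and covers the intended recipients.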
CISA SCuBA project to secure cloud environments
CISA recently announced BOD 25-01, a binding operational directive that orders federal civilian agencies to secure their cloud environments. The required configurations for Microsoft 365 are linked as source material. The Secure Cloud Business Applications project, known as SCuBA, helps assess the security configuration of customer cloud environments. The tool is easy to set up and run, and it provides actionable output in the form of specific recommendations tied to the advised baseline security configurations. Here's an example report listing the specific products tested; each product can be drilled into when clicked:
The SCuBA tool is a great way to help get a security configuration baseline established and works for both Google and Microsoft cloud products.
Source: CISA | SCuBA CISA | BOD 25-01
Malicious VSCode extensions
A new wave of malicious extensions is available on the VSCode marketplace. According to researchers at ReversingLabs, this campaign has been ongoing since October 2024 and, while it initially focused on the crypto community, it has shifted to targeting developers. One of the main tactics used by those distributing the suspect extensions is fake positive reviews and ratings combined with an inflated install count. A full list of the identified malicious VSCode extensions provided by ReversingLabs is included here:
Developers must remain vigilant when using packages from public repositories or installing extensions, as malicious code can enter larger projects through their dependencies. Organizations should thoroughly evaluate the features and behaviors of open-source, third-party, and commercial code to track dependencies and identify potential threats.
Source: ReversingLabs Medium
CISA KEV updates
CISA has added 8 new CVEs to their Known Exploited Vulnerability (KEV) catalog this week:
Don't know where to begin with vulnerability management?
Using CISA's KEV catalog as a risk-based approach can be a great way to help prioritize vulnerability remediation in your organization. The linked CISA guidance explains how to put the KEV catalog into practice.
Source: Known Exploited Vulnerabilities Catalog | CISA
Coretek's managed SOC/SIEM customers benefit from the latest threat intelligence. If you're interested in learning more about what Coretek can offer your organization, please reach out: https://coretek.com/contact