Free vCISO Course: Turning MSPs and MSSPs into Cybersecurity Powerhouses - Related to 130, firms, defending, threat, ‘0ktapus’

Defending against USB drive attacks with Wazuh

USB drive attacks constitute a significant cybersecurity risk, taking advantage of the everyday use of USB devices to deliver malware and circumvent traditional network security measures. These attacks lead to data breaches, financial losses, and operational disruptions, with lasting impacts on an organization's reputation. An example is the Stuxnet worm discovered in 2010, a malware designed to target industrial control systems, specifically Iran's nuclear enrichment facilities. It exploited multiple zero-day vulnerabilities and spread primarily through USB drives, making it one of the first examples of a cyberattack with real-world physical effects. Stuxnet exposed the risks of removable media and raised global awareness of cybersecurity threats to critical infrastructure.

Attackers use various methods to deliver malicious payloads via USB drives, targeting individuals and organizations.

Drop attacks : Infected USB drives are deliberately left in public areas, such as parking lots, to entice victims to plug them in and infect their computers.

: Infected USB drives are deliberately left in public areas, such as parking lots, to entice victims to plug them in and infect their computers. Mail-based attacks : USB drives are sent to targets via mail, disguised as promotional items or legitimate devices, to trick them into plugging them into their systems.

: USB drives are sent to targets via mail, disguised as promotional items or legitimate devices, to trick them into plugging them into their systems. Social engineering : Attackers use psychological tactics to persuade victims to connect infected USB drives to their computers.

: Attackers use psychological tactics to persuade victims to connect infected USB drives to their computers. Unsolicited plugging: Attackers plug infected USB drives into unattended systems, spreading malware without victim interaction.

USB drive attacks typically follow a multi-step process to infiltrate systems and cause damage.

Reconnaissance: Attackers research their target to identify potential vulnerabilities. In this case, they may gather information about the organization, its employees, and its operational environment to determine the likelihood of someone using a USB drive.

Attackers research their target to identify potential vulnerabilities. In this case, they may gather information about the organization, its employees, and its operational environment to determine the likelihood of someone using a USB drive. Weaponization: Threat actors prepare the USB drive by embedding malware. This can be achieved by directly infecting the drive or crafting a seemingly benign file, such as a document, video, or image, which contains hidden malicious code.

Threat actors prepare the USB drive by embedding malware. This can be achieved by directly infecting the drive or crafting a seemingly benign file, such as a document, video, or image, which contains hidden malicious code. Delivery: Attackers distribute the infected USB drive to targets by dropping it in public areas, giving it away as a promotional item, or using social engineering to deliver it.

Attackers distribute the infected USB drive to targets by dropping it in public areas, giving it away as a promotional item, or using social engineering to deliver it. Exploitation: When the target connects to the USB drive, the malware is activated automatically or through user interaction, exploiting system vulnerabilities.

When the target connects to the USB drive, the malware is activated automatically or through user interaction, exploiting system vulnerabilities. Installation: The malware is installed on the target system, gaining persistence. This step allows the attacker to maintain control of the infected device even if it is rebooted or disconnected.

The malware is installed on the target system, gaining persistence. This step allows the attacker to maintain control of the infected device even if it is rebooted or disconnected. Command and Control (C2): The malware communicates with the attacker's server. This enables the attacker to issue commands, exfiltrate data, or deploy additional payloads.

The malware communicates with the attacker's server. This enables the attacker to issue commands, exfiltrate data, or deploy additional payloads. Actions on Objectives: The attackers achieve their goals, such as stealing sensitive data, deploying ransomware, or establishing persistent access for future exploitation.

Figure 1: Steps showing how USB Drive attacks work.

Enhance your cybersecurity posture against USB drive attacks with Wazuh.

Wazuh is an open source security platform that helps organizations detect and respond to security threats by monitoring system activities, from informational events to critical incidents. Organizations can proactively prevent breaches and safeguard sensitive data by monitoring USB activity with Wazuh.

Monitoring USB drive activities in Windows using Wazuh.

Wazuh monitors USB drive activities on Windows endpoints using the Audit PNP Activity feature. This feature logs Plug and Play (PnP) events, which helps identify when USB drives are connected. It is available on Windows 10 Pro and Windows 11 Pro, Windows Server 2016, and later versions.

Organizations can configure Wazuh to detect specific system events and monitor USB-related events, particularly focusing on Windows event ID 6416, which indicates when an external device is connected. Security administrators can detect USB device connections by creating Wazuh custom rules to identify potential security incidents.

The next step includes creating a Constant Database (CDB) of permitted devices' unique device identifiers (DeviceID). This list allows Wazuh to differentiate between authorized and unauthorized devices, generating alerts for both categories. For instance, when an authorized USB drive is plugged in, it triggers a lower-level alert, while unauthorized connections can generate high-severity alerts that indicate a potential security breach.

Figure 2: USB drive plug-in events on a monitored Windows endpoint.

Threat detection use case: Detecting the Raspberry Robin USB-Drive activities.

Wazuh provides a solution to mitigate USB-related threats, such as Raspberry Robin, a Windows-based worm.

Raspberry Robin targets industries like oil, gas, transportation, and tech, causing operational disruptions. It spreads via disguised .lnk files, gains persistence by updating the UserAssist registry, and mimics legitimate folders. The worm uses legitimate Windows processes such as [website], [website], [website], and [website] to execute, persist, and download additional malicious components. Its reliance on TOR-based command and control (C2) servers for outbound communication adds stealth and complicates detection.

Wazuh detects Raspberry Robin by monitoring registry modifications, unusual command execution patterns, and suspicious system binaries use. Its real-time file integrity monitoring and threat detection rules identify malicious activity, enabling swift response to mitigate potential disruptions.

Wazuh detects and mitigates Raspberry Robin by monitoring and responding to suspicious activity like:

Anomalous [website] activities : terminating suspicious processes or isolating affected endpoints.

: terminating suspicious processes or isolating affected endpoints. Flagging [website] downloads from obscure domains, blocking connections, and alerting administrators.

from obscure domains, blocking connections, and alerting administrators. Detecting UAC bypass via [website] , terminating the process, and notifying administrators.

, terminating the process, and notifying administrators. Blocking unusual outbound connections by [website] and [website].

Below is a sample custom rule configuration that detects possible Raspberry Robin activities.

92004 (?i)cmd\.exe$ (?i)cmd\.exe.+((\/r)|(\/v\.+\/c)|(\/c)).*cmd Possible Raspberry Robin execution on $([website] [website] 61603 (?i)msiexec\.exe$ (?i)msiexec.*(\/q|\-q|\/i|\-i).*(\/q|\-q|\/i|\-i).*http[s]{0,1}\:\/\/.+[.msi]{0,1} [website] downloading and executing packages on $([website] [website] 61603 (?i)(cmd|powershell|rundll32)\.exe (?i)fodhelper\.exe Use of [website] to bypass UAC on $([website] [website] 61603 (regsvr32\.exe|rundll32\.exe|dllhost\.exe).*\";[website]\(\);GetObject\(\"script:.*\).Exec\(\) Possible Raspberry Robin execution on $([website] [website].

Figure 5: Raspberry Robin IoCs and behaviors detected on a monitored Windows endpoint.

Figure 6: An alert showing the Raspberry Robin IoCs detected on a monitored Windows endpoint.

Monitoring USB drives in Linux using Wazuh.

USB drives can also introduce security risks to Linux endpoints as potential vectors for malware and unauthorized data access. udev is a system utility on Linux that automatically detects and manages external devices, such as USB drives, when plugged in. It creates the necessary device files in the /dev directory so that the system can interact with them. Administrators can create custom udev rules that generate detailed events, providing insights into USB activity. Wazuh has built-in rules for USB monitoring, but udev-generated events provide richer details, improving threat detection.

We configure udev rules on our Linux endpoints to trigger a logging script whenever a USB device is connected. The Wazuh agent must be set up to read the generated JSON log file produced from the logging script, allowing it to process and analyze USB activity.

Like the Windows USB drive monitoring, you need a constant database (CDB) list of authorized USB device serial numbers. Wazuh will compare incoming connections against this list, triggering alerts for unauthorized devices.

Figure 7: USB drive alerts for a monitored Linux endpoint.

Figure 8: An unauthorized USB drive event on a monitored Linux endpoint.

The blog post on Monitoring USB drives in Linux using Wazuh provides more information on monitoring USB drives plugged into Linux endpoints.

Monitoring USB drives in macOS using Wazuh.

You can use a custom script to log critical events related to USB devices on macOS endpoints and then configure Wazuh to monitor these events. Administrators can extract information such as connection and disconnection events, vendor IDs, product IDs, and serial numbers of USB drives plugged in. This script interacts with macOS's I/O Kit framework to gather USB device information, which is then formatted as JSON and saved to a log file. The log data generated from this custom script is sent to the Wazuh server for analysis using the Wazuh agent.

The blog post on Monitoring USB drives in macOS using Wazuh displays the steps to monitor USB drives on macOS endpoints.

Figure 9: USB drive alerts on a monitored macOS endpoint.

Figure 10: Unauthorized USB drive alert on a monitored macOS endpoint.

USB drive attacks pose a security risk across major operating systems, enabling malware propagation and unauthorized access to malicious actors.

Wazuh offers various detection mechanisms to increase the chances of detecting USB Drive attacks and mitigate the potential impact. Organizations can enhance cybersecurity by integrating these detection methods and enforcing strict USB access policies.

The FBI joined authorities across Europe last week in seizing domain names for Cracked and Nulled, English-language cybercrime forums with millions of......

Targeted attacks on Twilio and Cloudflare employees are tied to a massive phishing campaign that resulted in 9,931 accounts at over 130 organizations ......

A new malware campaign has been observed targeting edge devices from Cisco, ASUS, QNAP, and Synology to rope them into a botnet named PolarEdge since ......

Free vCISO Course: Turning MSPs and MSSPs into Cybersecurity Powerhouses

We’ve all heard a million times: growing demand for robust cybersecurity in the face of rising cyber threats is undeniable. Globally small and medium-sized businesses (SMBs) are increasingly targeted by cyberattacks but often lack the resources for full-time Chief Information Security Officers (CISOs).

This gap is driving the rise of the virtual CISO (vCISO) model, offering a cost-effective solution, and giving SMBs access to strategic security leadership.

For MSPs and MSSPs this shift represents both a challenge and an opportunity. Over 94% of service providers recognize the increasing need for vCISO services, yet, over 25% of providers study lacking the cybersecurity and compliance expertise needed to offer vCISO services.

This gap is exactly why the vCISO Academy was created —to empower service providers with the knowledge and skills they need to thrive in this evolving landscape.

The vCISO Academy is a free, professional learning platform designed to equip service providers with the knowledge and training needed to build and expand their vCISO offerings, helping them superior serve their clients and bolster cybersecurity resilience.

The demand for vCISO services has exploded in recent years, driven by the increasing frequency and sophistication of cyberattacks on SMBs. The latest State of the vCISO Survey (2024) which interviewed 200 senior security leaders, revealed that 94% of service providers see demand for vCISO services and 98% of service providers who don’t currently offer vCISO services plan to introduce them in the foreseeable future.

This underscores the critical importance of vCISO services for MSPs and MSSPs, not just as a way to meet rising demand but also to stay competitive in a market where cybersecurity has become a business imperative.

MSPs, MSSPs: What does it really take to be a full-fledged virtual CISO? Virtual Chief Information Security Officer (vCISO) services are in high demand in today's constantly shifting cybersecurity landscape. What is really needed in order to provide vCISO service? Download to get a enhanced understanding of the vCISO’s main duties, roles and responsibilities Download for free.

The Expertise Gap in Delivering vCISO Services.

While the market for vCISO services is rapidly expanding, many MPSs and MSSPs struggle to offer these services due to lack of in-house expertise and resources. In fact, over 25% of service providers investigation lacking the necessary expertise to offer comprehensive vCISO services.

Service providers often hesitate to offer vCISO services due to the complexity of the role, which requires a combination of technical expertise, regulatory knowledge, and business strategy alignment. Additionally, they face challenges like resource constraints, uncertainty about having the necessary staff or budget, and concerns about scaling the services without overextending themselves.

The vCISO Academy was created to help MSPs and MSSPs address these concerns. It provides a clear, step-by-step roadmap that simplifies the process, enabling service providers to confidently start and grow their vCISO offerings.

How the vCISO Academy Fills This Critical Gap.

The vCISO Academy provides self-paced, hands-on learning designed to equip service providers with the training and knowledge needed to develop and scale their vCISO offerings.

Expert guidance from industry experts who share their practical knowledge and experience on a wide range of essential vCISO functions, including risk and compliance assessments, cybersecurity strategy development, and effective communication of risks to executive teams.

Self-paced learning allows access to videos, tools, and resources anytime and anywhere.

An interactive platform that provides exercises and real-world examples to reinforce understanding.

The Academy empowers MSPs and MSSPs to not only offer vCISO services confidently but also, build new revenue streams, enhance client relationships, and ensure their clients’ cybersecurity resilience.

Empowering MSPs and MSSPs to Accelerate Their vCISO Journey.

By addressing the knowledge shortage and providing structured, accessible learning, the vCISO academy allows service providers to:

Broaden your perspective: The vCISO Academy provides a deeper understanding of what it means to be a vCISO with specialized training to address the cybersecurity shortage. By helping to equip professionals with vCISO expertise, the Academy is helping fill a critical gap in the industry, ensuring businesses have access to the security leadership they need.

The vCISO Academy provides a deeper understanding of what it means to be a vCISO with specialized training to address the cybersecurity shortage. By helping to equip professionals with vCISO expertise, the Academy is helping fill a critical gap in the industry, ensuring businesses have access to the security leadership they need. Empower professional growth: The vCISO Academy is designed to advance professionals' careers by developing their vCISO skills, positioning them as trusted advisors, and making them invaluable to their clients. Courses are created by industry experts who share practical knowledge and real-world experience.

The vCISO Academy is designed to advance professionals' careers by developing their vCISO skills, positioning them as trusted advisors, and making them invaluable to their clients. Courses are created by industry experts who share practical knowledge and real-world experience. Scale services profitably and strengthen client relationships: For MSPs and MSSPs, adding vCISO services is a strategic move that opens up new revenue streams and strengthens client relationships.

With the vCISO Academy, MSPs and MSSPs are improved positioned to capitalize on emerging opportunities in the vCISO market while meeting the critical security needs of SMBs.

Start Your vCISO Journey with the vCISO Academy.

As the cybersecurity landscape continues to evolve, the role of the vCISO is becoming a cornerstone of success for MSPs and MSSPs. The vCISO academy offers and invaluable resource to help service providers gain the expertise needed to thrive in this competitive landscape.

Whether you are just establishing your vCISO services or looking to expand, the vCISO Academy provides the tools, knowledge, and support you need to grow your business and serve your clients more effectively.

Start your journey by visiting the vCISO Academy today and take the first step toward scaling your cybersecurity services and driving business growth. Together, we can ensure that businesses of all sizes have access to the cybersecurity leadership they need to stay secure​​.

The FBI joined authorities across Europe last week in seizing domain names for Cracked and Nulled, English-language cybercrime forums with millions of......

The US Justice Department has charged Chinese state security officers along with APT27 and i-Soon hackers for network breaches and cyberattacks that h......

USB drive attacks constitute a significant cybersecurity risk, taking advantage of the everyday use of USB devices to deliver malware and circumvent t......

Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms

Targeted attacks on Twilio and Cloudflare employees are tied to a massive phishing campaign that resulted in 9,931 accounts at over 130 organizations being compromised. The campaigns are tied to focused abuse of identity and access management firm Okta, which gained the threat actors the 0ktapus moniker, by researchers.

“The primary goal of the threat actors was to obtain Okta identity credentials and multi-factor authentication (MFA) codes from individuals of the targeted organizations,” wrote Group-IB researchers in a recent findings. “These individuals received text messages containing links to phishing sites that mimicked the Okta authentication page of their organization.”.

Impacted were 114 US-based firms, with additional victims of sprinkled across 68 additional countries.

Roberto Martinez, senior threat intelligence analyst at Group-IB, mentioned the scope of the attacks is still an unknown. “The 0ktapus campaign has been incredibly successful, and the full scale of it may not be known for some time,” he mentioned.

The 0ktapus attackers are believed to have begun their campaign by targeting telecommunications companies in hopes of winning access to potential targets’ phone numbers.

While unsure exactly how threat actors obtained a list of phone numbers used in MFA-related attacks, one theory researchers posit is that 0ktapus attackers began their campaign targeting telecommunications companies.

“[A]ccording to the compromised data analyzed by Group-IB, the threat actors started their attacks by targeting mobile operators and telecommunications companies and could have collected the numbers from those initial attacks,” researchers wrote.

Next, attackers sent phishing links to targets via text messages. Those links led to webpages mimicking the Okta authentication page used by the target’s employer. Victims were then asked to submit Okta identity credentials in addition to a multi-factor authentication (MFA) codes employees used to secure their logins.

In an accompanying technical blog, researchers at Group-IB explain that the initial compromises of mostly software-as-a-service firms were a phase-one in a multi-pronged attack. 0ktapus’ ultimate goal was to access business mailing lists or customer-facing systems in hopes of facilitating supply-chain attacks.

In a possible related incident, within hours of Group-IB publishing its analysis late last week, the firm DoorDash revealed it was targeted in an attack with all the hallmarks of an 0ktapus-style attack.

In a blog post DoorDash revealed; “unauthorized party used the stolen credentials of vendor employees to gain access to some of our internal tools.” The attackers, , went on to steal personal information – including names, phone numbers, email and delivery addresses – from clients and delivery people.

In the course of its campaign, the attacker compromised 5,441 MFA codes, Group-IB reported.

“Security measures such as MFA can appear secure… but it is clear that attackers can overcome them with relatively simple tools,” researchers wrote.

“This is yet another phishing attack showing how easy it is for adversaries to bypass supposedly secure multifactor authentication,” Roger Grimes, data-driven defense evangelist at KnowBe4, wrote in a statement via email. “It simply does no good to move consumers from easily phish-able passwords to easily phish-able MFA. It’s a lot of hard work, resources, time, and money, not to get any benefit.”.

To mitigate 0ktapus-style campaigns, the researchers recommended good hygiene around URLs and passwords, and using FIDO2-compliant security keys for MFA.

“Whatever MFA someone uses,” Grimes advised, “the user should be taught about the common types of attacks that are committed against their form of MFA, how to recognize those attacks, and how to respond. We do the same when we tell consumers to pick passwords but don’t when we tell them to use supposedly more secure MFA.”.

The [website] Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday placed two security flaws impacting Microsoft Partner Center and Synacor Z......

The BadBox Android malware botnet has been disrupted again by removing 24 malicious apps from Google Play and sinkholing communications for half a mil......

A cross-site scripting (XSS) vulnerability in a virtual tour framework has been weaponized by malicious actors to inject malicious scripts across hund......