The Weaponization of Cyberspace: How National Interests are Fragmenting Global Networks in 2023

In 2023, the weaponization of cyberspace and the clash of national interests will lead to the breakdown of global networks into regional or even national architectures. As digitalization continues at a rapid pace, with estimates indicating that over 60% of the world's GDP will be digitalized by 2023, cyberspace, the ecosystem supporting it, is undergoing significant transformation. While technology investments increase across the board, the principles and assets governing cyberspace are eroding.

Top Risks 2023: Cyber infographic

The cyber arms race will accelerate in 2023, enabled by an expanded attack surface and a significant increase in automation across the spectrum of cyber threats. All threat actors are prioritizing the development of their capabilities, and the potential for real physical damage is at an all-time high as IT and OT (operational technology) networks converge. Governments and industry advisories focused on industrial control systems (ICS) have increased in recent years, and their successful exploitation by states and criminal groups is growing at an alarming rate.

In parallel to this weaponization, states are looking to exert more control over what some have already defined as their national cyberspace. In 2023, more than 75% of the world's population will be covered by at least one data privacy regulation. Combined with sanctions on specific technologies or vendors, the illusion of a truly global cyberspace is fading. The next iteration of states' intervention in 2023 and beyond will primarily focus on restricting which technologies can be used in their cyberspace.

The consequences of these two phenomena on organizations are existential. Network and system resilience will be tested like never before in 2023. The proliferation of vulnerabilities, connectivity, and threat actors targeting current and emerging technologies will challenge even the most advanced cyber security teams. Cloud services, operational technologies, and IT service providers will continue to face the most critical threats from states, criminals, and activists in 2023. The prospect of data and system integrity risks is also a concern. While organizations look to automation and AI as business enablers and security controls, threat actors have already begun weaponizing these tools and will increase their focus on them.

The ambition of operating a single global network for multinational organizations will be significantly challenged. While in recent years many attempted to centralize their operations and simplify their digital supply chains, the reality of nationalism in cyberspace will reverse many of these efforts. Compliance and political considerations will force organizations to build at best regional, at worst national networks within their own business. Ultimately, the digital organization of tomorrow will be a fragmented one. The key to avoiding the death of global networks will increasingly be decentralization - reversing the prevailing trend towards centralization to gain efficiencies and control. Beyond 2023, decentralized digital environments will provide greater agility, security, and resilience to those that adopt them.

Tactical Intelligence Security can help organizations navigate these challenges and protect their networks and critical assets. Our AI-powered VAPT services provide fast and accurate vulnerability identification, allowing organizations to proactively improve their security and avoid the consequences of a cyber attack. Contact us today to learn more and schedule a demo.

Cyber Security Best Practices



Securing your computer is a complex issue. Possible measures are endless, and many of them impose some restrictions on the legitimate user, which means there is a tradeoff between security and usability. Couple that with the fact that some measures require expert knowledge or complicated configuration, and it becomes obvious that it is hard for me to present a list like the one below. Not only do I have to concentrate on a single aspect of security, but such a list cannot possibly be complete. What I can do, however, is try to establish a baseline that I believe provides an acceptable basis, is general and easy enough that I can recommend it to most end users, and leaves most of your freedom and comfort intact so that you aren't scared away by the downsides. I strongly recommend that everybody adhere to as many of these practices as they can, because the list below is not nearly all that you can do to protect yourself, but merely a good start.

Tip #1 – Keep your software updated

After your OS and your software are installed, they should be updated regularly. Turning on automatic updaters in your applications (or simply not turning them off) is a seamless and frustration-free way of making sure you are always up to date. While this advice applies to all software, some software stands out in importance: the operating system, the internet browser, and your e-mail client (if you use an offline one). It is especially important to keep these updated with the latest security fixes, as they provide the largest and most common attack surfaces. However frustrating this may be, it also means updating or even reinstalling your operating system when it has reached end of support in its lifecycle. In particular, as of January 2020, you should not be running a Windows version older than Windows 8.1.

Tip #2 – Get a router, it is kind of a hardware firewall

For your home, get a router if you don't already have one. Better routers have very good firewalls with sophisticated features, but even cheap ones provide good inbound protection due to the way they do their so-called NAT. They will protect you against many attacks even when all your PC's defenses are down. Besides, a router is a requirement anyway if you need multiple devices at home connected to the internet. Depending on what kind of internet connection you have, your provider might even require you to have one (in which case they usually supply one for free). Routers sometimes impose some extra configuration on you for a small number of applications, but since these devices are so common, there are plenty of guides on the internet to help you out in those cases.

Tip #3 – You also need a software firewall

Most firewalls in routers can only filter inbound connections, and even those that can filter outbound traffic are completely unable to differentiate between two applications that use the same port, which means they cannot tell your browser from malware! Software firewalls can make this distinction. If you think it is already too late once you are infected, think twice: even after an infection, an outbound firewall can limit the activation or spread of the malware inside your computer (by disallowing control connections or the download of additional malware modules), or prevent it from spreading onto your network. Also, don't think only of malware. Privacy is closely related to security, and quite often limiting even legitimate software is part of protecting your privacy.

Tip #4 – Disable AutoRun/AutoPlay

This tip is actually somewhat outdated because this is already the default configuration in newer Windows versions, but I'm still including it in this list because there are enough people in the world using old Windows versions. Disable Windows' AutoRun function; see this article about the necessary steps. It protects you from your friend's or colleague's infected USB drive, whose owner hasn't even realized yet that there is malware on it. This tip is even more important for those among you with laptops, as you probably use them in public or crowded places sometimes.

Tip #5 – Antivirus are relics, but still useful

No matter what a company tells you about how advanced its antivirus technology is, antivirus software is just plain stupid. I mean, not its principle or goal, but the way it tries to detect malware. It cannot be helped; that's how the current state of the art is. While one product can be significantly better than others, all of them are primitive, and anything else you hear is just marketing. Chances are you have already heard others say that malware and antivirus are a cat-and-mouse game. This is nothing new and has always been the case, but with the internet more ubiquitous than ever before, innovation in antivirus technology basically non-existent, and the number, sophistication, and even funding of malware exploding rapidly, the cat is falling further and further behind the mouse. Get an antivirus if your computer's performance can afford it; it doesn't hurt (*cough* usually). An antivirus is a useful layer in your computer's security, but don't overestimate its value. If you rely on an antivirus as your only line of defense, your computer's security is pretty bad.

Tip #6 – Choose your passwords well

Current research indicates that any password should be at least 8 characters long. Try to include lower- and upper-case characters in it, as well as numbers. Never make personal information (like your or your loved one's name, birth date, address, etc.) part of your password, because as unlikely as it may seem, an attacker probably already knows these, and variations of them are going to be among the first things they try. Oh, and do not use the same password everywhere. Everybody knows that good passwords are hard to remember and annoying to type in, but they are important. To ease your burden, use a password manager like KeePass. It will generate good passwords, remember and organize them, and will even type them in for you when asked. That way you only have to remember a single password (but be sure to keep it very safe), and the rest won't be a hassle anymore.
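As an added example (not part of the original list), a small Python checker that encodes the rules from this tip: minimum length, mixed case and digits, no fragments of personal information, no reuse across accounts, plus a KeePass-style random generator built on a CSPRNG. The personal details and passwords used in it are constructed placeholders.

```python
import re
import secrets
import string

MIN_LENGTH = 8  # the minimum length stated in the tip above


def personal_variants(personal):
    """Expand each personal detail (name, birth date, address, ...) into the
    simple forms an attacker tries first: lowercase, separators stripped,
    reversed, individual words, and digit-only forms such as a birth year."""
    variants = set()
    for item in personal:
        base = item.strip().lower()
        compact = re.sub(r"[\s\-/.]", "", base)
        digits = re.sub(r"\D", "", base)
        candidates = [base, compact, compact[::-1]] + base.split()
        if len(digits) >= 4:
            candidates += [digits, digits[-4:]]
        variants.update(v for v in candidates if len(v) >= 3)
    return variants


def check_password(password, personal=(), used_elsewhere=()):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    lowered = password.lower()
    # Longest variants first so the most specific match is the one reported.
    for variant in sorted(personal_variants(personal), key=len, reverse=True):
        if variant in lowered:
            problems.append(f"contains personal information ({variant!r})")
            break
    if password in used_elsewhere:
        problems.append("reused from another account")
    return problems


def generate_password(length=20):
    """Generate a random password the way a password manager does: a CSPRNG
    (secrets) over letters, digits and punctuation, rejecting any draw that
    would fail check_password()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed example data, not real personal details.
    me = ["Alice Smith", "12/03/1990", "42 Baker Street"]
    for pw in ["alice1990x", "Summer2020", generate_password()]:
        print(pw, "->", check_password(pw, personal=me) or "OK")
```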

Tip #7 – Use your common sense

Possibly the most important advice I can give you. That's right, if you decide to implement only one thing from this list and none more, make it this one! The rule is simple: read, think, decide. Most security breaches are due to user error or oversight at their core. Take anything you see in internet ads with a grain of salt (or better, just ignore them completely). Deals that are too good to be true are not true. Remember that the "From" address in e-mails is easily spoofed, so don't trust it. Don't open any document or executable from your e-mails unless you've been expecting it. Also don't download or start an executable if you've been expecting a document instead. Carve it deep into your mind that a legitimate institution, company, or website never-never-ever asks you in mail for a password. Does a mail look different than it normally does? Did you just win an online lottery but you need to enter your credit card details first? What's the chance of an oil billionaire wanting to give you some of his shares? Read, think, and don't be naive.


Kia Motors Ransomware Attack: Details Emerge

Kia Motors America has suffered a ransomware attack by the DoppelPaymer gang, BleepingComputer reports.

The report mentions:

  • Hackers are demanding $20 million for a decryptor and not to leak stolen data.
  • Kia is suffering a nationwide IT outage that affects the company’s mobile UVO Link apps, phone services, payment systems, owner’s portal, and internal sites used by dealerships.

A Kia Motors America statement to BleepingComputer said:

“KMA is aware of IT outages involving internal, dealer and customer-facing systems, including UVO. We apologize for any inconvenience to our customers and are working to resolve the issue and restore normal business operations as quickly as possible.” – Kia Motors America.

DoppelPaymer Ransomware: Earlier Warnings

Webroot, an OpenText company, listed DoppelPaymer among the nastiest malware of 2020.

The FBI issued a DoppelPaymer warning in 2020, after the ransomware surfaced in 2019. DoppelPaymer ransomware attack victims include the City of Torrance, California; hackers allegedly stole more than 200 GB of files from the city in early 2020.

Trend Micro offers this overview of how DoppelPaymer ransomware attacks typically work.

Russian Hackers Target VMware Vulnerability, NSA Warns

Russian cyber actors are exploiting a vulnerability in VMware Access and Identity Manager products to access protected data on affected systems, according to a National Security Agency (NSA) security advisory released this week.

The VMware vulnerability affects the following products:

  • Workspace One Access
  • Access Connector
  • Identity Manager
  • Identity Manager Connector

To exploit the VMware vulnerability, cyber actors must have access to a device’s management interface, NSA indicated. They can then forge security assertion markup language (SAML) credentials to request access to protected data.

How to Guard Against the VMware Vulnerability

NSA is urging National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) system administrators to apply vendor-provided patches to affected VMware products as soon as possible. It offers the following recommendations to guard against the VMware vulnerability:

  • Understand the Vulnerability: The VMware vulnerability requires password-based access to a web interface and allows cybercriminals to execute Linux commands. As such, system administrators should leverage multi-factor authentication (MFA) and other appropriate security measures to minimize the threat’s impact.
  • Understand the Relevance: The VMware vulnerability enables cybercriminals to target customer and partner networks. Therefore, system administrators should identify any networks that could be affected by the vulnerability.
  • Prioritize the Response: System administrators must identify which data can be accessed via vulnerable VMware products, assess the risk associated with data that cybercriminals could access and patch vulnerable products accordingly.

In addition, system administrators should review server logs and check and update service configurations to mitigate the VMware vulnerability, NSA stated. They also can leverage MFA for security credential services as needed.

State-Sponsored Hackers Steal FireEye Red Team Security Testing, Assessment Tools

State-sponsored hackers have attacked FireEye and stolen the cybersecurity company’s Red Team penetration testing and assessment tools, FireEye disclosed in an SEC filing on December 8, 2020. FireEye is concerned the hackers will potentially use the stolen Red Team penetration testing tools to attack additional companies. As a precaution, the company is sharing countermeasures to help potential targets mitigate attacks.

The Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security, issued this warning about the stolen FireEye tools.

FireEye CEO Kevin Mandia

Among the key FireEye disclosures in the SEC filing:

1. State Sponsored Actor?: The attacker was a “highly sophisticated cyber threat actor” whose “discipline, operational security, and techniques lead us to believe it was a state-sponsored attack.” CEO Kevin Mandia believes the attack involves a “nation with top-tier offensive capabilities.”

2. FireEye Tools Were the Specific Target: This attack specifically targeted FireEye and used methods that “counter security tools and forensic examination.” The attackers “used a novel combination of techniques not witnessed by us or our partners in the past.” The attacker targeted and accessed certain Red Team assessment tools that FireEye uses to test its customers’ security.

3. FBI, Microsoft Assist Investigation: FireEye is investigating the attack in coordination with the Federal Bureau of Investigation and other key partners, including Microsoft.

4. Defending Against the Red Team Tools: FireEye is proactively “releasing methods and means to detect the use of our stolen Red Team tools.” The company doesn’t know if the attacker intends to use the Red Team tools or to publicly disclose them. FireEye has developed more than 300 countermeasures for customers and the community at large to use in order to minimize the potential impact of the theft of these tools.

5. No Additional Attacks So Far: FireEye has seen no evidence to date that any attacker has used the stolen Red Team tools, but continues to monitor for their use.

6. Customer Information Targeted, But Not Stolen: The attacker primarily sought information related to certain government customers. While the attacker was able to access some of FireEye’s internal systems, there’s no evidence (so far) that the attacker exfiltrated data from the company’s customer information, incident response or consulting engagements, or the metadata collected by products in the dynamic threat intelligence systems. FireEye plans to contact customers directly if it discovers that any customer information was taken.

7. More Details: If/when more details become available, FireEye will disclose the information via its corporate blog.

Operation Falcon: Group-IB helps INTERPOL identify Nigerian BEC cybercrime ring members

Group-IB, a global threat hunting and intelligence firm, sponsored an INTERPOL-led operation, Falcon, targeting a Nigerian business email compromise (BEC) cybercrime gang, dubbed TMT by Group-IB. The cross-border anti-cybercrime effort, involving INTERPOL's Cybercrime Directorate, the Nigerian Police Force, and Group-IB's APAC Cyber Investigations Team, culminated in the arrest of three people in Lagos. The prolific gang has infiltrated at least 500,000 government and private-sector enterprises in more than 150 nations since at least 2017. As some of the gang members remain at large, the investigation continues.

Business Email Compromise (BEC) is a type of email phishing attack that relies on social engineering. As part of BEC, phishing emails may be targeted at specific individuals within an entity or sent out en masse. They attempt to steal confidential data and are frequently disguised as money transfer requests, HR messages or business proposals.

With the support of Group-IB's Cyber Investigations and CERT-GIB teams, the three BEC gang members with the initials «OC» (32 y.o.), «IO» (34 y.o.), and «OI» (35 y.o.) were recently arrested in Lagos by the Nigerian cybercrime police unit as part of the Falcon operation. According to the Nigerian Police, the data found on the computers of the arrested TMT members confirmed their role in the criminal scheme and contained stolen data from at least 50,000 targeted victims.

Pic. 1 Photograph courtesy of INTERPOL

Group-IB has been monitoring the gang since 2019 and identified that TMT gang members may have compromised about 500,000 government and private-sector businesses. Based on the infrastructure the attackers use and their techniques, Group-IB was also able to determine that the gang is split into subgroups, with a number of individuals still at large. The findings on other alleged gang members that Group-IB was able to track were shared with INTERPOL's Cybercrime Directorate. The inquiry continues.

The study of their activities showed that the gang focuses on mass email phishing campaigns spreading common strains of malware under the pretext of buying orders, product inquiries, and even COVID-19 help impersonating legitimate businesses:

Fig. 1 Sample of the TMT’s phishing email

The attackers send out phishing emails using Gammadyne Mailer and Turbo-Mailer. MailChimp is used to monitor whether the message has been opened by a receiving victim.

Fig. 2 Gammadyne Mailer used by cybercriminals

The gang was also seen using earlier compromised email accounts to push a new round of phishing attempts. The discovered email samples, detected and analyzed by the Group-IB Threat Hunting Framework, were crafted in English, Russian, Spanish, and other languages, depending on the scammers' target list.

Fig. 3 The example of the compromised data from the cybercriminals’ logs

Researchers from Group-IB note that the cybercriminals behind these BEC activities rely solely on a range of publicly available spyware and remote access trojans (RATs), such as AgentTesla, Loky, AzoRult, Pony, NetWire, etc. The gang uses public crypters to evade detection and monitoring by conventional security techniques. TMT-operated malware most frequently communicates with the attackers' C&C server over the SMTP, FTP and HTTP protocols.

The objective of their attacks is to steal authentication data from browsers, email clients, and FTP clients. According to Group-IB, over the course of their operations the gang has managed to infect organizations around the world, including in the US, the UK, Singapore, Japan, and even back home in Nigeria. Although this gang's monetization tactics are still being investigated, selling account access as well as confidential data harvested from emails to the highest bidder on underground markets is not unusual for cybercriminals.
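As an added example (not Group-IB's code or the article's), the following Python detection logic applies the point above about TMT malware talking to its C&C over SMTP and FTP: it reads constructed flow records and flags internal hosts, other than an assumed mail relay and backup server, that open outbound SMTP or FTP sessions to external addresses. The network ranges, host roles, record format and flow lines are all assumptions.

```python
import ipaddress

# Destination ports for the exfiltration channels named above. HTTP is omitted:
# on port alone it is far too noisy to flag from ordinary workstations.
WATCHED_PORTS = {25: "smtp", 465: "smtps", 587: "submission", 21: "ftp"}

# Hosts legitimately allowed to use these protocols outbound (assumed roles).
ALLOWED_SOURCES = {
    "10.0.0.25": {"smtp", "smtps", "submission"},  # corporate mail relay
    "10.0.0.40": {"ftp"},                          # backup server
}

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse one constructed flow record: 'ts src_ip src_port dst_ip dst_port proto'."""
    ts, src, _sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto.lower()}


def find_suspicious_exfil(lines):
    """Return (src, service, dst) for internal hosts, other than the allowed ones,
    that initiate outbound SMTP/FTP sessions to external addresses."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        service = WATCHED_PORTS.get(flow["dport"])
        if service is None or flow["proto"] != "tcp":
            continue
        if not is_internal(flow["src"]) or is_internal(flow["dst"]):
            continue  # only internal -> external matters here
        if service in ALLOWED_SOURCES.get(flow["src"], set()):
            continue
        hits.append((flow["src"], service, flow["dst"]))
    return hits


# Constructed sample flows: the relay sending mail (fine), a workstation talking
# SMTP submission and FTP to an outside host (suspicious), internal mail (fine),
# and ordinary HTTPS (not watched).
SAMPLE_FLOWS = """\
# ts src sport dst dport proto
2020-11-20T09:01:02 10.0.0.25 51122 203.0.113.10 25 tcp
2020-11-20T09:01:10 10.0.3.17 49230 198.51.100.5 587 tcp
2020-11-20T09:02:44 10.0.3.17 49231 198.51.100.5 21 tcp
2020-11-20T09:03:00 10.0.3.18 49500 10.0.0.25 25 tcp
2020-11-20T09:03:05 10.0.3.19 49600 198.51.100.9 443 tcp
""".splitlines()

if __name__ == "__main__":
    for src, service, dst in find_suspicious_exfil(SAMPLE_FLOWS):
        print(f"{src} -> {dst} ({service}): unexpected outbound session")
```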

Craig Jones, INTERPOL’s Cybercrime Director, highlighted the outstanding cooperation between all those involved in the investigation and underlined the importance of public-private relationships in disrupting virtual crimes.


Group-IB is one of Tactical Intelligence Security's strategic partners. If you want to know more about how Group-IB's solutions can help your business, contact us at +233-574-55-09-79.

Visa Warns of Fresh Skimmer Targeting E-Commerce Sites

Visa's payment fraud disruption team is warning of a recently uncovered digital skimmer called "Baka" that is stealing payment card data from e-commerce sites while hiding from security tools.

Researchers discovered the malicious code while examining a command-and-control infrastructure that previously hosted the ImageID skimmer.

Although Baka functions similarly to other JavaScript skimmers, the Visa fraud team found that this malicious code is able to load dynamically into e-commerce sites and then hide from security tools using obfuscation techniques, according to the Visa alert.

The Baka skimmer has been found in "several merchant websites across multiple global regions," the alert notes, but it does not provide further details.

"The most compelling components of this kit are the unique loader and obfuscation method," the Visa alert notes. "The skimmer loads dynamically to avoid static malware scanners and uses unique encryption parameters for each victim to obfuscate the malicious code. ... This skimmer variant avoids detection and analysis by removing itself from memory when it detects the possibility of dynamic analysis with developer tools or when data has been successfully exfiltrated."

How Baka Works

The Visa alert does not indicate how Baka is initially delivered to a network. But the report notes that the malicious code is hosted on several suspicious domains, including: jquery-cycle[.]com, b-metric[.]com, apienclave[.]com, quicdn[.]com, apisquere[.]com, ordercheck[.]online and pridecdn[.]com.

Once the initial infection takes hold, the skimmer is delivered from the command-and-control server, but the code loads only in memory. This means the malware is never present on the targeted e-commerce firm's server or saved to another device, helping it to avoid detection, according to the alert.

"The skimming payload decrypts to JavaScript written to resemble code that would be used to render pages dynamically," according to Visa.

Once embedded in an e-commerce site's checkout page, the skimmer begins to collect payment and other customer data from various fields and sends the information to the fraudsters' command-and-control server, Visa notes.

Once data exfiltration is complete, Baka performs a "clean-up" function that removes the skimming code from the checkout page, according to the alert. This also helps ensure that the JavaScript is not spotted by anti-malware tools.

Visa's analysts found that the operators behind Baka use an XOR cipher as a way to obscure the malicious code and further hide it from detection, according to the alert.

"While the use of an XOR cipher is not new, this is the first time Visa has observed its use in JavaScript skimming malware," according to the alert.

Mitigating Risks

The Visa alert advises e-commerce merchants to take several steps to mitigate skimming risks, including:

  • Run regular checks to determine if any code is attempting to communicate with a known command-and-control server;
  • Check code added through a service provider;
  • Vet content delivery networks and other third parties that have access to the checkout function;
  • Update and patch any software or services used on checkout sites and consider adding a firewall;
  • Limit access to online administrative portals and ensure that those with access use strong passwords.
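As an added example (not Visa's code) of the first two checks in the list above, this Python script scans a checkout page's HTML for script sources or inline references to the domains named in the Visa alert, and flags inline scripts that XOR-decode strings, the obfuscation the alert describes. The sample page is constructed, and the heuristic and function names are my own assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosting domains named in the Visa alert, kept defanged as in the alert text.
BAKA_C2_DOMAINS = [
    "jquery-cycle[.]com", "b-metric[.]com", "apienclave[.]com", "quicdn[.]com",
    "apisquere[.]com", "ordercheck[.]online", "pridecdn[.]com",
]
BLOCKLIST = {d.replace("[.]", ".").lower() for d in BAKA_C2_DOMAINS}


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def host_matches_blocklist(url):
    """True if the URL's host is a blocklisted domain or a subdomain of one."""
    if "//" not in url:
        url = "//" + url  # let urlparse treat a scheme-less 'host/path' as a netloc
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)


def looks_like_xor_decoder(js):
    """Heuristic for a string-XOR loader: per-character XOR of charCodeAt()
    output against a key, rebuilt with String.fromCharCode()."""
    return "charCodeAt" in js and "fromCharCode" in js and "^" in js


def scan_checkout_page(html):
    """Return (finding, detail) tuples for a checkout page's scripts."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        if host_matches_blocklist(src):
            findings.append(("blocklisted_script_src", src))
    for index, body in enumerate(parser.inline):
        lowered = body.lower()
        for domain in sorted(BLOCKLIST):
            if domain in lowered:
                findings.append(("blocklisted_domain_in_inline_script", domain))
        if looks_like_xor_decoder(body):
            findings.append(("xor_decoder_in_inline_script", f"inline script #{index}"))
    return findings


# Constructed sample checkout page: one legitimate script, one loaded from a
# blocklisted host, and an inline XOR decoder that names another blocklisted host.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="https://cdn.shop.example/static/checkout.js"></script>
<script src="//quicdn.com/jquery-3.4.1.min.js"></script>
</head><body>
<script>
var k = 7, s = "encoded", out = "", c2 = "https://b-metric.com/collect";
for (var i = s.length - 1; i >= 0; i--) {
  out = String.fromCharCode(s.charCodeAt(i) ^ k) + out;
}
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_checkout_page(SAMPLE_CHECKOUT_HTML):
        print(*finding)
```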

Other Skimming Attacks

In November 2019, Visa researchers uncovered another type of skimmer called Pipka that had the ability to remove itself from the HTML of a compromised payment website after it executed, enabling it to avoid security detection (see: New JavaScript Skimmer Found on E-Commerce Sites).

Other security researchers have more recently warned about ongoing attacks against e-commerce websites using malicious JavaScript to steal payment card data.

For example, in August, security firm Group-IB warned of a cybercriminal gang called "UltraRank" that is using malicious code to skim payment card data and then selling that information to others on its own underground site (see: 'UltraRank' Gang Sells Card Data It Steals).

Earlier this month, security firm Malwarebytes warned that some fraudsters have started using encrypted messages on Telegram to steal data faster (see: Fraudsters Use Telegram App to Steal Payment Card Data).