Threat Brief | When Your Own Backups, Tools, and Vendors Get Turned Against You

This week's headlines share an uncomfortable theme: attackers aren't breaking down the front door anymore. They're walking in through the backup server, the chat app, and the software vendor you already trust. Here's what mid-market leaders should know.

INC ransomware crosses 830 victims — and your industry is on the list. Researchers at Acronis report that the INC ransomware crew has now claimed more than 830 victims since August 2023, with U.S. organizations making up over 65% of them and legal services, manufacturing, construction, technology, and health care among the most-targeted sectors. They get in through unpatched edge devices, steal credentials straight off Veeam backup servers, and use everyday remote-management tools to spread. So what: These are exactly netMethods' core industries, and the playbook is mundane on purpose — no exotic tradecraft, just unpatched gear and exposed backups. The fix isn't glamorous either: patch your firewalls and VPN appliances on a schedule, and make sure your backups are isolated and tested. If an attacker can reach your backups, you don't have backups. The Hacker News

DragonForce is hiding inside Microsoft Teams traffic. Symantec and Carbon Black found the DragonForce ransomware group using a custom remote-access trojan to tunnel its command-and-control traffic through Microsoft Teams relay infrastructure — and it was deployed against a major U.S. services firm. So what: Your security tools are trained to trust Teams. That's the point — the attackers are riding the one connection nobody questions. For professional-services firms living inside Teams all day, this is a reminder that "trusted app" and "safe traffic" are not the same thing. Western Illinois University

Salesforce yanked a popular add-on after a vendor got hit. Salesforce disabled the Klue Battlecards app integration after detecting unusual activity that may have exposed a subset of customer data through the app's connection — the result of a breach at Klue itself, claimed by an extortion group called Icarus. So what: You can run a tight ship and still get exposed because a third-party app you bolted onto your CRM got compromised. Every integration you connect is a door you're trusting someone else to lock. Inventory your connected apps, and remove the ones nobody's actually using. The Hacker News

The extortion economy keeps grinding. Kodak confirmed a breach this week as the ShinyHunters group's leak-threat deadline arrived. The same crew has spent recent months hitting universities through an Oracle PeopleSoft flaw, plus a string of consumer and education platforms. So what: Public-sector and education organizations are squarely in the crosshairs of "steal-and-extort" groups that don't even bother encrypting — they just threaten to publish. If you hold sensitive records, assume someone wants to ransom the embarrassment, not just lock the files. Malwarebytes

Local angle: the quietest attack in Orange County is also the most expensive. Forget the dramatic ransomware screen. Locally, business email compromise targeting financial wire transfers is the number-one cybercrime loss in Orange County, with the Irvine Spectrum corridor of tech and professional-services firms especially exposed. The attacker quietly sits inside a real email account, watches conversations for weeks, then impersonates an executive or vendor at the exact moment a wire is being processed. So what: No malware required. The defense is human and procedural — multi-factor authentication on email, plus a hard rule that any payment change gets verified by a phone call to a known number. That one habit stops most of these cold. Intelecis

The thread running through all five: the perimeter you're defending now includes your backups, your collaboration tools, your vendors, and your accounts-payable process. Most of these don't get solved by buying one more product — they get solved by someone watching the right things and keeping the boring stuff patched and tested.

That's the work we do. If you're not certain your backups are isolated, your connected apps are accounted for, or your team would catch a well-timed wire-fraud email, we'll take a look. → netmethods.com/cybersecurity
