#NSBCS.079 - Making Data Protection Second Nature, Not an Afterthought
Source: NSB Cyber
Making Data Protection Second Nature, Not an Afterthought - Privacy Awareness Week
In half a decade of cyber security experience, I've witnessed firsthand how human error continues to be the leading cause of data breaches. Despite technological advancements and security measures, the Australian Signals Directorate's (ASD) Cyber Threat Report 2023–2024 highlights that human error remains a significant factor in cyber security incidents. The report underscores a critical vulnerability: no firewall can prevent a well-crafted phishing email. Build a culture where data protection is second nature, not second thought.
Why This Matters
Increased Incidents: The 36% rise in human error-related breaches indicates a growing trend that cannot be ignored.
Financial Implications: Small businesses, in particular, face significant financial losses, with average costs nearing $50,000 per incident.
Reputational Damage: High-profile incidents, such as agencies' accidental sharing of confidential information, erode public trust.
Cyber Hygiene Tips for Every Employee
To mitigate the risks associated with human error, consider the following practices:
1. Think Before You Click
Verify Links: Hover over links to ensure they direct to legitimate sites.
Check Senders: Be cautious of emails from unfamiliar or suspicious addresses.
Report Suspicious Activity: If in doubt, report potential phishing attempts to your IT department.
2. Use Strong, Unique Passwords
Password Managers: Use password managers to generate and store complex passwords.
Multi-Factor Authentication (MFA): Enable MFA wherever possible to add an extra layer of security.
3. Be Mindful When Sharing Information
Double-Check Recipients: Before sending sensitive information, confirm the recipients' details.
Use Secure Channels: Opt for encrypted communication methods when sharing confidential data.
4. Practice Data Minimisation
Limit Data Collection: Only collect data necessary for your tasks.
Regular Audits: Conduct periodic reviews to ensure data is stored securely and retained only as long as needed.
5. Encourage a Reporting Culture
Immediate Reporting: Promptly report any mistakes or suspicious activities to mitigate potential damage.
Non-Punitive Environment: Foster an environment where employees feel safe to report errors without fear of retribution.
Building a Culture of Security
Fostering a robust security culture within an organisation is essential for safeguarding sensitive data and maintaining operational integrity. This involves implementing ongoing training programs to ensure employees stay well-informed about the latest cyber security threats, vulnerabilities, and best practices for mitigating risks. Additionally, it requires establishing and clearly communicating comprehensive data protection policies that outline expectations and procedures for handling sensitive information. Equally important is the role of leadership, which must consistently model exemplary security behaviours, such as adhering to protocols and prioritising cyber security in decision-making, to set a positive tone and inspire employees to follow suit, thereby embedding a proactive security mindset across the organisation.
For information on NSB Cyber’s Cyber Resilience capabilities or to book a meeting with our team, click here.
What we read this week
Phishing Campaign Abuses Cloudflare Tunnel to Evade Detection - Securonix has identified a phishing campaign, codenamed SERPENTINE#CLOUD, exploiting Cloudflare Tunnel subdomains to stage multi-layered, in-memory malware delivery. Attackers send invoice-themed emails with zipped LNK files disguised as PDFs, triggering obfuscated VBScript and batch loaders. Payloads are fetched from remote WebDAV shares, culminating in the in-memory execution of RATs like AsyncRAT and Revenge RAT using Python loaders and the Donut packer. By leveraging *.trycloudflare[.]com, the campaign avoids URL-based defences. The activity spans the US, UK, and Europe. The use of LLM-style script comments and dynamic loader chains demonstrates the operation’s sophistication and evolving social engineering tradecraft.
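A defender-side triage check for the indicators summarised above (hosts under *.trycloudflare.com, LNK files posing as PDFs inside ZIP attachments). This is an added example, not code from the NSB Cyber article or from Securonix; the email body, attachment and hostname are constructed samples, and the defanged "[.]" notation is refanged before matching.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

TUNNEL_SUFFIX = ".trycloudflare.com"  # quick-tunnel hostnames abused by the campaign


def refang(text):
    """Turn defanged indicators such as host[.]com back into matchable hostnames."""
    return text.replace("[.]", ".")


def tunnel_hosts(text):
    """Return the distinct hostnames in text that sit under *.trycloudflare.com."""
    urls = re.findall(r"https?://[^\s'\"<>]+", refang(text))
    hosts = {urlparse(u).hostname for u in urls}
    return sorted(h for h in hosts if h and h.endswith(TUNNEL_SUFFIX))


def suspicious_archive_members(zip_bytes):
    """List .lnk members of a ZIP, noting double extensions that mimic PDFs."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            low = name.lower()
            if low.endswith(".lnk"):
                reason = "lnk disguised as pdf" if ".pdf" in low[:-4] else "lnk in archive"
                hits.append((name, reason))
    return hits


def triage_email(body, attachments):
    """attachments: list of (filename, bytes). Returns human-readable findings."""
    findings = [f"tunnel host: {h}" for h in tunnel_hosts(body)]
    for fname, data in attachments:
        if fname.lower().endswith(".zip"):
            for member, reason in suspicious_archive_members(data):
                findings.append(f"{fname}:{member} ({reason})")
    return findings


def build_sample_zip():
    """Constructed sample attachment: a shortcut named like a PDF plus a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_4471.pdf.lnk", b"constructed placeholder, not a real shortcut")
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()


SAMPLE_BODY = "Please review your invoice at https://abc-def.trycloudflare[.]com/invoice today."
```

Running `triage_email(SAMPLE_BODY, [("invoice.zip", build_sample_zip())])` returns one finding for the tunnel host and one for the disguised shortcut.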
APT29 Bypasses MFA via Google App-Specific Passwords - UNC6293, a professional Russian-aligned threat group assessed to be linked to APT29, ran a low-volume phishing campaign abusing Google’s app-specific password (ASP) feature to bypass MFA. The group impersonated US State Department staff with convincing, typo-free emails and PDFs, instructing targets to generate ASPs labelled “ms[.]state[.]gov” and return them. This granted attackers persistent access to Gmail accounts without triggering MFA. Victims included researchers linked to Ukraine and NATO policy. Google observed shared residential proxy infrastructure and has since revoked all identified ASPs. Users are urged to audit their ASPs and enable Advanced Protection for stronger account security.
Critical Veeam VBR RCE Vulnerability Impacts Domain-Joined Servers - Veeam has patched a critical remote code execution flaw (CVE-2025-23121) in Backup & Replication (VBR) software that affects domain-joined installations. Discovered by watchTowr and CodeWhite, the vulnerability enables any authenticated domain user to execute code remotely on the backup server. This flaw, fixed in version 12.3.2.3617, presents significant risk due to widespread misconfigurations where VBR servers are improperly joined to production domains. Ransomware groups—including Akira, Fog, and FIN7—have repeatedly exploited similar VBR flaws to delete backups and disable recovery. Veeam strongly advises isolating backup infrastructure and enforcing multi-factor authentication on administrative accounts.
Anubis RaaS Adds Destructive Data-Wiping to Ransomware Arsenal - Trend Micro has revealed that the Anubis ransomware-as-a-service (RaaS) group is equipping affiliates with a data-wiping function alongside standard encryption and extortion capabilities. The “wipemode” feature allows attackers to overwrite file contents, reducing them to zero-byte stubs and making recovery impossible—even if the ransom is paid. Anubis affiliates can choose from various revenue models, including post-theft extortion support. Initial access is typically gained via spear-phishing, followed by Volume Shadow Copy deletion and privilege escalation. The wiper function enhances pressure on victims and may appeal to hacktivists or nation-state-aligned threat actors due to its destructive potential.
Silver Fox APT Phishes Taiwan with Gh0stCringe, HoldingHands RAT - FortiGuard Labs has uncovered a complex campaign by Silver Fox APT targeting Taiwan, using phishing emails to distribute Winos 4.0, HoldingHands RAT, and Gh0stCringe. Infection begins with tax-themed phishing emails linked to password-protected ZIPs containing DLL side-loaders, encrypted shellcode, and legitimate binaries. Payloads are memory-resident and include anti-VM and privilege escalation features. The HoldingHands RAT, deployed via msgDb.dat, implements C2 communication for data theft and remote access, with modular support for RDP and file management. The threat actor continuously refines malware deployment chains to evade detection and achieve persistent access across Taiwanese systems.
References
https://thehackernews.com/2025/06/new-malware-campaign-uses-cloudflare.html
https://www.securityweek.com/russian-hackers-bypass-gmail-mfa-with-app-specific-password-ruse/
https://www.bleepingcomputer.com/news/security/new-veeam-rce-flaw-lets-domain-users-hack-backup-servers/
https://www.trendmicro.com/en_us/research/25/f/anubis-a-closer-look-at-an-emerging-ransomware.html
https://www.fortinet.com/blog/threat-research/threat-group-targets-companies-in-taiwan