NCSC Threat Report Poster

NCSC Threat Report – 10th March 2023

New tool released to help with MITRE ATT&CK mapping

CISA, along with key partners including MITRE, have released a free tool named Decider to help map threat actor behaviour to the MITRE ATT&CK framework.

The MITRE ATT&CK® framework is a global knowledge base of actor tactics, techniques and procedures that can be used to map activity. The NCSC uses MITRE ATT&CK references in its advisories.

Decider uses guided questions to help make mapping easier, and includes a search and filter function, as well as the capability to easily export results.

It comes with accompanying resources to help users to get started with Decider.


Tips to avoid Microsoft OneNote attachment spreading malware on your network

Bleeping Computer highlights threat actors’ recent use of Microsoft OneNote file attachments to spread malware on Windows and offers advice on how to mitigate this on networks.

The use of OneNote files to spread malware follows Microsoft’s decision to disable macros in Word and Excel documents in 2022 because of their widespread misuse. Rather than distributing via macros or vulnerabilities, in OneNote create templates appearing as protected documents, with an instruction message to double-click.

The article recommends blocking OneNote attachments by blocking .one file extensions at secure mail gateways or servers, but also provides other advice for when this isn’t possible.


CISA ransomware advisory on the Royal variant

CISA and FBI in the US have published a new advisory on the ransomware variant known as Royal.

As the advisory reports, Royal is known to have impacted organisations in the US and internationally in critical national infrastructure (CNI) sectors.

It provides indicators of compromise and TTPs for detection of activity.

The NCSC also has guidance on mitigating malware and ransomware.


Cyber criminals use Eurovision as the latest phishing lure

Cyber criminals are targeting hotels hosting people travelling to Liverpool for the Eurovision song contest event in May. The online travel agent booking.com has confirmed to the BBC they have seen evidence of “some accommodation partners being targeted by phishing emails.”

Cyber criminals often take advantage of news and topical events to scam customers. There are some good ways you can prepare yourself and spot potential scams on the NCSC website, as well as guidance on what to do next if you are a victim of phishing.

Recent posts