Cyber Risk in the Non Profit Sector
Understand more about cyber risk in this sector.
Cyber Risk Graph
Explore how this sector relates to the wider risk graph
Threat Reports
Publicly available threat reporting on cyber attacks against Non Profit.
Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials
This blog post by researchers at Microsoft Threat Intelligence outlines activity they observed by Forest Blizzard using a tool they named ...
From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering
This blog post from Proofpoint's Threat Research Team details the TA427 group who they link to Kimsuky and attribute to North Korea. TA427 conduct ...
APT44: Unearthing Sandworm
This report from researchers at Mandiant marks the graduation of the Sandworm intrusion set to the Mandiant APT label: APT44. It provides a ...
Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect
This blog post by researchers at Mandiant describes how the threat actor UNC5174 exploited vulnerabilities in F5 BIG-IP appliances and Connectwise ...
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
Predator Spyware Operators Rebuild Multi-Tier Infrastructure to Target Mobile Devices
This report from Recorded Future's Insikt Group describes recent TTPs and infrastructure used for the deployment of the Predator spyware. Predator ...
SVR cyber actors adapt tactics for initial cloud access
This advisory from the UK's National Cyber Security Centre (NCSC) outlines tactics, techniques and procedures (TTPs) used by the cyber actors ...
Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections
Blog post from researchers at Trend Micro discussing Earth Lusca and potential links to Chinese contractor I-Soon. Earth Lusca is a China-linked ...
TinyTurla Next Generation - Turla APT spies on Polish NGOs
'TinyTurla-NG' is a backdoor identified by Cisco Talos researchers which shows similarities to a previously used implant 'TinyTurla' - both used ...
CharmingCypress: Innovating Persistence
This report by Volexity outlines campaigns conducted by the actor they call CharmingCypress (aka Charming Kitten). The report describes targeting ...
HAFNIUM targeting Exchange Servers with 0-day exploits
In March 2021 Microsoft detected multiple zero-day exploits being used as part of a widespread campaign by HAFNIUM / Silk Typhoon. This report ...
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use against Non Profit.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1083 | File and Directory Discovery | Discovery |
| T1190 | Exploit Public-Facing Application | Initial Access |
| T1070.004 | File Deletion | Defense Evasion |
| T1572 | Protocol Tunneling | Command and Control |
| T1059.004 | Unix Shell | Execution |
| T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
| T1222.002 | Linux and Mac File and Directory Permissions Modification | Defense Evasion |
| T1049 | System Network Connections Discovery | Discovery |
| T1601.001 | Patch System Image | Defense Evasion |
| T1003.008 | /etc/passwd and /etc/shadow | Credential Access |
| T1573.002 | Asymmetric Cryptography | Command and Control |
| T1059 | Command and Scripting Interpreter | Execution |
| T1105 | Ingress Tool Transfer | Command and Control |
| T1027 | Obfuscated Files or Information | Defense Evasion |
| T1016 | System Network Configuration Discovery | Discovery |
| T1082 | System Information Discovery | Discovery |
| T1531 | Account Access Removal | Impact |
| T1095 | Non-Application Layer Protocol | Command and Control |
| T1608.003 | Install Digital Certificate | Resource Development |
| T1136.001 | Local Account | Persistence |
| T1595.003 | Wordlist Scanning | Reconnaissance |
| T1020 | Automated Exfiltration | Exfiltration |
| T1566.002 | Spearphishing Link | Initial Access |
| T1057 | Process Discovery | Discovery |
| T1087.002 | Domain Account | Discovery |
| T1036.007 | Double File Extension | Defense Evasion |
| T1583.001 | Domains | Resource Development |
| T1059.006 | Python | Execution |
| T1210 | Exploitation of Remote Services | Lateral Movement |
| T1003.001 | LSASS Memory | Credential Access |
| T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
| T1110.003 | Password Spraying | Credential Access |
| T1059.001 | PowerShell | Execution |
| T1543.003 | Windows Service | Persistence, Privilege Escalation |
| T1059.003 | Windows Command Shell | Execution |
| T1586.002 | Email Accounts | Resource Development |
| T1584.004 | Server | Resource Development |
| T1112 | Modify Registry | Defense Evasion |
| T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1608.005 | Link Target | Resource Development |
| T1078.003 | Local Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1036.005 | Match Legitimate Name or Location | Defense Evasion |
| T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
| T1003.002 | Security Account Manager | Credential Access |
| T1588.001 | Malware | Resource Development |
| T1033 | System Owner/User Discovery | Discovery |
| T1595.002 | Vulnerability Scanning | Reconnaissance |
| T1588.003 | Code Signing Certificates | Resource Development |
| T1592 | Gather Victim Host Information | Reconnaissance |
| T1505.003 | Web Shell | Persistence |
| T1087.001 | Local Account | Discovery |
| T1021.006 | Windows Remote Management | Lateral Movement |
| T1047 | Windows Management Instrumentation | Execution |
| T1539 | Steal Web Session Cookie | Credential Access |
| T1133 | External Remote Services | Initial Access, Persistence |
| T1608.001 | Upload Malware | Resource Development |
| T1608.002 | Upload Tool | Resource Development |
| T1569.002 | Service Execution | Execution |
| T1583.003 | Virtual Private Server | Resource Development |
| T1595.001 | Scanning IP Blocks | Reconnaissance |
| T1203 | Exploitation for Client Execution | Execution |
| T1204.002 | Malicious File | Execution |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
| T1114 | Email Collection | Collection |
| T1071.001 | Web Protocols | Command and Control |
| T1069.002 | Domain Groups | Discovery |
| T1534 | Internal Spearphishing | Lateral Movement |
| T1199 | Trusted Relationship | Initial Access |
| T1656 | Impersonation | Defense Evasion |
| T1573 | Encrypted Channel | Command and Control |
| T1007 | System Service Discovery | Discovery |
| T1590 | Gather Victim Network Information | Reconnaissance |
| T1566.001 | Spearphishing Attachment | Initial Access |
| T1119 | Automated Collection | Collection |
| T1583.004 | Server | Resource Development |
| T1090.002 | External Proxy | Command and Control |
| T1098.005 | Device Registration | Persistence, Privilege Escalation |
| T1110 | Brute Force | Credential Access |
| T1621 | Multi-Factor Authentication Request Generation | Credential Access |
| T1528 | Steal Application Access Token | Credential Access |
| T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1564.001 | Hidden Files and Directories | Defense Evasion |
| T1027.012 | LNK Icon Smuggling | Defense Evasion |
| T1001 | Data Obfuscation | Command and Control |
| T1027.009 | Embedded Payloads | Defense Evasion |
| T1204.001 | Malicious Link | Execution |
| T1041 | Exfiltration Over C2 Channel | Exfiltration |
| T1059.007 | JavaScript | Execution |
| T1132 | Data Encoding | Command and Control |
| T1027.002 | Software Packing | Defense Evasion |
| T1202 | Indirect Command Execution | Defense Evasion |
| T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| T1547.004 | Winlogon Helper DLL | Persistence, Privilege Escalation |