CSIRT-CAN – Centro de Respuesta a Incidentes de Seguridad de Canarias


TYPES OF AI: HOW DO THEY DIFFER?

Artificial intelligence (AI) is one of the most powerful innovation tools of our century. However, there are different types with diverse and complementary functions, so today we analyze the differences between generative AI (ChatGPT) and predictive AI (Google Maps).

1) Main objective
Generative AI learns patterns from large volumes of data and then generates new output, such as text, images, audio, video, or code.
Predictive AI uses historical data to estimate future results or assign a category: for example, forecasting sales, detecting fraud, estimating customer churn, or deciding whether an email is spam.

2) Output type
The output of generative AI is usually something "created": an email draft, an image, a summary, a conversational response, or a piece of code.
The output of predictive (traditional) AI is usually a probability, label, score, recommendation, or decision: "high risk," "customer with an 82% probability of canceling," "approved/rejected," "product recommended."

3) How they "think"
In simple terms:
• Predictive AI tries to answer: "What will happen?" or "What category does this belong to?"
• Generative AI tries to answer: "What would a new example similar to what has been learned look like?"

4) Data and training
Generative AI is usually trained on very large and varied datasets because it needs to learn the structure of the content in order to produce new, convincing outputs.
Predictive AI can work with more focused, labeled data for a specific task, such as default (yes/no), churn (yes/no), demand per week, or diagnosis by class.

5) Everyday examples
Predictive
• Spam filter.
• Credit scoring.
• Fraud detection.
• Sales forecasting.
• Recommendation tools.
• Document or image classification.
Generative
• Write an email.
• Create an image.
• Summarize a report.
• Generate code.
• Create a transcript or a conversational response.

6) An easy way to remember it
• Generative: write the report.
• Predictive: calculate the probability of something happening.

Mirai: An Infrastructure for Cybercrime

Mirai is malware that infects devices such as cameras, Wi-Fi devices, and smart TVs. It turns these devices into a network controlled by attackers, known as a botnet. This malware has been used to launch coordinated massive attacks. However, its configuration has since been updated.

The new variants have improved DDoS attacks: they are now larger, more distributed, and harder to block. The key innovation lies in the use of new malicious proxies:
• The attacker redirects traffic through them.
• From the outside, they appear to be "normal users."

This allows the attackers to:
• Hide their identity.
• Evade blocks and security systems.
• Simulate legitimate traffic.

It's similar to using a VPN... but illegal and with hacked devices. These innovations serve primarily to preserve the attackers' anonymity and to launch attacks on a larger scale. Unlike just a few months ago, when this malware could take down a website, it can now maintain anonymity and perpetuate fraud. These botnets are becoming multifunctional platforms, not just attack tools. And this is extremely worrying:
• There are millions of vulnerable IoT devices.
• Attacks are now:
  o Harder to detect
  o More profitable for attackers
  o More persistent

Furthermore, the Mirai malware is already a kind of "base template" that others constantly reuse. Mirai has evolved from a DDoS tool into a complete cybercrime infrastructure.

FBI Dismantles Pro-Iranian Hacktivist Groups

The FBI (Federal Bureau of Investigation) seized two websites this week linked to a pro-Iranian hacking group known as the Handala Hack Team. The action was carried out in conjunction with the U.S. Department of Justice as part of a coordinated operation to disrupt cyber activities considered malicious and linked to a foreign actor.

The two domains seized by the FBI:
1. One served as a central site where the Handala group published information about its hacking operations.
2. The other was used to publish personal data ("doxing") of individuals allegedly linked to Israeli defense or technology companies (such as Elbit Systems or NSO Group).

Both sites now display an official notice stating that the infrastructure has been seized by U.S. federal authorities because it was determined to have been used to "facilitate malicious cyber activities on behalf of, or in coordination with, a foreign state actor."

Handala Hack Team is a hacktivist group that presents itself as pro-Palestinian and has been active since at least late 2023. Although the group describes itself as "activist," it is believed to operate with at least tacit support from Iranian state actors, or as a less official face of Iranian-led operations. The group has claimed responsibility for politically motivated attacks, including network data wipes, information leaks, and the publication of target lists.

The police operation comes just after Handala claimed responsibility for a significant cyberattack against Stryker Corporation, a large medical technology company with tens of thousands of employees. According to the group:
• They accessed an internal Windows administrative account.
• They took control of the Microsoft Intune management system.
• From there, they deleted data from tens of thousands of corporate and personal devices.

This incident underscores how cyber operations have become an integral part of current geopolitical tensions, where not only states launch attacks, but also government-affiliated or government-funded groups can participate in digital campaigns with political or strategic objectives. Following the Stryker attack, agencies such as CISA (the U.S. Cybersecurity and Infrastructure Security Agency) and Microsoft have issued recommendations to strengthen device management systems, such as stricter access controls, multi-factor authentication, and least privilege policies.
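As an added example (not from the article, nor from CISA or Microsoft guidance), a detection that complements the access-control advice above: flag any single account that issues an abnormal number of destructive device-management actions (wipe, retire, delete) within a short window, which is the pattern a mass remote wipe through a management console produces. The audit records and account names are constructed and the record layout is simplified; a real Intune audit log export has its own schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified audit records (not the real Intune audit schema):
# (timestamp UTC, actor, operation, target device).
SAMPLE_AUDIT = [
    ("2024-01-01T08:15:00Z", "helpdesk@example.com",  "Retire",     "PHONE-0100"),
    ("2024-01-01T09:00:00Z", "admin.ops@example.com", "Wipe",       "LAPTOP-0001"),
    ("2024-01-01T09:00:01Z", "admin.ops@example.com", "SyncDevice", "LAPTOP-0001"),
    ("2024-01-01T09:00:02Z", "admin.ops@example.com", "Wipe",       "LAPTOP-0002"),
    ("2024-01-01T09:00:05Z", "admin.ops@example.com", "Wipe",       "LAPTOP-0003"),
    ("2024-01-01T09:00:07Z", "admin.ops@example.com", "Wipe",       "LAPTOP-0004"),
    ("2024-01-01T09:00:09Z", "admin.ops@example.com", "Wipe",       "LAPTOP-0005"),
    ("2024-01-01T09:00:11Z", "admin.ops@example.com", "Wipe",       "LAPTOP-0006"),
    ("2024-01-01T10:45:00Z", "helpdesk@example.com",  "Retire",     "PHONE-0101"),
]

# Operations that destroy data or remove a device from management.
DESTRUCTIVE_OPS = {"Wipe", "Retire", "Delete"}


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_mass_wipe_actors(events, threshold=5, window_minutes=10):
    """Sliding-window count of destructive actions per actor.

    Returns {actor: peak_count} for every actor who issued at least
    `threshold` destructive actions within any `window_minutes` span.
    A helpdesk retiring a phone now and then stays below the threshold;
    a compromised admin wiping a fleet crosses it within seconds.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # actor -> timestamps still inside the window
    alerts = {}
    for ts, actor, op, _device in sorted(events, key=lambda e: e[0]):
        if op not in DESTRUCTIVE_OPS:
            continue
        t = parse_ts(ts)
        q = recent[actor]
        q.append(t)
        while t - q[0] > window:  # drop actions older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[actor] = max(alerts.get(actor, 0), len(q))
    return alerts


if __name__ == "__main__":
    for actor, count in find_mass_wipe_actors(SAMPLE_AUDIT).items():
        print(f"ALERT: {actor} issued {count} destructive actions within 10 minutes")
```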

Microsoft Teams Suffers a Surge in Social Engineering Campaign

A social engineering campaign abusing Microsoft Teams and Windows Quick Assist is in full swing. BlueVoyant warns that attackers are deploying a newly identified malware family, called A0Backdoor, after convincing employees to grant them remote access.

This activity overlaps with tactics previously linked to Blitz Brigantine, also identified as Storm-1811, a financially motivated cluster that Microsoft has linked to the Black Basta ransomware operations.

According to BlueVoyant, the attacks typically begin with an email bombardment, in which the target receives a large number of spam messages and is then contacted via Microsoft Teams by someone impersonating internal technical support. The attacker offers to help troubleshoot the email issue and convinces the employee to launch Quick Assist, a legitimate Microsoft remote support tool that allows screen sharing and device control.

BlueVoyant found that the installers placed files in user AppData paths that mimicked legitimate Microsoft software locations and then loaded a DLL to execute malicious code.

The campaign is significant because it shows that the same playbook defenders have followed since 2014 still works, but with updated tools and more covert command and control.

For defenders, the lesson is clear: treat Microsoft Teams as an initial access channel, not just a collaboration application. Organizations should restrict or remove Quick Assist where it is not needed, monitor unsolicited external Teams chats, and investigate signed MSI installers or Microsoft binaries that appear in unusual directories with write permissions for the user.

Tycoon 2FA Dismantled: How the Global Operation Was Carried Out

An international operation coordinated between law enforcement agencies and technology companies has dismantled Tycoon 2FA, one of the most widely used phishing-as-a-service (PhaaS) platforms for compromising accounts protected with multi-factor authentication (MFA). This action marks a milestone in the fight against cybercrime and demonstrates the impact of public-private collaboration on a global scale.

What was Tycoon 2FA and why did it pose a threat?
Tycoon 2FA was a criminal service that offered ready-to-use tools with which cybercriminals could launch advanced phishing campaigns, even without in-depth technical knowledge. Its main objective was to intercept credentials and authentication tokens in real time, allowing attackers to access legitimate accounts even when they were protected with MFA. The system used adversary-in-the-middle (AiTM) techniques: fake login pages acted as intermediaries between the victim and the legitimate service. When the user entered their credentials and completed the authentication process, the attacker captured both the password and the session token needed to log in without raising suspicion.

Since its emergence in 2023, Tycoon 2FA became one of the most significant drivers of online phishing fraud. According to Microsoft data, it was linked to tens of millions of phishing emails per month, affecting more than 500,000 organizations worldwide.

A criminal ecosystem based on "services"
Tycoon 2FA's popularity stemmed from its business model. It operated as a subscription-based platform that offered criminals:
• Web dashboards for managing phishing campaigns
• Realistic login page templates
• Automatic capture of credentials and session cookies
• Infrastructure prepared to launch large-scale attacks

This model significantly lowered the barrier to entry for cybercrime, allowing inexperienced actors to execute sophisticated attacks against services like Microsoft 365 or Google Workspace. As a result, thousands of attackers were able to compromise corporate accounts, facilitating subsequent attacks such as Business Email Compromise (BEC), data theft, or financial fraud.

The international operation that dismantled it
The takedown of Tycoon 2FA was the result of months of joint investigation between public agencies and private companies. The investigation began when security researchers identified the service's infrastructure and shared the information with international law enforcement agencies. The operation was led by Microsoft and coordinated with Europol, along with law enforcement agencies from several countries (including Spain, the United Kingdom, Portugal, Poland, Latvia, and Lithuania) and multiple cybersecurity companies. Key actions of the operation included:
• Seizure of more than 330 domains used by the platform for its control panels and phishing pages.
• Disabling the technical infrastructure that enabled the service to operate.
• Coordination with technology providers to block servers and services used by the attackers.
• Sharing intelligence with Computer Security Incident Response Teams (CSIRTs) worldwide.

The objective was to disrupt the cybercrime value chain by cutting off access to the infrastructure and making it difficult for operators and their clients to continue phishing campaigns.

The global impact of Tycoon 2FA
The reach of this platform illustrates the scale that criminal services on the internet have reached. It is estimated that Tycoon 2FA was linked to nearly 100,000 identified victims since 2023 and to a large number of phishing campaigns specifically targeting business, healthcare, and educational organizations. Furthermore, subsequent investigations have identified hundreds of thousands of records of credentials and login data obtained through the platform, demonstrating the magnitude of its impact on businesses and public bodies.

A reminder for digital security
The dismantling of Tycoon 2FA highlights both the sophistication of current cybercrime and the need for international cooperation to combat it. It also underscores that traditional multi-factor authentication can be vulnerable to advanced phishing attacks, especially if phishing-resistant methods such as security keys or hardware-based authentication are not used. Although operations like this manage to disrupt criminal infrastructures, experts warn that the criminal ecosystem tends to adapt quickly. Therefore, the combination of shared intelligence, legal action, and continuous improvements to digital defenses will remain essential.
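As an added example that is not part of the article, a small Python model of why the AiTM relay described above defeats a typed one-time code but not an origin-bound security-key assertion: the relying party verifies that the signed origin is its own, so an assertion produced while the browser sits on a look-alike page is rejected whether or not the proxy edits it. The two origins, the credential key and the OTP value are constructed, and a shared HMAC key stands in for the asymmetric signature a real WebAuthn authenticator produces.

```python
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://login.example.com"  # constructed relying-party origin
PHISH_ORIGIN = "https://login-example.co"   # constructed look-alike origin (placeholder)

# Simplification: one shared HMAC key stands in for the security key's private key
# and the relying party's registered public key; real WebAuthn uses asymmetric
# signatures, but the origin-binding check shown here works the same way.
CREDENTIAL_KEY = b"constructed-credential-key"

def _sign(client_data: dict) -> bytes:
    payload = json.dumps(client_data, sort_keys=True).encode()
    return hmac.new(CREDENTIAL_KEY, payload, hashlib.sha256).digest()

def authenticator_assert(challenge: bytes, browser_origin: str) -> dict:
    """The security key signs the challenge together with the origin the browser
    reports (WebAuthn clientDataJSON). It signs whatever origin the page is
    really served from, not what the page claims to be."""
    client_data = {"challenge": challenge.hex(), "origin": browser_origin}
    return {"client_data": client_data, "signature": _sign(client_data)}

def rp_verify(issued_challenge: bytes, assertion: dict) -> bool:
    """Relying party accepts only its own origin, its own challenge, and a
    signature that is valid over exactly the client data it received."""
    cd = assertion["client_data"]
    if cd.get("origin") != LEGIT_ORIGIN or cd.get("challenge") != issued_challenge.hex():
        return False
    return hmac.compare_digest(_sign(cd), assertion["signature"])

def service_accepts_otp(submitted: str, expected: str) -> bool:
    """A typed one-time code carries no origin: the service cannot tell whether
    it was entered on its own page or on a proxy's copy of it."""
    return hmac.compare_digest(submitted, expected)

def aitm_relay_otp() -> bool:
    code = "493027"  # constructed code shown on the victim's phone
    return service_accepts_otp(code, code)  # typed on the look-alike, forwarded verbatim: accepted

def aitm_relay_fido(proxy_rewrites_origin: bool) -> bool:
    challenge = secrets.token_bytes(16)  # issued by the real service, forwarded by the proxy
    assertion = authenticator_assert(challenge, PHISH_ORIGIN)  # browser is on the look-alike
    if proxy_rewrites_origin:  # proxy patches the origin field to look legitimate
        assertion["client_data"]["origin"] = LEGIT_ORIGIN
    return rp_verify(challenge, assertion)  # False either way: wrong origin or broken signature
```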

What is CSIRT-CAN?

The CSIRT-CAN (Canary Islands Security Incident Response Center) is an entity dedicated to the protection and resilience of digital infrastructures in the Canary Islands. Our center specializes in the detection, analysis, and mitigation of cybersecurity incidents, providing technical and strategic support to public and private organizations.


What do we do for you?

CSIRT-CAN offers various services for the prevention and prompt resolution of cybersecurity-related incidents.
